itmanager223
asked on
OSX Lion Server and Active Directory Integration issues
Hey guys, I am having big issues with my new Lion server and AD integration.
I am integrating a copy of 10.7.3 with Server 2008 AD infrastructure single domain.
I am able to get the Lion server integrated perfectly and I can see all the users within Workgroup Manager. My problem stems from when I try and log in any user via webmail or mail client. I always get auth failed for od 127.0.0.1
If I try and log in that same user to web iCal it works perfectly and instantly.
I am really trying to figure this out and have been researching online for days now. I have followed Apple's white paper on "Best practices for integrating OS X Lion with Active Directory" with no luck.
I have also called AppleCare and they helped me to a certain point but then mentioned that this is where AppleCare ends and I need to purchase per-incident support for further assistance.
Is anyone able to help, as I am unwilling to provide almost $700 for one incident of support to Apple?
Thanks,
Dani
ASKER
This has nothing to do with workstations. I am talking solely about Lion Server and Active Directory here. My users are in Active Directory.
Can you then post some of your system logs that show what is happening during the logon and errors?
Open up your console viewer and check the logs for errors around the same time you try to access those services.
ASKER
OK, here is the log output when I try and log in.
This is from /var/log/opendirectoryd.log
2012-03-08 17:04:59.496 EST - Module: SystemCache - SweepInvoke: Expired cache entry for 'pw_name:dcela'
2012-03-08 17:04:59.669 EST - 1002.5962, Module: SystemCache - getpwnam_ext request, Name: dcela
2012-03-08 17:04:59.669 EST - Module: SystemCache - FetchFromCache - Looking for entry with key pw_name:dcela
2012-03-08 17:04:59.669 EST - Module: SystemCache - Cache_Fetch(pw_name:dcela)found invalid 0x10cf864c0
2012-03-08 17:04:59.669 EST - 1002.5962.5964, Module: SystemCache - ODQueryCreateWithNode request, NodeID: A7A9F21C-63EC-409F-9B19-437011FCFD39 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.669 EST - 1002.5962.5964.5965, Module: search - ODQueryCreateWithNode request, NodeID: 5E1A28C3-3355-4BB2-8049-4DB1C89820A5 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.672 EST - 1002.5962.5964.5967, Module: search - ODQueryCreateWithNode request, NodeID: 416F3840-8C93-41BF-95DF-9C95F48254E7 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.672 EST - 1002.5962.5964.5967, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=dcela)(cn=dcela)(mail=dcela)(altSecurityIdentities=dcela)))', baseDN - 'cn=users, dc=grey,dc=injjdowns,dc=com'
2012-03-08 17:04:59.673 EST - 1002.5962.5964.5969, Module: search - ODQueryCreateWithNode request, NodeID: 1D52F007-20E7-4152-BE28-50653B7F5DA5 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.673 EST - 1002.5962.5964.5969.5971, Module: ActiveDirectory - ODQueryCreateWithNode request, NodeID: 7E4C1FF7-9A36-4212-AD16-9AB7F3049D8F , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.674 EST - 1002.5962.5964.5969.5971, Node: /Active Directory/INJJDOWNS/GlobalCatalog, Module: ldap - query with filter - '(&(&(objectCategory=person)(objectClass=user))(|(|(sAMAccountName=dcela)(userPrincipalName=dcela@*))(displayName=dcela)(mail=dcela)(altSecurityIdentities=dcela)))', baseDN - ''
"dcela@jjdowns.com"
2012-03-08 17:04:59.678 EST - Module: SystemCache - Cache_CreateEntry pw_name:dcela @0x10cf84ca0
2012-03-08 17:04:59.678 EST - Module: SystemCache - Cache_CreateEntry(pw_name:dcela -> 0x10cfad0f0
2012-03-08 17:04:59.678 EST - Module: SystemCache - AddEntryToCacheWithKeys(pw_name:dcela -> 0x10cfad0f0)
2012-03-08 17:04:59.678 EST - 1002.5974 - ODQueryCreateWithNode request, NodeID: EDE76E9B-51D3-4CBC-9779-E99089C30A0A , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.679 EST - 1002.5974.5975, Module: search - ODQueryCreateWithNode request, NodeID: 5E1A28C3-3355-4BB2-8049-4DB1C89820A5 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.680 EST - 1002.5974.5976, Module: search - ODQueryCreateWithNode request, NodeID: 416F3840-8C93-41BF-95DF-9C95F48254E7 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.681 EST - 1002.5974.5976, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=dcela@jjdowns.com)(cn=dcela@jjdowns.com)(mail=dcela@jjdowns.com)(altSecurityIdentities=Kerberos:dcela@jjdowns.com)))', baseDN - 'cn=users, dc=grey,dc=injjdowns,dc=com'
2012-03-08 17:04:59.681 EST - 1002.5974.5977, Module: search - ODQueryCreateWithNode request, NodeID: 1D52F007-20E7-4152-BE28-50653B7F5DA5 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.681 EST - 1002.5974.5977.5978, Module: ActiveDirectory - ODQueryCreateWithNode request, NodeID: 7E4C1FF7-9A36-4212-AD16-9AB7F3049D8F , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.682 EST - 1002.5974.5977.5978, Node: /Active Directory/INJJDOWNS/GlobalCatalog, Module: ldap - query with filter - '(&(&(objectCategory=person)(objectClass=user))(|(|(sAMAccountName=dcela@jjdowns.com)(userPrincipalName=dcela@jjdowns.com@*))(displayName=dcela@jjdowns.com)(mail=dcela@jjdowns.com)(|(altSecurityIdentities=Kerberos:dcela@jjdowns.com)(userPrincipalName=dcela@jjdowns.com))))', baseDN - ''
2012-03-08 17:04:59.689 EST - 1002.5981 - ODRecordVerifyPasswordExtended request, NodeID: FA8AC090-0BF4-4C87-AA42-E0A0660462F6 , RecordType: dsRecTypeStandard:Users, Record: dcela, MetaRecordName: CN=Dani Cela,CN=Users,DC=injjdowns,DC=com, AuthType: dsAuthMethodStandard:dsAuthNodeCRAM-MD5, Context: 00000000-0000-0000-0000-000000000000
2012-03-08 17:04:59.692 EST - 1002.5981.5982 - ODQueryCreateWithNode request, NodeID: FA8AC090-0BF4-4C87-AA42-E0A0660462F6 , RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaRecordName,dsAttrTypeStandard:AuthenticationAuthority,dsAttrTypeStandard:PasswordPolicyOptions,dsAttrTypeStandard:Password,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:RecordType,dsAttrTypeNative:pwdLastSet,dsAttrTypeNative:accountExpires,dsAttrTypeNative:userAccountControl,dsAttrTypeStandard:RecordName, Max Results: 1
2012-03-08 17:04:59.693 EST - 1002.5981.5982, Node: /Active Directory/INJJDOWNS/injjdowns.com, Module: ldap - query with filter - '(&(&(objectCategory=person)(objectClass=user))(|(|(sAMAccountName=dcela)(userPrincipalName=dcela@*))(displayName=dcela)(mail=dcela)(altSecurityIdentities=dcela)))', baseDN - 'DC=injjdowns,DC=com'
2012-03-08 17:04:59.694 EST - 1002.5981, Node: /Active Directory/INJJDOWNS/injjdowns.com - Audit - Credential method not supported (5100) - Modify password for record type Users 'dcela' node '/Active Directory/INJJDOWNS/injjdowns.com', using method dsAuthNodeCRAM-MD5
ASKER
Actually guys, I just figured it out.
If you look near the end of that log output.
2012-03-08 17:04:59.694 EST - 1002.5981, Node: /Active Directory/INJJDOWNS/injjdowns.com - Audit - Credential method not supported (5100) - Modify password for record type Users 'dcela' node '/Active Directory/INJJDOWNS/injjdowns.com', using method dsAuthNodeCRAM-MD5
Unsupported credential method "CRAM-MD5"
Once I turned CRAM-MD5 off for both SMTP and IMAP, I was able to log in instantly.
I knew it was something simple but did not know it was that simple.
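A way to find this failure without reading the whole log, as an added example that is not part of the original thread: the script pulls every "Credential method not supported" audit entry out of opendirectoryd output and counts them per node and mechanism. The regular expression is modelled only on the single audit line quoted above, and the third sample line is constructed.

```python
import re
from collections import Counter

# Shape of the opendirectoryd audit entry quoted in the thread (an assumption:
# other OS X releases may format this line differently).
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ - "
    r"(?P<req>[\d.]+), Node: (?P<node>.+?) - Audit - "
    r"Credential method not supported \((?P<code>\d+)\) - .*?"
    r"record type (?P<rtype>\S+) '(?P<record>[^']+)'.*?"
    r"using method (?:dsAuthNode)?(?P<mech>\S+)\s*$"
)

# Sample input: line 1 is the audit entry from the thread, line 2 is a cache
# entry from the same log, line 3 is constructed ('user2' is a placeholder).
SAMPLE_LOG = """\
2012-03-08 17:04:59.694 EST - 1002.5981, Node: /Active Directory/INJJDOWNS/injjdowns.com - Audit - Credential method not supported (5100) - Modify password for record type Users 'dcela' node '/Active Directory/INJJDOWNS/injjdowns.com', using method dsAuthNodeCRAM-MD5
2012-03-08 17:04:59.678 EST - Module: SystemCache - Cache_CreateEntry pw_name:dcela @0x10cf84ca0
2012-03-08 17:06:12.101 EST - 1002.6010, Node: /Active Directory/INJJDOWNS/injjdowns.com - Audit - Credential method not supported (5100) - Modify password for record type Users 'user2' node '/Active Directory/INJJDOWNS/injjdowns.com', using method dsAuthNodeCRAM-MD5
"""


def find_unsupported_methods(lines):
    """Return one dict per 'Credential method not supported' audit entry."""
    hits = []
    for line in lines:
        m = AUDIT_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(hits):
    """Count rejections per (node, mechanism) so the failing pairing stands out."""
    return Counter((h["node"], h["mech"]) for h in hits)


if __name__ == "__main__":
    hits = find_unsupported_methods(SAMPLE_LOG.splitlines())
    for (node, mech), count in summarize(hits).items():
        print(f"{count} rejected {mech} attempt(s) at {node}")
    for h in hits:
        print(f"  {h['ts']} request {h['req']} record {h['record']} code {h['code']}")
```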
ASKER
Fair enough.
I am now working on issues with SMTP and webmail and a few others. If I can't get the solutions I will post a new q
Have you also joined your Mac workstations to AD? If they (the workstations) are not part of AD, the users cannot log on to a desktop.