itmanager223 asked:
OSX Lion Server and Active Directory Integration issues

Hey guys, I am having big issues with my new Lion server and AD integration.

I am integrating a copy of 10.7.3 with a Server 2008 AD infrastructure, single domain.

I am able to get the Lion server integrated perfectly and I can see all the users within Workgroup Manager. My problem stems from when I try to log in any user via webmail or a mail client. I always get "auth failed for od 127.0.0.1".

If I try to log in that same user to web iCal, it works perfectly and instantly.

I am really trying to figure this out and have been researching online for days now. I have followed Apple's white paper on "Best practices for integrating OS X Lion with Active Directory" with no luck.

I have also called AppleCare and they helped me to a certain point, but then mentioned that this is where AppleCare ends and I need to purchase per-incident support for further assistance.

Is anyone able to help, as I am unwilling to provide almost $700 for one incident of support to Apple?

Thanks,

Dani
Irwin W.:

So are your users part of AD, or are they part of OD?

Have you also joined your Mac workstations to AD? If they (the workstations) are not part of AD, the users cannot log on to a desktop.
itmanager223 (asker):

This has nothing to do with workstations. I am talking solely about Lion Server and Active Directory here. My users are in Active Directory.

Can you then post some of your system logs that show what is happening during the logon and the errors?

Open up your Console viewer and check the logs for errors around the same time you try to access those services.

OK, here is the log output when I try to log in.

This is from /var/log/opendirectoryd.log

2012-03-08 17:04:59.496 EST - Module: SystemCache - SweepInvoke: Expired cache entry for 'pw_name:dcela'
2012-03-08 17:04:59.669 EST - 1002.5962, Module: SystemCache - getpwnam_ext request, Name: dcela
2012-03-08 17:04:59.669 EST - Module: SystemCache - FetchFromCache - Looking for entry with key pw_name:dcela
2012-03-08 17:04:59.669 EST - Module: SystemCache - Cache_Fetch(pw_name:dcela) found invalid 0x10cf864c0
2012-03-08 17:04:59.669 EST - 1002.5962.5964, Module: SystemCache - ODQueryCreateWithNode request, NodeID: A7A9F21C-63EC-409F-9B19-437011FCFD39, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.669 EST - 1002.5962.5964.5965, Module: search - ODQueryCreateWithNode request, NodeID: 5E1A28C3-3355-4BB2-8049-4DB1C89820A5, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.672 EST - 1002.5962.5964.5967, Module: search - ODQueryCreateWithNode request, NodeID: 416F3840-8C93-41BF-95DF-9C95F48254E7, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.672 EST - 1002.5962.5964.5967, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=dcela)(cn=dcela)(mail=dcela)(altSecurityIdentities=dcela)))', baseDN - 'cn=users, dc=grey,dc=injjdowns,dc=com'
2012-03-08 17:04:59.673 EST - 1002.5962.5964.5969, Module: search - ODQueryCreateWithNode request, NodeID: 1D52F007-20E7-4152-BE28-50653B7F5DA5, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.673 EST - 1002.5962.5964.5969.5971, Module: ActiveDirectory - ODQueryCreateWithNode request, NodeID: 7E4C1FF7-9A36-4212-AD16-9AB7F3049D8F, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordName,dsAttrTypeStandard:Password,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:NFSHomeDirectory,dsAttrTypeStandard:UserShell,dsAttrTypeStandard:RealName,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:MailAttribute,dsAttrTypeStandard:EMailAddress,dsAttrTypeStandard:FirstName,dsAttrTypeStandard:LastName,dsAttrTypeStandard:RecordType, Max Results: 1
2012-03-08 17:04:59.674 EST - 1002.5962.5964.5969.5971, Node: /Active Directory/INJJDOWNS/Global Catalog, Module: ldap - query with filter - '(&(&(objectCategory=person)(objectClass=user))(|(|(sAMAccountName=dcela)(userPrincipalName=dcela@*))(displayName=dcela)(mail=dcela)(altSecurityIdentities=dcela)))', baseDN - ''
          "dcela@jjdowns.com"
2012-03-08 17:04:59.678 EST - Module: SystemCache - Cache_CreateEntry pw_name:dcela @0x10cf84ca0
2012-03-08 17:04:59.678 EST - Module: SystemCache - Cache_CreateEntry(pw_name:dcela -> 0x10cfad0f0
2012-03-08 17:04:59.678 EST - Module: SystemCache - AddEntryToCacheWithKeys(pw_name:dcela -> 0x10cfad0f0)
2012-03-08 17:04:59.678 EST - 1002.5974 - ODQueryCreateWithNode request, NodeID: EDE76E9B-51D3-4CBC-9779-E99089C30A0A, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.679 EST - 1002.5974.5975, Module: search - ODQueryCreateWithNode request, NodeID: 5E1A28C3-3355-4BB2-8049-4DB1C89820A5, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.680 EST - 1002.5974.5976, Module: search - ODQueryCreateWithNode request, NodeID: 416F3840-8C93-41BF-95DF-9C95F48254E7, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.681 EST - 1002.5974.5976, Node: /LDAPv3/127.0.0.1, Module: ldap - query with filter - '(&(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))(|(uid=dcela@jjdowns.com)(cn=dcela@jjdowns.com)(mail=dcela@jjdowns.com)(altSecurityIdentities=Kerberos:dcela@jjdowns.com)))', baseDN - 'cn=users, dc=grey,dc=injjdowns,dc=com'
2012-03-08 17:04:59.681 EST - 1002.5974.5977, Module: search - ODQueryCreateWithNode request, NodeID: 1D52F007-20E7-4152-BE28-50653B7F5DA5, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.681 EST - 1002.5974.5977.5978, Module: ActiveDirectory - ODQueryCreateWithNode request, NodeID: 7E4C1FF7-9A36-4212-AD16-9AB7F3049D8F, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela@jjdowns.com, Requested Attributes: dsAttributesStandardAll, Max Results: 1
2012-03-08 17:04:59.682 EST - 1002.5974.5977.5978, Node: /Active Directory/INJJDOWNS/Global Catalog, Module: ldap - query with filter - '(&(&(objectCategory=person)(objectClass=user))(|(|(sAMAccountName=dcela@jjdowns.com)(userPrincipalName=dcela@jjdowns.com@*))(displayName=dcela@jjdowns.com)(mail=dcela@jjdowns.com)(|(altSecurityIdentities=Kerberos:dcela@jjdowns.com)(userPrincipalName=dcela@jjdowns.com))))', baseDN - ''
2012-03-08 17:04:59.689 EST - 1002.5981 - ODRecordVerifyPasswordExtended request, NodeID: FA8AC090-0BF4-4C87-AA42-E0A0660462F6, RecordType: dsRecTypeStandard:Users, Record: dcela, MetaRecordName: CN=Dani Cela,CN=Users,DC=injjdowns,DC=com, AuthType: dsAuthMethodStandard:dsAuthNodeCRAM-MD5, Context: 00000000-0000-0000-0000-000000000000
2012-03-08 17:04:59.692 EST - 1002.5981.5982 - ODQueryCreateWithNode request, NodeID: FA8AC090-0BF4-4C87-AA42-E0A0660462F6, RecordType(s): dsRecTypeStandard:Users, Attribute: dsAttrTypeStandard:RecordName, MatchType: EqualTo, Equality: CaseIgnore, Value(s): dcela, Requested Attributes: dsAttrTypeStandard:AppleMetaRecordName,dsAttrTypeStandard:AuthenticationAuthority,dsAttrTypeStandard:PasswordPolicyOptions,dsAttrTypeStandard:Password,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:RecordType,dsAttrTypeNative:pwdLastSet,dsAttrTypeNative:accountExpires,dsAttrTypeNative:userAccountControl,dsAttrTypeStandard:RecordName, Max Results: 1
2012-03-08 17:04:59.693 EST - 1002.5981.5982, Node: /Active Directory/INJJDOWNS/injjdowns.com, Module: ldap - query with filter - '(&(&(objectCategory=person)(objectClass=user))(|(|(sAMAccountName=dcela)(userPrincipalName=dcela@*))(displayName=dcela)(mail=dcela)(altSecurityIdentities=dcela)))', baseDN - 'DC=injjdowns,DC=com'
2012-03-08 17:04:59.694 EST - 1002.5981, Node: /Active Directory/INJJDOWNS/injjdowns.com - Audit - Credential method not supported (5100) - Modify password for record type Users 'dcela' node '/Active Directory/INJJDOWNS/injjdowns.com', using method dsAuthNodeCRAM-MD5

Actually guys, I just figured it out.

If you look near the end of that log output:

2012-03-08 17:04:59.694 EST - 1002.5981, Node: /Active Directory/INJJDOWNS/injjdowns.com - Audit - Credential method not supported (5100) - Modify password for record type Users 'dcela' node '/Active Directory/INJJDOWNS/injjdowns.com', using method dsAuthNodeCRAM-MD5

Unsupported credential method "CRAM-MD5"

Once I turned CRAM-MD5 off for both SMTP and IMAP, I was able to log in instantly.

I knew it was something simple but did not know it was that simple.
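The audit line that resolved this thread is the kind of thing worth catching automatically on any AD-bound Lion Server. As an added example (not part of the original thread or any Apple tooling), the following Python script parses /var/log/opendirectoryd.log lines in the format shown above, pairs each "Credential method not supported (5100)" audit entry with the ODRecordVerifyPasswordExtended request that carries the same request id, and reports which SASL mechanism the mail service should stop offering. The sample log is constructed: the first two lines reproduce the request/audit pair quoted above, the third is a made-up request that uses a pass-through method and therefore produces no audit entry. The mapping from the OD method name to the mechanism name (dropping the "dsAuthNode" prefix) is a heuristic assumed here, not a documented rule.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the format of /var/log/opendirectoryd.log on 10.7.
# Lines 1-2 mirror the request/audit pair quoted in the thread; line 3 is a
# made-up request using a pass-through method (no audit line follows it).
SAMPLE_LOG = """\
2012-03-08 17:04:59.689 EST - 1002.5981 - ODRecordVerifyPasswordExtended request, NodeID: FA8AC090-0BF4-4C87-AA42-E0A0660462F6, RecordType: dsRecTypeStandard:Users, Record: dcela, MetaRecordName: CN=Dani Cela,CN=Users,DC=injjdowns,DC=com, AuthType: dsAuthMethodStandard:dsAuthNodeCRAM-MD5, Context: 00000000-0000-0000-0000-000000000000
2012-03-08 17:04:59.694 EST - 1002.5981, Node: /Active Directory/INJJDOWNS/injjdowns.com - Audit - Credential method not supported (5100) - Modify password for record type Users 'dcela' node '/Active Directory/INJJDOWNS/injjdowns.com', using method dsAuthNodeCRAM-MD5
2012-03-08 17:05:10.101 EST - 1002.6002 - ODRecordVerifyPasswordExtended request, NodeID: FA8AC090-0BF4-4C87-AA42-E0A0660462F6, RecordType: dsRecTypeStandard:Users, Record: dcela, MetaRecordName: CN=Dani Cela,CN=Users,DC=injjdowns,DC=com, AuthType: dsAuthMethodStandard:dsAuthNodeNativeClearTextOK, Context: 00000000-0000-0000-0000-000000000000
"""

# "<ts> - <request id> - ODRecordVerifyPasswordExtended request, ... Record: X, ... AuthType: Y, ..."
VERIFY_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) - (?P<req>[\d.]+) - ODRecordVerifyPasswordExtended request, "
    r".*?Record: (?P<record>[^,]+), .*?AuthType: (?P<auth_type>\S+?),"
)

# "<ts> - <request id>, Node: N - Audit - Credential method not supported (CODE) - ... using method M"
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) - (?P<req>[\d.]+), Node: (?P<node>.+?) - Audit - "
    r"Credential method not supported \((?P<code>\d+)\) - .*?record type (?P<rtype>\S+) "
    r"'(?P<record>[^']+)'.*?using method (?P<method>\S+)$"
)


def triage(log_text: str) -> List[Dict[str, object]]:
    """One finding per 'Credential method not supported' audit line, joined to
    the password-verify request that shares its request id (if present)."""
    requests: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            requests[m.group("req")] = m.groupdict()
            continue
        m = AUDIT_RE.match(line)
        if m:
            req = requests.get(m.group("req"), {})
            findings.append({
                "timestamp": m.group("ts"),
                "request": m.group("req"),
                "node": m.group("node"),
                "record": m.group("record"),
                "record_type": m.group("rtype"),
                "code": int(m.group("code")),
                "method": m.group("method"),
                "auth_type": req.get("auth_type"),  # None if the request line was not seen
            })
    return findings


def mechanisms_to_disable(findings: List[Dict[str, object]]) -> Set[str]:
    """Heuristic: the OD method 'dsAuthNodeCRAM-MD5' corresponds to the SASL
    mechanism 'CRAM-MD5' offered by the SMTP/IMAP services."""
    out: Set[str] = set()
    for f in findings:
        method = str(f["method"])
        out.add(method[len("dsAuthNode"):] if method.startswith("dsAuthNode") else method)
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['timestamp']} node={f['node']} user={f['record']} "
              f"rejected method {f['method']} (code {f['code']}), request AuthType={f['auth_type']}")
    print("Mechanisms to turn off in the mail service:", sorted(mechanisms_to_disable(found)))
```

The reason the audit entry appears at all: CRAM-MD5 is a challenge-response mechanism, so the side verifying the response must hold the user's plaintext password (or a secret derived from it) to compute the expected HMAC. An Active Directory node in Open Directory does not have that secret; it can only validate a password by passing it through to the domain controller, which is why the AD node rejects CRAM-MD5 with code 5100 while pass-through methods succeed. Running the script over a real log (`python3 triage.py < /var/log/opendirectoryd.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) surfaces the same mismatch without reading the whole file by hand.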
ASKER CERTIFIED SOLUTION by Irwin W.
Fair enough.

I am now working on issues with SMTP and webmail and a few others; if I can't get the solutions, I will post a new question.