[UniMacTech] OS X Server, Active Directory & "Unable to Add the Domain"
Terry Brady
tbrady at asia.apple.com
Tue Jan 20 13:57:44 EST 2009
Present best practice is to bind first to AD and only then create the
OD Master. If you do it in this order the assistant doesn't bother
creating a new kerb realm and KDC - it just sticks with AD's.
But if you want to host kerberised services on your Mac server you
have to also execute one command to get them using the appropriate
principals:
sudo dsconfigad -enablesso
On 20/01/2009, at 12:37 PM, Darryl Rosin <d.rosin at griffith.edu.au>
wrote:
>
> Got it working last night. I wasn't specifying the AD domain
> properly (I used the server.domain.griffith.edu.au instead of
> domain.griffith.edu.au) and my test server had a pre-existing
> stunnel connection existing as LDAPv3/127.0.0.1/ which was messing
> things up a bit. We'd tried browsing the AD with LDAPper, but it
> wants credentials for binding presented as
> user at domain.griffith.edu.au. So it was a couple of different things
> that looked like the same problem but weren't.
>
> We are now struggling a bit with trying to get authentication/user
> management/computer management all working together seamlessly, but
> that's not unexpected :^\
>
> Oh, one question: Do I need to explicitly join the OS X OD Master
> and the AD to the same Kerberos domain? Or does it magically happen
> as part of the binding?
>
> d
>
> Darryl Rosin
>
> Server Administrator, Digital Arts Project
> Griffith University AUC Developer Fund Coordinator
>
> Research Computing Services
> Division of Information Services
> South Bank Campus
> Griffith University 4111 Australia
>
> d.rosin at griffith.edu.au
> t: 04 1876 0956
>
> PRIVILEGED – PRIVATE AND CONFIDENTIAL
> This email and any files transmitted with it are intended solely for
> the use of the addressee(s) and may contain information which is
> confidential or privileged. If you receive this email and you are
> not the addressee(s) [or responsible for delivery of the email to
> the addressee(s)], please disregard the contents of the email,
> delete the email and notify the author immediately
>
>
> From: Terry Brady <tbrady at asia.apple.com>
> To: University Macintosh Technical Mailing List
> <unimactech at auc.edu.au>
> Date: 20/01/09 11:29 AM
> Subject: Re: [UniMacTech] OS X Server, Active Directory &
> "Unable to Add the Domain"
>
>
>
>
> Hi Darryl,
>
> Did you get this one sorted?
>
> TB
>
> On 15/01/2009, at 1:54 PM, Darryl Rosin wrote:
>
>
> Hello.
>
> I'm trying to add an Active Directory (Windows 2000 Mixed on Win
> 2003 Server) to an OS X 10.5.6 server. I'm using Directory Access,
> adding an Active Directory and hitting OK then I immediately get an
> error:
>
> "Unable to add the domain. There was no response from
> controller.ad-domain.griffith.edu.au. Please check the address you
> entered is correct"
>
> Any ideas what's going on? My OS X server has the right forward and
> back DNS entries, the times are synchronised and there are no
> blocked ports that I can see. Suggestions welcome.
>
> thanks!
>
> d
>
> Darryl Rosin
>
> Server Administrator, Digital Arts Project
> Griffith University AUC Developer Fund Coordinator
>
> Research Computing Services
> Division of Information Services
> South Bank Campus
> Griffith University 4111 Australia
>
> d.rosin at griffith.edu.au
> t: 04 1876 0956
>
> _______________________________________________
> unimactech mailing list
> unimactech at auc.edu.au
> http://www.auc.edu.au/mailman/listinfo/unimactech
>
>
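The mistake reported in the quoted message above (binding with a domain controller's host name instead of the AD domain name) can be caught before binding by checking for the domain's `_ldap._tcp` SRV records. This is an added example, not part of the original thread; the function names and the example.edu host names are made up, and the live wrapper assumes `dig` is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Constructed sample of `dig +short SRV _ldap._tcp.<name>` output; each
# line is "priority weight port target.". Host names are placeholders.
SAMPLE_DOMAIN_ANSWER='0 100 389 dc1.ad.example.edu.
0 100 389 dc2.ad.example.edu.'
SAMPLE_HOST_ANSWER=''   # a DC's own FQDN normally has no _ldap._tcp SRV set

# Read `dig +short SRV` output on stdin; print one target host per line,
# lower-cased and without the trailing dot. Non-SRV lines are ignored.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print tolower($4) }'
}

# classify_bind_name NAME ANSWER -> prints a verdict and returns:
#   0  NAME advertises domain controllers (usable as the AD domain)
#   1  no SRV records (likely a host name, a typo, or the wrong resolver)
classify_bind_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    targets=$(printf '%s\n' "$2" | srv_targets)
    if [ -z "$targets" ]; then
        echo "FAIL $name: no _ldap._tcp SRV records; host name instead of domain?"
        return 1
    fi
    echo "OK $name: domain controllers: $(echo $targets)"
    return 0
}

# Live wrapper: queries DNS, then applies the same classification.
check_bind_name() {
    classify_bind_name "$1" "$(dig +short SRV "_ldap._tcp.$1")"
}

# Offline demonstration on the constructed samples.
classify_bind_name "ad.example.edu" "$SAMPLE_DOMAIN_ANSWER"
classify_bind_name "dc1.ad.example.edu" "$SAMPLE_HOST_ANSWER" || true
```

On the server itself, `check_bind_name <name>` runs the same test against the resolver the bind will actually use.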