<html><body bgcolor="#FFFFFF"><div>Present best practice is to bind first to AD and only then create the OD Master. If you do it in this order the assistant doesn't bother creating a new kerb realm and KDC - it just sticks with AD's. </div><div><br></div><div>But if you want to host kerberised services on your Mac server you have to also execute one command to get them using the appropriate principals:</div><div><br></div><div>sudo dsconfigad -enablesso<br><br>On 20/01/2009, at 12:37 PM, Darryl Rosin <<a href="mailto:d.rosin@griffith.edu.au">d.rosin@griffith.edu.au</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>
<br><font size="2" face="sans-serif">Got it working last night. I wasn't
specifying the AD domain properly (I used the server.domain.griffith.edu.au
instead of domain.griffith.edu.au) and my test server had a pre-existing
stunnel connection existing as LDAPv3/127.0.0.1/ which was messing things
up a bit. We'd tried browsing the AD with LDAPper, but it wants credentials
for binding presented as <a href="mailto:user@domain.griffith.edu.au">user@domain.griffith.edu.au</a>. So it was a
couple of different things that looked like the same problem but weren't.</font>
<br>
<br><font size="2" face="sans-serif">We are now struggling a bit with trying
to get authentication/user management/computer management all working together
seamlessly, but that's not unexpected :^\</font>
<br>
<br><font size="2" face="sans-serif">Oh, one question: Do I need to explicitly
join the OS X OD Master and the AD to the same Kerberos domain? Or does
it magically happen as part of the binding?</font>
<br>
<br><font size="2" face="sans-serif">d<br>
<br>
Darryl Rosin<br>
<br>
Server Administrator, Digital Arts Project<br>
Griffith University AUC Developer Fund Coordinator<br>
<br>
Research Computing Services<br>
Division of Information Services<br>
South Bank Campus<br>
Griffith University 4111 Australia<br>
<br>
<a href="mailto:d.rosin@griffith.edu.au">d.rosin@griffith.edu.au</a><br>
t: 04 1876 0956<br>
<br>
PRIVILEGED – PRIVATE AND CONFIDENTIAL<br>
This email and any files transmitted with it are intended solely for the
use of the addressee(s) and may contain information which is confidential
or privileged. If you receive this email and you are not the addressee(s)
[or responsible for delivery of the email to the addressee(s)], please
disregard the contents of the email, delete the email and notify the author
immediately</font>
<br>
<br>
<br>
<table width="100%">
<tbody><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">From:</font>
</td><td><font size="1" face="sans-serif">Terry Brady <<a href="mailto:tbrady@asia.apple.com">tbrady@asia.apple.com</a>></font>
</td></tr><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">To:</font>
</td><td><font size="1" face="sans-serif">University Macintosh Technical Mailing
List <<a href="mailto:unimactech@auc.edu.au">unimactech@auc.edu.au</a>></font>
</td></tr><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">Date:</font>
</td><td><font size="1" face="sans-serif">20/01/09 11:29 AM</font>
</td></tr><tr valign="top">
<td><font size="1" color="#5f5f5f" face="sans-serif">Subject:</font>
</td><td><font size="1" face="sans-serif">Re: [UniMacTech] OS X Server,
Active Directory & "Unable to Add
the Domain"</font></td></tr></tbody></table>
<br>
<hr noshade="">
<br>
<br>
<br><font size="3">Hi Darryl,</font>
<br>
<br><font size="3">Did you get this one sorted?</font>
<br>
<br><font size="3">TB</font>
<br>
<br><font size="3">On 15/01/2009, at 1:54 PM, Darryl Rosin wrote:</font>
<br>
<br><font size="2" face="sans-serif"><br>
Hello.</font><font size="3"> <br>
</font><font size="2" face="sans-serif"><br>
I'm trying to add an Active Directory (Windows 2000 Mixed on Win 2003 Server)
to an OS X 10.5.6 server. I'm using Directory Access, adding an Active
Directory and hitting OK then I immediately get an error:</font><font size="3">
<br>
</font><font size="2" face="sans-serif"><br>
"Unable to add the domain. There was no response from controller.ad-domain.griffith.edu.au.
Please check the address you entered is correct"</font><font size="3"><br>
</font><font size="2" face="sans-serif"><br>
Any ideas what's going on? My OS X server has the right forward and back
DNS entries, the times are synchronised and there are no blocked ports
that I can see. Suggestions welcome.</font><font size="3"> <br>
</font><font size="2" face="sans-serif"><br>
Thanks!</font><font size="3"> <br>
</font><font size="2" face="sans-serif"><br>
d<br>
<br>
Darryl Rosin<br>
<br>
Server Administrator, Digital Arts Project<br>
Griffith University AUC Developer Fund Coordinator<br>
<br>
Research Computing Services<br>
Division of Information Services<br>
South Bank Campus<br>
Griffith University 4111 Australia<br>
</font><font size="2" color="blue" face="sans-serif"><u><br>
</u></font><a href="mailto:d.rosin@griffith.edu.au"><font size="2" color="blue" face="sans-serif"><u>d.rosin@griffith.edu.au</u></font></a><font size="2" face="sans-serif"><br>
t: 04 1876 0956<br>
<br>
</font><font size="3"> _______________________________________________<br>
unimactech mailing list</font><font size="3" color="blue"><u><br>
</u></font><a href="mailto:unimactech@auc.edu.au"><font size="3" color="blue"><u>unimactech@auc.edu.au</u></font></a><font size="3"><br>
</font><a href="http://www.auc.edu.au/mailman/listinfo/unimactech"><font size="3">http://www.auc.edu.au/mailman/listinfo/unimactech</font></a>
<br>
<br>
</div></blockquote></body></html>