Re: Mac OSX Active Directory Connection
- From: Barry Johns <b.johns@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 21 Jul 2005 10:58:28 +0100
Hi William,
Thank you for your assistance. I may be a little out of my depth here, hope
you don't mind but I'd like to ask you a few more questions.
What user account does the Mac use to bind to the AD is it the Mac user
account or an account created within Active Directory on the 2003 server?
Am I right to use the Server 2003 Administrator account when prompted for
the Network Administrator details?
How do I alter the privileges of a user account, is it within the Active
Directory Users and Computers on the Server or from somewhere else?
I have created a computer called BARRYMAC within the Computers container
within Active Directory Users and Computers on the Server and this is what
I've entered into Computer ID in the Directory Access on the Mac?
Please excuse my ignorance.
Many Thanks.
Barry
On 21/7/05 4:11 am, in article
mecklists-CCECA8.22114620072005@xxxxxxxxxxxxxxxxxxxx, "William Smith"
<mecklists@xxxxxxxxxxxxxxxxxxxx> wrote:
> In article <BF043862.722A%b.johns@xxxxxxxxxxxxxxxxxxxxx>,
> Barry Johns <b.johns@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> I'm trying to connect a Mac running OSX 10.3.9 to an Active Directory on a
>> 2003 Server using Directory Access. When I click on bind I get prompted for
>> the Network Administrator Username and Password. Here I enter the 2003
>> Server's Administrator account details. It goes through the motion of
>> binding but then responds with:
>>
>> Insufficient Privileges
>>
>> The administrator account you specified does not have the appropriate
>> privileges to perform the requested operation.
>>
>> Can anyone give me any ideas what I'm doing wrong.
>>
>> Many Thanks in advance.
>
> Hi Barry!
>
> I can only offer you my experiences with this same problem. Sincerely
> hope something here will help.
>
> I researched three potential solutions and worked with our AD dude to
> implement one of these recently. It seems to have really helped, but
> isn't yet 100%.
>
> First, Macs must be time synced within 5 minutes of the domain. If they
> aren't, the AD binding will most likely fail.
>
> Otherwise of the options below, we've so far done #1 and none of the
> others yet.
>
> 1. If the user account of the person trying to bind the Mac to AD is a
> member of too many groups (security groups but possibly also
> distribution groups) then the Kerberos ticket may be large and get
> truncated during the binding process. Create a new user account with
> privileges to only bind the Mac and add it to few, if any, groups.
>
> 2. Macs may have a problem with users placed into nested groups. (This
> will only apply to AD domains in native mode.) Microsoft's best
> practices stipulate that global groups should be placed into local
> groups and then local groups should be granted privileges to an object,
> such as the Computers container or whatever OU you're trying to create
> the new object in. Try granting privileges to the object in AD directly
> to the user instead of nesting the user in groups.
>
> 3. The user account binding the Mac to AD should need "Create Objects"
> permission for the container or OU. You may want to test a user with
> full-blown permissions to an AD object to see if you have a permissions
> issue. You can restrict permissions from there if this works reliably.
>
> Also have a look at this link for another idea.
> <http://macenterprise.org/content/view/157/84/>
>
> With that said, we're still testing and I've even had our AD dude, who
> is an Enterprise Administrator, try and fail to bind a Mac. This means
> that there is probably more than a permissions issue happening here.
>
> I've found that if I am able to bind a machine right after I've built it
> and it works, then that machine will allow me to always bind and unbind.
> But if I fail the first time, I can never bind the machine and I have to
> rebuild.
>
> I also learned a great way for creating a log file and suggest you use
> this to help troubleshoot.
>
> Get the Mac ready to bind. Fill in all the blanks and get to the point
> where you're ready to bind. Then from another Mac (not the same Mac)
> open an SSH session and enter:
>
> sudo killall -USR1 DirectoryService
>
> You'll go into debug logging mode for five minutes. Then enter the
> following on one line and hit the Return key.
>
> tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug
>
> After hitting return you'll see nothing happen. Go to the other Mac and
> start the binding process. You should see the Terminal fill with a few
> dozen lines of connection information. It's extremely insightful.
>
> Our error was LDAP error -81, which is a generic error. But maybe yours
> will be more intelligent.
>
> Hope this helps! bill
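As an added example that is not part of the thread (my script, not Barry's or William's), the checks below package the two things the reply leans on: the 5-minute Kerberos clock-skew limit, and pulling the ADPlug lines and their LDAP error codes out of the DirectoryService debug log that `killall -USR1 DirectoryService` produces. The domain, host names and the sample log lines are constructed placeholders; `live_bind_debug` is the over-SSH capture from the reply and is only meant to be run on the Mac being bound.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Pre-bind checks for a Mac joining Active Directory, plus a filter for
# the DirectoryService debug log. Host names, domain and log lines are
# constructed placeholders.

# AD rejects Kerberos traffic when the clocks differ by more than 5 minutes.
MAX_SKEW_SECONDS=300

# skew_ok LOCAL_EPOCH DC_EPOCH
# Succeeds when the Mac's clock and the DC's clock are within
# MAX_SKEW_SECONDS of each other (in either direction).
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW_SECONDS" ]
}

# ad_errors LOGFILE
# Prints the distinct LDAP error codes that the AD plug-in (ADPlug) logged,
# ignoring lines from other DirectoryService components. LC_ALL=C keeps the
# sort order stable across locales.
ad_errors() {
    grep ADPlug "$1" | grep -o 'LDAP error -\{0,1\}[0-9]\{1,\}' | LC_ALL=C sort -u
}

# live_bind_debug
# The capture described in the reply: run this over SSH from a second Mac,
# then click Bind on the first one. Needs root on the Mac being bound.
live_bind_debug() {
    sudo killall -USR1 DirectoryService   # debug logging for five minutes
    tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug
}

# --- demo on constructed data -------------------------------------------
LOG=$(mktemp /tmp/dsdebug.XXXXXX)
cat > "$LOG" <<'EOF'
2005-07-21 10:58:01 ADPlug: Binding to domain EXAMPLE.LOCAL
2005-07-21 10:58:01 ADPlug: LDAP bind to dc1.example.local as EXAMPLE\binduser
2005-07-21 10:58:02 ADPlug: Create computer object failed, LDAP error -81
2005-07-21 10:58:02 DSAgent: unrelated noise, LDAP error -1
2005-07-21 10:58:03 ADPlug: Retrying, LDAP error -81
EOF

# Mac clock vs. DC clock, 182 seconds apart: inside the 300-second window.
if skew_ok 1121939882 1121939700; then
    echo "clock skew OK"
else
    echo "clock skew too large: fix NTP before binding"
fi

echo "ADPlug LDAP errors seen:"
ad_errors "$LOG"
rm -f "$LOG"
```

To feed `skew_ok` real numbers, take `date +%s` on the Mac and the same from the domain controller (or, on the Mac, let `ntpdate -q <dc>` report the offset directly and compare that against 300 seconds). If `ad_errors` only ever shows the generic -81 that William hit, the debug log still tells you which DC and which bind account the plug-in used, which is usually enough to spot a wrong account or an unreachable DC.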
- Follow-Ups:
- Re: Mac OSX Active Directory Connection
- From: William Smith
- Re: Mac OSX Active Directory Connection
- References:
- Mac OSX Active Directory Connection
- From: Barry Johns
- Re: Mac OSX Active Directory Connection
- From: William Smith
- Mac OSX Active Directory Connection