Just checked the MacWindows.com web site and found this recent issue on one of Apple's updates for Panther: http://www.macwindows.com/AD.html#032905

Apple 2005-003 Update causes AD binding problem
March 25, 2005

John Skinner reports that Apple Security Update 2005-003 for Mac OS X has caused problems with binding to Active Directory. He also offers a workaround:

I've been using Apple's Active Directory plug-in for Directory Services to "bind" a Mac to an Active Directory (AD) computer account ever since 10.3 came out. It has worked like a charm! Users with an AD user account (in a specified AD group) could log on to a Mac that they never had before, and would have a local account created for them with administrative rights on the Mac! They could connect to network file shares without authenticating for each connection.

Now, after the latest 003 update, trying to bind a Mac to an AD computer account stopped working! It gave me an error at the last stage of the bind saying that the user account didn't have sufficient privileges (referring to the AD user account I supplied) to join the Mac to the AD computer account.

So, I called up a network administrator to help me troubleshoot it, and here is what we found out. When you create the computer account in AD, just like always, it inherits the permissions of the OU it was created in. The admin group I am a member of has full permissions on this OU, so the group was added to the computer account with full permissions.

Before the Apple Security Update 2005-003: The Apple AD plug-in would be fine with this and realize that the AD user account supplied during the bind was in an AD group that had sufficient permission to join the Mac to the AD computer account.

After the Apple Security Update 2005-003: The Apple AD plug-in will not check to see if the AD user account supplied during the bind is a member of an AD group with sufficient permissions to join a Mac to the AD computer account.

THE FIX: The way we were able to get around this was to give my AD user account full permissions for the AD computer account I was trying to bind the Mac to.
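Added example, not from the thread or from Apple's plug-in: a PowerShell audit (assumes the ActiveDirectory RSAT module; the computer and user names are placeholders) that reads the computer object's ACL and reports, for each ACE granting the bind account write-level rights, whether it comes from a direct user ACE or only through group membership, which is the distinction Skinner's report says the updated plug-in stopped honouring.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT).
# Placeholders: replace with the computer account and the AD user supplied during the bind.
Import-Module ActiveDirectory

$ComputerName = 'MACLAB01'      # placeholder computer account
$BindUser     = 'jskinner'      # placeholder bind user

$computer = Get-ADComputer -Identity $ComputerName
$user     = Get-ADUser -Identity $BindUser

# Every group the user belongs to, nested groups included (LDAP_MATCHING_RULE_IN_CHAIN).
$groupSids = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    ForEach-Object { $_.SID.Value }

# Rights broad enough to modify the computer object during a join.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

# The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.ActiveDirectoryRights -notmatch $writeRights) { continue }
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # orphaned SID that no longer resolves; skip it

    $via = if ($sid -eq $user.SID.Value)    { 'direct user ACE' }
           elseif ($groupSids -contains $sid) { 'group membership' }
           else { $null }
    if ($via) {
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited   # true when it came down from the OU
            GrantedVia = $via
        }
    }
}
```

If every row reads "group membership" and the bind still fails with "Insufficient Privileges", you are seeing the behaviour Skinner describes; a direct ACE scoped to the specific write rights a join needs is a narrower workaround than granting the user Full Control on the object.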
---------------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Thursday, April 07, 2005 4:37 PM
To: [email protected]
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

I'm quite certain about both of those, esp. Mac FS and ADmitMac.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

________________________________
From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Thu 4/7/2005 11:35 AM
To: [email protected]
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Are you sure that he is not using ADmitMac on the Mac clients? To my knowledge the version of Samba (www.samba.org) in Panther does not support authentication using NTLMv2; please look at the Panther vs. ADmitMac comparison at: http://www.thursby.com/products/admitmac-vs-panther.html

Can you ask your admin which Apple doc he used to get this to work? Are you sure that he is not just using Macintosh file service (NT has had this since NT 3.51, and it supported EtherTalk) on the Windows servers? If so, this is not the same thing that we are trying to accomplish with Active Directory member server binding.

Thank you for looking into this!

Regards,
Jose Medeiros
www.ntea.net
www.sfntug.org

-----------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Thursday, April 07, 2005 9:15 AM
To: [email protected]
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose-

It's a mix of 2k and 2k3 DCs, 2k native mode. Domain policy is not to require SMB signing, but to request it. As far as LM, it's require NTLMv2 or better.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

________________________________
From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Thu 4/7/2005 10:29 AM
To: [email protected]
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Brian,

What version of Active Directory are you using? Did he have to turn off SMB signing and enable LAN Manager?

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, April 06, 2005 10:22 PM
To: [email protected]
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Jose & Matt-

This won't help you from a how-to standpoint, but I can tell you for a fact that my Mac guy has our 10.3 X boxes on the domain. Took him a while to figure it all out, but it does work...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

________________________________
From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 4/6/2005 8:16 PM
To: [email protected]
Subject: RE: [ActiveDir] MacOSX Active Directory Plug-in

Hi Matt,

I also have a Mac running Mac OS 10.3.8 and have also tried adding my Mac to a 2003 Active Directory domain, to no avail. I just can't get it to bind as a member workstation. However, I have used ADmitMac by Thursby Software; it works like a charm, and it supports NTLMv2, SMB signing and Kerberos-based tickets. The URLs for Thursby are: http://www.thursby.com/ and http://www.thursby.com/products/admitmac-vs-panther.html

With that said, let me give you a URL that you may also want to try: http://www.macwindows.com/ . If you figure out a way to get it to work without ADmitMac, please let me know, as I am very interested.

I hope this helps!

Sincerely,
Jose Medeiros MCP+I, MCSE, MCT
www.ntea.net
www.sfntug.org

---------------------------------------------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown
Sent: Wednesday, April 06, 2005 9:29 AM
To: [email protected]
Subject: [ActiveDir] MacOSX Active Directory Plug-in

When adding Macs to Active Directory using the Mac AD Directory Services Plug-in, I can do it just fine using my Domain Admin account. But when I try to add the machine using an account in the group with privileges to add to the domain, I get an error saying "Insufficient Privileges". Anybody seen this or know of a privilege I need to set? All of my lab managers on campus are in the group that can add computers to the domain, and it works fine for the PCs.

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
