This document describes changes, updates, and workarounds for Directory Services for Mac OS X Server v10.5.
Converting Scripts for Leopard
Checking/Manipulating the DS SearchPath from the CLI
Removing "DisabledUser" Cached Accounts Script-o-matically
Turning on DS Debugging
NTLM/SMB Client Authentication to AD Checklist
Converting Scripts for Leopard
The following commands are no longer available in Leopard:
lookupd
memberd
nigrep
nicl
niutil
niload
nidump
Here is an example of a script that will not work in Leopard because it uses the nigrep and nicl commands. The script is intended to remove cached mobile user accounts from the local node.
#!/bin/sh
# Script to remove cached accounts in the local DS node
# Run this script as root or with sudo
# This will not run in Leopard!
# get a list of all users with an authauthority containing "LocalCachedUser"
nigrep 'LocalCachedUser' / /users | while read dirid userpath authauth authtype; do
    # figure out the path to the record in the local node
    echo $userpath | tr -d : | while read nipath; do
        nicl / -delete $nipath # delete the cached account
    done
done
To do the same thing without nigrep and nicl, we substitute dscl:
#!/bin/sh
# Script to remove cached accounts in the local DS node
# This should work in both Tiger and Leopard
# Run this script as root or with sudo
# dscl searching only does exact matches, so we list the records and pipe them
# through grep to find the ones we want. The first column of the listing is the
# user name, which we pull out with awk. tr turns the line endings into spaces
# so the result is one long string for the for loop.
for cuser in `dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}' | tr '\n' ' '`; do
    dscl . -delete /Users/$cuser # now we delete the record using dscl
done
Checking/Manipulating the DS SearchPath from the CLI
To see what nodes are in your search path, run dscl /Search -read / and look at what is listed for the CSPSearchPath attribute. To add nodes to the search path:
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath /Active\ Directory/All\ Domains
Don't forget to escape spaces with a backslash or use quotes around values with spaces ("/Active Directory/All Domains"). To change the order of the nodes, change the index of the node in the CSPSearchPath list:
dscl localhost changei /Search CSPSearchPath 1 /LDAPv3/moof.apple.com
dscl localhost changei /Search CSPSearchPath 2 /LDAPv3/foom.apple.com
Indexing starts at 0, but the node at index 0 will always be the local node. This is not editable. An index of 1 is the first non-local node in the list. In the above example, your authentication path would be:
Default Local Node (Netinfo or DSLocal)
/LDAPv3/moof.apple.com
/LDAPv3/foom.apple.com
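Added example (not part of Apple's note): a small audit of the search path built on the dscl -read output described above. Search order is a security boundary: the first node in the list that returns a record for a name answers the lookup and the authentication, so a node you did not add, or one that was moved ahead of yours, can shadow your accounts. SAMPLE_READ is a constructed sample of `dscl /Search -read / CSPSearchPath` output using the moof-style node names from this section; the single-line and indented multi-line output forms are an assumption about how dscl prints multi-valued attributes, and /BSD/local is assumed to sit after the local node.

```shell
#!/bin/sh
# Added example, not from the original note. SAMPLE_READ is a constructed sample
# of `dscl /Search -read / CSPSearchPath` output. Assumed output forms: all values
# on the key line when none contains a space, otherwise one indented value per line.
SAMPLE_READ='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/moof.apple.com
 /Active Directory/All Domains'

# parse_search_path: read dscl -read output on stdin, print one node path per
# line in search order (position 0 first).
parse_search_path() {
    awk '
        /^CSPSearchPath:/ {
            sub(/^CSPSearchPath:[ \t]*/, "")
            if (length($0) > 0) {           # single-line form
                n = split($0, v, " ")
                for (i = 1; i <= n; i++) print v[i]
            }
            inattr = 1; next
        }
        inattr && /^ / { sub(/^ /, ""); print; next }   # multi-line form
        { inattr = 0 }
    '
}

# node_index: print the 0-based position of node $2 in the newline-separated
# list $1, or nothing if it is absent. Position 0 is always the local node;
# 1 is the first position you can hand to `dscl localhost changei`.
node_index() {
    printf '%s\n' "$1" | awk -v want="$2" '$0 == want { print NR - 1; exit }'
}

# unexpected_nodes: print every node of the actual list $2 that is missing from
# the allowlist $1 (both newline-separated). Any output is a finding: a node you
# did not put there can answer lookups and authentications for your users.
unexpected_nodes() {
    printf '%s\n' "$2" | while IFS= read -r node; do
        printf '%s\n' "$1" | grep -Fxq -- "$node" || printf '%s\n' "$node"
    done
}

# Live use:
#   ACTUAL=$(dscl /Search -read / CSPSearchPath | parse_search_path)
#   unexpected_nodes "$(printf '/Local/Default\n/BSD/local\n/LDAPv3/moof.apple.com\n')" "$ACTUAL"
```

The allowlist you pass to unexpected_nodes should be kept with your server build notes, not derived from the machine being checked; the point is to catch a node that appeared without you adding it.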
Removing "DisabledUser" Cached Accounts Script-o-matically
#!/bin/sh
# This should work in both Tiger and Leopard
# Run this script as root or with sudo
for cuser in `dscl . -list /Users AuthenticationAuthority | grep DisabledUser | awk '{print $1}' | tr '\n' ' '`; do
    dscl . -delete /Users/$cuser
done
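As an added example (not part of Apple's note), the filtering that both dscl scripts above rely on, done a little more carefully. `grep LocalCachedUser` matches the tag anywhere on the line, including in the user name, so an account that happens to be called LocalCachedUserTest would be deleted along with the cached ones. The helper below looks for the tag only inside the AuthenticationAuthority values, and the removal wrapper only reports what it would delete unless told to go ahead. SAMPLE_LIST is a constructed stand-in for `dscl . -list /Users AuthenticationAuthority` output; the user names and hash strings in it are made up.

```shell
#!/bin/sh
# Added example, not from the original note. SAMPLE_LIST is a constructed
# stand-in for the output of `dscl . -list /Users AuthenticationAuthority`:
# user name in the first column, one or more authority values after it.
SAMPLE_LIST='admin               ;ShadowHash;HASHLIST:<SALTED-SHA1> ;Kerberosv5;;admin@LKDC:SHA1.1234;LKDC:SHA1.1234
bob                 ;LocalCachedUser;/LDAPv3/moof.apple.com:bob:A1B2 ;ShadowHash;HASHLIST:<SALTED-SHA1>
LocalCachedUserTest ;ShadowHash;HASHLIST:<SALTED-SHA1>
carol               ;DisabledUser;;LocalCachedUser;/LDAPv3/moof.apple.com:carol:C3D4 ;ShadowHash;HASHLIST:<SALTED-SHA1>
dave                ;DisabledUser;;ShadowHash;HASHLIST:<SALTED-SHA1>'

# users_with_authority: read dscl -list output on stdin and print the names of
# users whose AuthenticationAuthority contains the tag ";$1;" (for example
# LocalCachedUser or DisabledUser). The user name column is never searched.
users_with_authority() {
    awk -v tag=";$1;" '
        {
            for (i = 2; i <= NF; i++)
                if (index($i, tag) > 0) { print $1; break }
        }
    '
}

# remove_users_with_authority: delete every local user carrying the tag $1.
# Only prints what it would delete unless $2 is "delete". Run as root or with sudo.
remove_users_with_authority() {
    dscl . -list /Users AuthenticationAuthority | users_with_authority "$1" |
    while IFS= read -r user; do
        if [ "$2" = "delete" ]; then
            dscl . -delete "/Users/$user"
        else
            echo "would delete /Users/$user"
        fi
    done
}

# Usage:
#   remove_users_with_authority LocalCachedUser         # dry run, lists targets
#   remove_users_with_authority DisabledUser delete     # really deletes them
```

Run the dry run first and read the list; dscl -delete removes the record immediately and there is no undo short of restoring the local node from a backup.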
Turning on DS Debugging
To turn debug logging on (or off again) for the running DirectoryService daemon, send it SIGUSR1; each signal toggles the setting:
sudo killall -USR1 DirectoryService
Start debugging automatically at startup:
touch /Library/Preferences/DirectoryService/.DSLogDebugAtStart
Log file:
/Library/Logs/DirectoryService/DirectoryService.debug.log
The debug log records directory lookups in detail and grows quickly, so turn logging off and remove the .DSLogDebugAtStart file when you are finished troubleshooting.
NTLM/SMB Client Authentication to AD Checklist
Testing authentication of a user against a directory node. dirt takes the password on the command line, so it is visible in ps output and ends up in your shell history; use a test account and clear the history afterwards.
Standard authentication:
dirt -u username -p password
NTLM authentication:
dirt -u username -p password -a nt
Troubleshooting:
- Run dsconfigad -enablesso after binding
- Verify the following options in /etc/smb.conf. The # notes are annotations for this document: smb.conf only treats a whole line beginning with # or ; as a comment, so do not paste them onto the parameter lines.
workgroup = ETS # this should be the NetBIOS name of your AD domain
security = ads # use "ads" for this value -- "domain" will periodically change the computer trust account password and break your binding to AD
netbios name = bog # this should be the same as the computer name you used in Directory Access/Directory Utility to bind to AD
use spnego = yes # this should always be "yes" -- it enables negotiation of the authentication methods
realm = ETS.APPLE.COM # this should be your AD domain in all caps -- it is case sensitive!
- Verify that winbindd is running on the OS X Server. There should be two winbindd processes. If it is not running, start it:
/usr/sbin/winbindd -s /Library/Preferences/DirectoryService/winbindd.conf
- Verify that samba and the AD plugin are using the same machine trust account password.
Step 1: Get the password that the AD plugin is using. In the /Library/Preferences/DirectoryService/ActiveDirectory.plist file, look for the section that looks like:
<key>AD Computer Password</key>
<data>
ZW5jb2RlIG1lCg==
</data>
Step 2: The data field is base64 encoded. base64 is an encoding, not encryption: anyone who can read that plist can recover the trust account password, so keep the file readable by root only and do not paste the value into tickets or mail. Decode it:
echo "ZW5jb2RlIG1lCg==" | openssl enc -base64 -d
If the data value is wrapped over several lines in the plist, join them into one line and add -A to the openssl command.
Step 3: Now compare it with the value stored by samba in /var/db/samba/secrets.tdb:
sudo tdbdump /var/db/samba/secrets.tdb
You should see a record that looks like:
{
key = "SECRETS/MACHINE_PASSWORD/ETS"
data = ",X2IgQ9sIgpByU"
}
If the data value here does not match the value you got from step 2, reset it:
sudo net -f changesecretpw
When prompted for a password, enter the value that was returned by step 2.
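The three steps above, as an added example that is not Apple's code: it pulls the trust password out of the plist, pulls the one Samba holds out of the tdbdump output, and compares them, failing closed when either value cannot be found. AD_PLIST and TDBDUMP are constructed samples, not captured from a server; the password in them is made up. The parser assumes the layouts shown in the note (the password as a base64 <data> element right after the "AD Computer Password" key; tdbdump printing a key line followed by a data line per record, with the string terminator shown as \00). If your ActiveDirectory.plist is in binary format, convert it with plutil -convert xml1 before feeding it in.

```shell
#!/bin/sh
# Added example, not Apple's code. AD_PLIST and TDBDUMP are constructed samples
# of /Library/Preferences/DirectoryService/ActiveDirectory.plist and of
# `tdbdump /var/db/samba/secrets.tdb`; "Trust42pw" is a made-up password.
# Assumed formats: a <data> element directly after the "AD Computer Password"
# key; one "key = ..." line then one "data = ..." line per tdbdump record,
# with the C string terminator printed as \00 ("key(len) = ..." also passes).
AD_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AD Computer Password</key>
    <data>
    VHJ1c3Q0MnB3
    </data>
</dict>
</plist>'

TDBDUMP='{
key = "SECRETS/MACHINE_LAST_CHANGE_TIME/ETS"
data = "\F7\A1\54\46"
}
{
key = "SECRETS/MACHINE_PASSWORD/ETS"
data = "Trust42pw\00"
}'

# ad_plugin_password: decode the base64 <data> that follows the
# "AD Computer Password" key in the plist text $1 (inline or multi-line data).
ad_plugin_password() {
    printf '%s\n' "$1" | awk '
        /<key>AD Computer Password<\/key>/ { want = 1; next }
        want && /<data>.*<\/data>/ {          # value on the same line
            sub(/.*<data>/, ""); sub(/<\/data>.*/, ""); gsub(/[ \t]/, "")
            printf "%s", $0; exit
        }
        want && /<data>/ { grab = 1; next }   # value on the following line(s)
        grab && /<\/data>/ { exit }
        grab { gsub(/[ \t]/, ""); printf "%s", $0 }
        END { printf "\n" }
    ' | openssl enc -base64 -d -A
}

# samba_machine_password: print the machine password for domain $2 from the
# tdbdump text $1, without the trailing \00. Bytes tdbdump escapes as \XX are
# left escaped, so a password with non-printable bytes needs a manual look.
samba_machine_password() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        index($0, "\"SECRETS/MACHINE_PASSWORD/" dom "\"") { found = 1; next }
        found && /^[ \t]*data/ {
            sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); sub(/\\00$/, "")
            print; exit
        }
    '
}

# trust_passwords_match: succeed only when the plugin value was found and
# equals what Samba holds for domain $3. An empty plugin value never matches.
trust_passwords_match() {
    ad=$(ad_plugin_password "$1")
    smb=$(samba_machine_password "$2" "$3")
    [ -n "$ad" ] && [ "$ad" = "$smb" ]
}

# Live use, as root (domain is the short NetBIOS name, as in the tdb key):
#   trust_passwords_match "$(cat /Library/Preferences/DirectoryService/ActiveDirectory.plist)" \
#       "$(tdbdump /var/db/samba/secrets.tdb)" ETS && echo match || echo MISMATCH
```

When the check reports a mismatch, the fix is the one the note gives: run net -f changesecretpw and enter the plugin's value, then rerun the check rather than trusting the next login to tell you.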
© 2007 Apple Inc. All Rights Reserved. (Last updated: 2007-06-08)