10.8 OD/AD / Magic Triangle?

undercover

Hey everyone. I'm curious for those who have upgraded to 10.8 how you set up your user/group accounts. Are you using AD only? AD/OD Magic Triangle (does this still work?).

I just installed 10.8 server on a test box, but the OD setup is confusing me.

matx

Both 10.7 and 10.8 changed things a bit (a LOT!!) from the 10.6 days.

http://help.apple.com/advancedserveradmin/mac/10.8/

keithkoby

10.7.5 here... We are to the point where enough things have started breaking/misbehaving that the problems are outweighing the benefits of OD/AD magic triangulation. We're giving up the reins to IT and going straight AD soon. chmoding the permissions and establishing AD groups and users in some cases takes time on a volume that is in production.

brianwells

We use an OD/AD setup, but the OD server is only used for a few server-side users and groups as well as Managed Preferences on computers with older versions of OS X.

All the end-user permissions are 100% Active Directory and we continually have problems where the video edit stations are sometimes not able to resolve ACLs on Xsan. The user will call and complain about the Xsan volume appearing with no access.

Upgrading to 10.8 has greatly improved the situation, but it has not yet been resolved.

abstractrude

Brian, try this Ruby script.
http://support.apple.com/kb/TS3556?viewlocale=en_US&locale=en_US

You may need to tweak it a bit to make things kosher, but you get the idea.

-Trevor Carlson
THUMBWAR

undercover

keithkoby wrote:
10.7.5 here... We are to the point where enough things have started breaking/misbehaving that the problems are outweighing the benefits of OD/AD magic triangulation. We're giving up the reins to IT and going straight AD soon. chmoding the permissions and establishing AD groups and users in some cases takes time on a volume that is in production.

By "chmoding" you mean using POSIX only, correct?

Abstract, you are a seasoned veteran, what are you suggesting these days?

abstractrude

Well, if your problem is that sometimes the volume comes up with a - on it, it's mounting faster than directory services, so follow my article and modify it to your needs. You probably can get the job done using launchd, though.

-Trevor Carlson
THUMBWAR

keithkoby

Quote:
By "chmoding" you mean using POSIX only, correct?

No. I was using chmod -RN to nuke all ACLs and then going through the 10.7 server GUI and terminal to re-add just AD groups. We actually had to put back OD groups on the POSIX group because we need the local admin account on FCS and a few other servers to continue reading for a little while longer.

The 10.7 and 10.8 server apps are not as good with applying permissions. They took out the little allow/deny switch, so now you have to add the deny ACLs with terminal. Once you've added the deny ACLs with terminal, you can adjust them in the GUI and that works just fine. You just have no way of knowing (except memory) if you are adjusting a deny or an allow ACL without going back to terminal.

We rely on deny ACLs for maintaining order on the san, so it is important for us.
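The strip-and-re-add workflow and the deny/allow audit described above, as an added shell example (not from the thread or from Apple): it assumes macOS chmod/ls ACL syntax, and the path, AD group names and the ls -le listing are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Rebuilds a folder's ACL the way
# keithkoby describes (strip everything, re-add the AD group, add the deny
# entry from the command line) and audits which entries are deny vs allow,
# the information the 10.7/10.8 Server GUI no longer shows.
# Assumes macOS chmod/ls ACL syntax (chmod -RN, chmod +a, chmod +a#, ls -le).
# Paths, group names and the sample listing are constructed placeholders.

# Emit the commands for PATH and AD group GROUP, one per line. Order matters:
# macOS evaluates ACL entries top-down, so the deny entry is inserted at
# index 0, ahead of the allow entry that grants day-to-day access.
acl_plan() {
    path=$1; group=$2
    printf '%s\n' \
      "chmod -RN '$path'" \
      "chmod -R +a 'group:$group allow list,search,read,add_file,add_subdirectory,file_inherit,directory_inherit' '$path'" \
      "chmod -R +a# 0 'group:$group deny delete,delete_child' '$path'"
}

# Run the plan on macOS; anywhere else just print it for review.
apply_acl_plan() {
    if [ "$(uname)" = Darwin ]; then
        acl_plan "$1" "$2" | sh -e
    else
        acl_plan "$1" "$2"
    fi
}

# Read `ls -le` output on stdin and print "<index> <principal> <perms>" for
# every deny entry, including inherited ones, so a deny can be told from an
# allow before it is edited in the GUI.
list_deny_entries() {
    awk '/^ *[0-9]+: / {
        idx = $1; sub(":$", "", idx); k = 3
        if ($k == "inherited") k = 4
        if ($k == "deny") print idx, $2, $(k + 1)
    }'
}

# Constructed sample of what `ls -le` shows after the plan above has run.
SAMPLE_LS_LE='drwxrwxr-x+ 5 admin  staff  170 Jan  1 12:00 Projects
 0: group:EXAMPLE\Editors deny delete,delete_child
 1: group:EXAMPLE\Editors allow list,search,read,add_file,add_subdirectory,file_inherit,directory_inherit
 2: group:EXAMPLE\Viewers inherited deny write,append'

acl_plan /Volumes/SAN/Projects 'EXAMPLE\Editors'
printf '%s\n' "$SAMPLE_LS_LE" | list_deny_entries
```

On a real volume, run `ls -le` on the folder and pipe it through list_deny_entries to confirm the deny entries sit above the allows before touching them in the GUI.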

ptrondsen

Hey all, I successfully got this working, and users were getting tickets and single sign-on, but the problem is that the default realm is the OD Master, and there was nothing I could do to get the default realm to be the AD DC. I even deleted the 2 files that are created in the Config area. The weird thing is, it worked, but the system log was filled with error after error, listing the username AS-REQ and pointing them to the OD Master for Kerberos.
So, I bailed and went back to Lion. This needs to be fixed.