Apple Mac OS X 10.8.2.4 Magic Triangle Setup

Tags: active-directory, apple, mac-osx-server

I have the really important part of my magic triangle working – Mac OS X clients that I bind to AD & OD can log in with domain credentials. What isn't working is sharing a folder from the mac server to clients. When a client uses Go -> Connect to server, and specifies either smb://mac-server/sharedfolder or afp://mac-server/sharedfolder, the user is prompted for credentials, and domain credentials don't work (shaking window rejection). I've tried prefixing the username with the domain, but no luck.

DNS is working properly, and the client can resolve both mac-server and our AD domain controller.

The mac server's DSCONFIGAD is as follows:

mac-server:~ macadmin$ dsconfigad -show
Active Directory Forest          = campus.zzz.edu
Active Directory Domain          = campus.zzz.edu
Computer Account                 = mac-server$

Advanced Options - User Experience
  Create mobile account at login = Disabled
     Require confirmation        = Enabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Enabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain
mac-server:~ macadmin$ 

My shared folder is configured like this:
[screenshot: Shared Folder Configur]

Interestingly, clients can:
* log in with Active Directory credentials
* access other network resources they have permission to (like our regular file server), without being prompted for credentials

Clients cannot:
* connect to the mac-server file share.

Both AD & OD added from client side:
[screenshot: Binding to both AD & OD]

I'm guessing that only the AD integration is working in my magic triangle, but the OD integration is not. Unfortunately, OpenDirectory doesn't appear to have any/many options to fiddle with in Server.app.

In the log viewer built into server.app, I do see one weird error in the AFP log saying:

Jul 15 15:18:42 mac-server.campus.zzz.edu AppleFileServer[25005] <Info>: **** - - "SACL   membership failure for user chalstead" 0 0 0

I'd be happy to provide more details. I'm curious about this SACL membership failure, but not sure if that's a tree to bark up right now. I suspect I'm missing something far more basic.

Best Answer

What you describe sounds consistent with the AD users not being in the Mac server's SACLs (Service Access Control Lists). You can check this by going into Server.app -> Users in the sidebar -> from the popup menu above the users list choose "Users from ADDOMAIN" -> select chalstead (or some other AD user you can test with) -> from the action (gear icon) menu under the user list choose "Edit Access to Services" -> check whether the "File Sharing" service is enabled.

If File Sharing is not enabled for the user(s) in question, you can enable it per-user (either individually or by selecting a bunch of them and setting them all at once), but it's usually easier to manage if you set it by group. The interface is essentially the same, just in the Groups rather than Users section (and then verify it in the Users section).

I've seen it fail to update properly after a change (essentially, it seems to cache the SACL failure); this seems to go away if you leave it long enough, but if nobody's using the Mac server yet, you can use the brute force solution: reboot the server.

EDIT: once that's fixed, you may also have to enable AD's Kerberos single-sign-on on the Mac server. If you're prompted for credentials when connecting to the Mac server, but allowed in when you supply them, you probably need to set this up:

  • Check whether the Mac is Kerberized properly with the command sudo ktutil -k /etc/krb5.keytab list -- if the result includes entries ending "@ADDOMAIN.EDU", you're good. (Note: it will also contain a bunch of "@LKDC:SHA1.hexgibberish" and maybe also "@MAC-SERVER.whatever" entries; ignore these.)
  • If it needs to be set up, use the command sudo dsconfigad -enableSSO, then recheck with ktutil.
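The keytab check from the answer above, as an added example that is not part of the original answer: a small POSIX shell script that parses the output of `sudo ktutil -k /etc/krb5.keytab list`, counts the service principals in the AD realm, and skips the `@LKDC:SHA1...` and local-hostname entries the answer says to ignore. The realm `CAMPUS.ZZZ.EDU` is assumed from the `dsconfigad -show` output in the question, and the keytab listing embedded below is constructed sample data in the Heimdal layout, not output from the asker's server. The `sacl_check` helper is the command-line equivalent of the Server.app "Edit Access to Services" check; `com.apple.access_afp` and `com.apple.access_smb` are the SACL groups for file sharing.

```shell
#!/bin/sh
# Added example: verify AD Kerberos principals in the server keytab.
# Assumed realm: CAMPUS.ZZZ.EDU (derived from the question's dsconfigad output).

# Constructed sample of a ktutil listing (columns: Vno, Type, Principal).
SAMPLE_KTUTIL_OUTPUT='/etc/krb5.keytab:

Vno  Type                     Principal
  3  aes256-cts-hmac-sha1-96  afpserver/mac-server.campus.zzz.edu@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567
  3  aes256-cts-hmac-sha1-96  cifs/mac-server.campus.zzz.edu@LKDC:SHA1.0123456789ABCDEF0123456789ABCDEF01234567
  3  aes256-cts-hmac-sha1-96  host/mac-server.campus.zzz.edu@MAC-SERVER.LOCAL
  2  aes256-cts-hmac-sha1-96  afpserver/mac-server.campus.zzz.edu@CAMPUS.ZZZ.EDU
  2  aes256-cts-hmac-sha1-96  cifs/mac-server.campus.zzz.edu@CAMPUS.ZZZ.EDU
  2  aes256-cts-hmac-sha1-96  host/mac-server.campus.zzz.edu@CAMPUS.ZZZ.EDU'

# count_realm_principals REALM [SERVICE]
# Reads a ktutil listing on stdin and prints how many principals belong to
# REALM, optionally restricted to one service name (afpserver, cifs, host).
count_realm_principals() {
    awk -v want_realm="$1" -v want_svc="${2:-}" '
        {
            princ = $NF                      # principal is the last column
            at = index(princ, "@")
            if (at == 0) next                # header, blank and path lines
            realm = substr(princ, at + 1)
            if (realm != want_realm) next    # skips LKDC and other realms
            name = substr(princ, 1, at - 1)
            slash = index(name, "/")
            svc = slash ? substr(name, 1, slash - 1) : name
            if (want_svc == "" || svc == want_svc) n++
        }
        END { print n + 0 }'
}

# keytab_has_service REALM SERVICE: exit 0 if at least one such principal exists.
# afpserver covers AFP, cifs covers SMB; both are needed for the shares above.
keytab_has_service() {
    [ "$(count_realm_principals "$1" "$2")" -gt 0 ]
}

# check_live_keytab REALM: the same check against the real keytab (needs root).
check_live_keytab() {
    sudo ktutil -k /etc/krb5.keytab list | count_realm_principals "$1"
}

# sacl_check USER GROUP: command-line form of "Edit Access to Services".
# GROUP is com.apple.access_afp or com.apple.access_smb for file sharing.
sacl_check() {
    dseditgroup -o checkmember -m "$1" "$2"
}

# Demo on the constructed sample: prints 3 (afpserver, cifs and host in the AD realm).
printf '%s\n' "$SAMPLE_KTUTIL_OUTPUT" | count_realm_principals CAMPUS.ZZZ.EDU
```

On the server itself, `check_live_keytab CAMPUS.ZZZ.EDU` printing 0 means no AD service principals are present and `sudo dsconfigad -enableSSO` is needed; a non-zero count with SMB still prompting points back at the SACL, which `sacl_check chalstead com.apple.access_smb` reports directly.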