We loaded Leopard on a couple of machines yesterday. It went very well, except for two significant problems.
First, Active Directory integration is broken. It centers mostly around authentication issues. If the Mac was joined to the domain before it was upgraded, it can’t log on after. Directory Utility returns a “Server can not be contacted” error. If the machine was not joined to the domain, it fails while trying to with an “unknown error” in step 3 of the bind process.
The other issue is in Safari through a Microsoft ISA 2006 proxy server. When going to an SSL website, Safari crashes after it tries to authenticate. Firefox still works.
I’m guessing that both issues are related to the re-written Kerberos engine. Our call with Apple support has been escalated to engineering, so I’ll post when we get a solution.
Update: As of 4:00PM EDT on Monday Oct 29, we haven’t heard anything from Apple support.
Update 2: One of my coworkers didn’t have a problem joining his domain at home. The difference is that he is in AD Native Mode and has DNS/DHCP hosted on Linux at home. We’re in Mixed Mode and Windows-based here at work. Still no update from Apple.
Update 3: Matt (below) had success by adding his root-level domain as a search domain in the network preference pane. It didn’t help me (I had already set it), but give it a try if you’re failing in step 4 of the bind. I’m still failing in step 3.
Update 4: 10.5.1 didn’t seem to fix my problems, but it fixed some that others were having. Apply it if you haven’t already.
Update 5: We finished our migration to Active Directory native mode on our domain today. Both of my Leopard machines will now join the domain and the Safari crashes are not happening anymore.
Update 6: 10.5.2 took all of the fidgeting out of the bind process for me. It works like a champ on all of the machines we’ve tried it on. Safari still crashes when authenticating to our ISA server in production, but not in the lab. We’re still trying to determine what could possibly be causing that issue.
October 30, 2007 at 7:25 am
I too, have the same problem. After the leopard upgrade, any SSL site through my proxy at work fails but works fine via airport at home without proxy.
October 30, 2007 at 11:45 am
I am able to bind, but I am running across kerberos errors also. “Cannot contact any KDC for requested realm” is what I see in /var/log/system.log. This is a clean install.
October 30, 2007 at 3:09 pm
First thing I tried when I loaded it. Exact same issue. FYI, we don’t use Windows AD integrated DNS at all. Is this also the case for you?
October 30, 2007 at 3:16 pm
Interesting. That may narrow it down to an Active Directory Native Mode/Mixed Mode issue.
October 30, 2007 at 4:55 pm
We are seeing the same issue.
Upgrade to Leopard on an AD bound computer will not authenticate domain users.
Native 2003 domain (other than DHCP which is hosted on Linux.)
October 30, 2007 at 7:29 pm
I am the “matt” from above, and I just solved the issue.
In short, I added my root domain (in my case: uiowa.edu) to the “Search Domains” field in the Network pane in the ethernet adapter I’m using.
My post in apple discussions: http://discussions.apple.com/thread.jspa?messageID=5701445#5701445
November 1, 2007 at 4:47 pm
The night that I solved it, things were great! My user drive auto-mounted, I could drag and drop to it…
I came in the next morning and could not authenticate.
I have no idea what “changed” but, the issue persists.
November 6, 2007 at 10:19 am
Any news on Apple fixing this issue? This is all that is stopping me from upgrading to leopard on the 47 Macs I administer here.
November 6, 2007 at 2:57 pm
No updates from Apple yet. I’ve escalated the call with our account rep, so hopefully we’ll have some movement soon.
November 6, 2007 at 3:52 pm
I have two Macs that I am experimenting on with Leopard and AD. When a Leopard upgrade is installed, neither Mac will mount the user’s AD home folder. A ‘?’ icon appears in the Dock, named the same as the user; it doesn’t open the home folder, nor can it be deleted. In Tiger this was a folder icon and it was linked to the mounted home folder volume. I have now tried a clean install on both machines and the problem persists. Downgraded one back to Tiger and it works fine.
November 6, 2007 at 5:12 pm
Looking through the logs, I see an indication that this may be a Kerberos or DNS issue, or both. I see errors that canonicalization failed for the host name in kerberos_init.
November 15, 2007 at 5:58 pm
10.5.1 resolved the issue for me.
December 12, 2007 at 6:55 am
I think it has to do with sync problems between the AD and the OD servers. Microsoft has published docs about that…
Maybe that’s an issue here.
December 18, 2007 at 10:37 pm
Any word on this?
We have 25 iMacs in our art lab that I want to get on the domain and share printers and file shares, but I am having trouble with Active Directory. The domain that the lab is in is a child domain, and it added OK, but I can’t log on to the domain; only the root domain users can log on to the Mac. I removed the AD and re-added it, and now I get nothing but troubles.
Mark
December 19, 2007 at 2:08 pm
I am still struggling with the same issue. We are trying to get our Leopard Server bound to the domain and having little success. Has there been any progress for others with this?
December 20, 2007 at 11:46 am
Add me to the list of people that are having issues. I have tried most things and no luck. Users can login, but it takes 2 minutes to do it. Maybe 10.5.3 will fix it. Should be out early January.
January 16, 2008 at 10:44 am
You know, all you Apple fans talk smack about Microsoft, but this is a huge screw-up for Apple. AD not fixed yet after how many months? I’d say they’ve dropped the ball. If Microsoft had an issue like this it would have been fixed by now. Apple better get on the ball. I’ve switched to Vista. Runs much better on my MacBook Pro than Leopard anyway. A lot less bugs in Vista. Also they’re fixed a lot faster. 3 months now trying to get Leopard to connect to our AD… Come on Apple, you can do it. Release the fix already. What are you waiting for? Your commercials won’t save you… as funny as they are.
February 1, 2008 at 11:58 am
Hey Apple!!! I’m still waiting!!! And now I can’t load Tiger on the new machines I’m forced to deploy!!!
February 11, 2008 at 4:48 am
I am extremely disappointed with Apple. You are pushing me back to Microsoft. Nowadays it is very important how you serve, not just what you make. APPLE, come up with a solution please.
February 13, 2008 at 4:23 pm
My further success with 10.5.2:
Main points: Be sure your local time is being updated by a time server on your network, be sure that all devices are syncing with the same NTP server.
Pre-add the computer you want to bind in your domain.
Key: in Directory Utility, choose to authenticate against a known server. So under the Administrative tab choose “prefer this domain server” and enter in the DNS name of a DC in your domain. Also uncheck authentication with any DC in the forest.
Now bind and click Ok.
Now in Directory Utility, click on Search Policy, and add servers in the Authentication tab by choosing Custom Path. Click the + and you should see your domain or multiple domains in your forest listed. Add them appropriately. In some configurations, you may want to do this for “Contacts”.
You can now go back into the Active Directory plugin, and choose to authenticate from any DC in the forest, and remove the selection that allows only authenticating against one server.
Sorry for the lack of deep explanation, but if you are at the point where the AD and DNS is working fine, then this should be pretty straightforward and to the point.
http://discussions.apple.com/thread.jspa?threadID=1393387&tstart=0
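A preflight script, added here as an example (not from the thread or from Apple), that checks the prerequisites the comment above relies on before a bind is attempted: the root domain in the search list (Matt’s fix), SRV records for a KDC and a domain controller, Kerberos clock skew, and network time. It assumes `dig`, `scutil` and `systemsetup` are available and uses `example.corp` as a placeholder domain.

```shell
#!/bin/bash
# AD bind preflight (added example). Usage: ./preflight.sh example.corp
# Assumptions: dig, scutil and systemsetup exist; example.corp is a placeholder.

# Returns 0 if the domain given in $1 appears as a search domain (or the primary
# domain) in `scutil --dns` output read from stdin.
search_domain_present() {
  grep -E "^[[:space:]]*(search domain\[[0-9]+\]|domain)[[:space:]]*:[[:space:]]*$1\$" >/dev/null
}

# Reads `dig +short SRV` output from stdin ("prio weight port target.") and
# returns 0 when at least one target host was returned.
srv_has_target() {
  awk 'NF == 4 && $4 ~ /\.$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Kerberos rejects tickets when clocks differ by more than the AD default of
# 300 seconds. $1 = local epoch seconds, $2 = server epoch seconds.
skew_ok() {
  local d=$(( $1 - $2 ))
  [ "${d#-}" -le 300 ]
}

# Runs the live checks against the domain in $1; prints each failure, returns 1
# if any hard check failed.
preflight() {
  local dom="$1" rc=0
  scutil --dns | search_domain_present "$dom" \
    || { echo "FAIL: $dom is not in the search domains (Network pane)"; rc=1; }
  dig +short SRV "_kerberos._tcp.$dom" | srv_has_target \
    || { echo "FAIL: no KDC SRV record for $dom (Cannot contact any KDC)"; rc=1; }
  dig +short SRV "_ldap._tcp.dc._msdcs.$dom" | srv_has_target \
    || { echo "FAIL: no DC LDAP SRV record for $dom"; rc=1; }
  # systemsetup needs root; treat a non-"On" answer as a warning only.
  [ "$(systemsetup -getusingnetworktime 2>/dev/null)" = "Network Time: On" ] \
    || echo "WARN: network time is not on; sync every device to one NTP server"
  return $rc
}

if [ -n "${1:-}" ]; then preflight "$1"; fi
```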
February 26, 2008 at 1:12 pm
We had similar issues with 10.5.2. However, I removed the computer accounts in AD and re-added them ALL UPPER CASE and the AD bind worked perfectly… go figure!
April 15, 2009 at 9:48 am
After reading this article, I feel that I really need more information on the topic. Could you share some resources ?
November 5, 2009 at 10:27 pm
hmmm…. whatever…