I am trying to integrate my Mac OS X Jaguar system into a Windows 2000 Active Directory network, and not having too much luck. I dug through some of the suggestions at Apple Slashdot, but nothing seems to help on the authentication front. I can look up info using Address Book from the Active Directory, but nothing I type in on the login screen works, it simply pauses for a bit, then informs me the username or password is wrong. Any suggestions from someone here who has gotten it working? Changing the schema server side is not a possibility.

The other issue that I have now is that on boot, it hangs for a long time at "Waiting for network file system". Login is also painfully slow. And by slow, I am seeing bootup times measured in hours. I'm trying to get into the system to try and undo the AD integration attempts, and hope that the boot problem is resolved.

edit: For the record, pulling the CAT 5 gets it to boot up normally, but it still hangs at login. I'm still waiting on it to authenticate me after 30 mins.

Can you still get to a CLI login by typing ``>console'' or whatever it was into the login prompt? If so, maybe it'd give you a little more information; maybe not. Just a guess.

Typing >console resulted in the console eventually popping up. I attempted to login with my local user, and it succeeded, but is hung at the "last login: Mon Nov 11 10:05:33 on console". The timestamp seems to be the same as when I last attempted to log into the GUI.

Anyone know of alternate startup options for OS X that might help?

I found the following by doing a Google Groups search (the thread is in French, this is an excerpt). The thread was dated 10/7. The thread was titled "[Jaguar] Kerberos, Active Directory,..."

> Active Directory authentication in Jaguar--how real is it?
> October 4, 2002 -- Steven Allred reports that an Apple rep told him that
> the advertised ability of Mac OS X 10.2 to authenticate to a Windows
> Active Directory server is not actually in Mac OS X. His report:
> I am a Computer Specialist for a large creative entertainment company. We
> have been working with Apple for a month now on getting Active Directory
> (AD) authentication to work. There are the facts as I know them for our
> Sr. Apple Engineer assigned to our company. He has said that the
> advertisements for AD support (10.2 box, and Apple's website) is ahead for
> the actual abilities of the product. He has continued to say that he has
> only found one guy at Apple that is currently working on this, and they
> get promising that it will be able to demonstrate it to us, but so far
> nada. Having an Xserve does improve the ability to do AD authentication,
> but it is still not 100 percent ready.
> Currently, it does not work right out of the box (as advertised), as you
> need plug-ins that are not yet finalized by Apple. It requires you to add
> and make adjustments to the AD server that haven't yet been thoroughly
> tested or verified or signed off by Microsoft for any possible security
> issues. It will be very hard or impossible for us to apply any changes to
> our AD servers for OS X client to authenticate. If you know any other
> information or no anyone who has this working please let me know and I'll
> share it with Apple. (As we reported earlier this year, it is possible to
> integrate Macs using a Mac OS X server on the network. With Mac OS X 10.2,
> Apple claims you don't need a Mac OS X Server.)


HTH.

-Zeke

I finally came across this article explaining how to revert directory changes. I'm able to boot and log in normally now, so back to actually working with the LDAP authentication.

Most of what I found indicates certain schema changes must be done for proper home directory mapping and such. Authentication seems possible, but not worth much as most people report getting dumped to the console if they can authenticate, but don't have the schema changes in place.

For the record, it looks like the hangs that I was seeing have been fixed in the newly released 10.2.2:

# Addresses a startup issue that could occur if an LDAP server designated in Directory Access is not available.

It's possible that when I configured AD support, one of the servers I added went down.

As far as the overall AD implemetation, there is no easy way for me to get it working without some changes server side. I can change a few fields on my own user account in the directory, thus I could add all I need, but it would serve no benefit, as noone else would be able to authenticate and login without similar changes to their account. And AD out of the box is very Windows centric. Adding Services for Unix to the top level domain controller would add the needed schema changes (ie UID, Unix stored home directory, etc...), but that is not implemented on my work network.