  • Active Directory,  Mac OS X,  Mac OS X Server,  Xsan

    Mac OS X: adplugin and AD DNS

    Let’s say you bind a Mac to AD.  Let’s say you have two NICs in there.  Now let’s say you get entries for both NICs in DNS.  How do you fix that?  Well, go ahead and create an ipfw rule to block traffic on port 54 for the second NIC.  You aren’t using it for that anyway if you’re using Xsan, which seems to be the main place we’re seeing this issue…  File a bug report if you don’t like the ipfw workaround, but don’t hold your breath… UPDATE: Apple actually posted a fix for this: To set Mac OS X Server version 10.5 to only register a single network…

  • Active Directory,  Mac OS X,  Mac OS X Server

    Mac OS X: dirt

    dirt is a new utility in Leopard that can be used to test Directory Services.  You can use dirt to test authentication for LDAP or Active Directory.  The -u flag uses the username from the node you are testing against; in the above example it is the Active Directory username.  dirt tests whether an account exists in any node and can be used with the following structure:

        dirt -u username -n

    This would result in the following output if the account is located in Active Directory:

        User username was found in: /Active Directory/domainname

    The -p flag can also be used to test passwords.  You can also specify the node in Directory…

  • Active Directory,  Mac OS X,  Mac OS X Server,  Mac Security

    Bind to AD Using the Command Line

    dsconfigad can be used to bind to Active Directory from the command line.  Use as follows:

        dsconfigad -h
        dsconfigad -show [-lu username] [-lp password]
        dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password]
                   [-lu username] [-lp password] [-ou dn] [-status]
        dsconfigad -r -u username [-p password] [-lu username] [-lp password]
        dsconfigad [-lu username] [-lp password] [-mobile enable | disable]
                   [-mobileconfirm enable | disable]
                   [-localhome enable | disable] [-useuncpath enable | disable]
                   …

  • Active Directory,  Mac OS X Server,  Mac Security

    Managing the Keytab with ktutil

    clear_list – Clears the current keylist
    read_kt or rkt – Reads a krb5 keytab into the current keylist
    read_st or rst – Reads a krb4 srvtab into the current keylist
    write_kt or wkt – Writes the current key listing into a krb5 keytab
    write_st or wst – Writes the current key listing to a krb4 srvtab
    add_entry or addent – Adds an entry to the current key listing
    delete_entry or delent – Deletes an entry from the current key listing
    list – Lists the current key listing
    list_requests or lr – Lists available keys

  • Active Directory,  Microsoft Exchange Server

    Exchange 2003: Applications that Access the Information Store

    I would always create a service-specific account (Atempo, Blackberry, GFM, Symantec, etc.) that is not a Domain Admin but is an Administrator.  Then I would grant it the rights mentioned here.  Once you do that, go to Services and configure the service to run as that account (e.g. AtempoAdmin).  Then make sure this key is in the registry (depending on which SP you have, it might not be):

        HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
        ShowSecurityPage  DWORD value = 1

    Then fire up Exchange System Manager, click on the Organization, click on the Admin Group, then your group, and open its properties.  You’ll notice that nice Security tab.…

  • Active Directory,  Mac OS X Server,  Mac Security

    What is a Kerberos Realm

    A realm is where the Kerberos database is stored.  The realm lives on one computer (the KDC) and can have read-only slave servers (kinda’ like a cluster).  Each realm will have a listing in the following files under /private/var/db/krb5kdc/:

        .k5.FQDN.OF.REALM (secret key)
        kdc.conf (configuration file for the KDC)
        kadm5.acl (access control list for the KDC)