Mac's and Active Directory issues: Are we the only ones?
posted by William Sandler  on May 9, 2018, 2:45 p.m. (5 years, 6 months, 21 days ago)
6 Responses     0 Plus One's     0 Comments  
We have to reboot macs sometimes in order for the "network accounts are unavailable" message to go away. Luckily our Macs all have SSDs so a reboot isn't the end of the world but it's still annoying.

William Sandler
All Things Media, LLC
william.sandler@allthingsmedia.com

On Wed, May 9, 2018 at 12:53 PM Daniel Cox <content@studiosysadmins.com> wrote:
I'm the Active Directory Admin at my company. We have a mixed environment of Macs, Windows (Servers and workstations), and Linux (Servers) all on Active Directory. I am trying to find out if our heartache with Macs is typical in such a mixed environment or if it is unusual and I need to do something to make it more stable. The big issue that we see is that the Macs seem to stop talking to AD and require a reboot to get them going again and utilizing the central authentication. However in more problematic cases we have to unbind and re-bind the Macs to AD to get things working again. Now I have had Windows machines in the past go dumb and need to be re-added to AD so I know it is possible but with the Macs it seems like every week at least a couple need this to get working again. As far as we can tell there are no network issues that are dropping connections (at least not for long enough for a human or monitoring to notice). Are these kinds of things typical in such an environment? Is there anything I can do to help keep everyone happily talking to one another and improve everyone's experience? Any help or insight you may be willing to share would be appreciated.
To unsubscribe from the list send a blank e-mail to mailto:studiosysadmins-discuss-request@studiosysadmins.com?subject=unsubscribe

Thread Tags:
  discuss-at-studiosysadmins 

Response from Greg Whynott @ June 27, 2018, 2:25 p.m.
Hi Peter,
Sorry for the delay, was not doing the gmail thing for a bit.
The first thing I did, and I'll likely take some heat for this from the community, is disabled SELinux. It's a pain in the back side, or I just haven't wrapped my head around it yet.
I think (I still consider myself an SSSD noob) the below changes are what allowed the AD provided UID/GIDs to be proper.
ldap_id_mapping = False
use_fully_qualified_names = False
access_provider = simple
realmd_tags = joined-with-samba
And while I'm sure this isn't the best idea, I listed ldap as a tertiary lookup in nsswitch.
passwd: files sss ldap
group: files sss ldap


-greg


On Mon, Jun 4, 2018 at 1:10 PM, Peter Smith <peter.smith@framestore.com> wrote:
How did you resolve your SSSD issues, Greg?

We've found switching the default "enumerate = true" to "enumerate = false" stops it from being a little ***er.

On 23 May 2018 at 01:53, greg whynott <greg.whynott@gmail.com> wrote:
Maybe slightly off topic but I'm considering bringing up a FreeIPA server which you can create a trust with your AD. I was doing it because of some challenges I was having with linux clients using SSSD instead of NSLCD and our Macs. I was dealing with multi group membership, SELINUX and UID/GID issues which I since resolved(ing), but may go ahead with it anyway as a 'make work' project and see what problems it resolves and creates. Might help out as it is more LDAPish than AD.
Our company was once a total windows shop, then we migrated 95% of the desktops and servers to linux but kept the AD and Exchange servers in place. If it wasn't for calendars, I'm sure both could be decommissioned.

Give it a look when you have time:
https://www.freeipa.org/page/Main_Page
https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12

-greg


On Sun, May 13, 2018 at 6:55 PM, Jeremy Webber <Jeremy.Webber@al.com.au> wrote:
We use Macs against AD without any issues (that I'm aware of).
We always set up the Mac accounts as mobile accounts, this provides a useful amount of decoupling from network dependencies, while still using AD authentication. My own desktop is an iMac which is always on the network but I still find the mobile account very useful as I get a local home directory (we use network home directories for our UNIX devices, and Linux and Mac can fight over some folders in the home directory).
To create mobile accounts automatically there is an option "Create mobile account at login" in the Active Directory edit pane, under Options, in Directory Utility.
I used to see the clock drift on MacOS 10.12 (and maybe earlier?) I noticed that if I opened the Date and Time system preferences that the system would catch up. I always caught it before the clock had drifted 10 minutes which I think is the AD tolerance for clock drift. I no longer have this problem in 10.13.
The Macs use RFC2307 POSIX attributes correctly, except for NIS automount maps. The user accounts are kerberised correctly, so Kerberos single sign on works as expected in Safari.
HTH, Jeremy

On 11 May 2018, at 8:21 am, Ken Spickler <ken.spickler@gmail.com> wrote:
Check the system clock and set it to sync with the AD server or another NTP source that AD syncs with. If the clock drifts too much you'll have that problem.



On May 10, 2018, at 8:52 AM, Brandon Lindauer <brandon@thelindauers.com> wrote:

For years I've seen Macs come up with "Network Accounts Unavailable" on the login screen, and totally ignored it. Nine times outta ten I can still login and auth against AD. So I would say don't trust that little red dot. But I've also seen Macs go stupid with their binding. It just happens randomly and occasionally they need to be rebound. Not too often, mind you, but enough that it's noticeable. Once you rebind everything is fine. I did some investigating once and found a correlation between many of these instances and the AD's process of resetting the machine password. Apparently there can be a communication issue in that process between the AD and Mac where the Mac never gets the updated pw, it expires. Mind you correlation does not equal causation, and that's as far as I ever got.
Make sure your DNS is good, use mobile accounts, and don't forget to offer your firstborn as a sacrifice to the Apple Gods!


--
Jeremy Webber
Senior Systems Engineer

T: +61 2 9383 4800 (main)
D: +61 2 8310 3577 (direct)
E: Jeremy.Webber@al.com.au

Building 54 / FSA #19, Fox Studios Australia, 38 Driver Avenue
Moore Park, NSW 2021
AUSTRALIA

Animal Logic



--
Framestore
Peter Smith, Senior Systems Engineer
London New York Los Angeles Chicago Montréal
T +44 (0)20 7208 2600 M +44 (0)7816 123009
28 Chancery Lane, London WC2A 1LB
framestore.com



0 Plus One's     0 Comments  
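
The SSSD and nsswitch settings quoted in the response above, together with the `enumerate` remark it answers, run through a small audit; this is an added example, not code from the thread or from the SSSD project. The sample files are constructed, `example.test` is a placeholder domain, and the function names are this example's own.

```python
import configparser

# Constructed samples. The domain name is a placeholder; the option values are
# the ones quoted in the thread, including the "enumerate = true" being replied to.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
ldap_id_mapping = False
use_fully_qualified_names = False
access_provider = simple
realmd_tags = joined-with-samba
enumerate = true
"""

SAMPLE_NSSWITCH = """\
passwd: files sss ldap
group: files sss ldap
shadow: files
"""

SIMPLE_LISTS = ("simple_allow_users", "simple_allow_groups",
                "simple_deny_users", "simple_deny_groups")


def _flag(domain, option):
    """True/False for an explicitly set boolean option, None when it is absent."""
    raw = domain.get(option)
    return None if raw is None else raw.strip().lower() == "true"


def audit_sssd(conf_text):
    """Return (section, option, level, note) for every [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for name in parser.sections():
        if not name.startswith("domain/"):
            continue
        dom = parser[name]
        # sssd-simple grants access to everyone when all four lists are empty.
        if (dom.get("access_provider", "").strip().lower() == "simple"
                and not any(dom.get(opt, "").strip() for opt in SIMPLE_LISTS)):
            findings.append((name, "access_provider", "warn",
                             "simple provider without allow/deny lists: any "
                             "account SSSD can resolve may log in"))
        if _flag(dom, "enumerate") is True:
            findings.append((name, "enumerate", "warn",
                             "SSSD downloads every user and group in the domain"))
        if _flag(dom, "ldap_id_mapping") is False:
            findings.append((name, "ldap_id_mapping", "info",
                             "UID/GID come from the directory's POSIX attributes; "
                             "accounts without uidNumber/gidNumber will not resolve"))
        if _flag(dom, "use_fully_qualified_names") is False:
            findings.append((name, "use_fully_qualified_names", "info",
                             "short names in use; check for clashes with local accounts"))
    return findings


def audit_nsswitch(text):
    """Return (database, note) where passwd/group list both sss and ldap."""
    findings = []
    for line in text.splitlines():
        database, sep, rest = line.split("#", 1)[0].partition(":")
        if not sep:
            continue
        sources = rest.split()
        if database.strip() in ("passwd", "group") and {"sss", "ldap"} <= set(sources):
            findings.append((database.strip(),
                             "sss and ldap both answer lookups; a name missing from "
                             "one source is still served by the other"))
    return findings


if __name__ == "__main__":
    for finding in audit_sssd(SAMPLE_SSSD_CONF):
        print(*finding, sep=" | ")
    for finding in audit_nsswitch(SAMPLE_NSSWITCH):
        print(*finding, sep=" | ")
```

Setting one of the `simple_allow_*` lists in the domain section clears the `access_provider` finding.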
   

Response from Anonymous @ June 4, 2018, 1:40 p.m.
How did you resolve your SSSD issues, Greg?

We've found switching the default "enumerate = true" to "enumerate = false" stops it from being a little ***er.




--
Framestore
Peter Smith, Senior Systems Engineer
London New York Los Angeles Chicago Montréal
T +44 (0)20 7208 2600 M +44 (0)7816 123009
28 Chancery Lane, London WC2A 1LB
framestore.com



0 Plus One's     0 Comments  
   

Response from Greg Whynott @ May 22, 2018, 8:55 p.m.
Maybe slightly off topic but I'm considering bringing up a FreeIPA server which you can create a trust with your AD. I was doing it because of some challenges I was having with linux clients using SSSD instead of NSLCD and our Macs. I was dealing with multi group membership, SELINUX and UID/GID issues which I since resolved(ing), but may go ahead with it anyway as a 'make work' project and see what problems it resolves and creates. Might help out as it is more LDAPish than AD.
Our company was once a total windows shop, then we migrated 95% of the desktops and servers to linux but kept the AD and Exchange servers in place. If it wasn't for calendars, I'm sure both could be decommissioned.

Give it a look when you have time:
https://www.freeipa.org/page/Main_Page
https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12

-greg




0 Plus One's     0 Comments  
   

Response from Ken Spickler @ May 10, 2018, 6:25 p.m.
Check the system clock and set it to sync with the AD server or another NTP source that AD syncs with. If the clock drifts too much you'll have that problem.




0 Plus One's     0 Comments  
   

Response from Brandon Lindauer @ May 10, 2018, 11:55 a.m.
For years I've seen Macs come up with "Network Accounts Unavailable" on the login screen, and totally ignored it. Nine times outta ten I can still login and auth against AD. So I would say don't trust that little red dot. But I've also seen Macs go stupid with their binding. It just happens randomly and occasionally they need to be rebound. Not too often, mind you, but enough that it's noticeable. Once you rebind everything is fine. I did some investigating once and found a correlation between many of these instances and the AD's process of resetting the machine password. Apparently there can be a communication issue in that process between the AD and Mac where the Mac never gets the updated pw, it expires. Mind you correlation does not equal causation, and that's as far as I ever got.
Make sure your DNS is good, use mobile accounts, and don't forget to offer your firstborn as a sacrifice to the Apple Gods!


0 Plus One's     0 Comments  
   

Response from Greg Dickie @ May 9, 2018, 3 p.m.
ya, that's my experience as well. I've also seen issues with other types of clients so maybe it's our AD ;-)



--


Greg Dickie
just a guy
514-983-5400

0 Plus One's     0 Comments