Mac integration with DSfW

  • 7007303
  • 03-Dec-2010
  • 15-Nov-2017

Environment

Open Enterprise Server 2 SP2
Domain Services for Windows
DSfW

Situation

NOTE Macs are not officially supported with DSfW
 
Mac 10.5 or 10.6 can not join a DSfW domain.
The workstation fails to join because Mac sends a request for logonHours.  A null value is returned.

Resolution

Macs are not officially supported with DSfW, but if the November 2010 Maintenance Patch is applied it will resolve the issue.

If the patch can not be applied the workaround is to populate the logonHours with all f's.

Below is a script to populate the logonHours to the default setting for all users in a domain.

Create a file called logonHours.pl (touch logonHours.pl)
Change the permisions to executable (chmod +x logonHours.pl)
After coping the script, run the script (./logonHours.pl).  You will login as administrator and the script will do the rest.
##############################################################################
# logonHours.pl
##############################################################################
#!/usr/bin/perl

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control;

# set the environment variables
$ENV{'LDAPCONF'}="/etc/opt/novell/xad/openldap/ldap.conf";
my $arch=`arch`;
if (lc($arch) eq "x86_64") {
    $ENV{'SASL_PATH'}="/opt/novell/xad/lib64/sasl2"
} else {
    $ENV{'SASL_PATH'}="/opt/novell/xad/lib/sasl2"
}   

# Get the Domain Naming Context
my $val=`/usr/bin/ldapsearch -Q -LLL -Y EXTERNAL  -b "" -s base | grep -i defaultNamingContext`;

my @mems = split(/:/, $val);
my $domainNamingContext = $mems[1];
chomp($domainNamingContext);
$domainNamingContext =~ s/^\s+//g;

print "Domain Naming Context : $domainNamingContext" . "\n";

# Get the Domain Name
$val=`/usr/bin/ldapsearch -Q -LLL -Y EXTERNAL  -b "" -s base | grep -i dnsDomain`;

@mems = split(/:/, $val);
my $dnsDomain = $mems[1];
chomp($dnsDomain);
$dnsDomain =~ s/^\s+//g;

print "Domain Name : $dnsDomain" . "\n";

# Get the Domain mapped's partition information
my $mappedNC = "";
open FH, "</etc/opt/novell/xad/xad.ini" or die "/etc/opt/novell/xad/xad.ini file not found";
while (<FH>) {
    if (/^Mapped Domain NC = /i) {
        $mappedNC = $_;
        $mappedNC =~ s/^Mapped Domain NC = //g;
        chomp($mappedNC);
        last;
    }
}

die "Mapped partition information for this domain is not available. Check the /etc/opt/novell/xad/xad.ini file\n" if ($mappedNC eq "");
 
print "Domain mapped to partition : $mappedNC\n";

# Get the Domain Administrator Name
my $domainAdmin = "cn=Administrator,cn=users,$domainNamingContext";
my $domainAdmin_input;

print "Enter the Domain Administrator [$domainAdmin]: ";
$domainAdmin_input = <STDIN>;

chomp($domainAdmin_input);

if ( $domainAdmin_input ne "" ) {
    $domainAdmin = $domainAdmin_input;
}
#print "Domain Administrator is $domainAdmin\n";

# Get the Domain Administrator Password
my $password;

print "Enter the Domain Administrator Password: ";
system("stty -echo");
$password = <STDIN>;
chop($password);
system("stty echo");
print "\n";

# Create LDAP control
my $ctrl = Net::LDAP::Control->new(
        type => "2.16.840.1.113719.1.513.4.5",
        value => "1",
        critical => 1 );

my $ld = Net::LDAP->new($dnsDomain, scheme => "ldaps", port => 636) or die "$@";

my $mesg = $ld->bind($domainAdmin, password => $password);
if ($mesg->code != 0) {
    print("LDAP bind failure \n");
}   

# Search the Domain users
my $filter = "(&(objectClass=user)(samAccountType=805306368))";
$mesg = $ld->search(
            base => $domainNamingContext,
            scope => "sub",
            filter => $filter);
if ($mesg->code != 0) {
    print("LDAP search failure \n");
}   

my $attrvalue = "ffffffffffffffffffffffffffffffffffffffffff";
my $hex = pack("H*", $attrvalue);
           
# Iterate through the domain users and set the logonHours attribute
for (my $idx = 0 ; $idx < $mesg->count ; $idx++)
{
    my $entry = $mesg->entry($idx);
    my $dn = $entry->dn;
    chomp($dn);
   
    $dn =~ s/$domainNamingContext/$mappedNC/g;
    print "Modifying entry $dn \n";

    my $res = $ld->modify ($dn, replace => [
                'logonHours' => $hex
                ],
                control => $ctrl);
    if ($res->code != 0) {
        die"Modify failed $dn : " . $res->error . "\n";
    }


$ld->unbind();

Additional Information

The patch does not populate the logonHours like the script does.  The logonHours attribute will not be present unless it is explicitly set.  Instead the loginAllowedTimeMap is mapped to logonHours.  This way the
logonHours attribute is displayed over LDAP.

Over NDAP (ConsoleOne Others tab), the attribute is not
present unless it is explicitly set.

The patch is expected to work for the following conditions

- logonHours attribute is not present (default unless explicitly set).
- loginAllowedTimeMap is present and is mapped to logonHours.