epp1024 Absent Member.

DLU Logins no longer work when in a mixed AD/eDirectory env

In ZCM 10.x, our users were stored in eDirectory, but we managed a number of settings on the machines via Active Directory that couldn't be managed with ZCM (such as Group Policy Preference items). In ZCM 10.x, this worked fine, because users logged in and then the local account was created and then logged in to.

With ZCM 11, it tries to log in with a domain account (which doesn't exist) instead of the locally created computer account. After the login failure, the user can log in by typing .\username and their password again, but that isn't an acceptable workaround.

Can we restore the old ZCM 10 behavior somehow?
floort Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

I'd like to know more about this (still on ZCM 10).
We also have a mixed env.
User source is eDir, but the clients (XP SP3) are also members of a Windows Server 2003/2008 domain.
Most policies are coming from ZCM, except the default Windows domain policy, etc.



epp1024;2063292 wrote:
In ZCM 10.x, our users were stored in eDirectory, but we managed a number of settings on the machines via Active Directory that couldn't be managed with ZCM (such as Group Policy Preference items). In ZCM 10.x, this worked fine, because users logged in and then the local account was created and then logged in to.

With ZCM 11, it tries to log in with a domain account (which doesn't exist) instead of the locally created computer account. After the login failure, the user can log in by typing .\username and their password again, but that isn't an acceptable workaround.

Can we restore the old ZCM 10 behavior somehow?
floort Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

But I know there is also a Novell Client 4.91 SP5 FTF fix for DLU and ZCM 11.
Don't know if that resolved something, but you can try.


floort;2063495 wrote:
I'd like to know more about this (still on ZCM 10).
We also have a mixed env.
User source is eDir, but the clients (XP SP3) are also members of a Windows Server 2003/2008 domain.
Most policies are coming from ZCM, except the default Windows domain policy, etc.
epp1024 Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

We are running Novell Client 2 (Win7), so I don't know if this will be an issue on XP.
floort Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

Hmm, OK. Have not seen that.
Looks like there are more problems with Windows 7/ZCM 11 than with XP... but it's a feeling.

epp1024;2063497 wrote:
We are running Novell Client 2 (Win7), so I don't know if this will be an issue on XP.
epp1024 Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

I'm guessing the lack of response means there is no fix or workaround, except for possibly syncing all of our users between eDirectory and AD. It would be nice if DLU authenticated locally instead of to the domain by default, or at least a setting to change it (because with users in the domain, there is almost no point of using DLU in the first place).
Micro Focus Expert

Re: DLU Logins no longer work when in a mixed AD/eDirectory env

DLU always authenticates locally.
There is never any other option.

If a user does not have an "Effective" DLU policy due to exclusions,
system requirements, or simply not being assigned then DLU is not in effect.

If a device is in a Domain and you do not WANT domain users to logon to
the PC, then Restrict the rights to "Logon Locally" from those Domain
Users to Those Domain PCs. This is a Windows Right.



On 3/16/2011 11:36 AM, epp1024 wrote:
>
> I'm guessing the lack of response means there is no fix or workaround,
> except for possibly syncing all of our users between eDirectory and AD.
> It would be nice if DLU authenticated locally instead of to the domain
> by default, or at least a setting to change it (because with users in
> the domain, there is almost no point of using DLU in the first place)
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
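
Added example, not part of the post above and not Novell's code: a PowerShell check of which accounts currently hold the Windows "Allow log on locally" and "Deny log on locally" rights on a domain-joined PC, which is the right the reply refers to. It assumes an elevated prompt; the function name `Get-InteractiveLogonRights` is hypothetical.

```powershell
# Added example (not from the thread). Lists the principals that hold the
# "Allow log on locally" and "Deny log on locally" user rights on this PC.
# Run elevated; Get-InteractiveLogonRights is a hypothetical helper name.
function Get-InteractiveLogonRights {
    $rights = [ordered]@{
        SeInteractiveLogonRight     = 'Allow log on locally'
        SeDenyInteractiveLogonRight = 'Deny log on locally'
    }
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of this machine's security settings.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
        $lines = Get-Content -Path $cfg
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    foreach ($key in $rights.Keys) {
        # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        $line = $lines | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
        if (-not $line) { continue }   # right not assigned to anyone
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $account = $entry
            if ($entry.StartsWith('*')) {
                # SIDs are written with a leading '*'; resolve them to names.
                try {
                    $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                }
                catch { $account = '(unresolved)' }
            }
            [pscustomobject]@{ Right = $rights[$key]; Entry = $entry; Account = $account }
        }
    }
}

Get-InteractiveLogonRights | Sort-Object Right, Account | Format-Table -AutoSize
```

On a domain-joined machine the local Users group normally contains Domain Users, so a `BUILTIN\Users` entry under "Allow log on locally" also covers domain accounts.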
epp1024 Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

> DLU always authenticates locally.
> There is never any other option.


I'm sorry, but in practice, it is trying to authenticate the user to the domain, not locally. It does create a local user account, but then it tries to authenticate the user to the domain (not the account it just created). I can verify this by creating a user in the domain with the same credentials, which results in a successful login. When a user in the domain doesn't exist, the authentication will fail. This is in Win7 (w/o SP1) with Novell Client 2 SP1 IR5, and ZCM 11.

This worked in ZCM 10.x, but it looks like ZCM 11 changed the way DLU logins are handled.
mattross Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

I would agree, it looks to me like it's attempting a Domain login first, as we've noticed the same issue. Creating a Domain account lets it log in; remove the Domain account and login fails. I have another thread on this here, didn't spot this one before I created it.
blowder Absent Member.

Re: DLU Logins no longer work when in a mixed AD/eDirectory

I have been trying this multiple ways: with eDir user, no AD account and WS on the domain, DLU fails. eDir user with AD account set for no local access and WS on domain, DLU fails. Take the WS off the domain and both work.
Micro Focus Expert

Re: DLU Logins no longer work when in a mixed AD/eDirectory

An SR would likely be the best option.
This is designed to work.

The most common issue folks normally have is the reverse, preventing DLU logins from working when a device is joined to a domain.