Updated February 3, 2012
The description of the initial problem and its resolution is intentionally left below for informational purposes.
UPDATE: This issue should be resolved by the OS X 10.7.3 Update
We have tested OS X 10.7.3 internally, and have had customers confirm our findings that this latest update resolves issues with ".local" domains.
OS X 10.7, Lion, and ".local" domains
Apple has recently made a significant change in how the OS handles requests for ".local" name resolution that can adversely affect Active Directory authentication and DFS resolution.
When processing a ".local" request, the Mac OS now sends a Multicast DNS (mDNS) or broadcast request, then waits for that request to time out before correctly sending the information to the DNS server. The resulting delay causes an authentication failure in most cases.
There is an option to change the mDNS timeout in the Mac OS, and after changing this to the lowest possible number, we've been able to successfully authenticate and verify in our test environment. This does not require any change to your DNS (Apple's "IPv6" solution), only that a command be run on the Mac.
Here are the steps to take to test this in your environment:
- Log in to the Mac with a local admin account
- Launch the Terminal (in the /Applications/Utilities folder)
- At the command prompt, enter the following lines, each followed with the "return" key:
cd /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/
sudo defaults write Info mdns_timeout -int 1
- Enter your password when prompted (The Terminal does not show that a password is being entered. Simply enter it, then hit return.)
- Reboot
After restarting the Mac, you should be able to install and configure ADmitMac, join the domain, and connect to Windows shares.
Please Note: This solution only works with OS X 10.7, Lion, and only affects ".local" domain login. If you are using Mac OS X 10.6.8, Snow Leopard, please see this FAQ. If your domain does not end in ".local", or if you have any other questions, please contact our Support Specialists at support@thursby.com
ADmitMac v5 is not supported on OS X 10.7, Lion. If you have already upgraded to Lion, the incompatibility can cause a situation preventing you from logging in to any account. To remedy this situation, please follow these steps:
NOTE: If you do not feel comfortable performing these steps, please contact our Support Specialists for further help.
1. Restart the computer holding down the Command+S keys. This will start the system up in Single User mode.
2. At the prompt type the following commands (these commands will be listed above the prompt just in case you need to reference them):
/sbin/fsck -fy {hit the return key}
/sbin/mount -uw / {hit the return key}
3. Modify the /etc/authorization file. At the prompt type
vi /etc/authorization {return}
This opens the file in the vi editor. Then type:
/AMHomeDirMechanism {return}
This searches for the first occurrence of AMHomeDirMechanism (case-sensitivity is important).
Repeat the following two keystrokes:
dd (don't press return; this deletes the line the cursor is on)
n (don't press return; this searches for the next occurrence of AMHomeDirMechanism)
until there are no more occurrences of AMHomeDirMechanism (vi will say "E486: Pattern not found: AMHomeDirMechanism"). Depending on the version, there will be 3 or 4 occurrences.
Then:
:wq {return} (This saves the file).
(NOTE: You may see "E138 Can't write viminfo file $HOME/.viminfo!". If so, please hit the return key, then continue.)
exit {return}
This last line allows the boot to continue, and you should then be able to log in and INSTALL ADmitMac v6.
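The vi loop above, written as a non-interactive shell function that also keeps a backup. This is an added example, not Thursby's code: the names strip_mechanism and make_sample and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: removes every line containing a mechanism name from an
# authorization file, as the "dd / n" loop in vi does, keeping a backup.
# Usage (assumed): strip_mechanism /etc/authorization AMHomeDirMechanism

# strip_mechanism FILE NAME -> prints the number of lines removed
strip_mechanism() {
    file=$1; name=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Literal, case-sensitive match, like the vi search in the procedure.
    count=$(grep -c -F -- "$name" "$file" || true)
    if [ "$count" -eq 0 ]; then
        echo 0; return 0                  # nothing to remove, no backup made
    fi
    cp -p "$file" "$file.bak" || return 1 # original kept for rollback
    tmp="$file.tmp.$$"
    # grep -v exits 1 when every line matched; only >1 is a real error.
    grep -v -F -- "$name" "$file" > "$tmp" || [ $? -eq 1 ] \
        || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp" || return 1
    echo "$count"
}

# Constructed sample, NOT a real /etc/authorization: three entries to
# remove plus a similarly named built-in entry that must survive.
make_sample() {
    cat > "$1" <<'EOF'
<array>
  <string>builtin:auto-login,privileged</string>
  <string>AMHomeDirMechanism:constructed-a</string>
  <string>loginwindow:login</string>
  <string>AMHomeDirMechanism:constructed-b,privileged</string>
  <string>HomeDirMechanism:login,privileged</string>
  <string>AMHomeDirMechanism:constructed-c</string>
</array>
EOF
}
```

Because the match is on the full name, the unrelated HomeDirMechanism entry in the sample is left in place. On the Mac, running plutil -lint /etc/authorization afterwards confirms the file is still a well-formed property list.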
Updated 11:00 am, July 20
OS X 10.7, Lion, was released Wednesday morning, July 20.
PKard v1.0.1 is supported on OS X 10.7, Mac OS X 10.6, and Mac OS X 10.5.
ADmitMac v6 and DAVE v9, announced today, will support OS X 10.7 and Mac OS X 10.6. Customers with a current Support & Upgrade Agreement will receive these upgrades at no additional cost, and will be emailed the upgrade information this week.
DAVE v8, ADmitMac v5, and ADmitMac PKI v3.1 are not supported on Lion. Upgrading your OS with these products installed can result in the inability to log in, error messages during boot, or errors during any attempt to configure. Prior to upgrading your Mac to OS X 10.7, Lion, uninstall your Thursby product using the provided uninstaller (/Library/Application Support/productname) to prevent these issues. If you have already upgraded, and you cannot log in, please see this FAQ.
ADmitMac and DAVE have been tested and found to work properly with Network Appliance Filer v5.3 and above. We do provide support for the latest public release of DAVE and ADmitMac when used with the latest supported versions of Network Appliance Filer.
The smbclient allows clients to connect to Samba as a server and the smbmount connects to the Windows computers as if Samba is the client. We've done extensive testing with DAVE Client connecting to Samba as a server and we support this type of connection. Unfortunately, smbmount is only available with Linux and DAVE does not support this connection at this time. In the future, we may work with the developers of Samba to test smbmount with DAVE Sharing to allow the two products to function together completely.
There should be no problem accessing files copied using one method and accessed using another as long as the file does not store important information in the resource fork.
However, if the file being accessed does store important information in the resource fork, you may have trouble using the file with DAVE/ADmitMac if it was copied there using Apple's SMB. Likewise, Apple's SMB cannot read the resource fork data of a file copied using DAVE/ADmitMac. DAVE and ADmitMac store the resource fork data on the server using the same specifications as Microsoft's own Services for Macintosh (SFM). However, Apple's SMB stores the resource fork information on the server in a more UNIX-like format which does not conform to Microsoft's SFM.
What this means is that if you copy a file with a resource fork to a server with DAVE/ADmitMac, you may only be able to access that file with DAVE/ADmitMac. If you copy a file with a resource fork with Apple's SMB you may only be able to access that file with Apple's SMB.
If you are trying to migrate from Apple's SMB to using DAVE or ADmitMac, we have created a script that can convert the resource forks of files copied using Apple's SMB into the format that DAVE and ADmitMac use. Here is the link to a page with more information as well as a link to download it:
http://www.thursby.com/converter
DAVE will communicate through firewall software if the software is configured to allow traffic to and from the ports DAVE uses. DAVE uses ports 137, 138, 139 and 445 using TCP and UDP. Another solution is to allow all TCP/IP traffic from a particular IP address (in this case the IP address of the Macintosh) to go through the firewall.
Here are links to pages on Microsoft's website with information on configuring the built in firewall for Windows XP:
If you are using Windows XP SP 1:
- How to turn on or turn off the Internet firewall in Windows XP: http://support.microsoft.com/kb/283673/
- How to manually open ports in Internet Connection Firewall in Windows XP: http://support.microsoft.com/default.aspx?scid=kb;EN-US;308127
If you are using Windows XP SP 2:
- Description of the Windows Firewall feature in Windows XP Service Pack 2: http://support.microsoft.com/kb/843090
Unfortunately, DAVE or ADmitMac will not work where Samba is the WINS server. Our engineers have determined that this is due to a problem with Samba's implementation of WINS. This issue does not occur using Microsoft's implementation of WINS. Our engineers have reported this bug to Samba as Bug ID 476.
Some options are:
1. Configure DAVE or ADmitMac to use a different WINS server (a Windows computer running WINS).
2. Disable WINS. This may allow you to browse machines in the same subnet. Machines outside the subnet require that you connect manually by IP address or DNS name.