Arte
Tuesday, February 21 2006 @ 01:45 pm MST
I think I have read almost all tutorials now regarding AD integration. But let me first describe what I want.
We have an AD setup in-house which seems to work well enough for the Windows clients. I have an Xserve G5 connected to a RAID which I would like to use as a home server for our iBook and PowerBook users. They are going to get mobile homes. The simple way would be to put the server's path into the UNC of AD and simply let all Mac clients authenticate using the AD plugin. The problem is I have a really hard time convincing the AD admin to change that entry.
We are talking about 10 users here, and just creating OD accounts for them is okay for me, but I don't want them to run to three different people just for passwords (AD, NIS, and me for OD). So the solution seems to be to let them get their user from OD and then direct authentication to the AD KDC.
Now I would like to have a how-to for that. I already killed my setup in an attempt. I tried adding the AD server as an LDAPv3 server. A broken entry in Directory Access' LDAPv3 plugin has made the server unusable (DirectoryService unexpectedly quitting every few seconds, after kerberosautoconfig starts it); I can't even sudo anymore ... new install tomorrow.
Thanks,
Leo.
dthompson
Wednesday, February 22 2006 @ 05:45 am MST
Have you seen this link here? It sounds to me like you are looking to create cross realm authentication.
http://www.4am-media.com/sso/#unix
David
Arte
Wednesday, February 22 2006 @ 10:55 am MST
Quote by dthompson: Have you seen this link here? It sounds to me like you are looking to create cross realm authentication. http://www.4am-media.com/sso/#unix
That was a great hint I had not dared to try before ... Anyway, I have set up the Kerberos cross-realm auth and now I can log in a user with his AD password. Using Cmd-K in Finder and trying to mount afp://server/Users/username will promptly mount the directory. However, it looks like the user does not get a ticket upon login, since /Network/Servers/server/Users is mounted as guest, as I can see from Server Admin. I tried setting up /etc/authorization as explained in some tutorials but with no positive results. Any more hints?
Arte
Wednesday, February 22 2006 @ 12:49 pm MST
I did a few more tests. I am sure the Kerberos stuff works. After I have logged in, klist displays a TGT and, as described, Cmd-K mounting works flawlessly. However, looking up users with lookupd -d and userWithName: leo shows home: /Users/leo, which indicates that the home directory somehow gets lost in the process.
With WGM on the Xserve I do see smb://server/Users/leo as the home. This is very strange. Is the home directory in AD on Windows Server 2003 in some different attribute? I found it in SMBHome and something like (I don't have access at the moment) dsAttribute:HomeDirectory.
Leo.
Arte
Thursday, February 23 2006 @ 07:46 am MST
A long fight, but now I know the pitfalls ...
The main problem all along was that the home directories were not seen and mounted. The important part is to put all Mac computer accounts in AD into the Pre-Windows 2000 Authentication group so that the AD plugin can read all user attributes. After that is done it works like a charm.
The Kerberos stuff above is then a nice side thing to be able to host the home directories on an AFP volume on an Xserve with single sign-on.
dthompson
Thursday, February 23 2006 @ 08:58 am MST
With this type of setup though, you don't necessarily need a Mac OS X Workstation to be bound to AD. It can sort of work the other way where you can bind WINXP/2000 workstations to AD and then use the trust realm off of OD Servers to authenticate them. This should then create a trust between the realms for the users:
userjoe@OD.COMPANY.COM --> userjoe@AD.COMPANY.COM
Basically you can move the OD Server to the top spot in the authentication mechanism and have AD workstations use OD for logins but still be managed by the native AD Directory Service. It does get convoluted though... Not quite as nice as plugging OSX Client/Server into AD Services.
David
Arte
Thursday, February 23 2006 @ 12:10 pm MST
Nice idea, but that's not an option here. I am sort of an appendix to the rest of our infrastructure, trying to integrate the Macs better.
While playing around with my test Mac I found that after a reboot the user logging in does not get his Kerberos ticket and thus the AFP mount fails. It may have to do with me playing with edu.mit.Kerberos, so I will replace it with the default (is re-binding the client with AD enough?).
This is not a big issue, as the user with a mobile home can mount the home dir and then the home synchronization works just fine. It would just add to the happiness of the users (esp. my boss :-).
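Added example, not part of this thread and not code from any of the tools it mentions: the cross-realm setup in dthompson's post (userjoe@OD.COMPANY.COM trusting AD.COMPANY.COM) and the edu.mit.Kerberos file Arte was editing both come down to a Kerberos configuration in krb5.conf section syntax, and a broken entry there silently stops the client from getting a ticket at login. The script below parses a constructed configuration for the two realms named in the thread (the KDC host names are made up) and checks the things a defender would verify before blaming the login window: both realms have a KDC, the default realm is the local OD realm, and every [domain_realm] mapping points at a realm that is actually defined. The function names parse_krb5 and check_cross_realm are this example's own.

```python
"""Sanity-check a two-realm Kerberos configuration (krb5.conf / edu.mit.Kerberos syntax).

Constructed sample for the realms named in the thread; host names are invented.
"""
import re

# Constructed: a working OD <-> AD configuration.
SAMPLE_CONFIG = """\
[libdefaults]
    default_realm = OD.COMPANY.COM

[realms]
    OD.COMPANY.COM = {
        kdc = odserver.company.com      # hypothetical host
        admin_server = odserver.company.com
    }
    AD.COMPANY.COM = {
        kdc = dc1.ad.company.com        # hypothetical host
    }

[domain_realm]
    .company.com = OD.COMPANY.COM
    company.com = OD.COMPANY.COM
    .ad.company.com = AD.COMPANY.COM
"""

# Constructed: the same file with the AD realm block accidentally deleted,
# the kind of "broken entry" that leaves users without a ticket after login.
BROKEN_CONFIG = """\
[libdefaults]
    default_realm = OD.COMPANY.COM

[realms]
    OD.COMPANY.COM = {
        kdc = odserver.company.com
    }

[domain_realm]
    .company.com = OD.COMPANY.COM
    .ad.company.com = AD.COMPANY.COM
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_ASSIGN = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse_krb5(text):
    """Parse krb5.conf-style text into {section: {key: [values] | {nested}}}.

    Leaf values are kept as lists because keys such as 'kdc' may repeat.
    Nested 'NAME = { ... }' blocks become dicts.  Comments start with '#'.
    """
    sections = {}
    stack = []  # innermost dict last; reset at every [section] header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("assignment before any [section] header: %r" % line)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in configuration")
            stack.pop()
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError("cannot parse line: %r" % line)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def check_cross_realm(cfg, local_realm, remote_realm):
    """Return a list of problems (empty list means the config looks consistent)."""
    problems = []
    realms = cfg.get("realms", {})
    for realm in (local_realm, remote_realm):
        entry = realms.get(realm)
        if not isinstance(entry, dict) or not entry.get("kdc"):
            problems.append("realm %s has no kdc entry in [realms]" % realm)
    default = cfg.get("libdefaults", {}).get("default_realm", [])
    if default != [local_realm]:
        problems.append("default_realm should be %s, found %r" % (local_realm, default))
    domain_map = cfg.get("domain_realm", {})
    mapped = {v[0] for v in domain_map.values() if isinstance(v, list) and v}
    if remote_realm not in mapped:
        problems.append("no [domain_realm] entry maps a DNS domain to %s" % remote_realm)
    for domain, target in domain_map.items():
        if isinstance(target, list) and target and target[0] not in realms:
            problems.append("[domain_realm] maps %s to undefined realm %s" % (domain, target[0]))
    return problems


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        found = check_cross_realm(parse_krb5(text), "OD.COMPANY.COM", "AD.COMPANY.COM")
        print(name, "->", found or "OK")
```

The checker only covers the client-side file; a cross-realm trust additionally needs the matching krbtgt principals on both KDCs, which no amount of editing edu.mit.Kerberos can substitute for. Running it over the two constructed inputs reports the sample as consistent and flags the broken file twice: the AD realm lacks a KDC, and the .ad.company.com mapping points at a realm that no longer exists.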