A detailed overview of how to integrate OS X clients into an Active Directory environment while still retaining the ability to manage the clients with the OS X Server tools.
Now up to version 1.4. Lots of changes including a section on troubleshooting. Grab the AD Integration pdf here.
Crap! I usually check those; as with all things AFP, it’s in the downloads section.
Hey at least I made it link, even if it doesn’t go anywhere.
—
Changing the world, one server at a time.
Joel Rennich
http://www.afp548.com
Hmmm… I like that!
—
Breaking my server to save yours.
Josh Wisenbaker
http://www.afp548.com
Please post specific problems in the forum.
—
Changing the world, one server at a time.
Joel Rennich
http://www.afp548.com
Great white paper, but I have a few comments and questions.
1) On page 3 you recommend "make sure the munge the original set up to that the kerberos KDC does not start on the OD master". Can you please expand on this? What do you mean by "munge the setup"?
2) If I read the paper correctly, you recommend NOT joining the OD to the AD (page 7). I think I understand that. The OD groups then will just have the UID of the users, and it will be up to the client to resolve those UIDs, right?
I actually plan on using the info from this article to integrate our corporate KDC (hacked /etc/authorization file), NIS directory (where mounts.byname supplies home dir info), and diskless booting. I will present at the O’Reilly Mac OS X conference. I will definitely give afp548 credit!
Thanks.
Thanks for the great article, Joel… I have managed to get all users authenticating from the AD server, used the OS X Server as the base for home directories, and am also using it to control OS X client preference settings using Workgroup Manager.
Is it possible to use the Postfix mail server on the OS X Server to accept mail for users in the AD? I have tried using Workgroup Manager, switching to the AD list and enabling mail, but all I get is an error…. Is it possible?? I have read the SSO article by 4AM Media but I am not sure if this will do what I need.
Cheers
Francois.
Forgot to mention, we only have Windows Server 2003 – NO Exchange server….
I have followed the instructions for SSO and created three users: pop, imap and smtp. I have updated the /etc/MailServicesOther.plist to include the three users.
When trying to log in with webmail, the mail log reports that "Mail has not been enabled for user test"…. Where do I need to enable mail for this user??
I have tried using Workgroup Manager, but always get the following 2 errors:
"Error of type -14137 on line 237 of UserMailPluginView.mm"
"Error of type -14140 on line 3075 of PMMUGSearchController.mm"
So mail’s a bit of a bugger here.
You need to write back to the AD system to get mail prefs to work. There isn’t a real good way to do this and use the AD plugin.
I’ve seen people do this by using the LDAP plugin and then static mapping the mail attribute… but that was kind of messy.
If you want you can use a 3rd party mail system that can handle LDAP and Kerberos. Cyrus is a good bet, just not the one that Apple shipped.
—
Changing the world, one server at a time.
Joel Rennich
http://www.afp548.com
Thanks for the reply. I would like to give it a go….
I have had a quick look in the /Library/Preferences/DirectoryService directory and I suppose that if I were to try modifying the LDAP plugin mapping, then DSLDAPv3PlugInConfig.plist would be the file to look at??
Looking inside this file, there are two mail sections; below is the 2nd:
<dict>
    <key>Native Map</key>
    <array>
        <string>mail</string>
    </array>
    <key>Standard Name</key>
    <string>dsAttrTypeStandard:EmailAddress</string>
</dict>
So any pointers on where I would start adding/changing to try and get mail working??
Cheers
Francois
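The mapping dicts in DSLDAPv3PlugInConfig.plist pair a DirectoryService standard attribute ("Standard Name") with one or more native LDAP attributes ("Native Map"), so the first thing to check before static-mapping the mail attribute is which native attribute EmailAddress currently resolves to. The script below is an added example, not code from the thread, from Apple or from afp548; it walks a plist of that shape and reports the mappings. Only the "Standard Name" / "Native Map" dicts follow the snippet Francois posted; the surrounding structure (the "Attribute Type Map" key, the RecordName entry and the cn/uid values) is constructed for the example.

```python
"""Inspect Standard Name -> Native Map attribute mappings in a
DirectoryService LDAPv3 plug-in config (added example, not from the page)."""
import plistlib

# Constructed sample: two mapping dicts shaped like the <dict> in the post.
# The "Attribute Type Map" wrapper and the RecordName entry are assumptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Attribute Type Map</key>
  <array>
    <dict>
      <key>Native Map</key>
      <array><string>cn</string><string>uid</string></array>
      <key>Standard Name</key>
      <string>dsAttrTypeStandard:RecordName</string>
    </dict>
    <dict>
      <key>Native Map</key>
      <array><string>mail</string></array>
      <key>Standard Name</key>
      <string>dsAttrTypeStandard:EmailAddress</string>
    </dict>
  </array>
</dict>
</plist>
"""


def find_attribute_maps(node):
    """Recursively yield every dict carrying both mapping keys, wherever it
    sits in the plist tree, so the outer layout does not have to be known."""
    if isinstance(node, dict):
        if "Standard Name" in node and "Native Map" in node:
            yield node
        for value in node.values():
            yield from find_attribute_maps(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_attribute_maps(item)


def load_mappings(plist_bytes):
    """Return {standard attribute name: [native LDAP attribute names]}."""
    root = plistlib.loads(plist_bytes)
    mappings = {}
    for entry in find_attribute_maps(root):
        natives = entry["Native Map"]
        if isinstance(natives, str):  # tolerate a bare <string> instead of <array>
            natives = [natives]
        mappings.setdefault(entry["Standard Name"], []).extend(natives)
    return mappings


def check_mail_mapping(plist_bytes, native="mail"):
    """True when dsAttrTypeStandard:EmailAddress maps to the given native attribute."""
    mappings = load_mappings(plist_bytes)
    return native in mappings.get("dsAttrTypeStandard:EmailAddress", [])


if __name__ == "__main__":
    for std, natives in sorted(load_mappings(SAMPLE_PLIST).items()):
        print(f"{std} -> {', '.join(natives)}")
    print("EmailAddress mapped to mail:", check_mail_mapping(SAMPLE_PLIST))
```

To run it against a real client, read /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig.plist into `load_mappings` instead of the constructed sample; the walker finds the mapping dicts regardless of which server config or record type they hang under.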
That’s because it’s a kerb realm, not a DNS domain. The caps are so you can tell they are different.
—
Breaking my server to save yours.
Josh Wisenbaker
http://www.afp548.com
I have set up the OS X Server as OD master and also to house the home directories. That all seems to be working fine. However, since I have the tape backup on the OS X Server, I would like to back up some directories that have PC-app-only data on them on the AD server. Whenever I try to connect to the AD server I am informed of having the wrong username and password….
Inspecting the logs gives something like this:
mount_smbfs: No credentials cache found krb5_cc_get_principal
mount_smbfs: tree connect phase failed: syserr = Permission denied
mount_smbfs: could not login to server MYADSERVER: syserr Permission denied.
Now, I have tried logging in using the AD administrator’s user name and password and other AD users, all with the same issue…
How can I mount file shares from the AD server???
PS. I have tried running mount_smbfs from the command line but get the same result.