Articles August 20, 2004 at 6:27 pm

AD-OD Integration Whitepaper – Updated

A detailed overview of how to integrate OS X clients into an Active Directory environment while still retaining the ability to manage the clients with the OS X Server tools.

Now up to version 1.4. Lots of changes including a section on troubleshooting. Grab the AD Integration pdf here.

  • Crap! I usually check those, as with all things AFP it’s in the downloads

    Hey at least I made it link, even if it doesn’t go anywhere.

    Changing the world, one server at a time.

    Joel Rennich

  • Hmmm… I like that!

    Breaking my server to save yours.

    Josh Wisenbaker

  • Please post specific problems in the forum.

  • AllanMarcus

    Great white paper, but I have a few comments and questions.

    1) On page 3 you recommend "make sure the munge the original set up to
    that the kerberos KDC does not start on the OD master". Can you please
    expand on this? What do you mean by "munge the setup"?

    2) If I read the paper correctly, you recommend NOT joining the OD to the AD
    (page 7). I think I understand that. The OD groups then will just have the UID
    of the users, and it will be up to the client to resolve those UIDs, right?

    I actually plan on using the info from this article to integrate our Corporate
    KDC (hacked /etc/authorization file), and NIS directory (where
    mounts.byname supplies home dir info), and diskless booting. I will present
    at the O’Reilly Mac OS X conference. I will definitely give afp548 credit!

  • fherbert

    Thanks for the great article Joel… I have managed to get all users authenticating from the AD server, used the OS X Server as the base for home directories and am also using it to control OS X client preference settings using Workgroup Manager.
    Is it possible to use the Postfix mail server on the OS X server to accept mail for users in the AD? I have tried using Workgroup Manager, changing to the AD list and enabling mail, but all I get is an error…. Is it possible?? I have read the SSO article by 4AM Media but I am not sure if this will do what I need.


    • fherbert

      Forgot to mention, we only have Windows Server 2003 – NO Exchange server….

    • fherbert

      I have followed the instructions for SSO and created three users: pop, imap
      and smtp. I have updated /etc/MailServicesOther.plist to include the three.
      When trying to log in with webmail, the mail log reports that "Mail has not
      been enabled for user test"…. Where do I need to enable the mail for this

      I have tried using Workgroup Manager, but always get the following 2 errors:
      "Error of type -14137 on line 237 of"
      "Error of type -14140 on line 3075 of"

      • so mail’s a bit of a bugger here.

        You need to write back to the AD system to get mail prefs to work. There
        isn’t a real good way to do this and use the AD plugin.

        I’ve seen people do this by using the LDAP plugin and then static
        mapping the mail attribute… but that was kind of messy.

        If you want you can use a 3rd party mail system that can handle ldap and
        krb. Cyrus is a good bet, just not the one that Apple shipped.

        • fherbert

          Thanks for the reply. I would like to give it a go….
          I have had a quick look in the /Library/Preferences/DirectoryService directory and I suppose that if I were to try modifying the LDAP plugin mapping, then DSLDAPv3PlugInConfig.plist would be the file to look at??

          Looking inside this file, there are two mail sections; below is the 2nd:

          <key>Native Map</key>
          <key>Standard Name</key>

          So any pointers on where I would start adding/changing things to try and get mail working??


  • That’s because it’s a kerb realm, not a DNS domain. The caps are so you
    can tell they are different.

  • fherbert

    I have set up the OS X server as OD master and also to house the home
    directories.. that all seems to be working fine. However, since I have the tape
    backup on the OS X server, I would like to back up some directories that have
    PC-app-only data on them on the AD server. Whenever I try to connect to the
    AD server I am informed of having the wrong username and password….

    Inspecting the logs gives something like this:

    mount_smbfs: No credentials cache found krb5_cc_get_principal

    mount_smbfs: tree connect phase failed: syserr = Permission denied
    mount_smbfs: could not login to server MYADSERVER: syserr Permission

    Now, I have tried logging in using the AD administrator’s user name and
    password and other AD users, all with the same issue…
    How can I mount file shares from the AD server???

    PS. I have tried running mount_smbfs from command line but get the same