Tips September 7, 2004 at 8:17 pm

Single Sign On for AFP using AD

How to kerberize your OS X Server when using AD for authentication.

I was going to write up my own, but Michael has done a great job of documenting all this and there’s nothing I can add. For what it’s worth I prefer the Unix-centric method halfway down the page.


  • We have an Active Directory on our Windows 2003 box. We have four
    stand-alone Panther servers. We do NOT have an open directory server. The
    10.3.5 servers are all bound to the AD and serve AFP home directories to our
    10.3.5 clients just fine. With modifications to the /etc/SMB.conf that are well
    documented in Michael Bartosh’s O’Reilly article, they serve network Home
    folders to our Windows XP clients. We even have single sign-on working with
    AFP, thanks to the above mentioned Michael Bartosh SSO instructions and
    Aaron Rosenblum’s article at

    What we don’t have working is AFP shares (not the home directories) that
    respect group permissions of local to server groups or AD groups. If a user
    logs in with a network home directory and mounts a share (connect to server
    dialog) the user privileges are respected, but not the group. For example, a
    user (John) is a member of group (Faculty) and permissions on the share are:
      owner – admin (not the network user) read/write
      group – Faculty (network user is member of group) read/write
      other – read only
    The user will mount the share as read only, ignoring his group rights to read/

    We thought, boy that is strange and unfortunate, but it isn’t a show stopper,
    because the same shares, when connected to with SMB, do respect the group

    Unfortunately, we didn’t anticipate users with bunches of legacy documents
    that do not have file extensions or are otherwise inaccessible or inexecutable
    when they are shared with SMB.

    Has anybody seen this? Anybody have a solution?

    • I can’t quite grok all of the ins and outs of your situation, but I often put
      user’s documents in a read/write OS X disc image on SMB/Win servers to get
      around filesystem issues.

      Not sure if this will work for your situation, though…


      Professional Services/Training
      MacOutfitters of Cranberry, PA
      “Fixing my mistakes, one server at a time”

  • Ok, here’s more of a general question…

    So, I want to Kerberize a server and it is running an Open Directory Master. It
    is not bound to Active Directory and it is listed as a stand-alone Windows
    server. These were the best practices, as I understood them.

    It appears that we will be buying an Xserve RAID for my Xserve (YAY!) and I
    will want to kerberize AFP and SMB, so that it is used seamlessly across
    platforms here (Windows XP and Mac OS X). I’ve been told that if you bind
    your OD Master to AD, that you leave it in an odd state, causing Software
    Update to malfunction, which, of course, I don’t want. So how do I go about
    getting the computer password in this case? Would I bind it to AD, kerberize
    it, and then unbind it?

    I know there’s documentation about Xrealm as well, also by Michael Bartosh,
    but that seems far more difficult, risky, and may not be what I need. Though,
    we are contemplating moving all of our Mac home directories to the Xserve
    when we get the RAID as well, but we’ll be leaving the PC directories on a PC.

    Any advice/best practices? I don’t mind putting effort into these things, but I
    also don’t want to kill the server! 🙂
