How to kerberize your OS X Server when using AD for authentication.
I was going to write up my own, but Michael has done a great job of documenting all this and there’s nothing I can add. For what it’s worth I prefer the Unix-centric method halfway down the page.
We have an Active Directory on our Windows 2003 box. We have four stand-alone Panther servers. We do NOT have an open directory server. The 10.3.5 servers are all bound to the AD and serve AFP home directories to our 10.3.5 clients just fine. With modifications to the /etc/SMB.conf that are well documented in Michael Bartosh’s O’Reilly article, they serve network Home folders to our Windows XP clients. We even have single sign-on working with AFP, thanks to the above mentioned Michael Bartosh SSO instructions and Aaron Rosenblum’s article at http://www-personal.umich.edu/~arosenbl/SSOStuff/ODAuthAuthzAD.html
What we don’t have working is AFP shares (not the home directories) that respect group permissions of local-to-server groups or AD groups. If a user logs in with a network home directory and mounts a share (Connect to Server dialog), the user privileges are respected, but not the group. For example, a user (John) is a member of group (Faculty) and permissions on the share are:
owner – admin (not the network user): read/write
group – Faculty (network user is member of group): read/write
other: read only
The user will mount the share as read only, ignoring his group rights to read/write.
We thought, boy that is strange and unfortunate, but it isn’t a show stopper,
because the same shares, when connected to with SMB, do respect the group
privileges.
Unfortunately, we didn’t anticipate users with bunches of legacy documents
that do not have file extensions or are otherwise inaccessible or inexecutable
when they are shared with SMB.
Has anybody seen this? Anybody have a solution?
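A small diagnostic for the symptom described above, added here as an example and not part of the original thread or of Michael Bartosh’s documentation. It computes the POSIX mode bits a user should receive on a share from the share’s owner, group and mode string plus the user’s group list, and compares that with what the client actually observed, so you can tell a “group membership was never applied” failure apart from a plain permission mismatch. The names admin, Faculty and john are the ones from the post; the group list fed to the functions is constructed input standing in for the output of `id -Gn john` on the server, which is the assumed source when you run this live.

```shell
#!/bin/sh
# Added example (not from the original thread): evaluate POSIX mode bits for a
# user against a share and compare with what the client saw.

# effective_bits MODE OWNER GROUP USER USER_GROUPS...
# MODE is the 9-character permission string as printed by ls -l, e.g. rw-rw-r--.
# Prints the three bits (owner, group or other) that apply to USER.
effective_bits() {
    mode=$1 owner=$2 group=$3 user=$4
    shift 4
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c1-3
    elif echo " $* " | grep -q " $group "; then
        printf '%s\n' "$mode" | cut -c4-6
    else
        printf '%s\n' "$mode" | cut -c7-9
    fi
}

# diagnose MODE OWNER GROUP USER OBSERVED USER_GROUPS...
# Prints "ok" when the bits the client observed match the expected ones,
# "group-not-applied" when the user fell through to the 'other' bits although
# the group bits should have applied, and "mismatch" for anything else.
diagnose() {
    mode=$1 owner=$2 group=$3 user=$4 observed=$5
    shift 5
    expected=$(effective_bits "$mode" "$owner" "$group" "$user" "$@")
    other=$(printf '%s\n' "$mode" | cut -c7-9)
    if [ "$observed" = "$expected" ]; then
        echo ok
    elif [ "$observed" = "$other" ] && [ "$expected" != "$other" ]; then
        echo group-not-applied
    else
        echo mismatch
    fi
}

# The case from the post: share is rw-rw-r-- owned by admin:Faculty, john is a
# member of Faculty, yet the AFP mount behaved as read-only (r--).
demo() {
    john_groups="john Faculty"   # constructed; stands in for: id -Gn john
    echo "expected: $(effective_bits rw-rw-r-- admin Faculty john $john_groups)"
    echo "verdict:  $(diagnose rw-rw-r-- admin Faculty john r-- $john_groups)"
}

demo
# On the server itself, feed the real group lookup instead of the constructed list:
#   diagnose rw-rw-r-- admin Faculty john r-- $(id -Gn john)
```

If the verdict on the server is `group-not-applied` while `id -Gn john` does list Faculty, the directory lookup is fine and the problem sits in how the AFP service maps the session to its groups; if `id -Gn john` itself omits Faculty, the group resolution against AD is what needs attention first.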
I can’t quite grok all of the ins and outs of your situation, but I often put users’ documents in a read/write OS X disc image on SMB/Win servers to get around filesystem issues.
Not sure if this will work for your situation, though…
bcirvin
—
Professional Services/Training
MacOutfitters of Cranberry, PA
“Fixing my mistakes, one server at a time”
Ok, here’s more of a general question…
So, I want to Kerberize a server and it is running an Open Directory Master. It
is not bound to Active Directory and it is listed as a stand alone Windows
server. These were the best practices, as I understood them.
It appears that we will be buying an Xserve RAID for my Xserve (YAY!) and I
will want to kerberize AFP and SMB, so that it is used seamlessly across
platforms here (Windows XP and Mac OS X). I’ve been told that if you bind
your OD Master to AD, that you leave it in an odd state, causing Software
Update to malfunction, which, of course, I don’t want. So how do I go about
getting the computer password in this case? Would I bind it to AD, kerberize
it, and then unbind it?
I know there’s documentation about Xrealm as well, also by Michael Bartosh,
but that seems far more difficult, risky, and may not be what I need. Though,
we are contemplating moving all of our Mac home directories to the Xserve
when we get the RAID as well, but we’ll be leaving the PC directories on a PC.
Any advice/best practices? I don’t mind putting effort into these things, but I
also don’t want to kill the server! 🙂