Open Directory / Active Directory Integration
This topic has 15 replies, 11 voices, and was last updated 15 years, 3 months ago by thopa153.
ryanbe15 (Participant), January 27, 2007 at 10:41 pm, #368119
I’ve been tasked with integrating our Mac environment into our Active Directory environment. What I would like to do is to have an Open Directory master manage all the Mac computer accounts and have Active Directory manage all the user accounts.
To do this I would like to create a trust between the OD environment and our AD environment. So basically, when a user logs in, Open Directory will forward the request to AD for the user information.
Any help or articles will be much appreciated.
Thanks,
Ryan

ryanbe15 (Participant), February 1, 2007 at 7:02 pm, #368178
OK, cool, I got it all working except for one thing… I can’t manage the Mac clients. Any clue what I’m doing wrong?
Thanks,
Ryan

dewats7 (Participant), February 5, 2007 at 4:54 am, #368207
I am familiar with and have successfully implemented the “magic triangle” in a test environment. In my production environment, I already have 13,000 Open Directory accounts and an NT 4 domain controller for about 100 people. I would like to get rid of the NT 4 and possibly upgrade to AD. But I want the opposite of what I’ve seen so far.
I would like to have all user accounts in OD and have AD manage preferences and group policies for the computers. I’ve looked into pGina, but this seems to only deal with authentication for logon purposes. It does not seem to be capable of allowing me to add users to Windows-based groups for security controls on services. I’ve read information on linking Kerberos for cross-realm authentication, but it seems that it still requires user accounts to exist within the AD domain (though I could have misinterpreted what I read; I haven’t tested it yet).
Any insight would be great.

arekdreyer (Member), February 5, 2007 at 2:15 pm, #368210
> Quote by: dewats7
> I would like to have all user accounts in OD and have AD manage preferences and group policies for the computers.
We currently can’t manage AD Group Policy Objects from Open Directory.
When we want to manage OD preferences from AD, we simply extend the AD schema so that it includes the OD attributes and objects. Likewise, it would be technically possible to extend the OD schema to include AD attributes and objects, but supporting GPOs would require more than simply extending the OD schema, unfortunately.

dewats7 (Participant), February 5, 2007 at 4:14 pm, #368212
I’m not even going to try to go down the path of having OD try to do group policies for Windows machines. I want to run AD and OD side-by-side, each system managing its own computers. My issue is where the user accounts reside. There’s tons of information about how to have OD pull and authenticate users existing in AD. I can find very little on how to have AD pull and authenticate users existing in OD.

freepms (Participant), April 23, 2007 at 9:20 pm, #368823
> Quote by: macshome
> Grab our OD/AD whitepaper. It has everything you need to set up a magic triangle system like this.
Might a newbie request a link to that whitepaper, please? Thanks very much!

Steve H. (Participant), May 24, 2007 at 9:18 pm, #369142
> Quote by: dewats7
> I’m not even going to try to go down the path of having OD try to do group policies for Windows machines. I want to run AD and OD side-by-side, each system managing its own computers. My issue is where the user accounts reside. There’s tons of information about how to have OD pull and authenticate users existing in AD. I can find very little on how to have AD pull and authenticate users existing in OD.
Just wanted to echo this. I am fortunate enough to admin an all-Mac office, but we are headed to dual-platform. I want to have AD handle management of the Windows users but pull accounts, etc. from OD. I’m starting to read the white paper now, but if anyone can point me to some more good info it would be much appreciated!

brentm (Participant), July 12, 2007 at 1:57 pm, #369492
To have all user accounts reside in OD, check out cross-realm: https://www.afp548.com/article.php?story=20070127105017768

Dannyv (Participant), January 10, 2008 at 1:02 am, #371038
> Quote by: macshome
> Grab our OD/AD whitepaper. It has everything you need to set up a magic triangle system like this.
Is there an updated version of the white paper for 10.5 yet? I’m having a hell of a time trying to get my OD and AD to talk together so that I can manage the Mac users. I had it working in 10.4, but the server crashed, and I rebuilt it from a clean 10.5.

Dannyv (Participant), January 10, 2008 at 5:23 pm, #371060
> Quote by: MacTroll
> It’s not been updated for 10.5.
> The current plan is to completely rewrite it for 10.5 to get rid of a lot of the cruft that has built up in the guide.
> Having said that… the process is fundamentally the same in Leopard. Where are you getting stuck?
I basically did the same thing as I did in 10.4. I can log in with an AD user to the server and to local machines. On local machines I cannot log in with an OD user as I was before, or manage an AD user that logs into a machine. I’m pretty sure I have set up the OD properly… I have:
– Bound the server to AD
– Set up the server as an OD Master
– Created a group called AD2OD, first on the local/Default directory, and now on /LDAPv3/127.0.0.1
– Added the AD groups I want to the AD2OD group
– Made changes to the AD2OD group preferences
– Added the server name to the local machines’ Directory Utility LDAPv3, with the AD domain name first and the OD server second
Sound right?
Side note… I remember using the Directory app in 10.5 (on a client machine) to search for the OD users, and at one point I was able to see the OD users, not AD; as of right now I can see AD users but not OD. The Directory app on the server can see both AD and OD fine.
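The checklist in the post above names the pieces that have to line up on a client for the magic triangle to work: the search-path order, the AD2OD group on the OD master, and the AD groups nested inside it. The script below is an added example, not code from the thread or from Apple, that checks those pieces from captured `dscl` and `dsmemberutil` output on a 10.5 client: that the AD node is listed before the OD node (the order the post describes), that the AD2OD group actually has nested groups, and that a given AD user resolves into it. The node names `/Active Directory/All Domains` and `/LDAPv3/odmaster.example.com` are assumptions; use the nodes Directory Utility shows on your client. The sample output at the bottom is constructed so the checks can be tried away from a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): check the client-side pieces of a
# magic triangle from dscl/dsmemberutil output. Node names are assumptions.

AD_NODE="/Active Directory/All Domains"    # assumed AD plug-in node name
OD_NODE="/LDAPv3/odmaster.example.com"     # placeholder OD master node
MCX_GROUP="AD2OD"                          # group name used in the post

# check_search_order TEXT
#   TEXT is the output of:  dscl /Search -read / CSPSearchPath
#   Succeeds only if both nodes are on the search path and the AD node is
#   listed before the OD node (the order described in the post). dscl prints
#   one value per line here because the AD node name contains spaces.
check_search_order() {
    ad_line=$(printf '%s\n' "$1" | grep -n -F -- "$AD_NODE" | head -n 1 | cut -d: -f1)
    od_line=$(printf '%s\n' "$1" | grep -n -F -- "$OD_NODE" | head -n 1 | cut -d: -f1)
    [ -n "$ad_line" ] && [ -n "$od_line" ] && [ "$ad_line" -lt "$od_line" ]
}

# check_nested_groups TEXT
#   TEXT is the output of:  dscl "$OD_NODE" -read "/Groups/$MCX_GROUP" NestedGroups
#   Nested groups are stored as GeneratedUID values; succeed if at least one
#   GUID-shaped value is present (an empty group manages nobody).
check_nested_groups() {
    printf '%s\n' "$1" | grep -E -q '^NestedGroups:.*[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-'
}

# check_membership TEXT
#   TEXT is the output of:  dsmemberutil checkmembership -U <user> -G "$MCX_GROUP"
#   Succeeds when the tool reports the user as a member.
check_membership() {
    printf '%s\n' "$1" | grep -v 'not a member' | grep -q 'is a member of the group'
}

# Constructed sample output, so the checks can be tried away from a Mac.
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/odmaster.example.com'
SAMPLE_NESTED='NestedGroups: 1A2B3C4D-1111-2222-3333-444455556666'
SAMPLE_MEMBER='user jdoe is a member of the group'

report() {
    # report LABEL FUNC TEXT : print PASS/FAIL for one check
    if "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

if command -v dscl >/dev/null 2>&1; then
    # On a bound client: run the real tools. $1 is an AD user to test.
    report "search path has AD before OD" check_search_order "$(dscl /Search -read / CSPSearchPath)"
    report "$MCX_GROUP has nested groups" check_nested_groups "$(dscl "$OD_NODE" -read "/Groups/$MCX_GROUP" NestedGroups)"
    if [ -n "$1" ]; then
        report "$1 is in $MCX_GROUP" check_membership "$(dsmemberutil checkmembership -U "$1" -G "$MCX_GROUP")"
    fi
else
    # Elsewhere: exercise the checks on the constructed sample.
    report "sample search path"   check_search_order "$SAMPLE_SEARCH_PATH"
    report "sample nested groups" check_nested_groups "$SAMPLE_NESTED"
    report "sample membership"    check_membership "$SAMPLE_MEMBER"
fi
```

Run it on the client as `sh check-triangle.sh someaduser`. A FAIL on the search-path check matches the symptom in the post (AD users visible, OD users not, or the reverse); a FAIL on the nested-groups check means the AD2OD group exists but the AD groups were never actually added to it, so its MCX settings apply to nobody.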

CostasPPC1 (Participant), January 16, 2008 at 7:21 pm, #371135
Well, OK, I’ve implemented an AD-OD magic triangle using Mike Bombich’s instructions. I have a 2003 SBS AD and a 10.4 OD Master.
I have a group called ADusers which holds the users from AD.
I need to have Network Home Folders for these users (Macintosh machines) on the 10.4 Server with login/logout sync.
I’ve created the home folders’ share on the 10.4 Server. I cannot set a user from “Active Directory All Domains” to have a Network Home folder on the Tiger Server.
Thanks
Kostas

CostasPPC1 (Participant), January 16, 2008 at 7:26 pm, #371136
I’ve read a similar post here: https://www.afp548.com/forum/viewtopic.php?showtopic=18754. How do you set the Tiger Server location of home folders into the Windows Server (correct path)?

thopa153 (Participant), December 21, 2009 at 11:35 pm, #377708
Hi, I’ve been trying to get the magic triangle to work for a while now. I’ve got as far as integrating the users from AD into OD; AD users can now log in to our OS X client machines and can be managed in Workgroup Manager. I am able to set a home directory in Windows for the users using “Active Directory Users and Computers” to the OS X server we are running to host the home directories, and using GPO I am able to redirect My Documents etc. Where it all falls apart is when the users log in to an OS X client machine using AD as authentication: their home directory isn’t there; it isn’t even created where it should be on the server! I’ve been struggling with this for days now; any help would be really good. We are running OS X Server 10.5 and Windows 2003 Server.
Many Thanks
Phil
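For the failure described in the post above (AD users log in, but no home is ever created on the OS X server), the first thing to establish is which home the client is actually asking for. The snippet below is an added example, not code from the thread or from Apple: it pulls the share URL and relative path out of the `HomeDirectory` attribute as a 10.5 client's `dscl` reports it for an AD user, and classifies `NFSHomeDirectory` as a network home (under `/Network/Servers`) or a forced local home (under `/Users`), in which case the server never sees the login at all. The server name `homes.example.com` and both records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the home an AD user gets on a
# 10.5 client from the output of
#   dscl /Search -read /Users/<user> HomeDirectory NFSHomeDirectory
# Server names and records below are constructed.

# home_url TEXT   -> the share URL from the HomeDirectory XML value
home_url()  { printf '%s\n' "$1" | sed -n 's/.*<url>\([^<]*\)<\/url>.*/\1/p' | head -n 1; }

# home_path TEXT  -> the relative path (the user's folder) from that value
home_path() { printf '%s\n' "$1" | sed -n 's/.*<path>\([^<]*\)<\/path>.*/\1/p' | head -n 1; }

# home_kind TEXT  -> "network", "local" or "none"
#   /Network/Servers/... means the AD plug-in derived a network home from the
#   UNC path; /Users/... means the client is set to force local homes, so the
#   server will never see a login for this user.
home_kind() {
    nfs=$(printf '%s\n' "$1" | sed -n 's/^NFSHomeDirectory: *//p' | head -n 1)
    case "$nfs" in
        /Network/Servers/*) echo network ;;
        /Users/*)           echo local ;;
        *)                  echo none ;;
    esac
}

# check_home TEXT SERVER -> succeeds only when a network home on SERVER is requested
check_home() {
    [ "$(home_kind "$1")" = network ] || return 1
    case "$(home_url "$1")" in
        *"://$2/"*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed records: one user whose home points at the OS X server, one
# whose client still forces a local home.
NET_USER='HomeDirectory: <home_dir><url>afp://homes.example.com/Homes</url><path>pthomas</path></home_dir>
NFSHomeDirectory: /Network/Servers/homes.example.com/Homes/pthomas'
LOCAL_USER='HomeDirectory: <home_dir><url>smb://winfs.example.com/Users</url><path>pthomas</path></home_dir>
NFSHomeDirectory: /Users/pthomas'

describe() {
    # describe LABEL TEXT SERVER : one line summarising the record
    printf '%s: kind=%s url=%s path=%s ' "$1" "$(home_kind "$2")" "$(home_url "$2")" "$(home_path "$2")"
    if check_home "$2" "$3"; then echo "(network home on $3)"; else echo "(no network home on $3)"; fi
}

if command -v dscl >/dev/null 2>&1 && [ -n "$1" ]; then
    # On a bound client:  sh check-home.sh <aduser> <homeserver>
    describe "$1" "$(dscl /Search -read "/Users/$1" HomeDirectory NFSHomeDirectory)" "${2:-homes.example.com}"
else
    describe net   "$NET_USER"   homes.example.com
    describe local "$LOCAL_USER" homes.example.com
fi
```

If the record comes back as `local`, the client is not deriving a network home from the AD UNC path at all, and the place to look is the AD plug-in's home-folder options in Directory Utility rather than the server share. If it comes back as `network` but the URL names a different server or protocol than the share you created, that mismatch is why nothing appears on the OS X server.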