Augmented users with network home directories – making them PHDs?
Hi Guys,
I've been tasked with the project of trying to get all of our Macs to let users log in with their AD credentials so we don't have to keep two separate user databases, and so we can provide a centralized password change service, etc. We still need to apply some basic policy to these users, so the magic triangle seemed like a good solution.
Following Arek's excellent guide in the OS X Directory Services 10.6 book, I created a test environment and I started with a fresh install of snow leopard server. I ran all the updates and then I bound the server to AD, kerberized the services, and then configured the OD master. All went as expected. We're in a disjoint namespace here though, so I followed the instructions in [url=http://support.apple.com/kb/HT3795]this[/url] article and made the necessary edit to the AppleFileServer plist to use the correct principal. All other services seemed to update automatically.
What I didn't know was the bosses also wanted to have two separate home directories for our Mac users. One on the windows server for the windows machines and one on the Xserve for the Mac machines. To do this, I edited the augmentconfiguration to allow for the home directory attributes, and then I augmented a test account record and provided the NFSHomeDirectory and HomeDirectory attributes per Arek's guide. I then created the home folder using createhomedir and everything went smoothly.
On the client machine, I bound it to OD first, then AD (unchecked all of the options except default user shell). I then logged in with the test augment user. Success. Everything loaded, there was an active AFP session listed in Server Admin, and running klist in Terminal showed the TGT from the AD controller and the afpserver ticket from the Xserve in the correct AD realm. Trying to access another service on the Xserve like SMB presented me with the list of shares without having to re-authenticate, thus telling me SSO was working correctly.
Here's where things got tricky, and here's where I need your help...
Ideally, we'd like to make these augmented users' network home directories also PHDs that sync in an effort to put less strain on the Xserve at peak login times.
I created a new computer group, added the test client machine I've been using as a member, and set the following Mobility settings for the group:
Account Creation >> Creation >> Always >> Create mobile account (and all sub checkboxes)
Create Home Using: network home...
Account Creation >> Options >> Never
Account Expiry >> Never (for now)
Rules >> Preference Sync >> Never (for now)
Rules >> Home Sync >> Always >> Default options for now
Rules >> Options >> Always >> Sync in background manually and show status
I then edited the preference manifest for "Mobile account and other options" for the group to include the Synchronization URL for the share. It's something like afp://macmini.subdomainhere.rmu.edu/StuDirs/%@
I then tried logging in as the augmented user again. It prompted me for the mobile account, I created it, and it seemed to sync on [i]login[/i].
The problem is, on a [i]manual sync or logout sync[/i], it's asking for the password of the test account. klist shows no cached tickets for the account either.
Why are the tickets generated and cached correctly when I log in as this augmented user just as a normal network user, but as soon as I enable mobility options, SSO seems to break?
I've also tried using the AD connector to create the mobile account rather than MCX and only specified the Synchronization URL via MCX. That also didn't work.
Thanks so much. Any help would be much appreciated. If I'm going about this the complete wrong way, please tell me. I'm certainly new to incorporating multiple directory services.
Mike Boylan
RMU IT :: Mac OS X
http://mikeboylan.com
@mboylan on Twitter