Can you do AD and OD with MCX from WGM?

    #358596
    macdojo
    Participant

    A previously reliable source from Apple is telling me that if I want to impose MCX at the user level, I cannot do it by binding my Xserve to the AD domain, since this means it cannot be an OD master. Instead, he is suggesting bind clients to both OD and AD via LDAP in order to get the AD user/account list. Then manage from there. Can anyone corroborate this thinking?

    #358687
    macdojo
    Participant

    OK, so if I am comfortable doing MCX by group, should I use the AD plugin or the LDAP approach? Based on trial and error, it seems like I cannot simultaneously be an OD master and do AD binding, because the AD only seems to work if OD has me “connected to a directory system.” Yet, when I am not an OD master, MCX breaks. So I’ve been trying to get my user records into WGM by LDAP, but cannot seem to get it right either. The last is most likely a mappings issue, since LDAPper works fine with my auth and search base. Jeez, any help would be good. Here’s what I want: MCX by group (or computer), which would require the ability to see my AD users & groups.

    If I start as an OD master and then configure the AD plug-in, I can bind but cannot add the node in WGM.

    If I start as “Connected to” I can bind and see all my records (up to 1000) in WGM, but MCX won’t work. If I try to promote the server to an OD master at this point, I end up breaking the AD node and cannot auth to OD either, unless I create another admin account and auth as that.

    Working on some things…

    #358690
    macdojo
    Participant

    OK, Joel! That worked. You’re the King. Where do I send the bottle of Scotch? But wait, there’s more…

    Flushed with success, I ran to the IT guys only to have them tell me that they don’t want to manage 2 directories, i.e. adding a user in AD requires adding one in OD. So, we’re talking schema changes, right?

    Thanks again

    #359633
    Anonymous
    Guest

    I have got an OS X 10.3.5 server and clients, and a Win2k3 server using AD. I am using ExtremeZ-IP to make the Win2K3 Server use AFP 3.1, so home directories and user/security group info are on the Win2k3 server in AD. This works great: log in to the Mac and home directories etc. show up fine. Now I want to use the Mac server as Open Directory master to deal with workgroup/management settings on Mac clients. Everything is set up and seems OK, but when the client is logged in as a user it does not have any security settings applied; they just get their home directory. In Directory Access on server and client I have configured the AD plugin to bind to the AD domain, and LDAPv3 to bind to Open Directory. I’m stuck here; I can’t seem to get the client to talk to Workgroup Manager/Open Directory.

    #360603
    mjp
    Participant

    [QUOTE BY=Nald0z] I have got an OS X 10.3.5 server and clients, and a Win2k3 server using AD. I am using ExtremeZ-IP to make the Win2K3 Server use AFP 3.1, so home directories and user/security group info are on the Win2k3 server in AD. This works great: log in to the Mac and home directories etc. show up fine. Now I want to use the Mac server as Open Directory master to deal with workgroup/management settings on Mac clients. Everything is set up and seems OK, but when the client is logged in as a user it does not have any security settings applied; they just get their home directory. In Directory Access on server and client I have configured the AD plugin to bind to the AD domain, and LDAPv3 to bind to Open Directory. I’m stuck here; I can’t seem to get the client to talk to Workgroup Manager/Open Directory.[/QUOTE]
    Hey guys, thanks for the article on AD-OD integration. I have a problem similar to this one. I have a 10.3.7 OD master not configured for AD, and I have Mac clients that are set up to access AD and OD. When a client logs in to OD it gets a managed desktop; when they log in to AD on the client machine they get their home directories, all good. AD is first in access, then LDAP is next. From the client machine I have authenticated to both directories and used WGM to add AD users to OD groups, but yet when my AD user logs in they don’t get a managed desktop.

    I am not sure what is going wrong, but if you have any suggestions please…

    #360615
    mjp
    Participant

    Okay then, so don’t shoot me down, but what is MCX?

    As I have the client bound to both. (I have only been working on Apple systems for a couple of weeks.)

    thanks

    Mal

    #360629
    Anonymous
    Guest

    [QUOTE BY=macshome]Just make your server an OD master. Don’t bind it to AD. Bind the clients to both and run WGM from a bound client, create your OD groups, hit command-d to see the AD users and then drag them to the OD groups.

    Or you could just manage by computer and forget the groups altogether if you don’t need the flexibility.[/QUOTE]
    I want only computer-level management, and I want my server to be bound to our Active Directory. Are you saying that this might be possible, or am I mis-reading?

    #360645
    mjp
    Participant

    Thanks for the response, I thought it meant something like that. The client machine is doing some weird stuff. Some preferences work and some don’t; for example, the applications I restrict access to give the no-access message when clicked, but the Dock is not showing the custom version. This only happens with an AD user; if I log in with an OD user (both users in the same group with the same preferences) it all works like it is supposed to.

    Same with computer lists: if I make a change it seems to forget the change. E.g. I initially tested the computer lists (defined a new list, added the test machines’ MAC addresses) with the login option “show user list”, but this was not such a good idea as there are a lot of AD users and browsing the list takes a while, so I changed it back to “show name and password”, and every 2nd or 3rd restart it defaults back to the list option. Is this an issue with AD, or should it all be working correctly? I am starting to think I may have missed something or my system just does not want to play nice.

    Any ideas? Again :)

    cheers
    mal
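The setup macshome describes above (server as OD master, clients bound to both directories, AD users added to OD groups from WGM on a bound client) and the partial-management symptom mal reports both come down to three things a client can verify read-only with `dscl`: both nodes are in the search path, the AD account resolves through it, and the account is a member of an OD group that actually carries MCX settings. The script below is an added example and not code from any poster in this thread; the node names, user and group are assumptions, the `dscl` invocations are written as on current macOS (the exact output on a 10.3-era client may differ), and the sample output it falls back to on a machine without `dscl` is constructed.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Read-only checks of what the
# "OD master + clients bound to both" setup relies on: the client's search
# order, whether the AD account resolves through it, and whether that account
# is a member of an OD group that actually carries MCX settings.
# All node names, the user and the group below are assumptions for your site.

AD_NODE="/Active Directory/EXAMPLE"       # assumed AD node as listed by dscl
OD_NODE="/LDAPv3/odmaster.example.com"    # assumed OD master node
OD_GROUP="managed_staff"                  # assumed OD group holding MCX prefs
AD_USER="jdoe"                            # assumed AD short name to test

# Constructed sample output, shaped like `dscl` prints it, used when dscl is
# not available (e.g. when this script is read on a non-Mac machine).
SAMPLE_SEARCH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/EXAMPLE/All Domains
 /LDAPv3/odmaster.example.com'
SAMPLE_USER='RecordName: jdoe'
SAMPLE_GROUP='GroupMembership: alice bob jdoe
MCXSettings:
 <?xml version="1.0" encoding="UTF-8"?>
 <plist version="1.0"><dict><key>mcx_application_data</key><dict/></dict></plist>'

# search_order TEXT: prints ad-first, od-first, or incomplete (a node missing).
search_order() {
    ad_pos=$(printf '%s\n' "$1" | grep -n -F "$AD_NODE" | head -n 1 | cut -d: -f1)
    od_pos=$(printf '%s\n' "$1" | grep -n -F "$OD_NODE" | head -n 1 | cut -d: -f1)
    if [ -z "$ad_pos" ] || [ -z "$od_pos" ]; then
        echo incomplete
    elif [ "$ad_pos" -lt "$od_pos" ]; then
        echo ad-first
    else
        echo od-first
    fi
}

# user_resolves TEXT: true if a RecordName line came back for the user.
user_resolves() {
    printf '%s\n' "$1" | grep -q '^RecordName:'
}

# group_has_member TEXT NAME: true if NAME is listed by short name in
# GroupMembership (Tiger and later may also record members by GUID in
# GroupMembers, which this check does not look at).
group_has_member() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | grep -qx "$2"
}

# group_is_managed TEXT: true if the group record carries an MCXSettings value.
group_is_managed() {
    printf '%s\n' "$1" | grep -q '^MCXSettings:'
}

# diagnose SEARCH_TEXT USER_TEXT GROUP_TEXT: print one line per check and
# return 0 only when every check passes.
diagnose() {
    rc=0
    order=$(search_order "$1")
    echo "search order: $order"
    if [ "$order" = incomplete ]; then
        echo "  -> both the AD node and the OD node must be in the search path"; rc=1
    fi
    if user_resolves "$2"; then
        echo "user $AD_USER resolves through /Search"
    else
        echo "user $AD_USER does not resolve (check the AD binding on this client)"; rc=1
    fi
    if group_has_member "$3" "$AD_USER"; then
        echo "user $AD_USER is a member of $OD_GROUP"
    else
        echo "user $AD_USER is not in $OD_GROUP (add it from WGM on a bound client)"; rc=1
    fi
    if group_is_managed "$3"; then
        echo "group $OD_GROUP carries MCXSettings"
    else
        echo "group $OD_GROUP has no MCXSettings (nothing would be applied)"; rc=1
    fi
    return $rc
}

if command -v dscl >/dev/null 2>&1; then
    diagnose "$(dscl /Search -read / CSPSearchPath 2>&1)" \
             "$(dscl /Search -read "/Users/$AD_USER" RecordName 2>&1)" \
             "$(dscl "$OD_NODE" -read "/Groups/$OD_GROUP" GroupMembership MCXSettings 2>&1)"
else
    echo "dscl not found; running the checks against the constructed sample output"
    diagnose "$SAMPLE_SEARCH" "$SAMPLE_USER" "$SAMPLE_GROUP"
fi
```

Run it on a bound client as any user; every call is a read. If all four checks pass on a client where an AD user still gets only some of the settings, the search path and the group membership are ruled out as the cause, which narrows mixed results like the ones above (application restrictions applied, custom Dock missing) to the preferences themselves rather than to the binding.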

    #360805
    steve
    Participant

    I’ve just read through this thread and also the AD/OD Integration white paper. I’m still a little unclear why you would _not_ want to bind your OS X Server to AD.

    We’ve got a test server set up. It’s bound to AD _and_ serving as an OD Master… so we can manage the OD groups directly from WGM on the server.

    In our case the server doesn’t have any other services turned on, and we’re not looking at implementing network home folders yet.

    The white paper states that not joining the server to AD “keeps the directory service configuration on the OD Master simpler. Plus it makes it easier if you would like to set up cross-realm authentication between the OD realm and the AD realm.”

    So… I’m not sure I understand exactly what the “cross-realm authentication” statement is telling me. And, are there other issues that may occur if I leave the server bound to AD and acting as an OD Master? Is something likely to go wrong that I just haven’t encountered yet?

    Thanks for any additional details you can provide.
    Steve
