Mac OS X Server as a front-end to AD

  • #357250
    Anonymous
    Participant

    In trying to resolve an AD CPU usage problem (see my other post today), the question was asked of me whether it is possible for AD to supply user/authentication info to OSXServer, and for OSX clients to auth against OSXServer, instead of against AD.

    So, use the AD plug-in in OSX/OSXS 10.3.x to bind only our Xserves to the AD domain, and for clients to be bound only to OSXS through Open Directory/LDAP.

    I have had it working okay with the clients bound to both AD and OD, obtaining user data from AD and Mac-specific info from OD. And I don’t see a problem in binding OSXS to AD. The problem is: can OD “re-publish” AD user information to OSX clients? Can OSXS make AD users visible to OSX via OD/LDAP, without OSX accessing AD directly?

    Client <----> OSXS <----> AD

    I didn’t think that OSXS could make a network directory source available as its own network-visible directory source; that you can use a network data source on OSXS as if they were local accounts, but not as if they were OSXS network accounts.

    #357253
    sketch
    Participant

    This is an idea I toyed around with as well to avoid integrating 180 client machines, but I honestly don’t see how it could be done. The primary concern to me is how would Kerberos single sign-on work when connecting to shares. All of our storage is hosted off Windows 2003 servers, and we’re certainly not going to even entertain the idea of managing 2 sets of group permissions.
