dusty28
Participant
[QUOTE][u]Quote by: CostasPPC1[/u][p]You are using a .local namespace?[/p][/QUOTE]
Hi CostasPPC,
I have not configured anything to explicitly use the .local namespace. Some services seem to automagically configure themselves to use .local.
Are you aware of any issues that may be due to improper use of the .local domain?
All domain machines will have a DNS record (served by my Win 2003 server). As far as I can tell, all hostnames are resolving properly… but there could be a problem I am unaware of.
dusty28
Participant
So I thought it might be useful to go through exactly what I am doing, and maybe someone could explain where I am going wrong:
I have been using the [quote]AD/OD Integration[/quote] guide found here: [url]https://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf[/url]
The steps outlined in this guide's methodology are:
[b]Configure the DirHost system:[/b]
The guide assumes that you will be using an OS X server to host the networked home directories of your users. Since I will be using the pre-existing network user directories that are on my Windows file server for my Home Directories, I assume I can skip this step.
[b]Create Home Sharepoint:[/b]
Again, I assume I can skip this, since these folders are already created on an SMB server that is joined to the AD domain.
[b]Configure AD Users:[/b]
All of my users already exist in the AD database. I would like to do authentication against AD, and then have users' account settings pulled from OD when they log into a Mac workstation. Since the guide really only explains how to map an AD user account to a Home Directory stored on a Mac sharepoint, I assume that I can mostly skip this step.
[b]Configure Open Directory:[/b]
This is the start of where I run into problems. I am starting with a fresh install of 10.4.3 Server. I then immediately run updates to 10.4.11.
When I am installing OS X I choose the “Standalone server” setting with all services turned off. After running updates, I use the Server Admin tool to turn on Open Directory services by promoting the server to an OD Master.
I then use the Directory Access tool to join that server to my AD domain. After I bind to the AD domain, an information window pops up informing me that if I want to bind Kerberos to the AD domain (which I believe I do!) I have to: use the Server Admin tool and select Open Directory, then select the Settings pane, go to the General tab and click the [quote]Join Kerberos[/quote] button… the only problem is that button is missing. The only button that is available to me is [quote]Add Kerberos Record[/quote], so I am not sure what is going on here.
So, ignoring that problem and moving on: I can now see my AD users in Workgroup Manager. I created a new group under /LDAPv3/127.0.0.1 and added AD users as members; however, I can't seem to manage individual users' MCX settings, nor are they able to log in on the Mac workstations.
I have bound the workstations to Active Directory and LDAP and moved AD to the top of the search path list for authentication and contacts.
[b]Kerberos Hamstring[/b]
I have also followed the instructions found here [url]http://support.apple.com/kb/TS2250?viewlocale=en_US[/url] to modify the OS X server's Kerberos settings to use the AD Kerberos. I don't think it helped anything.
UUUGGGHHHH!
March 21, 2007 at 6:46 pm in reply to: how do you implement the Full OS X Schema on win2003 AD Server? #368612
dusty28
Participant
Hi s_groening and MacTroll,
Thanks for the replies.
[QUOTE][u]Quote by: MacTroll[/u][p]A few things here…
Point this at an OD Master, it’ll suck all the schema files out and create an import file for AD. This is by far the most painless way to do this.[/p][/QUOTE]
Unfortunately I do not have an Open Directory server (nor an Xserve, as mentioned) that I can pull a schema from. It sounds like a great solution if I had one. 🙂
It was actually my Apple rep that pointed me to this website. I am still hoping there is someone out there who can tell me where to find the specifics on how to do this.
I guess I can maybe clarify by starting small. The first thing I would like to implement is to lock down which network logons are allowed to work on each computer. In Windows AD, there is a “Log on to” button under the user object that lets you define a list of which computers that user is allowed to have access to.
I tried adding only one OS X computer to a test user's “Log on to” list; however, that user could still log into any machine joined to the domain. I assume that the AD plugin is not looking at the Windows AD schema to determine whether the user has access or not.
What schema changes would have to be made to implement the AD “Log on to” list?
Thanks again.
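The “Log on to” list discussed in the post above is stored on the AD user object in the userWorkstations attribute, as a comma-separated list of NetBIOS computer names (an empty or absent value means no restriction). The following is an added example, not code from the thread or from the AD/OD guide: it shows the decision logic a client-side login hook would apply to that attribute. The directory lookup itself is stubbed with a constructed dictionary of sample users; a real hook would read the attribute with a directory query (for example dscl or ldapsearch against the AD node), and the hostname normalization (strip DNS suffix, upper-case, 15-character NetBIOS limit) is an assumption about how Windows stores the names.

```python
"""
Added example: client-side enforcement of the AD "Log on to" list.

userWorkstations is the AD attribute behind the "Log on to" button: a
comma-separated list of NetBIOS names. None/empty means "all computers".
The lookup against AD is stubbed with a constructed dictionary.
"""

from typing import Dict, Optional, Set

# Constructed sample data standing in for AD: username -> userWorkstations.
# Assumption: values look as ADUC stores them (comma-separated NetBIOS names).
SAMPLE_USER_WORKSTATIONS: Dict[str, Optional[str]] = {
    "jdoe": "MAC-LAB-01,MAC-LAB-02",
    "asmith": None,            # attribute not set: no restriction
    "padmin": "DC01, FS01 ",   # stray whitespace after a manual edit
}


def netbios_name(hostname: str) -> str:
    """Reduce a hostname as OS X reports it to the NetBIOS form AD stores:
    drop any DNS suffix, upper-case it, truncate to the 15-character limit."""
    short = hostname.split(".", 1)[0]
    return short.upper()[:15]


def parse_user_workstations(value: Optional[str]) -> Optional[Set[str]]:
    """Return the set of allowed NetBIOS names, or None when unrestricted."""
    if value is None or value.strip() == "":
        return None
    names = {netbios_name(n.strip()) for n in value.split(",") if n.strip()}
    return names or None


def logon_allowed(user_workstations: Optional[str], hostname: str) -> bool:
    """Apply the Log on to list to the machine the user is logging into."""
    allowed = parse_user_workstations(user_workstations)
    if allowed is None:
        return True
    return netbios_name(hostname) in allowed


def check_user(username: str, hostname: str,
               directory: Dict[str, Optional[str]] = SAMPLE_USER_WORKSTATIONS
               ) -> bool:
    """Deny users not found in the directory; otherwise apply the list."""
    if username not in directory:
        return False
    return logon_allowed(directory[username], hostname)


if __name__ == "__main__":
    cases = [
        ("jdoe", "mac-lab-01.corp.example.com"),
        ("jdoe", "mac-lab-07.local"),
        ("asmith", "any-host"),
        ("padmin", "fs01"),
    ]
    for user, host in cases:
        verdict = "allow" if check_user(user, host) else "deny"
        print(f"{user}@{host}: {verdict}")
```

Because the check runs on the client, it only adds convenience, not a trust boundary: a user with physical access to the Mac can bypass a login hook, so the attribute still needs to be enforced where it matters (on the file server and any other Kerberized service the user reaches).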