Forum Replies Created

Viewing 15 posts - 1 through 15 (of 22 total)
  • in reply to: using OD for authentication with NO home folders #378035
    s_groening
    Participant

    You could opt for a setup involving mobile accounts, which are OD-controlled Macs with OD users allowed to log in with local home directories instead of server-based home directories.

    Set up a computer group to contain your individual computer accounts and set up the desired login preferences directly from WGM.

    MCX is then active on the computers, allowing you to force change of passwords, group memberships, print quotas, etc.

    If you wish, you can let users replicate/synchronize data towards the server based on either a selection of folders or the entire home directory (which seems to defy your purpose, though).

    in reply to: some issues on Leopards Print Service #375297
    s_groening
    Participant

    I rely solely on IPP for my printing needs, as this protocol supports the distribution and ‘locking’ of print drivers from the server to the client.

    With LPR or Bonjour-printing the user is able to change the print driver for an incorrect one of his own choice, whereas IPP supports the download of drivers from the server to the client without enabling the user to override this choice on the client.

    The only problem I’ve discovered so far is the need for users to enter Page Setup and choose the correct printer to be sure the formatting is done according to the PPD from the server.

    in reply to: Leopard SUS and index.sucatalog file #375296
    s_groening
    Participant

    This really does sound like a DNS issue.

    If either your hosts file or DNS service does not enable you to do forward as well as reverse lookup of IP addresses (DNS -> IP or IP -> DNS) you’ll experience trouble like this. Sometimes you’re able to look up the DNS name, sometimes you need to rely on the IP address (which is supposed to work at any point).

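The forward/reverse round trip described above, as an added example that is not part of the original post: a checker that resolves each host name to an address and the address back to a name, reporting every hop that fails or disagrees. The hosts-file content below is constructed for the example; the `parse_hosts` helper and the `check_round_trip` function are assumptions of this example, and `live_forward`/`live_reverse` are the optional live resolvers built on the standard `socket` module.

```python
"""Forward/reverse DNS consistency check (added example, not from the post).

Kerberized OS X Server services, the Software Update Service included,
expect hostname -> IP (A) and IP -> hostname (PTR) to agree.  The lookups
are pluggable callables so the same check can run offline against a parsed
hosts file or live against the resolver.
"""
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple


def parse_hosts(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Parse /etc/hosts-style text into (name -> ip, ip -> name) maps.

    Only the first name on a line is taken as canonical for the reverse
    map, mirroring a PTR record that returns a single name.
    """
    forward: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            forward.setdefault(name.lower(), ip)
        if names:
            reverse.setdefault(ip, names[0].lower())
    return forward, reverse


def check_round_trip(
    hosts: Sequence[str],
    forward_lookup: Callable[[str], Optional[str]],
    reverse_lookup: Callable[[str], Optional[str]],
) -> List[str]:
    """Return one problem line per host whose A/PTR round trip is broken."""
    problems: List[str] = []
    for host in hosts:
        host = host.lower()
        ip = forward_lookup(host)
        if ip is None:
            problems.append(f"{host}: no forward (A) record")
            continue
        back = reverse_lookup(ip)
        if back is None:
            problems.append(f"{host} -> {ip}: no reverse (PTR) record")
        elif back.lower() != host:
            problems.append(f"{host} -> {ip} -> {back}: reverse does not match")
    return problems


def live_forward(host: str) -> Optional[str]:
    """A-record lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed hosts-file content for the example; not taken from the thread.
HOSTS_SAMPLE = """\
# constructed sample
10.0.0.10  sus.example.com sus
10.0.0.11  od.example.com www.example.com
"""

if __name__ == "__main__":
    fwd, rev = parse_hosts(HOSTS_SAMPLE)
    for line in check_round_trip(
        ["sus.example.com", "www.example.com", "missing.example.com"], fwd.get, rev.get
    ):
        print(line)
```

Running the offline variant flags `www.example.com` (its address reverses to `od.example.com`) and `missing.example.com` (no forward record at all); swapping in `live_forward`/`live_reverse` runs the same check against the DNS server the client actually uses.
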
    in reply to: LKDC question #373098
    s_groening
    Participant

    The SHA1 value that’s found in the LKDC’s realm name comes from the self-signed SSL computer certificate that’s created during installation. Therefore this gets cloned along with the keychain as the image is used to restore another computer, and thus the LKDC’s realm name reflects that.

    s_groening
    Participant

    Hi,

    I am at the moment working on an OpenLDAP-based OS X Server replacement running on Linux. Apple’s Open Directory is basically OpenLDAP + MIT Kerberos 5 + Cyrus SASL2 in a fancy armour; however, Active Directory is itself pretty standards-compliant (at least at its core), so you should be able to mold the apple.schema onto it…

    However, it is at the same time very dependent on the samba.schema, which in turn resembles a subset of what is to be considered the Active Directory schema, since it emulates the capabilities of the Windows NT4 domain structure.

    I would think that it is possible to load an .ldif of the apple.schema file but I wouldn’t expect it to be easy… OpenLDAP is by far easier, I guess, since it can use the schema files directly.

    There is one project that comes to mind, though. An effort by Gordon Shukwit to port the apple.schema to Active Directory: http://www.shukwit.com/files/ADintregration7-31-03.dmg

    It has not been updated since sometime in 2003, but you might want to take a look at it anyhow!

    Best regards,
    Søren Grønning

    in reply to: Printing via samba in active directory environment #367807
    s_groening
    Participant

    I for one would love to get in touch with those guys you met at WWDC 2006… I’d really like to secure our printing solution this way!

    s_groening
    Participant

    Yes I do run 10.4.8 and yes I did the ‘dsconfigad -enablesso’ bit as root before Kerberized SSO started working and I DID place the AD domain at the top of the list in Directory Access’ ‘Authentication’ tab.

    I have bound and unbound the server from the AD and setup SSO repeatedly with the same results every time….

    The service principals seem screwed up some how…

    I fear that I’ll have to manually create users and principals on the AD server for my Mac OS X servers (we do have the exact same problem with two servers), collect and combine those to new keytabs, the problem being that I have no administrative rights over the AD servers….

    //Søren

    in reply to: Unable to bind OS X Server 10.3.9 to AD (Win2K3) #363959
    s_groening
    Participant

    Have you entered your AD DNS ip-address as the only specified DNS server in your network preferences on the Mac OS X Server?
    Also, do not create the computer account manually on the AD server, dsconfigad (AD plugin) will do this for you.
    Furthermore, make sure that you attempt to bind as an AD ‘Domain Admin’.

    in reply to: Mapping a samba share from XP BIG problem. #363792
    s_groening
    Participant

    Have you remembered the ‘winbind separator = +’ statement in your /etc/smb.conf?

    This seems to have solved this issue for me…

    s_groening
    Participant

    Now, for some insane reason, it seems to work nicely….
    Having followed the previously mentioned advice for the setup sequence, PLUS adding ‘winbind separator = +’ in /etc/smb.conf, I now have true SSO working with Tiger Server 10.4.2 and W2K/XP clients!!

    I swear this was originally added to /etc/smb.conf as well, but only this time did it kick in… -Restarted the smbd process and ‘wooomp there it is’…

    Now all I need is to be sure that the setup is stable.

    in reply to: Loads of app probs when saving to SMB home folder! #363644
    s_groening
    Participant

    I simply copied every single non-sensitive file (e.g. administrator’s login.keychain and customized dock preferences) from the home directory of the administrator that originally installed the apps to the user template….

    This makes it somewhat tiresome to create the user home directories on the Xserve serving these; however, the side effect is that there seem to be no problems with the apps in question. InDesign, Illustrator and Photoshop run just fine and Word seems to forget about its problems as well…

    Though hardly ideal, it does make the setup usable.
    Look at this thread as well: http://discussions.info.apple.com/[email protected]@.68b874c3

    s_groening
    Participant

    I tried this:

    “Hi
    I have a very similar setup 2wk3 DC’s and 2 Xserve G5’s and a PowerMac G5 2 AD and 1 OD and noticed this problem too. It’s a matter of the order in which things are done. I fixed this on the AD bound Xserve and PowerMac by doing the following.

    Unbind it and remove it from the domain.
    Confirm your time sync on the AD and its.
    Use the windows services part of server admin to join it as a domain member.
    Stop and start windows services
    Use the AD plugin to rejoin the domain.
    run dsconfigad -enablesso
    See there’s now a realm at the bottom

    After doing this both the Macs and PC’s were getting
    access. I assume by Kerberos but I will verify that
    when I get a chance. Only the Macs were getting kerb afp before this.

    I was busy doing something else at the time.

    Cheers
    Phil”

    and it seems to work okay… but Windows users do not get permission rights of their own files…

    s_groening
    Participant

    This seems to be going on and on and on… in the samba log file on the Xserve G5:

    [2005/09/13 20:00:56, 0] /SourceCache/samba/samba-92.9/samba/source/tdb/tdbutil.c:tdb_log(725)
      tdb(/private/var/samba/sessionid.tdb): tdb_reopen: open failed (Too many open files in system)
    [2005/09/13 20:00:56, 0] /SourceCache/samba/samba-92.9/samba/source/smbd/server.c:open_sockets_smbd(437)
      tdb_reopen_all failed.
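
Triage logic for the repeating log entries above, as an added example that is not part of the original post: it parses Samba's two-line record format (a bracketed timestamp and debug level naming the source file, function and line, followed by an indented message) and flags the records that point at file-descriptor exhaustion, so the loop can be counted and bounded in time rather than eyeballed. The `SAMPLE_LOG` below is constructed for the example; its two `tdb_reopen` records mirror the shape of the ones in the post, and the third, benign record and the `FD_EXHAUSTION_MARKERS` list are assumptions of this example.

```python
"""Samba log triage for the tdb 'Too many open files' loop (added example).

Parses Samba debug-log records and summarises those that indicate the
process has run out of file descriptors: tdb_reopen failures and the
kernel's "Too many open files" error.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Header line: [YYYY/MM/DD HH:MM:SS, level] /path/file.c:function(line)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]"
    r" (?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# Substrings that mark descriptor exhaustion (assumed markers for this example).
FD_EXHAUSTION_MARKERS = ("Too many open files", "tdb_reopen")


@dataclass
class SambaRecord:
    timestamp: str
    level: int
    source_file: str
    function: str
    line: int
    message: str


def parse_samba_log(text: str) -> List[SambaRecord]:
    """Turn raw log text into records; indented lines attach to the last header."""
    records: List[SambaRecord] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            records.append(SambaRecord(
                m["ts"], int(m["level"]), m["file"], m["func"], int(m["line"]), ""
            ))
        elif records and raw.strip():
            rec = records[-1]
            rec.message = (rec.message + " " + raw.strip()).strip()
    return records


def is_fd_exhaustion(rec: SambaRecord) -> bool:
    return any(marker in rec.message for marker in FD_EXHAUSTION_MARKERS)


def summarize_fd_exhaustion(records: List[SambaRecord]) -> Dict[str, object]:
    """Count the exhaustion records, bound them in time, and group by function."""
    hits = [r for r in records if is_fd_exhaustion(r)]
    if not hits:
        return {"count": 0, "first": None, "last": None, "by_function": {}}
    return {
        "count": len(hits),
        "first": hits[0].timestamp,
        "last": hits[-1].timestamp,
        "by_function": dict(Counter(r.function for r in hits)),
    }


# Constructed sample log for the example; the connect record is invented.
SAMPLE_LOG = """\
[2005/09/13 20:00:56, 0] /SourceCache/samba/samba-92.9/samba/source/tdb/tdbutil.c:tdb_log(725)
  tdb(/private/var/samba/sessionid.tdb): tdb_reopen: open failed (Too many open files in system)
[2005/09/13 20:00:56, 0] /SourceCache/samba/samba-92.9/samba/source/smbd/server.c:open_sockets_smbd(437)
  tdb_reopen_all failed.
[2005/09/13 20:00:57, 2] /SourceCache/samba/samba-92.9/samba/source/smbd/service.c:make_connection_snum(1000)
  xpclient (10.0.0.50) connect to service homes initially as user jdoe (uid=1025, gid=20) (pid 4242)
[2005/09/13 20:00:58, 0] /SourceCache/samba/samba-92.9/samba/source/tdb/tdbutil.c:tdb_log(725)
  tdb(/private/var/samba/sessionid.tdb): tdb_reopen: open failed (Too many open files in system)
[2005/09/13 20:00:58, 0] /SourceCache/samba/samba-92.9/samba/source/smbd/server.c:open_sockets_smbd(437)
  tdb_reopen_all failed.
"""

if __name__ == "__main__":
    print(summarize_fd_exhaustion(parse_samba_log(SAMPLE_LOG)))
```

Feeding the real log.smbd through `parse_samba_log` and `summarize_fd_exhaustion` gives the time window of the loop and which functions are failing, which is what you need before deciding whether the descriptor limit or a leaking smbd is the cause.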
    
    s_groening
    Participant

    I do not have access to the samba log files at the moment, but I have seen the ‘failed to verify incoming ticket’ message, which led me to speculate about Kerberos…

    I will return as soon as I am back at work. Thank you for your advice this far!

    in reply to: Server 10.2.8: Move Users folder #361700
    s_groening
    Participant

    Short answer: there is no *really* easy way to do this.

    However, set up your Xserve RAID with Mac OS X Server 10.3.9 (assuming you have no licences for Tiger) and import your users.

    In case you use a natively formatted user import list (that is a non-ASIP 6.x XML import file) you should be home free as long as your file includes ‘user id’ information, since this would give any user on your existing 10.2.8 installation the same ‘unique id’ or ‘user id’ and thus give them correct ownership of their home directories, which you can easily move to the Xserve RAID by booting up your old server in FireWire target mode…

    Pretty simple, all in all, and without the hassle of assuring correct ownership preferences for files and folders!
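
The uid-preservation point above, as an added example that is not part of the original post: after an import, check that every user kept the 'user id' from the old server and that the moved home directories are still owned by that uid, listing the chowns that would otherwise be needed. The "name:uid" list format, the user lists and the ownership map are constructed for the example (an import file would carry more fields); `parse_user_list`, `uid_changes` and `audit_home_ownership` are assumptions of this example, and `stat_owner` is the live variant built on `os.stat`.

```python
"""Check imported users kept their uids and still own their homes (added example).

Ownership is supplied as a callable so the audit runs offline against a
constructed map; on the server itself pass `stat_owner`, which reads the
owner uid with os.stat().
"""
import os
from typing import Callable, Dict, List, Optional, Tuple


def parse_user_list(text: str) -> Dict[str, int]:
    """Parse constructed 'name:uid' lines into a name -> uid map."""
    users: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, uid = line.split(":", 1)
        users[name.strip()] = int(uid)
    return users


def uid_changes(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, Tuple[int, Optional[int]]]:
    """Users whose uid differs on the new server, or who were not imported (None)."""
    return {
        name: (old_uid, new.get(name))
        for name, old_uid in old.items()
        if new.get(name) != old_uid
    }


def audit_home_ownership(
    users: Dict[str, int],
    users_root: str,
    owner_uid_of: Callable[[str], Optional[int]],
) -> List[Tuple[str, int, int]]:
    """Return (home, current_uid, expected_uid) for every home owned by the wrong uid."""
    actions: List[Tuple[str, int, int]] = []
    for name, uid in sorted(users.items()):
        home = os.path.join(users_root, name)
        current = owner_uid_of(home)
        if current is None:
            continue            # no home directory present for this user
        if current != uid:
            actions.append((home, current, uid))
    return actions


def stat_owner(path: str) -> Optional[int]:
    """Live owner lookup for use on the server itself."""
    try:
        return os.stat(path).st_uid
    except FileNotFoundError:
        return None


# Constructed data: old-server export, new-server accounts, moved-home owners.
OLD_USERS = "alice:1025\nbob:1026\ncarol:1027\n"
NEW_USERS = "alice:1025\nbob:1030\n"          # bob's uid drifted; carol not imported
HOME_OWNERS = {"/Users/alice": 1025, "/Users/bob": 1026}

if __name__ == "__main__":
    old, new = parse_user_list(OLD_USERS), parse_user_list(NEW_USERS)
    print("uid changes:", uid_changes(old, new))
    for home, cur, want in audit_home_ownership(new, "/Users", HOME_OWNERS.get):
        print(f"chown -R {want} {home}   # currently owned by uid {cur}")
```

With the constructed data the audit reports bob (home still owned by 1026 while his new account is 1030) and carol (missing from the import entirely); an import file that carries the uid field produces an empty change set, which is the state the post describes.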
