Forum Replies Created

Viewing 3 posts - 16 through 18 (of 18 total)
  • in reply to: Partial AD integration #363349
    superrcat
    Participant

    [QUOTE BY= hetjan] Can I bind a server to AD so that the server and the Mac OS clients authenticate the username and password to the AD server while information such as home directory, print quota etc. are in OpenDirectory?

    Are there any other variations on this theme that I can use? Any published examples?

    A.[/QUOTE]

    The clients cannot use the authentication search path of the server, so each client would need to be configured to search AD for authentication information (either from the AD Plugin or LDAPv3 Plugin).

    Using the AD Plugin, some of the attribute values for the user are automatically generated (either from data within AD or some default value the AD Plugin uses if no value from AD is available).

    Using the LDAPv3 Plugin, you could statically map the attributes to a variable with something like #/Users/$sAMAccountName$.

    If you are using OD to manage client computers without the need to enforce authorization access to those computers, there isn’t really a demand to bind the OD server to AD (unless you want to manage the server with your AD account). The only benefit of binding the OD server to AD is to allow you to use AD for authorization, such as login restrictions for particular users (by adding them to an OD group) or using AD for authentication for services hosted on the OD server.

    superrcat
    Participant

    [QUOTE BY= John G] Is there an easy way to go about doing that? I’m not too familiar with command line, but am trying to become more so.

    Thanks!
    John[/QUOTE]

    You can print out the manual for dscl from Terminal with:

    man dscl | col -b | lp

    in reply to: SMB Shares mounted at Login with AD-OD-MCX triangle #363342
    superrcat
    Participant

    [QUOTE BY= jkonrad] I am now using inspector and the MCXsettings directly. I’ve changed the url to “smb://server/sharepoint” and it still will not mount at logon.

    After logging in the student can use “Connect to Server …” from the finder and type the exact url and they will mount the share without being asked for their username and password.

    Any ideas? I’ve also tried the url with the IP address of the server in case it’s a DNS thing. Still no dice.

    I know the student is connecting to the OD server and getting MCXsettings because I can change other preferences and the changes are reflected on the next login (like allowed programs)[/QUOTE]

    The reason why this occurs is because SecurityAgent is trying to mount the SMB share before the Kerberos ticket cache is initialized. Since a Kerberos ticket is not available at the time of the mount attempt, the authentication type falls back to LM/NTLMv1. A lot of sites have security policies in place that only allow NTLMv2 or better for an authentication type. With those policies in place, the mount attempt fails during login. By the time the login completes, the Kerberos ticket cache is available. This would be why a user can then mount their share without re-prompting for credentials.

    This is resolved in Tiger and was not a simple fix.
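The race described in the reply above (mount attempted before the Kerberos ticket cache exists, so the SMB client negotiates down to LM/NTLMv1 and the site's NTLMv2-only policy rejects it) can be avoided on the client side by refusing to mount until a ticket is present. The script below is an added example written for this page; it is not code from the forum thread or from Apple. It assumes `klist -s` (MIT-style "is there a valid ticket?" check; other Kerberos builds may spell this differently) and `mount_smbfs`, and the `KLIST_CHECK` and `MOUNT_CMD` variables are hypothetical hook points so the waiting logic can be exercised without a KDC or file server.

```shell
#!/bin/sh
# Added example (not from the forum thread): wait for a Kerberos ticket cache
# before attempting an SMB mount, so the mount never falls back to LM/NTLMv1.
# KLIST_CHECK and MOUNT_CMD are hypothetical hook points so the logic can be
# run without a real KDC or server.

# Command that exits 0 when a valid ticket cache exists.
# Assumption: "klist -s" (MIT syntax); adjust for the local Kerberos build.
KLIST_CHECK="${KLIST_CHECK:-klist -s}"
# Command that performs the mount; receives the share URL and mount point.
MOUNT_CMD="${MOUNT_CMD:-mount_smbfs}"

# wait_for_ticket MAX_ATTEMPTS
# Polls KLIST_CHECK once per second. Returns 0 as soon as a ticket is seen,
# 1 once MAX_ATTEMPTS checks have failed (no sleep after the final check).
wait_for_ticket() {
    max=${1:-30}
    n=0
    while :; do
        if $KLIST_CHECK >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        if [ "$n" -ge "$max" ]; then
            return 1
        fi
        sleep 1
    done
}

# mount_when_ready URL MOUNTPOINT [MAX_ATTEMPTS]
# Mounts only when a ticket exists; otherwise returns 2 instead of letting the
# SMB client negotiate a weaker authentication type against policy.
mount_when_ready() {
    url=$1
    mp=$2
    max=${3:-30}
    if ! wait_for_ticket "$max"; then
        echo "no Kerberos ticket cache after ${max} checks; skipping mount of $url" >&2
        return 2
    fi
    $MOUNT_CMD "$url" "$mp"
}

# Usage from a login hook (constructed sample values):
#   mount_when_ready smb://server/sharepoint /Volumes/share 30
```

Run from a login hook rather than from the MCX mount list, the function only ever hands the SMB client a URL once Kerberos can answer for the user, so a failed policy check shows up as an explicit "skipping mount" message instead of a silent NTLMv1 rejection.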
