Forum Replies Created
topcat
Participant
Well, it all seems to be working for me. Like Mactroll said, when bound to AD, then making an OD Master, it seems to sort Kerberos out.
So now I have my client bound to AD and OD, and have my AD account in an OD group with managed prefs. I can now log in on the client using my AD credentials, then have SSO for SMB shares, and can sign in to the wiki/blog off the 10.5 server via AD credentials.
All very good so far. 10.5 server seems to be much earlier versions so far!
Thanks for your help
December 1, 2007 at 10:38 pm in reply to: Am I doing my 10.5 server AD/OD integration right? #370685
topcat
Participant
Oh, one more thing. I may sound like an idiot asking this, but dsconfigad -enableSSO is done on the client, right? So I guess I would need to do this on every client that needs AD SSO?
December 1, 2007 at 10:35 pm in reply to: Am I doing my 10.5 server AD/OD integration right? #370684
topcat
Participant
Cool, thanks.
So, I'm basically doing things kind of right.
The 10.5 server OD doc seems to say that the server should be bound to AD before creating the OD master though?
Also, by disabling the KDC, I imagine you mean renaming the attribute under config in Workgroup Manager? Once this is done, then if I have a wiki/blog under web servers on the 10.5 server, will AD users need to authenticate when editing their blog?
topcat
Participant
Thanks for pointing me towards radmind, it looks v good.
I still think it's a shame though that the teachers will have to update to ARD3, but see or need no new features. I wish Apple would make it so newer versions of ARD work with the older client version to do what the older clients used to be able to do, but just need the clients upgrading if you want to use the new features.
So what I want is to upgrade all the clients to version 3. Then the ARD2 people can still do what they do, but I can use ARD3 to do the more advanced stuff. I'm not sure if I can twist their arm to get ARD3 when they don't want or need it.
topcat
Participant
Thanks, we have only just got ARD 3 and had yet to look at the new features. Just tried the software updates, and it works quite well, although it makes the server remote update service a waste of time.
The trouble I have now is that in order to use the software install part of ARD3 you need the ARD3 client installed on the clients. If I were to do that, the teachers that use ARD2 to teach with can not use it anymore without upgrading, and they have no budget to upgrade to v3, especially as they would see little benefit.
Also it seems v overkill for teachers to have all the features of ARD3, and a security risk letting them have access to it. They only use the remote control, observe, and share one screen to many. Do you know of any software that will only do these parts of ARD? I wish Apple would create an ARD light for this purpose. I know they pitched it as software to help teachers with version 1, and now the teachers have bought into the idea, it has become much too much for them in terms of money, and stress in security!
topcat
Participant
I thought Safari was, but I can't find much about it, or where I may be able to get it to work with IIS, or even what version of IIS I would need!
August 1, 2005 at 10:47 am in reply to: Please help, I need a basic walkthrough of getting managed AD users working! #362594
topcat
Participant
I tried again binding the Xserve to AD, and it was v v fast browsing AD users in WM, v nice compared to the magic triangle way that takes around 40 seconds to find each AD user. The trouble is, after binding the Xserve to AD, no logins worked from the clients. The OD accounts didn't work, and although the AD accounts logged in, they didn't see the server so had no prefs set.
So for the moment, it looks like binding the server to AD isn't a great thing to do!
topcat
Participant
I am running 10.4.2 server and client.
I have just signed in on a client using AD and used the Kerberos app in system/library/coreservices. This app has one item in the ticket cache list, which is my AD email address. Below is a list of my tickets; there are three of these.
The first two are
krbtgt/[email protected]
krbtgt/[email protected]
and the last one is like:
[email protected]
So, it looks like I am getting tickets from the correct places, but if I load up Safari, I am still asked to login.
July 28, 2005 at 1:33 pm in reply to: Please help, I need a basic walkthrough of getting managed AD users working! #362566
topcat
Participant
Yes I have, I would not have got this far if it wasn't for your whitepaper.
I thought I was right not binding the server to AD, but your previous reply suggested that the server was bound, I didn't think you meant to do it on a client.
So that's how we have it set up, just like in the whitepaper. The Xserve is not bound, it's just a normal OD master with some OD groups in. A client is bound to both AD and OD. Logged in on the client using 127.0.0.1 and a local username/pass. Loaded WM and connected to the Xserve. Then can browse the AD too and drag AD users to the OD groups. I'm sure that is right. It works, it's just long winded and crashes WM a lot.
Our Xserve is running 10.4, so it would be nice to bind it to AD, but after trying it, it doesn't seem to work. I think I will stick to not binding it. Thanks again. If it wasn't for this site, I would be v stuck!
July 28, 2005 at 11:38 am in reply to: Please help, I need a basic walkthrough of getting managed AD users working! #362555
topcat
Participant
Sounds good about adding AD groups to an OD group, that would be great, just what I'm after! Do you have any knowledge on when this may be done, will it be in 10.4.3 or not until 10.5?
As for connecting to my OD in WM and dragging AD users across, I am unable to do that as the server is not bound to AD, so cannot see any users.
I have been using a special client machine to do the user moves as I had read in a number of places not to bind the server to AD. Should it be bound?
Thanks for all your help!
topcat
Participant
Thanks, I have moved the Xraid to a Windows server now as it makes things more simple.
I'm still having trouble working out how to set up group policy though.
topcat
Participant
Thanks for your help.
What I have done is give up on any management of storage on the Mac side. I took the fibre card out of the Xserve and moved it into one of our Windows servers. I now don't need to worry about the Windows side saving onto a Mac share, much better.
topcat
Participant
I think I'm almost there now. I can now log in using an AD username and it mounts the Windows home folder as the OS X home folder!
To do this I had to get the clients pointing to AD and OD, then I edited the Kerberos hostname in WM so that it doesn't conflict with the Windows side. I then have to log in locally on a client Mac with admin tools installed. Connect to 127.0.0.1 with the local account. Then browse the OD, create an OD group, assign prefs, and then drag users into it from the AD drawer.
This is very long winded, but it works sometimes. WM seems to crash a lot, sometimes not show the AD users, or say it can't browse the OD or AD. After a restart it seems to be OK again.
I really don't think this will be OK in a live environment though!
The other problem is that I have no idea how to quota AD users' homes when their homes are SMB shares on the Mac.
topcat
Participant
Thanks for your help.
At our college we have a mixture of Macs and PCs and students use both. We used to make them have a separate username for OD and AD and carry work between the two on USB pen drives.
This was a pain for the students and a lot of work for us admins.
What I am trying to do now is have all our Macs running 10.4 and logging in using our AD. I want to manage the users in WM, but I will not be able to change the schema.
I have been following this guide:
https://www.afp548.com/article.php?story=20040915152755925&query=active%2Bdirectory
and it's very good but I still can't seem to get things working. As far as I can tell from reading up, my login problem is due to a Kerberos conflict. I do not have the same usernames in OD and AD, but it still is temperamental which logs in. I'm going to look into this conflict this morning.
So following the AD/OD whitepaper on AFP548 I need to have the clients bound to both AD and OD, and when I have got that working, I can set up the prefs for my OD groups, and fill the groups with AD users.
I then will need to create SMB shares on our Xraid and change the Mac users' AD account for their personal drive to come off the Xraid. The Mac users should then be able to log into a PC and their personal P drive mounts off the Xraid, or if they log in on a Mac, their home folder comes from the same share on the Xraid.
I'm sure I'm doing this right, it just doesn't work!
Anybody know what I may be doing wrong here?