Forum Replies Created
velo2k77
Participant
I did some searching and discovered that the new Intel Xserves are 2 inches longer than previous G4 and G5 Xserves. I guess that the extra inch on each end makes it unsuited for center (2-post rack) mounting? I really like the casing of the old PPC Xserves.
http://chuck.goolsbee.org/archives/126
velo2k77
Participant
It looks like your user authentication is working but your Kerberos isn’t fully configured. Did you join your Mac servers to the Kerberos domain? Did you create Kerberos trusts from your Windows 2003 server to your Mac servers?
You may need to join your Mac servers to the Kerberos domain and create Kerberos trusts from your Win2k3 server to your Mac servers.
If you bound your Mac clients to the AD domain then they’ll get a Kerberos ticket from the KDC (your Win2k3 server), which will allow them to access kerberized services on the Win2k3 server, but until the Mac servers are joined and trusted to the Kerberos domain the KDC won’t give out tickets to access services on the Mac servers.
Mac OS will try a Kerberos connection first, then if that fails it will try a standard username/password connection. The same behavior will be exhibited by Windows clients until the Mac servers are trusted by the KDC. Joining the Kerberos and creating Kerberos trusts have to be done separately from just joining the domain for user authentication.
I am assuming that you’ve given your AD users/groups access to needed network shares on the Mac servers.
Thanks, Richard
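The ticket behaviour described in the reply above can be checked from a client's `klist` output; this is an added example, not part of the original post. It assumes the MIT `klist` table layout, and the realm, host, user and `cifs` service entry in the sample text are constructed placeholders.

```python
import re

# Constructed sample in MIT klist layout; all names below are placeholders.
TGT_ONLY = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: labuser@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
02/19/07 03:59:00  02/19/07 13:59:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\trenew until 02/26/07 03:59:00
"""

# Same cache after the KDC has issued a ticket for a service on the Mac server.
WITH_SERVICE = TGT_ONLY + (
    "02/19/07 04:01:12  02/19/07 13:59:00  "
    "cifs/macsrv.example.com@AD.EXAMPLE.COM\n"
)

PRINCIPAL = re.compile(r"^(?P<service>[^/@\s]+)/(?P<instance>[^@\s]+)@(?P<realm>\S+)$")


def service_principals(klist_output):
    """Return (service, instance, realm) for each ticket row after the table header."""
    tickets, in_table = [], False
    for line in klist_output.splitlines():
        if line.startswith("Valid starting"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or not fields:
            continue
        # The principal is the last column; "renew until" rows do not match.
        m = PRINCIPAL.match(fields[-1])
        if m:
            tickets.append((m["service"], m["instance"].lower(), m["realm"]))
    return tickets


def kerberos_state(klist_output, server_fqdn):
    """Classify the cache: 'no-tgt', 'tgt-only', or 'service-ticket' for server_fqdn."""
    tickets = service_principals(klist_output)
    if not any(service == "krbtgt" for service, _, _ in tickets):
        return "no-tgt"
    wanted = server_fqdn.lower()
    if any(s != "krbtgt" and host == wanted for s, host, _ in tickets):
        return "service-ticket"
    return "tgt-only"
```

A result of `tgt-only` after a share on the server has been mounted matches the situation the reply describes: the client holds a ticket from the KDC, but the connection to the Mac server was made with username and password.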
February 19, 2007 at 3:59 am in reply to: Setting Open Directory Administrators to be admins to other Directories #368342
velo2k77
Participant
Fantastic, I finally got a chance to try that out in my test environment. Your suggestion worked great, now to deploy it in the real world.
Thank you to MacTroll,
Richard Bezanson,
Jordan School District
Oh, and I noticed that I probably should have posted this in the questions and answers section. Sorry about putting this post here.
February 16, 2007 at 6:14 pm in reply to: Setting Open Directory Administrators to be admins to other Directories #368337
velo2k77
Participant
We currently have 59 sites, each with their own local Open Directory domain. The only client stations being managed are labs. The lab stations log in with a local user, then obtain MCX settings from a group on the local domain, then more MCX settings from the upper domain. Eventually we may be connecting the whole thing into an Active Directory which will have the massive bulk of our users.
February 15, 2007 at 7:16 am in reply to: Setting Open Directory Administrators to be admins to other Directories #368325
velo2k77
Participant
Thanks, I’ll look into trying that. I was looking into nesting our admin users within the lower odmaster’s groups, but I like your idea better.
As far as why our directory is set up in its current way, I believe a previous admin was looking to compartmentalize the domains and give each site the ability to manage their own local directory without being able to monkey with upper level directory users, groups and MCX settings. We are currently mixing computer list MCX settings from the upper domain with group list settings on the lower domain.
Our client’s directory access authentication settings are as follows:
/Netinfo/DefaultLocalNode
/LDAPv3/localodmaster
/LDAPv3/odmaster
Me and the current co-admins have looked into demoting the lower level directories back to standalone then making them replicas but have yet to pursue that course of action further. It’s a curious setup but so far it works.
Thanks