Douglas:
I have ~100 10.3.3/5 boxes/users authenticating against AD. Their home dirs are hosted on a w2k3 server and mount upon login. The authentication method is Kerberos. Nothing needs to be configured on the client side other than the AD plug-in.
See: http://www.macdevcenter.com/pub/a/mac/2003/12/09/active_directory.html
specifically:
Best Of Class Single Sign-On support: Because of its automatic kerberos configuration (on joining the domain, a Kerberos configuration file is generated for the domain in question) users that have signed into a domain do not have to re-authenticate in order to mount shares from other member servers in the domain.
confusion: http://www.afp548.com/articles/system/adplugin.html
makes it seem like you need to do something else (specifically step #5) to get this to work but this doesn't seem to apply (at least in my environ.).
hth,
john
Douglas M. Long wrote:
Yes, I agree, 10.3 is much easier, although in a 2k3 environment you will have problems mounting home drives on a 2k3 server because the Mac Samba client only uses plain text passwords (whereas 2k3 disallows this by default). You can either allow it, which I wouldn't suggest, or mount your home drives on a machine other than 2k3. There is some speculation that 10.3.6 has some improvements in the way Samba authenticates, but it has not been confirmed yet. 10.3.6 is supposed to be out sometime within the next 30 days, if I remember correctly. If you do figure out how to mount home drives on a 2k3 file server with Kerberos, please let us know.
________________________________
From: [EMAIL PROTECTED] on behalf of Depp, Dennis M.
Sent: Fri 10/15/2004 7:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Macs, LDAP Source
Brian,
You might want to look at upgrading to 10.3. Apple has improved on the AD info for 10.3. I've played with it a bit, but not enough to know if the fault tolerance is there or not.
Denny
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, October 14, 2004 10:18 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Macs, LDAP Source
My asst managed to get OS X 10.2.SomeInt to authenticate to the AD here. I typed in my username and password and it was just as fast as logging in from an NT-class box. Aside from the various implementation issues on the Mac side, I have this dilemma:
The Macs are not actually AD aware - they just need an LDAP source. I could buy this cool program called ADmitMac which creates domain accounts for the Macs and emulates an NT box as far as user mgmt goes on the Mac. Cool, but the quote was nearly as much as I paid for the OS X licenses. So, anyway, the Mac needs an explicit DNS hostname for LDAP. I could give it one DC, but if that DC goes down, all my Macs are F'ed. So, what I did is set up a round-robin with all the DCs in the site the Macs are located in.
I'm not totally satisfied with this workaround. It just seems sort of half-ass to me. It requires a certain degree of management, and if one of the DCs is down, a portion of the Macs will need to be rebooted until they receive a referral from the DNS server in an order which includes a working DC first. Whilst I am not 100% happy with this solution, I don't have a better idea - anybody? I remember hearing about NLB for LDAP, which I think might do the trick. I've never used MS NLB - does it apply to this situation?
Thanks.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
--
John Singler
Systems Administrator
School of Veterinary Medicine, University of Pennsylvania
3800 Spruce Street
Philadelphia, PA 19104-6044
ph: 215.573.6525 fx: 215.573.8777
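Brian's DNS round-robin workaround above leaves it to luck whether a Mac's first LDAP attempt lands on a live DC, and the client never falls back on its own. AD-aware clients instead resolve the `_ldap._tcp` SRV records for the domain or site, order the candidates by RFC 2782 priority and weight, and try each in turn until one answers. The example below is added here and is not code from any of the posters or from Apple; it simulates that selection with a constructed SRV answer set (the `example.corp` hostnames are hypothetical) and an injectable liveness probe, so the same ordering and failover logic can be exercised offline or pointed at real DCs.

```python
"""
Client-side DC selection the way an AD-aware client does it:
  1. order SRV candidates by priority (lowest first), then weighted-random
     within a priority (RFC 2782);
  2. probe each candidate in that order and use the first one that answers.
Added example; hostnames and SRV data are constructed, not from the thread.
"""
import random
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer set, shaped like a reply for
# _ldap._tcp.<site>._sites.dc._msdcs.<domain>: two same-site DCs at
# priority 0, one DC in another site as a lower-preference fallback.
SAMPLE_SRV = [
    SrvRecord(0, 100, 389, "dc1.example.corp"),
    SrvRecord(0, 100, 389, "dc2.example.corp"),
    SrvRecord(10, 50, 389, "dc3-other-site.example.corp"),
]


def order_srv(records: Iterable[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: ascending priority; weighted random inside a priority."""
    rng = rng or random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        bucket = list(by_priority[prio])
        while bucket:
            total = sum(r.weight for r in bucket)
            # RFC 2782: pick a number in [0, total] and take the first record
            # whose running weight sum reaches it; weight-0 records are rarely chosen.
            roll = rng.randint(0, total)
            acc = 0
            pick = bucket[-1]
            for r in bucket:
                acc += r.weight
                if acc >= roll:
                    pick = r
                    break
            ordered.append(pick)
            bucket.remove(pick)
    return ordered


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Cheap liveness check: can we complete a TCP handshake to the LDAP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_live_dc(records: Iterable[SrvRecord],
                 probe: Callable[[str, int], bool] = tcp_probe,
                 rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Return the first candidate, in RFC 2782 order, that passes the probe."""
    for rec in order_srv(records, rng):
        if probe(rec.target, rec.port):
            return rec
    return None  # every candidate failed: no DC reachable


if __name__ == "__main__":
    # Offline demo: pretend only dc2 is up and watch the selection skip dc1.
    up = {"dc2.example.corp"}
    chosen = pick_live_dc(SAMPLE_SRV, probe=lambda h, p: h in up)
    print("chosen DC:", chosen.target if chosen else "none reachable")
```

The probe only proves that port 389 accepts a connection; a DC whose directory service is wedged would still pass. A production client should follow the TCP check with an anonymous rootDSE read or an LDAP ping, and, as John's note on the Kerberos plug-in implies, should authenticate over Kerberos rather than a simple bind so the password is never sent to whichever DC happened to answer.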
