Getting 10.4 Server to work with AD

Eric Xserve

I have a simple request. I am able to see my AD user accounts on my Xserve via Workgroup Manager, as I have configured my AD plugin in Directory Access to connect to my AD 2003 server.
I need to get to the next step now. How do I let my OS X clients (10.3 and 10.4) get authenticated to the user accounts via LDAPv3 and access my home folders via AFP? Home folders are to be stored on the Xserve.
I seem to face issues when I try to create a network mount. My request is simple: users need to access home folders stored on the Xserve. They need to be authenticated by the Xserve, which has user accounts pulled from AD.
I've come up to this level already:
1) PC clients cannot access OS X Server shares using domain accounts. The PC can connect to the file shares using the local account created on the OS X Server.
2) Mac clients, when authenticated by AD or otherwise, cannot share a volume via SMB. They can only access the OS X Server shares via AFP. When connecting via AFP, the Kerberos window pops up and you can authenticate.
3) Mac clients can be authenticated by an OS X Server that is configured as connected to a directory system. The home directory is stored locally.
What I need to get working is for PC users to access OS X shares using AD accounts. This does not work. The Windows box gives a login window prompt with the Domain/User and password prompt.
Also, Workgroup Manager shows only 1000 accounts. I believe there are supposed to be more than that. When I go to a group, there is a button called "Upgrade to legacy" or something... Any idea what that is?
Finally, is my approach right? Should I set my OD to connect to a directory server, or as an OD?
So, if you're using 10.4 Server, use dsconfigad -enablesso to create the Kerberos principals that you'll need to use AD-supplied Kerberos with your 10.4 AFP server. In 10.3, you had to create the keytab files manually.

Where does LDAPv3 come in? Authenticate your clients directly from AD and join your Xserve to the AD server. What you're trying to do is a fairly advanced topic. Depending on your location, there could be many providers available to help you with this onsite, which is what you'd need.

Also, check this: go into Server Admin and check under the Open Directory heading to see if Kerberos is running. If your server is running Kerberos and your AD is running Kerberos and you want to use the users and groups on the AD, you will have some issues! :)
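One way to confirm that the dsconfigad -enablesso step described in the reply actually produced the service principals the AFP server needs is to inspect the keytab. The POSIX shell check below is an added example, not code from this thread or from Apple; it scans the text of a `klist -kt` keytab listing for `service/host@REALM` entries and reports any service that is missing. The sample listing, the host name xserve.example.com and the realm EXAMPLE.COM are constructed placeholders, and the cifs check illustrates the general case (SMB needs its own service principal for Kerberos sign-on) rather than anything the thread states about this server.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Kerberos service
# principals a file server needs are present in a keytab listing, such as
# the one `klist -kt /etc/krb5.keytab` prints after `dsconfigad -enablesso`.
# The listing is passed in as text so the check also works on a saved copy.

# check_keytab LISTING SERVICE...
# Prints each SERVICE that has no SERVICE/host@REALM entry in LISTING (to
# stderr) and returns 1 if any are missing, 0 if all are present.
check_keytab() {
    listing=$1
    shift
    missing=0
    for svc in "$@"; do
        # A keytab entry line is "KVNO timestamp svc/host@REALM"; match the
        # principal part only, so header lines never count as a hit.
        if ! printf '%s\n' "$listing" | grep -q "[[:space:]]$svc/[^[:space:]]*@"; then
            echo "missing principal: $svc/<host>@<REALM>" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample of a klist -kt listing on a server joined to AD with
# SSO enabled; only the afpserver and host principals are present, and
# xserve.example.com / EXAMPLE.COM are placeholder names.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/06 12:00:00 afpserver/xserve.example.com@EXAMPLE.COM
   3 01/01/06 12:00:00 host/xserve.example.com@EXAMPLE.COM'

# AFP over Kerberos needs the afpserver principal; host is used by login.
check_keytab "$SAMPLE_KEYTAB" afpserver host \
    && echo "afpserver and host principals present: AFP Kerberos can work"

# SMB clients need a cifs principal for Kerberos sign-on; the sample lacks it.
check_keytab "$SAMPLE_KEYTAB" cifs \
    || echo "no cifs principal: SMB clients cannot get a Kerberos service ticket here"
```

On the server itself, replace the constructed sample with the real output of `klist -kt /etc/krb5.keytab` (the default keytab path) and list the services you expect; a missing entry points at the SSO step rather than at the client configuration.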