OS X Server and Active Directory

DefUnct_UK

I'm wondering if someone can offer me some guidance with a problem I'm dealing with.

I've finally got our company to buy an Xserve with OS X Server (obviously).

Having never had to set one up before, I'm learning as I go along.

What I need to achieve is this:

I would like our Mac clients to authenticate against the Xserve, which will go to Active Directory to check the logins; however, the actual users' home directories will be managed and stored on the Xserve.

At the moment, I can get the Xserve to read users on the Active Directory, and I can get my Mac clients to link directly to Active Directory. What I can't figure out is how to get the clients to link to the Xserve, find their home directory on there, and have the Xserve handle the login against the AD server.

Any help would be of great help, or if anyone has done this before and knows how to do it, I would love to get some setup steps.

Thanks a lot!
 
Why do you want to do it in this manner? :)

If your Xserve is simply going to be used for data and won't be used for MCX settings in OS X (which would require it to be an OD Master), you can bind your server to AD. If you want to push managed preferences to your desktops, binding an OD Master to AD can be very problematic.

Bind your server and your clients to AD. Change your AD user profiles to reflect the new home location. You'll need to kerberize your AFP service, which is a manual process in Panther. It requires creating Kerberos keytab files and placing them in the proper directory on your OS X Server. I've done this a few times and it works quite well. You'll also need to join your SMB service to AD by manually editing the smb.conf file. If you're using a version of Panther over 10.3.5, Kerberos authentication to SMB can be problematic. You may have to specify a specific winbind separator in the config file to fix the new glitch in the OS.
 
Thanks a lot!! That helped a great deal. We will just use the Xserve for home directories; that seems the simpler option.

As for the SMB bits and Kerberos, thanks, since I wasn't fully aware of what was required there.
 
Just to clarify, in case I wasn't clear in the first reply... :)

Kerberos authentication to Mac OS X Server in an AD domain is different for SMB and AFP. AFP needs the keytab files created. SMB does not, it simply needs the proper settings added to your smb.conf file. Either way, you'll be binding your server to AD for this to work. Having both server and client connected to AD will give you the best results.
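The smb.conf settings the replies above refer to, shown here as an added illustration that is not from any poster in this thread; the realm, workgroup, domain controller name, id ranges and file path are assumptions, and the separator value is one common choice rather than the one any poster used:

```ini
# Added example: [global] section of /etc/smb.conf (path assumed) for joining the
# SMB service of an OS X Server running Samba 3 to an AD domain.
# EXAMPLE.COM, EXAMPLE, dc1.example.com and the id ranges are placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    # ADS mode makes Samba authenticate users against the domain via Kerberos
    security = ADS
    encrypt passwords = yes
    password server = dc1.example.com

    # Map AD domain accounts onto local uid/gid ranges on the server
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes

    # Character placed between DOMAIN and user in winbind-resolved names.
    # Samba's default is a backslash; the reply above notes that on Panther
    # releases after 10.3.5 an explicit separator may be needed, and '+' is
    # a common choice because it needs no escaping in shells or scripts.
    winbind separator = +
```

The join itself is performed on the server with Samba's `net ads join` as a domain account that is permitted to create computer objects; the thread does not cover which tool Panther's admin UI uses for that step.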
 
100%! :)

Here's your issue. You probably don't want a whole lot of data being shared out over two different connection types. AFP is, when being used in an OS X Server to OS X environment (not that Services for Macintosh stuff that MS is using), a very robust, fast, reliable mechanism to move your data. All of my users have been thrilled with the performance gains they've seen.

Getting AFP to accept AD Kerberos can be a little tricky. This is something I could help you with, but it's not really something that you want to do over a message board. :)

Drop me an email and I can help you set this up. miked_AT_District13Computing_DOT_com. Once it's set up properly, I've actually found that the method of AFP accessing the AD Kerberos via local keytab files is more reliable than the easier SMB join procedure. There are a few different ways to Kerberize the AFP service; some yield much better results than others! Not all connection types or authentication methods were created equal. :)
 