
OD and AD Integration with leopard?

Can a Leopard server be correctly integrated with an AD domain? I am losing the faith?

I have an AD domain with Windows clients attached and would like to add in a Leopard server and Mac clients into the setup. The aim is to have users log on to any Windows or MCX workstation and get their work. So basically AD is already (and will continue) to host authentication details and I wish to use the xServe to store home directories.

This is what I understand:
1) The Leopard Server must be in workgroup mode from install
2) Once installed, bind to the AD domain
3) Import the users from the AD server into the OD server
4) Group these up as necessary
5) Set share points for home directories and apply ACLs for user groups
6) Set home directories (not quite sure how this would work)
7) Bind new Mac clients to the AD server, then the OD server?

The problems I am having are:

1) Why import the users from AD? Now two sets of users exist. If a user forgets his/her password and I reset it on the AD server, will it need resetting on the OD server too? Surely this is doubling your work?

2) Where would I set home directories? On the AD server under account prefs? If I set the home directories for the users on the OD server, will only the Mac clients pick up the settings?

3) Why can't I just set up a server in advanced mode and have an OD Replica server set up? I want to have authentication controlled from one place, i.e. the AD server, and use the xServe for storage, so why can't users auth against AD and use SSO to auth against the xServe to get their work?

Any help would be greatly appreciated, thanks for your time.

Regards,
r00tb00t

Message was edited by: r00tb00t

PowerMac G5, Mac OS X (10.4.7)

Posted on May 12, 2008 11:13 PM


May 13, 2008 8:08 AM in response to r00tb00t

Hi

3) Import the users from the AD server into the OD server


Why? All you want to do is to browse the AD's directory node for users and/or groups, create a group in the LDAP node of your OD Master and drag selected users or groups from one node to another. You won't be creating them or importing them. The LDAP node group will be 'aware' of those users. Generally I would use existing AD groups and drag that group into the LDAP group. Apply managed preferences from there.

2) Where would I set home directories? On the AD server under account prefs? If I set the home directories for the users on the OD server, will only the Mac clients pick up the settings?


It's up to you. Is there any need to have home folders hosted on your Mac server? If it does not have the capacity or any means of backing them up then leave them where they are. Mac clients bound to AD and OD will be authenticated at the AD first, find their home folders and then be referred to the OD for anything else. This is provided clients have the AD and OD directories set in that order for Authentication and Contacts information using the Directory Utility, and the Mac server has been bound to AD correctly and is an OD Master with Kerberos not running.

If all the capacity is hosted by the Xserve then, for the user's Home Directory profile information on the DC, key in the path to where that folder is being hosted. Make sure AFP and SMB are enabled and that the folder being used is set to Automount. The path should look something like this: \\network\volumes\users\. A simple way of finding out what the pathname is is to browse for it first on the AD and see what pathname is returned. Users, when authenticated, should be redirected to where the folders are to be created. Provided OS X Server is configured correctly, users' home folders should be created there.

3) Why can't I just set up a server in advanced mode and have an OD Replica server set up?


If you mean 'can I make XServe a Replica (BDC) for AD', then no you can't. If the DC is a Windows Server, OSX Server can function as a Domain Member only. If you have an OD

May 13, 2008 11:27 AM in response to Antonio Rocco

To continue:

If you mean 'can I make OSX Server a Replica (BDC) for AD', then no you can't. If the DC is a Windows Server, OSX Server can function as a Domain Member only. If you have an OD Master/Replica relationship then the Master would be the PDC and the Replica would be the BDC. They would have to be promoted to those roles first in the SMB Service. They don't automatically become PDC and BDC just because one is a Master and the other is a Replica.

Of course these are not definitive answers and there may well be others who have managed to do this in other ways?

Mike Bombich has an integration paper outlining how to achieve a lot of this. It is for 10.4 Server but you may find it useful:

http://www.bombich.com/mactips/activedir.html

Hope this helps, Tony

May 13, 2008 11:52 AM in response to r00tb00t

Finally:

Can a Leopard server be correctly integrated with an AD domain


Yes, absolutely. In fact it's easier to do this with Leopard compared to previous versions. I've successfully integrated OD into AD numerous times using a variety of methods. Problems I've seen are mainly to do with how well the AD has been configured. Some sites have had no reverse zone configured. Some PC admins seem to think this is standard practice? Maybe for a purely Windows environment it is? Successful OD integration will falter or not work at all if you don't have it.

You might want to look here for further assistance:

http://www.macwindows.com/AD.html

Hope this helps, Tony

May 15, 2008 4:22 AM in response to r00tb00t

Thanks a lot for all your replies and fascinating information. I started this post based on another post I was taking part in. This is what I have done (I formatted my xServe, removed my AD domain and created a new one for a fresh start):

1. Install OS X Server in Workgroup Mode (but I ended up promoting it to Advanced mode)
2. Verify DNS settings (all good!)
3. Bind to Active Directory with Directory Util
4. Bind my OD server to AD server as a directory system
5. Verify with dscl that the xServe can access AD correctly (all good)
6. Set up shares with Server Admin and SMB

This is where I am stuck. Everything is fine; I had some issues with the SMB service not getting authentication from the AD server and instead asking for local details, but that is fixed now. All I'm having trouble with now is ACL issues:

After making a share point (staff for example), it has:
Owner (My Domain\Domain Admins) - Read & Write
Group (My Domain\Staff Group) - Read and Write
Other - Read

but it's not quite right. Making a user in AD and setting his/her home directory creates the directory on the xServe fine, but that also has bizarre permissions; selecting "Get Info" on a user's home directory on the xServe shows all settings for permissions as "custom" and they cannot be changed from the xServe?

I have been fiddling around for about two hours, at one point I got it working, then not working, then working again etc. You can see where this is going! How should I have this set up?

Thanks for your time.

Regards,
r00tb00t.

May 15, 2008 7:07 AM in response to r00tb00t

Hi

As far as I know only POSIX permissions are applied to home folders after creating them. For example, if you had a user called Any Body (long name), anybody (short name), and created a home folder for that user, the standard POSIX permissions model would automatically be applied. These would be:

Owner : anybody : Read/Write
Group : admin : Read Only
Others : none

I don't think ACLs would be applied in that case unless you (as an administrator or teacher, for example) needed to apply them to examine the contents of the user's Desktop or Documents folder to either tidy up or assess coursework. Is this what you mean?

To preserve users' default privileges over their own home folder, preventing others from logging into that account, you could apply an ACE over and above what has been set for that user using the standard POSIX model.

Define a group consisting of teachers and/or administrators (it can be a single user if you wish), drag selected users to it, go back to Server Admin > File Sharing, select the shared folder used for creating and automounting home folders, add the group (or user) to the ACL window just above the POSIX window, and propagate permissions from there. This will preserve individual home folder users' privileges and allow access for those defined in that group or for that user.

You can do this all via the command line or use the interface; there is more than enough scope to achieve what you want.

I'm guessing you may already know this? Both permissions models apply in OS X Server: standard POSIX as well as Access Control Lists (ACLs). This has been the case since Tiger Server (10.4). The ACL permissions model overrides/supersedes the standard POSIX model as well as acting in conjunction with it. In some cases you could have the overall effect of both permissions models being applied to a share point.

For a good explanation of how the permissions models work:

http://discussions.apple.com/thread.jspa?messageID=648307&#648307
http://discussions.apple.com/thread.jspa?messageID=1535247&#1535247

This is a link for a recent thread you might find useful?

http://discussions.apple.com/thread.jspa?threadID=1428118&start=15&tstart=30

Tony
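As an added example (not code from the thread, from Tony, or from Apple), here is the inheriting ACE Tony describes written in chmod's own syntax, plus a small audit that reads captured `ls -le` output from the home-folder share and flags home folders carrying any other ACE or a POSIX owner that is not the user. The group name "teachers", the path /Volumes/Data/Users and the listing are assumptions; the listing is constructed so the audit runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the inheriting ACE for an
# admin/teacher group and audits captured `ls -le` output of the home-folder
# share for (a) ACEs other than that group's and (b) home folders whose
# POSIX owner is not the user they belong to.
# Assumed names: group "teachers", share point /Volumes/Data/Users.

# Read-only ACE with inheritance flags: home folders created under the share
# afterwards pick it up, so teachers can inspect but not change user files.
ace_for_group() {
    printf 'group:%s allow list,search,read,readattr,readextattr,readsecurity,file_inherit,directory_inherit' "$1"
}
# On the Xserve itself (macOS only):
#   chmod +a "$(ace_for_group teachers)" /Volumes/Data/Users
#   ls -le /Volumes/Data/Users > homes.txt   # capture the listing for the audit

# Constructed sample of `ls -le` output for the share, in the format macOS
# prints: a directory line followed by its numbered ACEs (if any).
SAMPLE='drwx------+  8 anybody  staff  272 May 15 07:00 anybody
 0: group:teachers inherited allow list,search,read,readattr,readextattr,readsecurity,file_inherit,directory_inherit
drwx------+  8 someone  staff  272 May 15 07:01 someone
 0: group:teachers inherited allow list,search,read,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 1: user:guest allow read,write,delete
drwx------   8 root     staff  272 May 15 07:02 nobody'

# Print one line per finding: "<folder> <principal>" for an unexpected ACE,
# "<folder> owner <owner>" when the POSIX owner is not the folder's user.
audit_home_aces() {
    printf '%s\n' "$2" | awk -v want="group:$1" '
        /^[d-]/ {                 # directory line: owner is field 3, name is last
            dir = $NF
            if ($3 != dir) print dir, "owner", $3
            next
        }
        /^ *[0-9]+:/ {            # ACE line: field 2 is the principal
            if ($2 != want) print dir, $2
        }'
}

# Usage on a captured listing:  audit_home_aces teachers "$(cat homes.txt)"
audit_home_aces teachers "$SAMPLE"
```

On the sample it reports "someone user:guest" (a stray ACE granting write to guest) and "nobody owner root" (a home folder the user does not own), which are exactly the two conditions that produce the "custom" permissions r00tb00t saw.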
