
Link login?

Hello,

I am running 10.6 server and all of my users are on 10.6 as well. We run MS Active Directory as we are in a mixed environment. I have my Mac laptops backing up to Time Machine on the xserve and we also use RADIUS authentication for our wireless. My question is this: Is there a way I can link all of these logins as they are all the same? When a user logs into their Mac, they are using their AD username, which is the same for their Time Machine backups and also the same for them to connect to the wireless via RADIUS authentication. For my Windows users everything works together, but for the Mac users each login is separate. The issues really arise when someone's password expires and they are required to change it. The user updates and logs in with their new password, but their Time Machine backups stop running and they can't connect to wireless until they update in these locations as well, and they can't update their own Time Machine info as they don't have access to change those settings, leaving a lot of extra work for me. Any help will be greatly appreciated.

Tim

Mac OS X (10.6.4)

Posted on Sep 28, 2010 2:47 PM

3 replies

Sep 28, 2010 4:31 PM in response to linedpaper

Yes, what you want is entirely possible - you can either have the Macs authenticate against AD, or set up a Golden Triangle where the Xserve slaves off the AD directory rather than runs its own.

You may have migration issues, though - this is something that's easier to set up from scratch than it is to try and migrate users from one directory system to another, especially since the username already exists in AD. If you can deal with the one-time pain of moving each user's data then a Golden Triangle would be the way to go.

It's not a trivial, one-click process, though. It's covered in some depth in the Server Administration Manuals.

Oct 3, 2010 9:00 PM in response to linedpaper

No, leave the clients bound to AD (you might also want to join them to OD, but it'd be for policy & preference management, not authentication). The preferred way to get single-sign-on authentication is with Kerberos; both Macs and Windows use it when they're joined to a domain, but I don't think it can be used for either 802.1X (wireless auth) or Time Machine backup.

There is, however, a way to get much the same effect for 802.1X: switch from a user authentication profile (what your users probably have now) to a login window profile. Then the login window will use the same name & password for both logging into the computer and authenticating to the network. The relevant setting is in Network preferences -> Airport (or whatever the relevant service is) -> Advanced button -> 802.1X tab -> use the "+" button at the bottom to add a Login Window Profile. I haven't used this, so I don't know precisely what settings you'll need, but in principle it should solve the problem.

Time Machine is a more difficult problem. The issue here is that it runs independently of who happens to be logged in (if anyone), and hence cannot piggyback off the active user's authentication info. Unfortunately, I don't know a way around this one.
