Mailing Lists: Apple Mailing Lists


Fwd: Re: OS X - AD integration tentative solution?



re-send due to '69 date

>Date: Wed, 31 Dec 1969 18:45:41 -0600
>To: email@hidden, email@hidden
>From: Michael Bartosh <email@hidden>
>Subject: Re: OS X - AD integration tentative solution?
>Cc:
>Bcc:
>X-Attachments:
>
>At 6:28 PM +0100 4/29/03, email@hidden wrote:
>>Having followed recent discussions on this list with regard to
>>running MOSX clients in a managed way, whilst authenticating
>>against an existing AD setup, I decided to have a play. I got
>>quite far, and have a summary that I would welcome
>>comment/suggestions on.
>>
>>My setup was a W2K AD, an Xserve with 10.2.5, and a 10.2.5 client.
>>I went the Kerberos route, to avoid AD schema mods since they
>>aren't feasible at a lot of sites. As per Michael Bartosh's recent
>>posts, I followed the Kerb documents in the Kbase (107153-5).
>>However, I could not get AFP service to offer kerberised logins. I
>>created a service principal on the AD, and generated its
>>krb5.keytab. I set AFP to accept Kerb authentication only, and
>>rebooted the Xserve for good measure. I can log in locally on the
>>Xserve as a kerb-authed user, but not from a client. A packet
>>sniff showed that the server was not advertising kerb to the
>>client, and I got error -5002 from the client. Am I
>>misconfigured, or is this a bug?
>
>It's misconfigured, but there's also a bug.
>
>In a correct configuration, the server knows it offers kerb auth,
>and the client gets an afpserver/email@hidden
>service ticket, which the server then doesn't consider valid. I
>haven't been able to get it to work, though (specifically with AD).
>
>>To overcome this, i set the home directories on the Xserve to mount
>>via NFS, which seems to work fine - does this have any negative
>>impact?
>
>Security. Performance. Otherwise, no.
>
>>
>>So, I now have to import all the users from AD into Open Directory
>>(pretty simple), create their Mac homedirs (createhomedir -a) and
>>keep them synched (some not too painful scripting). I end up with
>>one set of users, one point of authentication, and two sets of
>>homedirs - not necessarily a bad thing at many of my sites, where
>>the goal is to keep the Macs mostly separate.
>
>Why not simply use smb home dirs?
>
>>Users can, of course, mount their W2K shares via SMB once logged in.
>>This all seems quite positive, so before I deploy at a (willing)
>>test site or two, are there any caveats I should be aware of?
>>
>>yours looking to the gurus
>
>
>--
>
>
>http://www.4am-media.com
>Mac OS X Consulting and Training
>Michael Bartosh
>email@hidden
>303.517.0272
>Denver, CO
>
>
>"The surest way to corrupt a youth is to instruct him to hold in higher
>regard those who think alike than those who think differently."
>
>-- Nietzsche
>
> Think Different.
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
Do not post admin requests to the list. They will be ignored.
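The exchange above turns on the server being handed an afpserver/ service ticket it does not consider valid. One thing a practitioner would check before suspecting a bug is that the keytab on the Xserve actually contains a principal whose name matches what a Kerberos client will ask for, namely afpserver/<the FQDN the client connects to>@REALM. The following is an added example, not code from the list post or from Apple; it parses the output of `klist -k` (a constructed sample here, with a made-up hostname and realm) and reports whether the expected principal is present, present only under a different name (for example a short hostname instead of the FQDN), or missing. That a name mismatch is a likely cause of the poster's symptom is an assumption, not something the thread establishes.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Checks whether a Kerberos keytab
# listing contains the AFP service principal a client will request.
# Hostname, realm and keytab contents below are constructed for illustration.

# Constructed sample of `sudo klist -k /etc/krb5.keytab` output on the Xserve.
# Note the afpserver entry uses the short hostname, not the FQDN.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/xserve.example.com@EXAMPLE.COM
   3 afpserver/xserve@EXAMPLE.COM'

# afp_principal_in_keytab LISTING FQDN REALM
#   Prints the relevant principal and returns:
#     0  an exact afpserver/FQDN@REALM entry exists (client ticket will match)
#     1  an afpserver/ entry exists but under a different name (likely mismatch)
#     2  no afpserver/ entry at all (service has no key to decrypt the ticket)
afp_principal_in_keytab() {
    listing=$1
    fqdn=$2
    realm=$3
    want="afpserver/$fqdn@$realm"

    # Exact match: the last whitespace-separated field of some line equals $want.
    if printf '%s\n' "$listing" | awk -v w="$want" '$NF == w { found = 1 } END { exit !found }'; then
        echo "$want"
        return 0
    fi

    # Otherwise report the first afpserver/ principal present, if any.
    other=$(printf '%s\n' "$listing" | awk '$NF ~ /^afpserver\// { print $NF; exit }')
    if [ -n "$other" ]; then
        echo "$other"
        return 1
    fi
    return 2
}

# Stand-alone run: what happens for a client connecting to xserve.example.com?
p=$(afp_principal_in_keytab "$SAMPLE_KEYTAB_LISTING" xserve.example.com EXAMPLE.COM)
rc=$?
case $rc in
    0) echo "OK: keytab has $p" ;;
    1) echo "MISMATCH: keytab has $p but the client will ask for afpserver/xserve.example.com@EXAMPLE.COM" ;;
    2) echo "MISSING: no afpserver/ principal in keytab" ;;
esac
```

Run it on the real Xserve with `sudo klist -k /etc/krb5.keytab` substituted for the sample, using the DNS name clients actually type in the Connect to Server dialog. A mismatch here means the client obtains a ticket for a principal the server has no key for, which the server would reject regardless of which authentication methods it advertises.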
