Slashdot Mirror


"Seamless" Integration of Mac OS X w/ Active Directory

eexlebots asks: "I work for a small college which has a few Mac OS X 10.2 machines and a fairly standard Active Directory setup. Actual deployment of these clients rides on getting them to authenticate at login to our Active Directory server. Apple has stated that this is possible (easy! seamless!) with Jaguar without the use of an additional Mac OS X server, but I have found the case to be quite different. It is possible, but not without a good deal of nightmarish configuration issues. Documentation? HA! No sign of it anywhere on Apple's site. I'm not alone: at macwindows.com I found a good many people who consider Apple's claims of seamless Windows Network integration to be a bad joke and nothing more. I was wondering who else out there is having this problem, and what they have done to solve it."

300 comments

  1. Title != message by Anonymous Coward · · Score: 4, Informative

    Active desktop and Active directory are *slightly* different...

    1. Re:Title != message by Anonymous Coward · · Score: 0

      please mod the parent up since it is a very important point.
      I'd like the slashdot team to change/update this story.

    2. Re:Title != message by Anonymous Coward · · Score: 0

      They both suck, does that make them similar enough?

    3. Re:Title != message by LordKariya · · Score: 0, Flamebait

      This is true. You can't expect the average linux user to understand things like "GUI". I mean, the fact that you can just change the cd in the cdrom drive without typing 400 commands amazes most Linux users. I'd really like to know why the above post was modded as a troll. I'll get you in metamod. Modding down posts you don't agree with is inappropriate.

      --
      I alternate between posting +5 and -1 Comments. Karma: +53 -47 = 6
    4. Re:Title != message by Anonymous Coward · · Score: 0

      OH, I'M SORRY Piece of SHIT Linux NIS is better? riight.

    5. Re:Title != message by 404+error · · Score: 1

      hey i think NIS works across subnets now there's no stopping it!

    6. Re:Title != message by bursch-X · · Score: 1

      WTF??? Which moron has modded the above as flamebait?

      --
      There are two rules for success:
      1. Never tell everything you know.
    7. Re:Title != message by tuxracer · · Score: 1

      "I'll get you in metamod. Modding down posts you don't agree with is inappropriate." Grow up you whiney bitch.

    8. Re:Title != message by Anonymous Coward · · Score: 0

      umm maybe they already changed this... but active desktop isn't mentioned anywhere? in the title or elsewhere that I see...

    9. Re:Title != message by Anonymous Coward · · Score: 0

      Anonymous because I work with the state of Florida DOT and I am behind a dozen firewalls.
      I am the tech support for our Public Information Office, and I have installed OS X2 on our systems here in a Dell world with Active Directory and it works just fine.

  2. error by Anonymous Coward · · Score: 0

    In the title: Desktop != Directory

  3. Active Desktop??? by Anonymous Coward · · Score: 0

    Active Desktop???
    Change the title or no one will know what the heck you're talking about.

  4. Confusion on title by j0217995 · · Score: 0, Redundant

    The title was "Seamless" Integration of MAC OS X w/ Active Desktop, but shouldn't be Active Directory, or did I somehow miss the Active Desktop part of things?

  5. Desktop != Directory... by Anonymous Coward · · Score: 0

    Fix the headline.

  6. Well, by jcrash · · Score: 3, Insightful

    It isn't exactly in Microsoft's best interest to make this easy for them is it?

    --
    I do not fear computers. I fear the lack of them. Isaac Asimov (1920 - 1992)
    1. Re:Well, by afidel · · Score: 2

      Actually, why would MS care? You have to pay the per-seat license for the AD servers regardless of client platform. So what if they lose an OEM OS sale, they still get you per seat and probably for Office too.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Well, by jamespancake · · Score: 1
      No kidding. I mean, it's not like Apple has a history of taking forever to write any sort of decent Windows-compliancy-code -- I mean, they managed to get an SMB implementation (in 10.2, finally) for their operating system only a few years after the SAMBA project did the same thing for Unix.

      Nevermind that the spec had been released and all that. God, Microsoft just makes things so hard for Apple, don't they?

    3. Re:Well, by Textbook+Error · · Score: 0

      I mean, they managed to get an SMB implementation (in 10.2, finally) for their operating system only a few years after the SAMBA project did the same thing for Unix
      The SMB implementation in 10.2 is SAMBA - see /usr/bin/smb*.

      --

      Nae bother
    4. Re:Well, by rve · · Score: 2

      You have to actively disable it in Windows 2000 Advanced Server release if you don't have Macs on your network; it's installed by default and easy to configure. That's only $4000, not including the cost of the sys admin that you will need to hire.

  7. Active Desktop is not Active Directory by Alton_Brown · · Score: 0

    Guys, please add an UPDATE! 2:02 EST by cmdrTaco: it's Active Directory, not Active Desktop.
    Today's recipe: Hot Spinach and Artichoke Dip

    1. Re:Active Desktop is not Active Directory by Anonymous Coward · · Score: 0

      This could've been a brilliant post had you not added Today's recipe.

      shit! almost posted non-anonymous! lucky slashdot doesn't allow me to post in 14 seconds :)

  8. THE HORROR by Anonymous Coward · · Score: 0

    Why would you want to hook up a bastardized BSD box to a windows network... that goes against darwin.. survival of the fittest... like lyle lovett.. HOW

    1. Re:THE HORROR by Anonymous Coward · · Score: 0

      windows lovett, ... i like bastard BSD

  9. It's Active Directory by donutello · · Score: 1, Redundant

    Not Active Desktop

    Big Difference!

    --
    Mmmm.. Donuts
  10. Humans at slashdot truly are stupid by jaxon6 · · Score: 1, Flamebait

    It wasn't until this very column, titled Mac OS X with Active Desktop, that I realized how very stupid the humans at slashdot are. I never paid any attention to others who insisted this, but now I'm a believer. I mean, come on! Active Desktop when the text clearly says Active Directory. Jeez, where does slashdot find them? On topic now.. I've seen documentation on Apple's site on how to do it, but it's quite a mess. We currently support Win2k (soon XP) and Linux boxen in the Bio dept. at MIT, because of the Kerberos. With the release of Jaguar, Macs become a viable managed platform for us, as opposed to the unmanaged platforms we have to support, such as Irix, NT4, Solaris (although 9 finally supports Kerberos). Any success stories and/or caveats will be appreciated by many.

    --
    Do you see the sig? Do you have it in your sights? Why yes, Miss Moneypenny...
    1. Re:Humans at slashdot truly are stupid by avandesande · · Score: 1

      Yeah, but don't underestimate the hamsters at /. They are pretty bright for a bunch of little rodents.

      --
      love is just extroverted narcissism
    2. Re:Humans at slashdot truly are stupid by jacorrea · · Score: 0, Offtopic

      Well, we have two things in common: before I read your post I was about to make the very same observation about the very witty and intelligent posting that goes on here, but I'll keep quiet now. I am also at MIT (the Press); we have a 60/40 PC/Mac split and I am trying to dig up as much as possible on this now that we will be able to start our own domains. I have not found any useful information so far but I have faith someone will make it work.

    3. Re:Humans at slashdot truly are stupid by jaxon6 · · Score: 1

      We're completely scrapping our domain in order to use WinAthena, which has a few limitations, but they're responsive, and after managing a Win2k domain, let me tell you the headaches saved by having somebody else do it right(key word is right) keep me from going postal on the users.

      --
      Do you see the sig? Do you have it in your sights? Why yes, Miss Moneypenny...
    4. Re:Humans at slashdot truly are stupid by jacorrea · · Score: 1

      If we were on Campus I would almost definitely go for it but we are just off campus with a crappy T1 so I am planning on keeping everything in house. Except our Web and SQL boxes which W91 will get.

    5. Re:Humans at slashdot truly are stupid by jaxon6 · · Score: 1

      What you could do, and what we do, is offload authentication to MIT, but keep the file server local. We've had real good luck with that. And authentication isn't that big a bandwidth hog.

      --
      Do you see the sig? Do you have it in your sights? Why yes, Miss Moneypenny...
    6. Re:Humans at slashdot truly are stupid by Anonvmous+Coward · · Score: 2

      "It wasn't until this very column, titled Mac OS X with Active Desktop, until I realized how very stupid the humans at slashdot are...Active Desktop when the text clearly says Active Directory. Jeez, where does slashdot find them?"

      All humans at /. are very stupid because they made a textual mistake between two like-sounding MS buzzwords? Are you saying that one has to follow MS's fads religiously to not be an idiot? heh.

      Now that's funny. Where did Slashdot find you?

    7. Re:Humans at slashdot truly are stupid by Anonymous Coward · · Score: 0

      I think he said MIT.

    8. Re:Humans at slashdot truly are stupid by Anonymous Coward · · Score: 0

      I suppose the hobbits and elves on /. are much smarter.

  11. i also... by Anonymous Coward · · Score: 0

    i've found that you can go into /Utilities/Directory Access and configure the SMB entry, but, for whatever reason, the macs on my domain elect themselves the domain controller and cannot see any machines on the domain. it's pretty annoying.

    doing an smb://machinename/ works just fine (thank goodness 10.2 keeps us from having to announce the share on that line anymore), but it's lame that i can't browse the network.

    that said, 10.2 works just fine on my simple workgroup based network at home.

  12. Well it's not that hard to fix. by miffo.swe · · Score: 4, Informative

    Get rid of that stupid AD and install a real catalogue system like LDAP or NDS. Active Directory is made for Windows and nothing but windows. Making anything else work with it is very hard and not worth it. What on earth do you need from AD that cannot be solved otherwise? If it's just a matter of a few machines there shouldn't be any significant gain in ease of admin in AD. If there are plenty then you should install a MAC server. Microsoft does not and will never play nice with anything else but Microsoft.

    --
    HTTP/1.1 400
    1. Re:Well it's not that hard to fix. by Telastyn · · Score: 5, Insightful

      because if you use LDAP or NDS you end up with the same nightmarish configuration issues, except now the issues are with the windows machines, which are probably 90% of his clientele.

      (this of course assumes it's impossible to just get rid of the windows machines and they actually need centralized authentication in the first place...)

    2. Re:Well it's not that hard to fix. by Anonymous Coward · · Score: 1, Informative

      Use LDAP? Uh... Active Directory is an x.500 based directory that uses.... LDAP!!

      NDS is also an x.500 based directory.

    3. Re:Well it's not that hard to fix. by 1984 · · Score: 2

      Sigh. This may not be an option. Ripping out a directory service and replacing it is non-trivial. Getting MAC clients to work with AD may be a pain, but you seem rather blasé about switching directory services. It's a shame that posts saying, "Rip it out, dipshit. Why did you install that shit anyway?" aren't actually helpful to people with real world problems.

      And, in fact, I'd suggest you audition NIS on Windows (yes, you heard me right). Services for UNIX v3.0 includes an NIS (and NFS) server which integrates with Active Directory, so you can have NIS clients managed by the AD infrastructure. It costs $99, and also gives you a nice UNIX shell that you can use to tool around your AD server and a bunch of other goodies. (Having said that, I don't know anything about OS X, so I don't know how well it plays with NIS, but it's an avenue worth a look.)

    4. Re:Well it's not that hard to fix. by jmcnamera · · Score: 1

      My understanding of AD is imperfect, but I think it's a superset of LDAP.

      I've run LDAP clients against AD without trouble, but they only did a small amount of LDAP work.

      --
      this is not a sig
    5. Re:Well it's not that hard to fix. by Anonymous Coward · · Score: 0

      Not sure about LDAP, but I have yet to see anyone who actually deploys both AD and NDS for living prefer AD.

    6. Re:Well it's not that hard to fix. by UnrefinedLayman · · Score: 3, Informative
      What on earth do you need from AD that cannot be solved otherwise?
      Group Policy. If there's one thing that is important to an organization with many computers that require support, it's group policy.

      Beyond that, there are a large number of reasons. If you've never used Active Directory, then you don't understand the integration it offers that you can't find elsewhere easily.
    7. Re:Well it's not that hard to fix. by bugpit · · Score: 1
      Get rid of that stupid AD and install a real catalogue system like LDAP or NDS.

      How on god's blue earth did this get a Score:3, Informative?

      "Get rid of that stupid Netscape and install a real browser like Mozilla or Explorer."
      "Get rid of that stupid Sam Adam's and drink a real beverage like beer or Harpoon."

      What on earth do you need from AD that cannot be solved otherwise? [...] If there are plenty [of machines] then you should install a MAC server. Microsoft does not and will never play nice with anything else but Microsoft.

      Ah! I see... if you have lots of PC and Mac boxes, forget about trying to consolidate the management or integrate them, just double the work and the cost! Woohoo!

      Scalable IT solutions thru cloning and printing your own money, I like the ring of that.

      - Gregg

      --
      We have found the enemy and he is us. - Pogo
    8. Re:Well it's not that hard to fix. by Anonymous Coward · · Score: 0

      IS the crack that good where you are?

    9. Re:Well it's not that hard to fix. by Textbook+Error · · Score: 1

      Getting MAC clients to work
      Why do people persist in writing "MAC" as if it was some kind of acronym? It's an abbreviation - it doesn't need to be capitalised!

      Would you write "WINDOWS"? Or "linUX"?

      --

      Nae bother
    10. Re:Well it's not that hard to fix. by sbjornda · · Score: 1
      Not sure about LDAP, but I have yet to see anyone who actually deploys both AD and NDS for living prefer AD.

      I've deployed both in production environments. At the moment I have a slight preference for AD. Group Policy rocks, and the drag-and-drop of NDS never felt intuitive to me. But NDS seems more forgiving to operate and is clearly more mature.

      LDAP on *nix, though, seems higher maintenance to set up, with less reward than you get straight out of the proprietary systems' shrinkwrap. (Caveat: I've only played with *nix LDAP in the lab, not in production.)

      .nosig

    11. Re:Well it's not that hard to fix. by Nezer · · Score: 1

      Generally I agree but I have to take issue here:

      >>> What on earth do you need from AD that cannot be solved otherwise?

      How about OU-level GPO or GPO on *ANY* level other than local.

      Aside from simply providing information about users, their passwords and mailboxes, AD also allows group policy to be set at levels other than on each desktop. This makes it *really* handy to do things like, say, tell windows NOT to display the last logon name (security risk) or put a logoff user option on the start bar (how many windows boxes get rebooted because logoff and restart are so damned close?) or even allow your whole domain to "send unencrypted passwords to third-party SMB servers" (aka easy, though insecure, samba integration).

      Maybe there are other solutions to this type of thing but as far as I can tell the GPO stuff is the only real advantage over other directory services. And when you're managing thousands of desktops and servers it really is a major advantage!

    12. Re:Well it's not that hard to fix. by Proudrooster · · Score: 2

      * M$ Active Directory is LDAP!
      * NDS v4.0 is LDAP!
      * Slapd is LDAP!
      * Netscape Directory Server is LDAP!

      And they all work with nearly every LDAP client, including Mac's and the Mozilla browser.

      * Slurpd is not LDAP, but likes to consume LDAP information.
      * Who'sYourDaddy_d and SayMyName_d are not part of Open LDAP, but should be :)
      * PerLDAP is not LDAP, but is great for doing LDAP programming.

      Now for my Microsoft RANT. Yep, M$ stole LDAP and renamed it Active Directory Services. It appears that no matter how much money M$ seems to amass, they just can't seem to buy a clue and come up with a good idea on their own. It's the same old "embrace and extend" commodity protocols which now seems to be their only strategy.

      Also, Microsoft products will read LDIF (LDAP Interchange File), but amazingly enough, M$ products won't write an LDIF file. Yes, you can check in anytime you want, but you can never LEAVE!

      Lastly, I tried to use Outlook with OpenLDAP and it crashed (the only client to crash). The only option on my pick list is Microsoft LDAP server. Hmmmmm... what exactly is a Microsoft LDAP server? If anyone finds one of these let me know, I want to see if it can make an LDIF file. However, I could care since, I use Mozilla exclusively as my browser now.

      And for anyone out there wanting to implement LDAP, I suggest you do two things...

      1. Read the RFCs (they helped me immensely)
      2. Get the book, "Implementing LDAP" by wrox.com

      M, Go Blue!

    13. Re:Well it's not that hard to fix. by Anonymous Coward · · Score: 0

      The primary cause of this syndrome is years of braindamage resulting from working with Novell.

  13. Using AD for authentication by gruntvald · · Score: 4, Funny

    Step 1: plug into the network

    Step 2: login using AD credentials

    Step 3: There's no step 3! There's no step 3!

    1. Re:Using AD for authentication by Bob+McCown · · Score: 5, Funny
      Step 3: There's no step 3! There's no step 3!

      er, profit????

    2. Re:Using AD for authentication by Jobe_br · · Score: 2

      Precisely. It should really be this easy. OS X has a Directory Services manager where you can add the AD server in - LDAP compatibility will need to be enabled, obviously. At that point, you have the login. Setting up home-dirs might be a tad more tricky, but maybe not. I don't have an AD server here to mess with, but it really shouldn't be too difficult, as long as the 'standards compliant' features of AD are enabled.

      Cheers.

    3. Re:Using AD for authentication by tulare · · Score: 3, Informative

      Actually, we have AD running, along with a bunch of OS X clients. We even had an Apple engineer here last week, and he couldn't figure out how to get the auth to handle such things as creating user dirs. It's a large, ugly mess.

      --
      political_news.c: warning: comparison is always true due to limited range of data type
    4. Re:Using AD for authentication by Jobe_br · · Score: 3, Insightful

      Creating user dirs is a tricky problem. Samba w/ winbind and the PAM auth module is pretty difficult to setup for that, as well.

      And, while I understand that having Apple say "it's easy" makes you want to blame them, you really ought to blame MS or yourselves for purchasing MS technology. It's really that simple. Folks need to stop complaining about MS and just either suck it up, or not use their tech. If it's good, use it. If it's not, don't - and don't complain.

      OS X is more compatible with Windows than Windows is with OS X. Finito.

      Cheers.

    5. Re:Using AD for authentication by Kunta+Kinte · · Score: 4, Informative
      It's easy if you do it the other way around.

      that is, create the NT user whenever you add a new LDAP user.

      Have an OpenLDAP replica running on your Win2k box. Include a Perl trigger that parses ldapadds and creates a local Win2k user whenever a new LDAP user gets added.

      Perl can be used to synchronize the passwords as well, so you don't need Winbind.

      Check out http://acctsync.sf.net/ for more info.

      --
      Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  14. Re:KTHXBYE by Anonymous Coward · · Score: 0

    You sure like being part of the crowd, don't you?

  15. Re:Hypocrites by MoneyT · · Score: 3, Insightful

    Not really. Apple has been partners with M$ for quite a while now. And you do know the best way to win users over is to make it easy to incorporate the new into the old.

    --
    T Money
    World Domination with a plastic spoon since 1984
  16. Winbind??? by Anonymous Coward · · Score: 2, Interesting

    Can't you just use Winbind from the SAMBA project to use AD authentication? Just configure Winbind to point to your Domain controller and setup NIS to work with it.

    Or am I off base? I've done this on FreeBSD i386 boxes so it should not be difficult, unless Apple has mucked up logins.

  17. Why not Samba? by bdowne01 · · Score: 5, Interesting

    I'm stating this at a very high-level perspective, but I know Samba is an actual component of OS X Server, and it is known to compile and install on OS X perfectly.

    So why not use Samba for integration to Active Directory? I'm not perfectly clear on the details of doing so, but I'm pretty sure you can use Kerberos to hook up to an AD domain, and go from there.

    Any reason not to try? After all, Unix folk are generally pretty adamant about not reinventing the wheel :)

    --
    -brain
    1. Re:Why not Samba? by Twirlip+of+the+Mists · · Score: 5, Informative

      Any reason not to try?

      Yes. It's unnecessary. Active Directory can expose an LDAP interface, and Mac OS X is an LDAP client. The only tricky part is synchronizing the schemas, and Apple's documentation describes how to do that. On paper, it looks really simple. Since I don't have any Windows servers, I can't say whether it's simple in practice or not. The submitter evidently thinks it isn't.

      --

      I write in my journal
    2. Re:Why not Samba? by tetra103 · · Score: 1

      Good thought, but that will only take care of file share permissions. Samba will not take care of workstation authentication.

      Chances are their company is much like ours. They have a Microsoft Universe and will ONLY use Microsoft products to manage that world. Unfortunately that's about 90% of the company. The rest of the company consists of individual islands composed of LDAP, NIS and NIS+. Your chances of integrating a non-MS machine into an MS environment are probably more a political battle. Your best bet is to use AD for MS authentication (the MS admins don't know anything else), and use LDAP or something universal to manage all the rest (Solaris, Linux, OS X, ...). Then, as you said, use a central Samba server to bridge the gap of file and print sharing to the MS world and vice versa. The only drawback is managing a separate account for each user in two different naming services, but it sure beats the political battle of trying to convince the MS crowd to use something universal. Believe me, that's a losing battle...

    3. Re:Why not Samba? by afidel · · Score: 2

      Well that sounds like anything touched by Microsoft. "On paper, it looks really simple. " but then you get to actual implementation it is anything but simple. I guess that is why I have a job though =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  18. Active Directory is different than Active Desktop by Sycraft-fu · · Score: 3, Offtopic

    Active Directory is Microsoft's enterprise X.500-like security and authentication scheme. You set it up on a network of Windows servers and the clients all authenticate with those. Active Desktop is putting a webpage on your desktop.

  19. Apple strengths.... by dubious9 · · Score: 1, Flamebait

    ...have always been that their single user experience was good. Mac users don't just like their macs at home, they love them. Apple realized this and catered to that strength. Meanwhile Wintel took over the corporations of America. Aside from schools and maybe graphics/multimedia places, who would implement an Apple network?

    Thus it doesn't surprise me that their implementation is unpolished. Polish is, however, Apple's strength, so give em hell, and give em time, and they'll come round.

    --
    Why, o why must the sky fall when I've learned to fly?
    1. Re:Apple strengths.... by Anonymous Coward · · Score: 0

      Home networks have always been a Mac strong point.. I have had a network with multi-computer and printer sharing since 1987..

      Kyderdog Dan

  20. Just ask MS to open the API by Anonymous Coward · · Score: 2, Funny

    Couldn't we just ask nicely for Microsoft to open up the APIs for Active Directory?
    Oh wait they don't have to since this would involve Security, DRM, Authentication, Innovation, The Butterfly, etc...

    1. Re:Just ask MS to open the API by Anonymous Coward · · Score: 0

      LDAP and Kerberos aren't open enough for you? What more do you want from them?

    2. Re:Just ask MS to open the API by Anonymous Coward · · Score: 0

      Agreed. Windows uses very standard protocols (despite what the un/misinformed UNIX nerds believe) and there is nothing wrong with using them. Windows really beats many operating systems when it comes to managing a production USER/APPLICATION environment, so why not take advantage of that?

    3. Re:Just ask MS to open the API by Anonymous Coward · · Score: 0

      You are smoking crack if you are claiming that AD is just standard LDAP and Kerberos.
      In classic MS embrace/extend form they have added numerous "enhancements" that are not standard or open and most definitely not publicly documented. Ask the SAMBA folks about it.
      This is a perfect example of the numerous shortcomings and failings of the DOJ settlement.

    4. Re:Just ask MS to open the API by phoebusQ · · Score: 1

      Actually, the API is fairly well published and documented on the MSDN site. I am a developer/admin in a mixed Windows/MacOS 9.2/Linux/Solaris environment, and we manage to integrate fairly well into the active directory system (at The University of Illinois). The objects and behavior are exposed in a decent amount of detail.

    5. Re:Just ask MS to open the API by jea6 · · Score: 2

      I'd mod you up, but you are not a detractor...so you'd probably get modded down again anyway.

      --

      sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
  21. MacOS X and linux by rkt · · Score: 2, Interesting

    If someone can make this work with MacOS, I'm sure linux/unix is not far away. Solaris supports LDAP and I'm sure so do a lot of other Unix os... and the fact that Active Directory can be accessed using LDAP queries does make you wonder why we don't have any linux/unix server connecting to Active directory as of today.

    Active directory, just like any other MS stuff, likes to maintain its own standards and it's hard to get inside documentation on it on the web.

    Solaris LDAP and linux LDAP implementations have a lot of problems. It's just not ready for Enterprise class networking. I sat on a simple netgroup bug for months before SUN came out with a patch. And linux doesn't even support netgroup as cleanly as Solaris yet.

    It's a pain.... if MacOS X can solve all these hiccups (and if they do manage to come out with documentation) I'm sure it will inspire the other Unix environments.

    rkt

    1. Re:MacOS X and linux by Anonymous Coward · · Score: 0

      AHEM!
      doesn't os X _USE_LDAP_TO_ACHIEVE_THIS ? and isn't
      LDAP_AVAILABLE_FOR_UNIX_AS_WELL

      this seems just to show that the people talking bout osX and windows don't really have a clue. and by the way: there is documentation on how to set up a mac os X ldap server, for whatever authentication scheme possible, be it active directory or whatever - it's just longer than 2 pages. obviously not in the attention span of osX / windows admins...

    2. Re:MacOS X and linux by Undertaker43017 · · Score: 2, Informative

      This is actually quite easy, all of my Solaris and Linux machines authenticate to AD just fine. Never tried with OS X, but it sounds like it might be a bit easier, since Apple has a somewhat vested interest in making it work. I use the pam_ldap and nss_ldap modules from padl.com. Follow the newsgroup thread here: http://www.netsys.com/nssldap/2002/02/msg00031.html and the "cookbook" here: http://jaxen.ratisle.net/~jj/nss_ldap-AD_Integration_how-to.html
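As an added illustration (not from the thread, padl.com, or the linked cookbook), this is the shape the PADL nss_ldap/pam_ldap `/etc/ldap.conf` takes when pointed at Active Directory, assuming the Services for UNIX 3.0 schema (msSFU30* attributes) mentioned earlier in the thread; the domain, host, OU and account names are placeholders.

```conf
# /etc/ldap.conf for PADL nss_ldap + pam_ldap against Active Directory.
# All names below are hypothetical: domain example.edu, DC ad1.example.edu,
# read-only bind account "ldapproxy".
host ad1.example.edu
base dc=example,dc=edu
ldap_version 3

# AD refuses anonymous reads of user objects, so a bind account is needed.
# Use a low-privilege, read-only account, never a Domain Admin: this file
# is readable by every process that resolves names. If the password must
# be kept private, use rootbinddn with /etc/ldap.secret (mode 0600) instead.
binddn cn=ldapproxy,ou=Service Accounts,dc=example,dc=edu
bindpw CHANGE_ME_PLACEHOLDER

# Protect the bind password and user logons on the wire; pam_password ad
# below will not work without this.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ad-root-ca.pem

# AD returns referrals for other naming contexts; chasing them causes
# long hangs in getpwnam(), so turn it off.
referrals no
scope sub
timelimit 30
bind_timelimit 10

# Where users and groups live; each lookup is limited to these subtrees.
nss_base_passwd ou=People,dc=example,dc=edu?sub
nss_base_shadow ou=People,dc=example,dc=edu?sub
nss_base_group  ou=Groups,dc=example,dc=edu?sub

# AD objects are objectClass "user"/"group", not posixAccount/posixGroup,
# and the UNIX attributes come from the SFU 3.0 schema extension.
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute uniqueMember member

# pam_ldap: look the user up by sAMAccountName, authenticate by a simple
# bind as that user (over TLS), and let AD handle password changes.
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
```

Any AD user without the msSFU30UidNumber/msSFU30GidNumber attributes populated is invisible to getpwnam() and so cannot log in, which is the usual cause of "it authenticates but the login fails" reports with this setup.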

    3. Re:MacOS X and linux by Ctrl-Z · · Score: 2
      I've written code that authenticates against active directory just fine. Active directory is, after all, accessible through standard LDAP protocol.

      --
      www.timcoleman.com is a total waste of your time. Never go there.
  22. indeed. by MrBallistic · · Score: 1

    i've found that you can go into /Utilities/Directory Access and configure the SMB entry, but, for whatever reason, the macs on my domain elect themselves the domain controller and cannot see any machines on the domain. it's pretty annoying.

    doing an smb://machinename/ works just fine (thank goodness 10.2 keeps us from having to announce the share on that line anymore), but it's lame that i can't browse the network.

    that said, 10.2 works just fine on my simple workgroup based network at home.

  23. But About the Content of the Piece... by spiedrazer · · Score: 2, Interesting
    We have been struggling with OSX's 'seamless' integration with Novell and are having similar results. Our problems may stem more from Novell's supposed "Native File Access" support than with Apple's side of the connection, but it's been just as frustrating.

    If Apple really wants to make OSX compatible with the entrenched NOS's out there, they need to hire a few Active "Directory" and Netware engineers and teach them about the MAC as opposed to the other way around.

    --
    Keep passing the open windows...
    1. Re:But About the Content of the Piece... by Anonymous Coward · · Score: 0

      What sort of issues have you been having with native access? I've been thinking about using novell 6 to integrate Mac, Windows, and Linux clients.

    2. Re:But About the Content of the Piece... by WebBug · · Score: 1

      dunno with N6, but N5 you could enable appletalk, which worked really slick for us for any number of years.

      course we now use OS X as our central server and have the Dozer clients authenticate on that, no probs and cheap compared to Novell.

      --
      Later . . . . . . WebBug // I don't really have 8 arms but . . .
    3. Re:But About the Content of the Piece... by geethree · · Score: 1

      and teach them about the MAC as opposed to the other way around

      Once and for all.... it's "Mac" as in "Macintosh", not "MAC" as in "Media Access Control".

      Geeze.....

  24. From O'Reilly Press by wayn3 · · Score: 5, Informative

    Have you tried this?

  25. What is Active Directory? by Fugly · · Score: 3, Insightful

    I'm not sure what active directory is but I do know that using Jaguar, my machine can browse my windows network and connect to any shared folders very easily.

    I also have it sharing folders out to the windows machines though it doesn't give out a listing of what's shared (probably for security reasons). You have to tell it what username, password and share you want to access.

    What exactly are you trying to do?

    1. Re:What is Active Directory? by Anonymous Coward · · Score: 0

      Good explanation. Thanks!

  26. File Corruption with Jaguar and SMB Sharing by fridgepimp · · Score: 2, Interesting

    I currently work in a smallish office with about 15 workstations and 3 or 4 different file servers. Our workstations are about 70% Mac and 30% Windows. The servers run FreeBSD 4.x, Linux (with a 2.2.x kernel) and Windows 2000/XP. On the FreeBSD/Linux servers we run two different versions of Samba (2.2.x & 2.0.x).

    No matter which server we connect to, if we copy files from the Mac to the server using SMB as the protocol, we experience a significant amount of file corruption (it appears to be that there are just chunks of the file that don't get copied). It is repeatable, but doesn't happen every time. This is a serious inconvenience. I should also point out that we did NOT have this problem prior to upgrading to 10.2 (we also have upgraded to 10.2.1).

    I have sent numerous reports with details to Apple with no response.

    --fp

    1. Re:File Corruption with Jaguar and SMB Sharing by Anonymous Coward · · Score: 1, Insightful

      I've had the exact same problem... It seems to have to do with which subnet the SMB servers are on and does not happen if the SMB servers are on the same subnet as the Mac. Anyone have a solution?

    2. Re:File Corruption with Jaguar and SMB Sharing by redwoodtree · · Score: 1

      No solution, but I've also seen this, especially on larger files. I suspect it might be related to IP issues, especially MTU.

      I'm starting to wonder if Apple's IP implementation is kind of screwed up in OS X.

    3. Re:File Corruption with Jaguar and SMB Sharing by alan6101 · · Score: 1

      In a somewhat related item, I've noticed that the VPN connection included in 10.2 is very unreliable. You can connect ok, but there are problems with name resolution and routing that appear intermittently. I'm also beginning to wonder if there is a problem with their TCP/IP implementation.

      --
      This space for rent.
    4. Re:File Corruption with Jaguar and SMB Sharing by fridgepimp · · Score: 1

      Just to note, all my machines are on the same subnet and workgroup, and I still have the problem.

      --fp

    5. Re:File Corruption with Jaguar and SMB Sharing by Anonymous Coward · · Score: 0

      I HAD the same problem!

      I nearly lost the whole content of a gzipped 1.2 Gb archive when I transferred it to an XP machine and back through a simple smb share...

      I put it on bad luck at the time... now I'm going to investigate.

      Raphael

  27. It relies on LDAP by fordgj · · Score: 5, Informative
    10.2 uses a new architecture called Open Directory which is released as open source (yes, the apple license, of course). Open Directory is what allows 10.2 to work with Active Directory. How does it do this? LDAP.

    Most likely, the configuration issues are with configuring the AD with the proper schema. When the AD is properly set up, then all you have to do is go into the Open Directory Assistant and create an LDAP service that is configured to use the Active Directory preset. Yes, it's a preset and so there is little or no configuration on the OS X side. Once the LDAP service is created, then you select it as an authentication service (in the same utility) and you are done.

    1. Re:It relies on LDAP by Kunta+Kinte · · Score: 2
      10.2 uses a new architecture called Open Directory which is released as open source (yes, the apple license, of course).

      It's a modified OpenLDAP.

      How nice of them.

      --
      Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
    2. Re:It relies on LDAP by zenst · · Score: 1

      Let's not forget that anything standard that M$ adopts, they'll change it and perversify it. AD LDAP - why, well they thought ew, that's a standard - peeps can well interoperate with our kit - we'll have none of that here. Soooo they non-standardised their LDAP schema to be non-standard and therefore borked from birth. Kerberos - yip - you guessed it - that's a standard - so they just tweaked it and guess what. Arrrgggghhhhhhh. Why don't you explore using M$'s Unix services for Windows and use NIS - there's a chance that it might just work. Samba - lol, come back in a couple of years for AD stuff. Unless of course your AD is running in mixed mode, then you could winbind away and also stand a chance. Good luck and may the force be with you to balance out the pressure :D

    3. Re:It relies on LDAP by digrhino · · Score: 1

      Actually the tricky bit is getting the OSX home directories to work right. Or at least that's the problem that I and several other people have run into.

    4. Re:It relies on LDAP by fordgj · · Score: 1

      The thing is, the AD has to have the proper information about where the home directory lies. Home directories can be used over NFS or AFP, so you can theoretically forgo an OS X Server box. The problem, as you allude to it, is populating the AD with the correct information.

  28. Active desktop = w00t by LordKariya · · Score: 1

    I use it all the time... That is, I use the "Windows crashed, press this button to restore your active desktop" button all the time.

    --
    I alternate between posting +5 and -1 Comments. Karma: +53 -47 = 6
    1. Re:Active desktop = w00t by randomErr · · Score: 2

      Um, they're talking about Active DIRECTORY, not Active Desktop.

      Totally different animal, until IE 7 comes out with Windows Longhorn.

      --
      You say things that offend me and I can deal with it. Can you?
  29. Ummm...did you try Google? by krove · · Score: 3, Informative

    Apparently not. By entering "Active Directory under OS X" the very first entry is a PDF by Apple with instructions on page 35 on how to set up clients to authenticate to the Active Directory domain controller.

    Here is the link for the uninitiated:
    MacOSXwithActiveDirectory.pdf

    1. Re:Ummm...did you try Google? by Magycian · · Score: 5, Informative

      Ummm That link is for 10.1. VERY different animal.
      I can't seem to find a similar doc on Jaguar. Maybe because Apple has not released it yet?

    2. Re:Ummm...did you try Google? by giminy · · Score: 2

      Hey...you mean we have to read a manual to get this stuff to work? But I want it now!

      Joking aside, he still has a point about needing a machine running OS X Server. The ad makes it out that having a Jaguar client will just work, without the need for a third computer...

      --
      The Right Reverend K. Reid Wightman,
    3. Re:Ummm...did you try Google? by krove · · Score: 1, Informative

      1. Open /Applications/Utilities/Directory Access
      2. Configure LDAPv3
      3. Click New
      4. Enter in info, making sure you select server type as Active Directory
      5. Click on Authentication Tab, switch search to "Custom Path"
      6. Click Add, and choose the new LDAP configuration you just made for your AD server
      7. Test it out.

      I must warn that I have never done this before (only glanced at the instructions). The instructions for 10.2 cannot be all that different from 10.1, so...

    4. Re:Ummm...did you try Google? by krove · · Score: 1

      I don't think this is correct - Mac OS X client has virtually all the same software under the hood: it's just missing a front-end GUI. You can do virtually all the same stuff on the client as the server (just requires all that *NIX knowledge to get at it).

      Directory services, however, are fully configurable via /Applications/Utilities/Directory Access on Mac OS X client.

      There are options in there to authenticate to an AD server. Check it out!

    5. Re:Ummm...did you try Google? by hfastedge · · Score: 1

      I set up an os 10.0.4 client to authenticate via NIS, and I found that my parent comment is more or less true.

      --
      -- -- --
      Help my mini cause: My journal

    6. Re:Ummm...did you try Google? by krove · · Score: 1

      The improvements made from 10.0.4 to 10.1 to the current 10.2 release are drastic. Try it with the latest version. 10.0.4 was very weak in terms of any possible integration with Windows (did not even come with Samba). 10.2 has the latest and greatest, and I wouldn't be surprised to find the support there.

    7. Re:Ummm...did you try Google? by Shagg · · Score: 3, Funny

      Hey...you mean we have to read a manual to get this stuff to work? But I want it now!

      How are you supposed to save Xmas if you have to read a manual first!

      --
      Unix is user friendly, it's just selective about who its friends are.
    8. Re:Ummm...did you try Google? by digrhino · · Score: 1

      No offence, but if you haven't done this before (only glanced at the instructions) maybe you shouldn't be giving advice? I have done this before and what you have advised won't get you very far as the AD schema you are logging into has to be tweaked a bit, and the appropriate mappings set on the client side. Also doesn't remove the problem of apple's instructions requiring you to have OS X Server.

    9. Re:Ummm...did you try Google? by extra88 · · Score: 3

      There's a lot of redundancy in the comments for this article but here's something I don't think anyone has mentioned.

      Yes, that PDF was documentation for OS X 10.1. In 10.1 the clients had to connect to an OS X 10.1 Server to authenticate centrally. The 10.1 Server acted as a gateway which connected to Active Directory. No gateway, no authentication.

      OS X 10.2 is not supposed to require an OS X Server for AD authentication, it's supposed to be able to talk to AD by itself. I think this is due to the addition of LDAPv3. Previously I think OS X only had LDAPv2.

      I haven't had a chance to try it but I've had a look at the documentation. It *may* be possible to follow the instructions for configuring the AD and for configuring the client with only a minor modification. Instead of putting in the address of an OS X Server (one of the steps), you would put in the address of an Active Directory Domain Controller.

      However other people have posted that they haven't been able to get it to work, even with the assistance of Apple engineers. Not good.

    10. Re:Ummm...did you try Google? by Dismal+Jemmy · · Score: 1

      The PDF "Active Directory for Mac OS X Server v10.1" still has information that you'll need in order to configure 10.2 machines (client or server) to authenticate via AD. The instructions for changing the schema and adding the right paths for NFS automount (for instance) need to be done on the Windows box, but once those changes are complete then clients can log in to their boxes using AD username/password as soon as Directory Access has been configured to access the server through LDAP. No X server needed, although you can use Workgroup Manager to make changes to your users. You can share home folders off of any file server that's hip to the AD as well, including but not limited to X server.

      We're testing this now where I work, and so far the client piece is working more smoothly than using Workgroup Manager to edit the schema (which still throws a lot of mysterious errors of the "Error of type -14131 on line 1047 of UserAdvancedPluginView.mm" variety). We're also not yet having luck pushing out the LDAP authentication setup through DHCP, although it appears to be supported in X.2 server.

      And as other folks have noted, Apple support is of little or no help here. There's a lot of useful info from various sources available at macwindows.com - much of it conflicting, but giving some good direction.

  30. We have ONE sole mac by nurb432 · · Score: 2

    We are still in mixed mode and using Connectix ( what a piece of crap product ) on a 9x Mac, to authenticate to the NT side.

    I worry that it will die when we go native in the spring. And no upgrade to 10x in sight due to application issues. fun fun wish us luck !

    --
    ---- Booth was a patriot ----
  31. The answers you'll get from Slashdot.. by joshua404 · · Score: 1, Insightful

    I'll save you the time:

    "M1cr0s0pht sux0Rz@@!@! Use LiNuX it RAWKZ#(*#@*(#@#@#"

    1. Re:The answers you'll get from Slashdot.. by Anonymous Coward · · Score: 0

      lol, you're probably right

    2. Re:The answers you'll get from Slashdot.. by Otter · · Score: 2, Informative
      Hardly. Only half the answers are "Well it sucks and you should use LDAP/Samba/NDS/Gentoo." The rest are "I did a Google search and found something, you moron." What, he wants to hear from someone who has actually done this? I hardly think that's necessary once a Google hit has been found.

      Too bad about that "Flamebait" mod.......

  32. I'm glad it was Active Directory not Desktop by Anonymous Coward · · Score: 2, Funny

    For a second I thought they were trying to make a rotten apple

    Any idea how to take Active Desktop out of windows?

    1. Re:I'm glad it was Active Directory not Desktop by Zzyzzx · · Score: 1

      Greetings!!

      Quote:
      "Any idea how to take Active Desktop out of windows?"

      Answer:
      You just have to take the windows off the desktop.

    2. Re:I'm glad it was Active Directory not Desktop by Anonymous Coward · · Score: 0

      Use the IE administration kit to modify the current IE install to not allow the turning of active desktop on.

  33. RTFM by Anonymous Coward · · Score: 0, Informative
    1. Re:RTFM by Hornstar · · Score: 3, Funny

      Wow. Another RTFM post. Brilliant. So, I take it you read the actual Ask Slashdot question then, right? The part where he says he knows how to get it working, and wants to know if it has been this hard for everyone else to do so as well? Did ya read that part? Cause I don't think that ya did.

      For reference:
      "...It is possible, but not without a good deal of nightmarish configuration issues...I found a good many people who think that Apple's claims of seamless Windows Network integration to be a bad joke and nothing more." So that was the part where he says he knows how to do it. Now this is the exciting part... the ACTUAL question...

      "...I was wondering who else out there is having this problem, and what they have done to solve it." Cool, huh? Reading story good! Reflex comments BAD! REFLEX BAD!

      Now, you did find documentation on Apple's site so that's gotta be worth some points. +1 Informative to you. Of course, that's not really the point of his Ask Slashdot, so you get a +1 Moron because you can't read and a +3 Asshole because you've used this thread as a vehicle to vent your frustrations at the world. Your Karma is now -1 Idiot. Congratulations.

      Now, for anyone else that feels inclined to add RTFM to this discussion, save your breath. We don't care. Post something useful, and if you're not willing to add your name to it, maybe that tells you a little bit about the message you're posting.

      Thank god I'm not a moderator or my Dogma would crap on your Karma

  34. APPLE document: Integrating Mac OS X with AD by scarpa · · Score: 2, Informative

    You know, slashdot really isn't as good of a search engine as Google.

    1) Go to google.com
    2) search for "active directory mac os x"
    3) click the third result.
    4) prof- nah.

    Or you can click this link:
    Integrating Mac OS X with Active Directory

    1. Re:APPLE document: Integrating Mac OS X with AD by syntheticsanityOS · · Score: 0

      sorry but your link doesn't work

  35. Re:Well, QWZX by Anonymous Coward · · Score: 0

    Sheesh, yeah, it must be a Microsoft conspiracy. It can't be that Apple's implementation simply sucks. After all, we know that Apple NEVER writes any software that sucks (*cough*Quicktime Player*cough*).

  36. Re:Active Directory is different than Active Deskt by HaiLHaiL · · Score: 2, Informative

    Who said anything about Active Desktop?

    --
    reech bee-yond ur clip-0n
  37. Do your homework before asking /. by Aniquel · · Score: 2, Informative

    A quick google returns this as the first reference: MacOSXwithActiveDirectory.pdf.

  38. Actually, it's not that bad for MS. by unicorn · · Score: 3, Insightful

    All they lose out on, is the OS License. Which when purchased from a Dell, et al, isn't that significant. When a Mac gets roped into the AD network seamlessly, they still get revenue from a copy of Office so the user can share docs with other users (LOTS more profitable than Windows). Plus a few more CAL's as well, for the file server(s) as well as the exchange server(s). All in all, it's still a good revenue stream for MS.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
    1. Re:Actually, it's not that bad for MS. by stungod · · Score: 3, Informative

      Unless you have Enterprise Licensing that is. As soon as you install Office for Mac, you have to pay them for an OS license as well. Check the fine print.

      The deal is that you're licensing a certain number of "workstations" so as soon as you install Office you've got another workstation added to your network and have a certain minimum configuration you have to buy. Usually it's a copy of Windows (XP now), a copy of Office (whatever flavor you standardize on), and maybe some other standard thing like Project.

      So just to add Office to a Mac under MS's licensing scheme it'll cost you maybe $800. YMMV but not by a whole lot.

      If you think that's fun, check out setting up a Citrix MetaFrame network. MS's weird-ass Terminal Services licensing scheme almost guarantees you'll be out of compliance unless you just write them an enormous check up-front. It's the most screwed up scheme I've ever seen.

    2. Re:Actually, it's not that bad for MS. by Anonymous Coward · · Score: 0

      $800??? Your company is getting screwed. The place I work for only pays $230 per PC for Windows XP, CAL access to SQL, Exchange, and SMS, and Office XP Professional.

  39. Documentation? by brass1 · · Score: 2
    Well, after spending nearly 3 minutes looking, I found this handy PDF, which tells you to configure the ldap thingy in AD (however the hell you do that). There also seems to be an Active Directory schema option in Directory Access when configuring LDAP servers.

    No, I've not tried it as I don't have anything which talks Active[sic] Directory, so YMMV.

  40. On a related manner... by Anonymous Coward · · Score: 0

    I use AD here at our school. I have often considered moving to Linux or BSD but am terrified at the prospect of having connectivity issues like this.

    BTW, is it possible through Samba to get home directories mapped automatically? This is a showstopper for us as our users all have mapped personal and public shares.

  41. Didn't look very hard did you? by MoneyT · · Score: 2, Informative

    A quick search for Active Directory on the Apple website turns up these results:

    this

    this and the PDF linked to on that page can be found here

    There are also links on Apple's site to third party sites which deal specifically with Mac - PC network integration.

    --
    T Money
    World Domination with a plastic spoon since 1984
    1. Re:Didn't look very hard did you? by digrhino · · Score: 1

      Unfortunately I think he wanted something a bit more helpful than an out-of-date PDF (10.1 instead of 10.2, yes they are very different) and some marketing crap. Have you ever tried to set up a network off info from a brochure?

    2. Re:Didn't look very hard did you? by LoudMusic · · Score: 2

      That's for Open Directory - essentially Apple's Active Directory for OS X Server. He is not wanting to set up an OS X server on his network, but have his OS X clients connect to his Windows 2000 server using the active directory.

      OS X 10.2+ has a gui interface for Samba - this is your best bet for connecting clients to your server. It does not authenticate them through Active Directory, but more the method that a Windows 98 machine will connect to your server.

      Active Directory connectivity is "closed source" and I'm sure much coveted by Microsoft. Chances are, you won't be doing something like that with ease.

      --
      No sig for you. YOU GET NO SIG!
    3. Re:Didn't look very hard did you? by stefaanh · · Score: 1

      [Redundant]
      For all quick Mac OS X Server searches start with http://www.apple.com
      then tab "Mac OS X"
      then menu item "Server"
      then gray bar "Resources"
      Which gives:
      http://www.apple.com/server/resources.html

      Neat. ;-)
      AYS

      --
      --------
      * Sigh *
  42. LDAP support != AD integration by zerofoo · · Score: 4, Informative

    Just because OS X supports LDAP for authentication does not mean there will be seamless integration with Active Directory.

    Active Directory (at least the MS implementation) is like a network-level "registry". It holds everything from integrated DNS records, to DHCP server authorization, users, permissions, replication controls and information....you get the idea.

    To participate in most of this, you need to have client side stuff that can take advantage of all of this. OK, you get samba authentication without needing LDAP support on OS X, but who cares...that isn't enough for "seamless" integration.

    Can you add users to OS X and have them appear in Active directory?....I don't think so.

    Can you get your DHCP server (on OS X) to authenticate itself in Active Directory?...probably not.

    Can you get user lists and permissions to replicate into OS X's user list? Maybe...but I'm still not sure about that.

    Lastly...can you get a user to log into OS X and have OS X process login scripts replicated to domain controllers? Doubtful...most of the windows login scripts don't apply to the Unix world.

    I may be wrong on this stuff. My experience with OS X has been a handful of workstations connecting to a windows file server via samba. It seems that the platforms are too far apart to get this "seamless" integration.

    It appears the best you can do is simple user authentication....it might be worth it if the OS X server can get its user list from the Active Directory machines. Does anyone know if this is possible? I'd love it if a Linux distribution could do that so I don't have to maintain two sets of user lists.

    -ted

    1. Re:LDAP support != AD integration by Anonymous Coward · · Score: 0

      Why would you add users to OS X and have them appear in AD? The point is central storage of accounts. The point is to have OS X query AD for user accounts.

      Why would you want to have your DHCP authenticated in AD? You do not need to have OS X DHCP server authenticated. DHCP Server Authentication in AD is Microsoft's attempt to keep rogue MS DHCP servers off the network.

      And why for the love of God do you want to have AD login scripts run on your Mac? Last I checked, a Mac cannot run DOS batch files or VBScript.

      Nice Troll.

    2. Re:LDAP support != AD integration by plsuh · · Score: 5, Insightful

      This list consists of items that are irrelevant or unnecessary:

      Can you add users to OS X and have them appear in Active directory?

      The point of a central directory service is that you create the user records in one place (using the native tools) and all systems can authenticate against them. Adding users to your Mac OS X machine doesn't make sense under centralized directory services. With the correct administrative user login, it is possible for Workgroup Manager to edit user records in an LDAP server using LDAP v3 mechanisms.

      Can you get your DHCP server (on OS X) to authenticate itself in Active Directory?

      DHCP does not by nature authenticate. DHCP servers can send out additional vendor-specific DHCP packets -- Apple's implementation does this to tell Mac OS X clients where to look for directory services -- but they do not authenticate directly to DHCP. These additional records are ignored by systems that don't understand them. Look into the Mac OS X Server documentation and the /Applications/Utilities/Directory Access application to see the options.

      Can you get user lists and permissions to replicate into OS X's user list?

      The point of central directory services is to NOT have everything replicate into client systems! :-O When a Mac OS X system utilizes LDAP directory services for group information, it asks the LDAP server, not its own local NetInfo database or BSD-style config files.

      Lastly...can you get a user to log into OS X and have OS X process login scripts replicated to domain controllers? Doubtful...most of the windows login scripts don't apply to the Unix world.

      You've answered your own question here -- the Windows-based login scripts do not make sense and would not run under Mac OS X. Mac OS X has its own ways of setting up scripts to be run on boot and on login, as well as automatically mounting share points.

      Scripts can be run from the /etc/rc scripts or from the /Library/StartupItems folder. On login, there are a variety of options detailed in Apple's docs.

    3. Re:LDAP support != AD integration by zerofoo · · Score: 2

      The point is ease of administration. I like being able to modify DNS records on one server and have them propagate to other servers via Active Directory replication.

      Same goes for user lists. I can add users to any one of my AD servers (in different physical locations) and have them appear in all the other AD servers.

      It would be nice to have that Active Directory integration in OS X. Don't tell me it isn't possible....Novell released their directory services for Linux....why can't Apple develop an Active Directory "integrator" for their server OS? It would probably gain them more customers. (Me anyway).

      -ted

    4. Re:LDAP support != AD integration by Anonymous Coward · · Score: 0

      you write:

      DHCP does not by nature authenticate. DHCP servers can send out additional vendor-specific DCHP packets

      ummm... you are obviously NOT familiar with DHCP under Active Directory.

      http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/dhcp.asp

      The idea is that nobody can set up a DHCP server w/o having it authenticated in Active Directory. If that doesn't happen then the "rogue DHCP" server detection kicks in. It'll effectively block Active Directory participants (i.e. everyone in your domain!) from getting an address.

      furthermore...

      The point of a central directory service is that you create the user records in one place (using the native tools) and all systems can authenticate against them.

      What the fellow was getting at is that users added on the Mac side don't get added to AD. You have to create the id twice (once in the Windows world, another time on the Mac) unless you want every Mac client to connect to Active Directory using the same id. That would solve the problem but isn't too secure...

    5. Re:LDAP support != AD integration by plsuh · · Score: 2

      zerofoo, you're beating on the locknut with a hammer again :-)

      Windows does AD replication because AD is a much heavier weight protocol than LDAP, or indeed most other directory services systems. As such, each W2K server is better off replicating information rather than accessing a central store.

      However, LDAP is very light weight. Accessing a single central server for information does not add appreciably to network traffic, even for many machines and users. As a result, it makes no sense to have a copy of the DS database in each server and then worry about replicating changes in one to all of the others. In fact, the AD replication process is actually fairly complex, due to the need for distributed locking and conflict resolution. This is a lot of extra code that really isn't needed.

      Most other DS architectures have provisions for replication as needed. For instance, Mac OS X's native NetInfo DS architecture has provisions for cloning the DS database for geographic dispersal (think wide-area networking), load balancing, and redundancy, including the ability to change a clone into a master if the master fails. It also has a multi-level DS architecture so that administrators of the top level domain can delegate authority to lower level administrators for particular sections of the network if need be.

      Changes to the top-level domain using NetInfo Manager or Workgroup Manager can be done on any Mac OS X machine, connected to any server in the hierarchy. These changes are then pushed to the clone servers without the need for complex distributed record locking and conflict resolution.

      While NetInfo can provide name resolution services to machines that it knows about, it really isn't meant for this and shouldn't be used for it. There are many BIND name server implementations, and any of them can be used interchangeably with NetInfo. The DNS system as a whole has provisions for master and slave servers, and synchronizing changes from masters to slaves.

      NetInfo doesn't try to handle DNS, really. DNS resolution has a whole different paradigm than directory services lookups. Instead, NetInfo reflects the Unix philosophy of one process doing what it does best, and letting other processes handle what they do best. Linux works the same way. Only on Windows do you get the One Humongous Beast That Does Everything And Guzzles Resources.

      --Paul

  43. AD and Unix integration by Anonymous Coward · · Score: 2, Informative

    A disclaimer first: I haven't tried to do this on MacOS X, but just did the same for Linux; you can do it on any unix that supports PAM for authentication.

    It is certainly possible, however I wouldn't call this integration a "seamless" one (I didn't use samba for that).

    You can extend AD schema to support unix by using AD4Unix package.
    After that you need to install nss_ldap and pam_ldap. A good starting point on how to configure these two can be found at Security Focus. You may want to use Kerberos for authentication, as pam_ldap transmits username and password over the network (although with SSL support this data will be encrypted).

    Hope this helps,
    AC

    1. Re:AD and Unix integration by Undertaker43017 · · Score: 2, Informative

      Another alternative to AD4Unix (if you don't mind giving MS a little extra money ;) is to purchase Microsoft's Services for Unix (~$120), which gives you the AD schema extensions and adds the support into the AD user admin screens. AD4Unix is a great product, but I got a little nervous about modifying the AD schema and having some future SP come along and blow it away. At least this way, hopefully, future SPs will see SFU installed and leave it alone. ;) Plus you get some neat extras like an NFS server for W2K and an NIS server (which you won't need, if you integrate with AD).

    2. Re:AD and Unix integration by Anonymous Coward · · Score: 0

      I was a bit nervous about modifying AD schema as well, but it worked out nicely (hey, don't forget to make a full backup of the schema master before you start :D).

      I highly doubt that MS will do anything to undo AD4Unix schema changes, OTOH I didn't have a choice anyway.
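    Comment 43's warning that pam_ldap sends the username and password across the network unless SSL is in use can be checked mechanically. Added example, not code from this thread or from the nss_ldap/pam_ldap projects: a small auditor for a PADL-style /etc/ldap.conf, run over two constructed configs, one plain-text and one TLS-protected; the hostnames, DNs and file paths are made up.

```python
"""Audit a PADL-style /etc/ldap.conf (read by nss_ldap and pam_ldap) for
settings that let the proxy bind password or user logins cross the wire in
the clear.  Added example; the two configs below are constructed samples."""


# Constructed sample: the minimal ldap.conf a quick how-to tends to produce.
# Plain ldap:// with no TLS, and the proxy password sitting in this file.
WEAK_CONF = """\
# constructed sample - do not use
host dc1.example.edu
base dc=example,dc=edu
ldap_version 3
binddn cn=macproxy,cn=Users,dc=example,dc=edu
bindpw s3cret
pam_password clear
nss_base_passwd cn=Users,dc=example,dc=edu?one
"""

# Constructed sample: same directory, but the session is upgraded with
# STARTTLS, the server certificate is checked against a known CA, and the
# privileged bind password lives in root-only /etc/ldap.secret (rootbinddn)
# instead of this world-readable file.
HARDENED_CONF = """\
# constructed sample
uri ldap://dc1.example.edu/
base dc=example,dc=edu
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-edu-ca.pem
rootbinddn cn=macproxy,cn=Users,dc=example,dc=edu
pam_password ad
nss_base_passwd cn=Users,dc=example,dc=edu?one
"""


def parse_ldap_conf(text):
    """Return {keyword: value} for the non-comment lines of an ldap.conf.
    The PADL parser treats keywords case-insensitively, so they are
    lower-cased here; a repeated keyword keeps its last value."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of finding strings.  An empty list means that, as far
    as this file can tell, binds and PAM password exchanges are protected."""
    conf = parse_ldap_conf(text)
    findings = []

    ssl_mode = conf.get("ssl", "off").lower()
    uses_ldaps = conf.get("uri", "").lower().startswith("ldaps://")
    encrypted = ssl_mode in ("on", "start_tls") or uses_ldaps

    if not encrypted:
        findings.append(
            "no TLS: neither 'ssl start_tls', 'ssl on' nor an ldaps:// uri "
            "is set, so the bind password and every PAM login cross the "
            "network in the clear")
    else:
        # Encryption without peer verification still lets a spoofed
        # directory server collect the credentials.
        if conf.get("tls_checkpeer", "no").lower() != "yes":
            findings.append(
                "tls_checkpeer is not 'yes': the server certificate is not "
                "verified, so TLS does not stop a spoofed directory server")
        if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append(
                "no tls_cacertfile/tls_cacertdir: nothing to verify the "
                "server certificate against")

    if conf.get("pam_password", "").lower() == "clear":
        findings.append(
            "pam_password clear: password changes are stored in the "
            "directory as plaintext attribute values")

    # nss_ldap has to read this file as every local user, so a bindpw here is
    # readable by anyone with a shell; rootbinddn keeps it in /etc/ldap.secret.
    if "bindpw" in conf:
        findings.append(
            "bindpw in ldap.conf: the proxy account password is readable by "
            "every local user; use rootbinddn with /etc/ldap.secret instead")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_ldap_conf(text)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```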

  44. Mac OS X in Labs by rigmort · · Score: 2, Informative
    Check out macosxlabs.org. They've got TONS of good info. I'm facing a deployment of OS X this spring and I'm not looking forward to it. Also, read Apple's white paper entitled "Mac OS X with Active Directory" in PDF format at:

    http://a1584.g.akamai.net/7/1584/51/7f99c60f0c08bf/www.apple.com/macosx/server/pdf/MacOSXwithActiveDirectory.pdf

  45. The Apple PDF doesn't work for us by tulare · · Score: 2

    As I mentioned earlier, we have Active Directory, as well as a Jag server. We had an Apple engineer here for two days, and not even he was able to get AD-style login-auth to work - the basics like proper mapping and creation of home dirs on network instead of local host and all that. It looks like Apple still has quite a bit of work to do here. On the bright side, I use Cmd-K to logon to any of the network shares, and the perms are correctly handled. But we are looking for a logon screen for OS X that uses our AD for auth, and so far nyet.

    --
    political_news.c: warning: comparison is always true due to limited range of data type
  46. From microsoft.com by Vaulter · · Score: 2, Funny

    Probable webpage on Microsoft.com:

    "This link will let you download instructions on how to use Active Directory for 3rd-party OSes, such as MacOS. By clicking on this link, you agree to the following:

    1) I will not redistribute this document
    2) I will hyperlink to this document, bypassing this EULA.
    3) I will not use the information contained herein to bypass Windows security settings by authenticating any 3rd-party OS via Active Directory ( DMCA )"

    --
    I don't have a sig...Do you??
  47. Google knows all by Twirlip+of+the+Mists · · Score: 3, Informative

    Go to Google. Type "apple.com active.directory" in the search box, and mind the periods. The very first result is a PDF from Apple's site entitled "Integrating Mac OS X With Active Directory." (Just to be clear, that link is directly to the PDF, so don't click unless you're ready to download.) In it you can find step-by-step instructions for setting up both the clients (simple) and the server (complex, but only has to be done once).

    Since you said in your submission, "Documentation? HA! No sign of it anywhere on Apple's site," it seems clear that you haven't read this document yet. Give it a try. As I wrote elsewhere, I don't have any Windows servers, but from reading the instructions, it looks like it will be very easy for you to set this up just the way you want it.

    --

    I write in my journal
    1. Re:Google knows all by mithras+the+prophet · · Score: 1
      That PDF is written for people using:
      (a) Mac OS X 10.1, not 10.2 Jaguar
      (b) A Mac OS X Server box (read: $1000 OS, $3000+ hardware) to serve the Mac clients.

      The questioner is asking about using the most-recent OS X, connecting directly into a Microsoft network, with existing Microsoft servers that have already been paid for. This is something which many people want or need to do.

      We all appreciate your efforts to help, but try breathing three times and counting to ten before you disparage the guy and call him an idiot. Your flippant attitude does not actually help anyone.

      --
      four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
    2. Re:Google knows all by Twirlip+of+the+Mists · · Score: 2

      If you'd read the document, you would know that most of it deals with setting up the Active Directory server, something that is the same no matter whether the client is running 10.1 or 10.2. Setting up the LDAP client in 10.2 is utterly trivial.

      Also, the only reason the document refers to a Mac OS X Server is for file sharing among the Active Directory clients. It is not, strictly speaking, necessary. You can just ignore those parts if all you want to do is set up authentication to Active Directory.

      While we're on the subject of breathing three times, please read the document and think for a second before responding that my answer was unsuitable.

      --

      I write in my journal
  48. Your Samba configuration is wrong by MrResistor · · Score: 3, Informative

    It's in the Samba configuration. It's something like "OS Level" and it will be set to some number, like maybe 50.

    This number is how MS machines determine who is the Primary Domain Controller, basically the one with the highest OS level gets it, unless things are specifically configured otherwise. IIRC, Windows NT 4 has an OS level in the low 30s. Newer versions of Windows have higher OS levels, and server versions have higher levels than workstation or desktop versions.

    So, all you have to do is use SWAT, or otherwise edit smb.conf, and set your OS level to some low number, like 1.

    This site is a good introduction with lots of useful tips. If you really need to know Samba, though, I highly recommend this book.

    --
    Under capitalism man exploits man. Under communism it's the other way around.
  49. Active Directory vs. SMB? by Andy+Dodd · · Score: 3, Interesting

    What exactly is the difference between these?

    Or is AD just the authentication portion of SMB?

    I know on RedHat systems, you can choose the pam_smb_auth PAM module to authenticate against a Windows domain controller. Pop in your domain and the server name, and pam_smb_auth handles most of the rest. You still need a local entry in /etc/passwd with the user's uid/gid/homedir (it IS possible to get around this with the "nolocal" option, but needless to say it only works for a limited subset of services), but that entry doesn't need a password set, just * (which would disallow logins normally; in this case, if pam_smb_auth clears the authentication, you can log in).

    I have this set up on a Linux box at work - At the moment I need to use adduser to create local accounts, but I don't need to give the users passwords - They use their current domain userid/pass.

    --
    retrorocket.o not found, launch anyway?
    1. Re:Active Directory vs. SMB? by Undertaker43017 · · Score: 1

      The pam_ldap/nss_ldap route has a couple of advantages over pam_smb, IMO:

      No "local" accounts on the *nix* boxes (although it sounds like they might have that limitation fixed, haven't looked at it for a while).

      And you can change the users passwords from the *nix* side, as long as you configure SSL/TLS support.

  50. Once again by haplo21112 · · Score: 1, Troll

    Sometimes rather than doing an exhaustive search it really is easier and I think in many cases proper to just "Ask Slashdot". You are likely to get someone who has already solved the problem quickly and easily, and has the experience. So give people a break, they are just taking the route that is quickest to a solution. If you don't have anything useful to say to solve the problem they are Asking about...SHUT the F**K UP!

    --
    Power Corrupts, Absolute Power Corrupts Absolutely, leaving one person (group) in charge is absolutely corrupt.
  51. Samba, not OS X, is the answer. by supabeast! · · Score: 2

    Getting OS X working with AD can be done, but you need to do it with Samba. Read the Samba documentation, learn to use Samba, and you should have no problem getting your OS X systems to work with AD. This will require research, effort, and scariest of all, it will require editing text files and maybe even working with the command line, but with some time even a Mac user should figure it out.

  52. Comment removed by account_deleted · · Score: 3, Interesting

    Comment removed based on user account deletion

  53. It works for me here by nikkinatlanta · · Score: 2, Informative

    I'm an IT admin, and we have Win2k running AD on our server, and we have 10+ Mac clients running OS 10.2. The key is, make sure the user accounts and the user alias on the domain controller are the same, meaning, if your user account is named joe smith, make sure the alias is the same. Hope that helps.

    --
    ~~~ Nicole
  54. A bad workman... by Anonymous Coward · · Score: 0

    ...always blames his tools.

    I have a Windows wlan at home (3 windows boxes) and my powerbook running X.2 worked *perfectly*, no problems at all. And setting the PB up was easy.

  55. Seamless integration by Rinisari · · Score: 1

    Our school's network is split about 55% PC, 45% Mac. Our Tech-Coordinator is a Mac obsessive, so everything has to work so that the administration doesn't complain.

    I am the sole user of Mac OS 10.2, and as a student, I am very pleased with its ability to access my files on the Windows server. It is truly seamless.

  56. The problem is probably not with Apple by igotmybfg · · Score: 3, Insightful
    Windows Networking is based on the SMB protocol. I have been using it for years, first in my home network, then at my university. I have had lukewarm results, at best.

    My primary complaint against SMB is that it doesn't really work all that well. When I tried to look at the list of computers in Network Neighborhood, I often saw only a partial list (some computers that I knew were connected did not show up). The only way I could connect to these was by specifying their IP address. Other times, I could not access them at all (even though in some cases they could still access my machine!). I switched to Linux a while ago, and I have had similar results using SAMBA.

    This leads me to believe that the fault for bad Windows Network performance lies not in the implementation (whether SMB on Windows, SAMBA on Linux, or the Apple implementation) but in the protocol itself.

    1. Re:The problem is probably not with Apple by duplicate-nickname · · Score: 2

      How is this modded as "Interesting"? Is it because it bashes a protocol used by MS? Hell, the guy doesn't even know what he's talking about.

      The name resolution used while browsing the network is NetBIOS. SMB/CIFS is the protocol used to "talk" to the server once you have it located.

      It sounds like this guy had machines on separate subnets and expected to find them by using a protocol that relies on broadcasts. That's what WINS is for.

      Anyway, I will be one happy camper when MS drops support completely for NetBIOS and relies solely on DNS & LDAP. Dynamic DNS is one step towards supporting that reality.

      --

      ÕÕ

    2. Re:The problem is probably not with Apple by Anonymous Coward · · Score: 0

      Spoken like someone who has never seen a DNS server's logs, wondering why hundreds of machines keep trying to alter their DNS entries on the server. Yes, I like Dynamic DNS. No, I hate that Microsoft makes it a default to automatically update using DDNS. Would it have killed them to make the default no unless you are part of a domain?

    3. Re:The problem is probably not with Apple by duplicate-nickname · · Score: 1

      That's a good point that I would have to agree with.

      --

      ÕÕ

    4. Re:The problem is probably not with Apple by Anonymous Coward · · Score: 0

      ActiveDirectory is a major upgrade to Windows Networking

      For one it eliminates the crappy network browser stuff that you are complaining about (network neighborhood)
      For two it eliminates the crappy name resolution stuff (NetBIOS or WINS).

      'Classic' Windows networking such as you are using is indeed cruddy plug-n-pray shite left over from OS/2 in the 80s. However it will be a while before the MCSE club gets their brains around AD.

  57. Non-local subnets: logon yes, browse no. by decapentaplegic · · Score: 2, Informative

    Based on Apple's adverts of "seamless" we told people they'd be able to browse my organization's full list of local Windows servers from MacOsX10.2's [Connect to Server] command. As stated in the linked article, it quickly became clear that browsing using Active Directory only works for servers on the local subnet. Fortunately, if you already know the name or address of the machine you're trying to connect to, you can log on directly by entering: . So far, this has worked just fine on non-local subnets.

    So for my org, it's a mixed review. It's a long way from "seamless", but it's a LOT better connectivity than MacOS has ever had before. If Apple had advertised what they actually delivered ("Now you can log onto a windows server"), we'd be thrilled.

    1. Re:Non-local subnets: logon yes, browse no. by Anonymous Coward · · Score: 0

      Ummm...

      Set up a WINS server on your AD controller. Then set up a WINS proxy so you can access WINS across the different subnets. Voila, done.

    2. Re:Non-local subnets: logon yes, browse no. by Binary+Boy · · Score: 1

      Informative? You claim to have made a major technical decision based on your interpretation of an advertisement, and you get rated "Informative"?

      Bottom line, this is why organizations have configuration labs - to test products before they go out and just buy them and slap them on the network, assuming they'll work "seamlessly" (whatever that means!). OSX has some work to go before it is perfectly integrated, "seamlessly" (meaning effortlessly?), into your Active Directory services, but that doesn't excuse you telling your users about features you did not personally verify (or even try to apparently), based on interpretation of a word in an ad. Get a grip.
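The reply to comment 56 above says that Network Neighborhood browsing relies on NetBIOS name resolution by broadcast, and the reply to comment 57 says the cure for other subnets is WINS. The following is an added example, not code from the thread, that builds the actual RFC 1002 name query packet both ways (broadcast, and unicast to a WINS server) and decodes a positive response, so the subnet limit can be seen in the packet itself: the B flag in a broadcast query is what a router will never forward. Host names, the workgroup name and the addresses are made up; the name-suffix constants are the standard ones from RFC 1001 and Microsoft's usage.

```python
"""Constructed example (not from the thread): NetBIOS name lookup by
broadcast versus by WINS, per RFC 1002.

Browsing a Windows network (Network Neighborhood, the list behind
Jaguar's "Connect to Server") depends on NetBIOS name resolution. A
name query with the B (broadcast) flag set never crosses a router, which
is why the browse list stops at the local subnet. The same query sent
unicast to a WINS server, B flag clear, resolves names on any subnet.
Names and addresses below are made up.
"""
import struct

# Common 16th-byte suffixes (RFC 1001 / Microsoft usage)
SUFFIX_WORKSTATION = 0x00
SUFFIX_DOMAIN_MASTER_BROWSER = 0x1B  # <domain><1B>: how WINS finds the browse-list master
SUFFIX_LOCAL_MASTER_BROWSER = 0x1D
SUFFIX_FILE_SERVER = 0x20

QUERY_FLAGS_BROADCAST = 0x0110    # OPCODE=0 (query), RD=1, B=1
QUERY_FLAGS_UNICAST = 0x0100      # OPCODE=0, RD=1, B=0: sent to a WINS server
RESPONSE_FLAGS_POSITIVE = 0x8580  # R=1, AA=1, RD=1, RA=1, RCODE=0


def encode_netbios_name(name: str, suffix: int = SUFFIX_FILE_SERVER) -> str:
    """First-level encoding: pad the name to 15 bytes, append the suffix,
    then write each nibble as a letter 'A'..'P' (32 characters total)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str):
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def _name_field(name: str, suffix: int) -> bytes:
    return bytes([32]) + encode_netbios_name(name, suffix).encode("ascii") + b"\x00"


def build_name_query(txid: int, name: str, suffix: int = SUFFIX_FILE_SERVER,
                     via_wins: bool = False) -> bytes:
    """NAME QUERY REQUEST. Broadcast it to the subnet's directed broadcast
    address, or unicast it to the WINS server with via_wins=True."""
    flags = QUERY_FLAGS_UNICAST if via_wins else QUERY_FLAGS_BROADCAST
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + _name_field(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)  # NB, IN


def is_broadcast_query(pkt: bytes) -> bool:
    """The B flag is bit 4 of the flags word; routers do not forward these."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & 0x0010)


def build_positive_response(txid: int, name: str, suffix: int, ips, ttl: int = 300000) -> bytes:
    """POSITIVE NAME QUERY RESPONSE: one NB resource record whose RDATA is
    a list of (NB_FLAGS, IPv4) entries, 6 bytes each."""
    header = struct.pack("!HHHHHH", txid, RESPONSE_FLAGS_POSITIVE, 0, 1, 0, 0)  # ANCOUNT=1
    rdata = b"".join(struct.pack("!H4B", 0x0000, *map(int, ip.split("."))) for ip in ips)
    rr = _name_field(name, suffix) + struct.pack("!HHIH", 0x0020, 0x0001, ttl, len(rdata))
    return header + rr + rdata


def parse_positive_response(pkt: bytes):
    """Decode a response into (txid, name, suffix, [ip, ...]); raises on
    a negative response (RCODE != 0) or a non-response packet."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F or an != 1:
        raise ValueError("not a positive name query response")
    length = pkt[12]
    name, suffix = decode_netbios_name(pkt[13:13 + length].decode("ascii"))
    pos = 13 + length + 1  # skip the label and its terminating zero byte
    _rr_type, _rr_class, _ttl, rdlength = struct.unpack("!HHIH", pkt[pos:pos + 10])
    pos += 10
    addrs = []
    for off in range(pos, pos + rdlength, 6):
        _nb_flags, a, b, c, d = struct.unpack("!H4B", pkt[off:off + 6])
        addrs.append(f"{a}.{b}.{c}.{d}")
    return txid, name, suffix, addrs


if __name__ == "__main__":
    # Broadcast lookup of a file server: answered only on the local subnet.
    print(build_name_query(0x1234, "FILESRV01").hex())
    # Unicast lookup of the domain master browser via WINS: crosses subnets.
    print(build_name_query(0x1235, "CAMPUS", SUFFIX_DOMAIN_MASTER_BROWSER, via_wins=True).hex())
    reply = build_positive_response(0x1234, "FILESRV01", SUFFIX_FILE_SERVER, ["10.1.2.3"])
    print(parse_positive_response(reply))
```

The two queries differ in one bit. The broadcast form (flags 0x0110) is what a client sends when it has no WINS server configured, and it is answered only by hosts on the same broadcast domain; the unicast form (flags 0x0100) goes to the WINS server's address and so works across routers, which is why a WINS entry on the client is the usual fix for a browse list that stops at the subnet. Note that nothing in either exchange is authenticated: any host on the subnet can answer a broadcast query with its own address, so a name resolved this way should not be trusted for anything more than finding a share to prompt for credentials.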

  58. X Serve Road Shows by Anonymous Coward · · Score: 0

    Apple is sponsoring XServe road shows all across the country, targeted toward educational institutions and businesses which are interested in "XServe Integration."

    I attended one of these demonstrations a few weeks ago. If you are in Education, (especially higher-ed) and are interested in integrating XServe with your Active Directory server, check with your Account Executive to see when/if this "XServe Roadshow" will be coming to your town.

    Here's information about the "XServe Roadshow" from Apple's site:
    http://seminars.apple.com/tours/unixserver/index.html

  59. Jaguar and windows network browsing by sjonke · · Score: 2, Interesting

    Jaguar's alleged Windows network integration is lacking to say the least. In my case it is that windows network browsing is limited to your subnet only, making it nearly useless. I.e. you don't see and can't get to (even nearly) everything when you browse. You CAN get to anything via typing in an appropriate smb URL in the "Connect To Server..." window, but obviously then you have to know the server is there.

    Mind you, I have little to no need to do any of this anyway so it isn't a big deal to me, but if they're going to advertise seamless windows network integration then it ought to be that. I want $1 back for that alleged feature.

    --
    --- What?
    1. Re:Jaguar and windows network browsing by MacDaffy · · Score: 1

      You can browse any properly-configured Windows network with Jaguar. Apple's SMB implementation was designed to allow you to drop a server into an existing network and have it "play well" with everyone else. Check out Apple's tech note #24448 (it deals with AppleShare IP--Apple's Mac OS 9 server software), but the issues discussed apply to the SMB implementation in Jaguar as well.

      If you've provided a domain controller/WINS server or a readily-available LMHOSTS config, you shouldn't have the trouble you're having.

    2. Re:Jaguar and windows network browsing by sjonke · · Score: 1

      I have supplied a correct WINS server address and yet have the problem. I only see the local subnet. Also, it's highly doubtful that our network is improperly configured as it is configured by professionals (for what that's worth ;). Is your claim based on experience or on a technote? If there is a way to get this working fully, I'd like to know how....

      --
      --- What?
    3. Re:Jaguar and windows network browsing by MacDaffy · · Score: 1

      It turns out that you're correct: Jaguar only browses the local subnet. A search of Apple's Knowledge Base on "SMB" acknowledges this and suggests--as you've found--that there are other ways to reach entities beyond your own subnet. Apologies.

  60. Re:Active Directory is different than Active Deskt by Anonymous Coward · · Score: 0

    It was changed soon after being posted...

  61. Samba by gl1ched · · Score: 1

    Samba is built into OSX and Samba can be compiled on OSX. I don't see a problem with documentation because if you go to www.samba.org you will have plenty of documentation. Albeit Apple's GUI configuration of Samba is a little lacking, but if you configure smb.conf you won't have any issues.

  62. Re:Active Directory is different than Active Deskt by Vann_v2 · · Score: 1

    The article originally used Active Desktop rather than Active Directory. It appears to have changed, though.

  63. Re:Active Directory is different than Active Deskt by Drakonian · · Score: 1

    You know what kills me... Microsoft has different meanings for "active desktop". I had to deal with the other meaning extensively on my last project.

    --
    Random is the New Order.
  64. Re:Well it's not that hard to fix. NDS != Evil. by Zeio · · Score: 5, Informative

    I beg to differ about NDS on Windows ever being a problem.

    I have no great love for Windows. Novell, I happen to like very much but it is cost prohibitive. But is NDS worth the money? Yes. Also, GroupWise is capable of driving Outlook properly, even better than my beloved OpenMail [RIP, now Samsung Contact - yeach, thanks Carly] was.

    My experience since Novell 4.x (I've used it back in the bindery days as well) and NDS has been flawless. It supports DOS, WinALL, and anything else. It has native file sharing so it can appear as a Winderz box. The server is ugly as sin at the console, but it runs more reliably than one would ever imagine; I had several servers stay up for more than a year. The Novell client integration with Windows NT-based operating systems is superior, supporting advanced network trashcans, robust undelete for idiots, and does interesting things like server-side searches (as in, if you are looking for the word "cat" on a network file system, the server does the searching 'for you').

    Also, NDS is much more scalable than ADS. It has the proper notion of root, it is possible to merge trunks together, and if you've ever used ConsoleOne, you'll see more granularity on this directory and its objects than was ever dreamed possible, cleanly integrated and rather fast.

    Is Novell run by intelligent business people? No. Are the products of incredible quality? Yes. Novell's image has been so heinously stained, with angry red color schemes, idiotic pictures of polyester clad fools running around on my console dancing or holding up red N's.

    Novell needs to do only this: Change colors to blue or something, and rip out that licensing shit and start offering to replace ADS/Exchange with NDS/GroupWise for $100 bucks. All it costs them is a CD. It would cost Microsoft a lot of pain.

    If you haven't given Novell a shot, please do. You'll realize that the free stuff right now is primitive compared to NDS. Any other comments on good directory service implementations are welcome.

    I just setup a Novell 6 server the other day to stay sharp with that stuff. Besides the fools in the marketing department over there, I was impressed with it. I would take a job working with Novell and Unix, but if someone wanted me to deal with Windows ADS or NT4 DS again, and not be open to Samba, I would probably not take the job or demand a premium.

    --
    Legalize the constitution. Think for yourself question authority.
  65. Re:Active Directory is different than Active Deskt by Anonymous Coward · · Score: 0

    Judging from all the -1 flamebait/troll posts above, the article apparently was originally posted with "Desktop" in the title instead of "Directory". Makes for some confusing reading when you RTFA.

  66. Even more difficult by DeadBugs · · Score: 2

    Have you ever tried to get "Mac People" and "Windows People" to integrate? They run on the same hardware yet seem totally incompatible.

    --
    http://www.kubuntu.org/
    1. Re:Even more difficult by Anonymous Coward · · Score: 0

      Damn, I wish I had mod points to give you...funny and very, very true.

  67. try synching AD with OpenLDAP and use that instead by Kunta+Kinte · · Score: 2

    http://acctsync.sf.net - It's difficult to deploy, but it works.

    There are other such products, like PSych and NDS, which may be easier to work with.

    Using this ensures that you don't have to rely on a Win2k LDAP network for authentication services ( read Win2k license for every AD replica, additional CALs )

    But you can alternatively deploy an OpenLDAP set of replicas and have all your services/computers authenticate against them ( read free, they don't care how many you deploy or what you put into them ).

    Microsoft not having Win2k play nice with others is having the beneficial side-effect of increasing their Win2k sales.

    Hmmm... Hey! You think that was their plan to begin with?

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  68. Do your homework before posting by mithras+the+prophet · · Score: 2, Informative

    Had you actually *read* the document you linked to, rather than googling for forty seconds and then patting yourself on the back, you might have found that this is the sole reference to Active Directory:

    LDAPv3
    This is a newer version of LDAP, which Mac OS X fully supports (read-write). This is the same version of LDAP used by Microsoft's Active Directory and Novell's NDS.
    The poster's problems are a very real issue and are well-deserving of a public question on Slashdot.
    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
    1. Re:Do your homework before posting by Anonymous Coward · · Score: 0

      Oops! That was meant to be a reply to the guy posting a link to the O'Reilly book. But the same applies to your link - despite the seductive title, it's not actually very relevant to the poster's question.

  69. Get a server. by megaduck · · Score: 5, Informative

    It sounds like your real problem is getting AD to play nice with LDAP clients. The reason that Microsoft clients integrate "seamlessly" with AD is that they use some funky proprietary directory protocol, whereas everything else (Linux, Mac, etc.) speaks straight LDAP. I've found that 10.2 has pretty darn good LDAP integration, but getting it to work with Microsoft takes some accommodation on the AD side.

    Remember that Macs use open protocols and tools for their Windows integration. Samba is used for the SMB stuff and LDAP for directories. Any time you're using proprietary MS protocols, you're going to run into problems. You'll run into the same situation with Linux, Novell, or anything non-MS. If your mandate is to make the Macs behave exactly like Windows, then they're setting you up for failure.

    That being said, you can really help yourself out by getting a 10.2 server to act as a bridge. Apple's OpenLDAP is still fairly young, but it really simplifies AD integration. With your modest requirements, you could probably use an old iMac. The server software for 10.2 server is pretty cheap with educational discounts ($250 for 10 clients, $500 for unlimited), and it doesn't require much of a box. I'm using an iMac server to get a 20 station lab on AD and it works pretty well. You get some really cool deployment and workstation management tools, too. ;)

    I hear you about the documentation, though. I don't mind so much, because I like tinkering with things and Apple's stuff is fairly intuitive. However, when you're just starting out, Apple's "Why would you need a manual?" attitude gets pretty annoying.

    --
    This .sig for rent.
    1. Re:Get a server. by torre · · Score: 1
      "It sounds like your real problem is getting AD to play nice with LDAP clients. The reason that Microsoft clients integrate "seamlessly" with AD is that they use some funky proprietary directory protocol, whereas everything else (Linux, Mac, etc.) speaks straight LDAP. I've found that 10.2 has pretty darn good LDAP integration, but getting it to work with Microsoft takes some accomodation on the AD side.

      Remember that Macs use open protocols and tools for their Windows integration. Samba is used for the SMB stuff and LDAP for directories. Any time you're using proprietary MS protocols, you're going to run into problems. You'll run into the same situation with Linux, Novell, or anything non-MS. If your mandate is to make the Macs behave exactly like Windows, then they're setting you up for failure"

      I'd like to correct a point here: AD has a full implementation of the LDAP protocol that you can use to access it (although I have not actually tested how great/bad it is). The proprietary protocol (ADSI) you speak of is merely a convenience for accessing directory services. If you don't like it, use the original protocol on which it is based. You do have a choice. And in Apple's case... they're using LDAP to access AD.

      The problem that is happening is not protocol based, it's more of a mapping between which properties are actually used to describe resources. AD is set up from scratch to suit a Windows world... No questions there... The problem Apple has is how to map as much of the existing structure and settings while adding as few Apple-specific properties as possible.

      Now, to point out an obvious and sound design choice by Microsoft that annoys many: making changes to AD is strongly discouraged. And as such they make it as difficult as possible to prevent unnecessary changes, and frankly a pain in the ass to make changes. This is the second biggest problem for Apple: as AD is Windows-specific out of the box, most admins have never changed the schemas in the AD. So proper seamless integration with AD would also include a proper setup (AD schema) that would be robust enough for Mac OS as to resist change over time to prevent corruption... Something that is unlikely to come in the near future, as Windows integration with Apple is in constant flux, not to mention important new features like Rendezvous which can offer redundant functionality found in Active Directory and Windows services.

      The documentation for integrating 10.1 with AD is a crude attempt that is far from perfect but a step in the right direction. "Seamless integration" seems like a dream with such different design philosophies; my personal hope is that enough ground can be covered as to be able to call it a workable illusion of seamlessness for both the user and admin. But only time will tell...

    2. Re:Get a server. by megaduck · · Score: 2

      I'd like to correct a point here, AD has a full implementation of LDAP protocol that you can use to access it (although I have not actually tested how great/bad it is). The proprietary protocol (ADSI [microsoft.com]) you speak of is merely a convenience for accessing directory services. If you don't like it use the original protocol in which it is based. You do have a choice. And in Apple's case... their using LDAP to access AD.

      Actually, the original article didn't tell if the "nightmarish configuration issues" were on the client side or the AD side. Since MS doesn't enable LDAP by default, ADSI was probably one of the many frustrations that this guy faced. AD just doesn't play well with others, and its default configuration doesn't play with others at all.

      Since you seem to have some experience, is there any way to get Windows clients to authenticate to a non-Microsoft LDAP directory? I'm currently investigating going the other way: using Windows clients with Open Directory.

      --
      This .sig for rent.
    3. Re:Get a server. by boschmorden · · Score: 1

      "It sounds like your real problem is getting AD to play nice with LDAP clients. The reason that Microsoft clients integrate "seamlessly" with AD is that they use some funky proprietary directory protocol, whereas everything else (Linux, Mac, etc.) speaks straight LDAP."

      You couldn't be more wrong. Active Directory has two interfaces: LDAP and ADSI. LDAP works just like any other server such as Novell eDirectory, Oracle Internet Directory or Sun iPlanet Directory Server. The ADSI part is another piece that works better talking to other Microsoft clients, utilizing some domain controller functions in the directory. Microsoft has recently announced that they'll be strengthening their LDAP support: http://www.eweek.com/article2/0,3959,667380,00.asp

      The problem with AD traditionally has been that Microsoft has chosen to deviate from the norm like inetOrgPerson and created new classes with very similar attributes. Getting LDAP clients to work with AD as it is, is pretty easy.

      Justin Harvey

    4. Re:Get a server. by torre · · Score: 1
      Actually, the original article didn't tell if the "nightmarish configuration issues" were on the client side or the AD side.

      True, but at some point if you are maximizing reuse of standard information provided by AD, you have to somehow map this information whose names and values may not map 100% to Apple's defined values. If you look at Apple's first attempt you can see the manual mapping that is required on the client side even though custom Apple-specific properties were added to the AD.

      A good solution from Apple would be to have this mapping happen transparently to the user and only need an administrator, via say a setup program, to make the changes to the AD. This might be too much to ask though, at least on the server side :(

      Since MS doesn't enable LDAP by default, ADSI probably one of the many frustrations that this guy faced. AD just doesn't play well with others, and its' default configuration doesn't play with others at all.

      Actually it does... that is unless they have recently changed that... if you install the support tools from the Win2k server CD you can use ldp.exe (a simple LDAP client) to verify this. All Windows 2000 boxes running AD should respond to LDAP on port 389.

      Information can be found in the Windows 2000 resource kit. Especially useful for this topic is the book labeled Windows 2000 Server Distributed Systems Guide. It goes into much gory detail about the AD.

      Since you seem to have some experience, is there any way to get Windows clients to authenticate to an non-microsoft LDAP directory? I'm currently investigating going the other way: Using Windows clients with Open Directory.

      Thanks... but I'm afraid I can't really answer your last question. Swapping out AD for some other LDAP might not work as their Kerberos (default authentication for Win2k+) authentication depends on AD functionality; whether that's hardcoded or not I simply don't know. And besides, even if you could, creating a working solution with another LDAP would probably be more work than it's worth considering all the information that is stored in a standard AD repository. If you're looking for a replacement and all you're interested in is authentication and admin stuff, try NDS a la Novell. It's been a long, long time, but at last check they did a great job along all platforms. Problem is that you lose some of the niceties that AD brings.

      What's your current predicament... perhaps I can shed a bit of light on it?

    5. Re:Get a server. by megaduck · · Score: 2

      All windows 2000 boxes running AD should respond to ldap on port 389.

      Ack. You're totally right. Apologies.

      Back to Windows clients with LDAP. Our current CTO is looking to replace our AD with some sort of UNIX-based solution. As you said, Win2k authentication is dependent on AD unless you replace it with something like the Novell client. Paying Novell instead of Microsoft isn't really an option either. Of course, all of Microsoft's documentation is AD-specific, so I'm starting to think that Windows just plain doesn't work with other directories. Is there any way to get Win2k to use regular Kerberos and speak LDAP?

      --
      This .sig for rent.
    6. Re:Get a server. by torre · · Score: 1
      If you're looking for a bridge between the two worlds, you might want to give Microsoft's Services for Unix product a try... it adds stuff in AD to accommodate unix related issues... This is no guarantee that it might solve your particular problem but I have read of people getting the two to work with a single sign on setup using LDAP and Kerberos and NFS...

      I personally can't vouch for the solution as I was not able to try it even though I suggested it about a dozen times. My boss at the time was a die hard *NIX guy and would not hear of any mixing of the two.. So I did my best to accommodate the user's needs around him.

      The other thing is you might want to check out .NET Server RC1 as it introduces new tools to make AD more bearable over time... like changing the domain/forest names over time!... This is stuff that should have been there in the first round in my opinion!

      Good luck :)

  70. Ozzy says it best by Anonymous Coward · · Score: 0

    There are no impossible dreams
    there are no invisible seams

    Who says John Osbourne is a fool?

  71. What, Apple lied? by Anonymous Coward · · Score: 0

    Say it ain't so!

  72. Re:Well it's not that hard to fix. OS X/NDS here by Havokmon · · Score: 4, Interesting
    because if you use LDAP or NDS you end up with the same nightmarish configuration issues, except now the issues are with the windows machines, which are probably 90% of his clientele.

    Ehrm. Not only do I have Windows machines, I have an OS X box, and my workstation is Linux.

    Now, the windows boxes DO have random crashes regarding the TCP/IP stacks (Exception 0E), but that has nothing to do with Netware/NDS.

    Stop spreading FUD, I've run NDS for 5 years, and logging into the server is not an issue. Sure, there can be other issues (client-side caching of shared documents - umm turn it off), but nothing that is specific to NDS.

    Plus, with NDS, you don't even need Netware. (Oh, and it's also LDAP v3, so we've used it for web app auths also)

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  73. A suggestion to help you by FIRESTORM_v1 · · Score: 1

    I have had the same problem with computers not showing up under Network Neighborhood. As a suggestion: configure your Linux SMB server to also act as a WINS server and pass the necessary WINS statements to clients from your DHCP server (assuming you have access to it.) This will make every smb-based client (I think) register with WINS so that they are "seen" as soon as they appear, much sooner than the 20/30 minutes it normally takes for Windows/Linux clients to discover themselves by themselves.

    As always, IMHO(it's my humble opinion) and YMMV..

    --
    Partnership for an idiot free America!
  74. messed with it by Anonymous Coward · · Score: 0

    I haven't actually done it, I got real close.
    I would recommend learning NetInfo from the command line:
    man nidump, niutil. There are some shell scripts out there but nothing which explicitly works.

    netinfo has multiple password domains, smbpasswd so you have to add machine accounts to the correct domain for smbpasswd to find it

    here's a start
    http://food.tamu.edu/mosxs_scripts/adduser.html

  75. Re:From O'Reilly Press by djdavetrouble · · Score: 2, Informative

    I read that sample chapter. It seems useless in relation to the topic. They list appletalk and netinfo as the legacy services, and then proceed to go into great detail on how to setup netinfo, not discussing any of the others at all... Why would we want to use the legacy directory service?

    --
    music lover since 1969
  76. AD is a Rube Goldberg hack of LDAP by itwerx · · Score: 4, Informative

    If you ever look at the properties in a typical user's account in AD vs LDAP you will get the screaming heebeejeebies!!!
    LDAP user = a paragraph or two of logically arranged and named fields.
    AD user = a page and a half of garble!
    There's a reason MS has an AD "connector for LDAP" product (for a small fee).
    AD might technically have the same modes of communication as LDAP but that's like saying just because I can use the same phone to call my Aunt and that friendly guy in Nigeria that they can and should talk to each other. (Okay, bad analogy, but I thought it was funny. :)
    So, to summarise for anyone who hasn't had the pleasure of attempting to integrate AD and LDAP, they ain't even close to compatible Jack!!

    1. Re:AD is a Rube Goldberg hack of LDAP by sbjornda · · Score: 1
      It depends on which tool you use to look at it. If you look at it the way you're supposed to, using Active Directory Users and Computers, you get lovely tabbed windows. Who cares what it looks like under the hood? Some of us would rather USE computers than fart around with them. They're just tools, you know? Not ends in themselves. (I've used 3 different X.500-based systems in business environments. They each have their strengths and weaknesses. And they're all just tools to get a job done. This is not a knee-jerk pro-Microsoft comment.)

      .nosig

    2. Re:AD is a Rube Goldberg hack of LDAP by itwerx · · Score: 2

      Ah, yes, but if you actually have to import or export data manually to integrate with other systems that don't have connectors (probably because MS would rather not have you talking to them) then guess what Microsoft suggests? Scripting!

      And you know what those scripts need? Correct syntax!

      And how is the syntax determined? By the underlying structure!

      So yes, computers are just tools to get a job done, but when standards are munged so as to make using those tools as difficult as possible, then hey, guess what? You get non-knee-jerk anti-Microsoft comments.

      Interestingly enough I was a MS contractor for a while and I was surprised just how much of the crappiness that comes out of Redmond is NOT willful evil but simple incompetence coupled with poor management and overzealous sales people.
      But that doesn't let 'em off the hook! :)

    3. Re:AD is a Rube Goldberg hack of LDAP by Anonymous Coward · · Score: 0
      Excellent comment. Well met. Wish I had moderator points at the moment.

      .nosig

  77. Re:Well it's not that hard to fix. NDS != Evil. by Anonymous Coward · · Score: 0

    Keep it coming ;-)

    I really like to see people putting out the word for Novell.

    I work with Novell and Windows servers everyday and it is so clear what the better product is.

    Getting an AD installation working takes twice as much time, pain, and agony as setting up NDS.

    Had to say it ;-)

  78. It Doesn't Work, Yet. I've Tried. by Spencerian · · Score: 5, Interesting

    Apple, in its attempts to get into more enterprise accounts, has not learned that system administrators require documentation ad nauseum. They wrote their documentation for AD in the old 10.1 Server AD/LDAP PDF and in their System Administrators guide for 10.2 Server much too simply.

    Recently I worked with Apple to receive an Xserve for two tests--getting a Macintosh to authenticate by AD (which is an LDAP superset) from login, and to provide authentication on file shares from AD using the Connect to Server command, where the shares would be provided by the Xserve.

    I had no success in getting anything to work with 10.1 Server. After getting 10.2 Server from Apple, we had luck in getting authentication for file shares working. Part of the problem involved how LDAPv3 (the main component in Apple's Open Directory) relates to the AD schema. I'm not an AD expert, but Apple has got a "not-invented-here" mindset here; the LDAP components don't match up with what sysadmins expect. I was unable to get the login authentication component working at all.

    As a result, I couldn't recommend an Xserve for my customers, and stuck in Services For Macintosh, a component in Windows 2000 Server that provides the same authentications to file shares by AD without the Xserve acting as a middleman for file sharing. It's got its own issues, but at least it worked as advertised; it took us only 5 minutes to set this up on a working W2K server.

    Apple MUST have the documentation and software working and tested before making claims. This is a completely unacceptable way to sell their wares, and is worsening an already bad reputation for many in IT.

    Just so you know, Macintosh system integration is my business, so I feel quite justified in flaming Apple for such a bad implementation. It's not really their technology, but how they sold this currently-snake oil concept to Mac professionals.

    --
    Vos teneo officium eram periculosus ut vos recipero is.
    1. Re:It Doesn't Work, Yet. I've Tried. by nystul555 · · Score: 2, Informative

      I'd just like to back up everything that you are saying. I have been working with one of my clients to get OSX-AD integration set up for several months now, with no luck. First we started with 10.1, and we have now moved on to Jaguar. Although I am not an Apple expert, we are working with the top Apple support company in our city, which frighteningly is also the only one that is supporting OS X in large environments yet (this is in a city of 3 million). We have also had two engineers from Apple come and assist us, and we've had no luck. My client was supposed to be a showcase for Apple, to show how great it integrates with Windows and how it can be used by large corporations and institutions, so Apple definitely has an interest in making this work. But still, no luck. As a matter of fact, the IT department at my client sent me an email earlier today saying that they would like to end the project, since it is going nowhere. It is a great disappointment to me, since I would really love to make this work, but I can't blame them at all. It seems like the big problem is that no one really has any idea how to set this up correctly. We've spoken with places where they have been able to make it work, but either they haven't actually made all of it work like it should, or they have it set up in a convoluted manner that we can't emulate on a large scale. Apple's engineers have been little help. Although they know a lot about Macs in general, it seems like they really don't know what they are talking about when it comes to LDAP and the AD integration. I really get the feeling that they just think that it SHOULD work, with minimal effort, and when it doesn't they just fall apart. I am considered to be an LDAP and NDS expert, so I have a good knowledge of how this should work, but unfortunately it just doesn't. It's been a huge disappointment.

      The worst part is, I had several other clients that were ready to implement this, but I have had to inform them that our pilot testing isn't working, so we won't be implementing it any time soon. I guess I'll just hope that they get it worked out eventually, and maybe try it again later.

    2. Re:It Doesn't Work, Yet. I've Tried. by jafac · · Score: 3, Interesting

      This very much resembles the typical situation where two vendors have a solution that's supposed to work "in theory" but one or both implementations of the "standard" are broken; i.e., there's some undocumented behavior.

      Quite often, in these situations, Vendor B has set up a test environment, and it works in their lab. But that only matches about 20-30% of the environments you'll hit in the field. (as I've seen, you typically see stuff like this breaking on the Microsoft side, mysteriously dropping names, losing connections, failing to authenticate where there's supposedly a trust - etc. it can be fragile on "difficult" networks).

      It's not enough for Vendor B to say that their solution works with Vendor A's solution - it has to be tested, but then you get it out into the field and you run into these "edge cases" and it doesn't work - and the ONLY way ANY vendor can fix it is to plow through it with onsite visits with engineers, LAN analysis, debugging, etc. It's very costly and time consuming. In the end, Vendor B will code around the problems, (or try to get Vendor A to code around them) and the system becomes more robust. This is what is known as a "MATURE" product.
      An immature product "should" work, and does not when you hit an edge case, and the vendor hasn't "worked it out" yet. Only the companies that have "been there done that" have "mature" products. We need to ALL remember that OS X is just a year or so old. Apple has been in the server market (in this incarnation) for less than 6 months. Apple does not have the field force of say, IBM, Sun, or CA. It's going to take time for them to grow the expertise to mature THIS solution, and learn how to mature their other solutions.

      This is why the CIO's out there tend to shun products from smaller, newer companies. No matter how cool, great, whiz-bang, or free the product is - it's going to be costly to implement if it, and the support organization behind it, aren't MATURE.

      Yes - the fault lies with Vendor A in this case, most likely, for using a non standard implementation (as Microsoft is FAMOUS for - on purpose, to get the checkmark for compatibility, but actually preventing interoperability, in order to persuade people to buy into homogeneous computing - based on their system) - but at the end of the day, if Vendor B wants to play in this market, they've got to mature. Fact of life. Not pretty, just the fact.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    3. Re:It Doesn't Work, Yet. I've Tried. by Spencerian · · Score: 2

      Excellent comment. Given Apple's history of doing things their way without much external feedback, I think that's exactly the case here. Again, it's not that Mac OS X can't do what they claim, but that Apple hasn't apparently bothered to make it work outside of the lab, or feed us conjecture.

      Apple is obviously excited about presenting abilities IT and users could never have realized in Mac OS 9, but this is such a vaporware tactic.

      --
      Vos teneo officium eram periculosus ut vos recipero is.
    4. Re:It Doesn't Work, Yet. I've Tried. by Anonymous Coward · · Score: 0

      Yes, it really sounds like Apple's still learning how to play this game.

      With AppleTalk/AFP they implemented the protocols and then convinced Novell/MS/IBM/Unix to take the burden of interoperating with their stuff. I'm just not sure if they have the corporate culture, or the support networks, to try to sell their stuff as infrastructure in mixed networks.

  79. not to be a complete wag.... by otis+wildflower · · Score: 2, Interesting

    ... but how about porting your AD environment to Samba + LDAP on a unix-based Samba PDC?

    Save lots of $$$ on server licenses, and Win2k works fine in NT4 backwards-compatibility mode..

    Depends on how many people, departments, etc.. But it could be a cost-effective solution.

    As long as M$ isn't paying your college off, of course ;)

  80. OpenAFS by Anonymous Coward · · Score: 1, Insightful

    Depends if you *have* to use Active Directory. Some people have successfully deployed OpenAFS in heterogeneous environments. It does run on Windows and MacOS X. There are even some success stories mentioning this setup.

    http://www.openafs.org/success.html

    1. Re:OpenAFS by Anonymous Coward · · Score: 0

      Thanks for this helpful tip !!!!!!!!!!!
      signed,
      IT Department

    2. Re:OpenAFS by Anonymous Coward · · Score: 0

      This is great information! I Wasn't aware of AFS. I have a mix of WinNT and MacOS9 with upgrades badly needed and a new file server strategy needed. Thanks!

  81. DHCP does not by nature authenticate??? by zerofoo · · Score: 2

    One DOES...Microsoft's DHCP server must register itself with Active Directory. This keeps rogue DHCP servers off the network. This is a nice feature in a large organization. How many networks have been interrupted by some bozo accidentally activating DHCP on his windows NT/2000 server box? I know of a few.

    Sure, that doesn't stop the same bozo from enabling DHCP on his wireless access-point/router...but it does help.

    I guess what I want is Linux or OS X to act like an Active Directory DC....to do all the things that Microsoft's AD-DC's do.

    -ted

    1. Re:DHCP does not by nature authenticate??? by plsuh · · Score: 3, Insightful

      DHCP authentication as you described is a Microsoft extension to the standard and is not a part of any RFC that I am aware of. In point of fact, no non-Microsoft DHCP server implements this protocol and as a result, any other device that wants to broadcast DHCP packets can do so. The DHCP server on Mac OS X is really just a slightly modified version of the ISC reference implementation of bootpd. By design, you can set up the DHCP server on Mac OS X to respond to directory services request packets but not other types, such as IP address allocation requests, so that Mac OS X machines can pick up directory services information via DHCP and still interoperate with existing DHCP servers.

      And, as you pointed out, any other device plugged into the network that can broadcast DHCP can cause the same chaos. Mac OS X makes it so that regular users without admin privileges cannot turn on DHCP, either on Mac OS X or Mac OS X Server. Keep non-technical users as non-admin users and you will never have the problem of DHCP interference.

      I guess what I want is Linux or OS X to act like an Active Directory DC....to do all the things that Microsoft's AD-DC's do.

      This gets to the core of your problems -- you have a VERY Microsoft-centric view of the world. Forcing authentication against a Microsoft-specific non-standard server protocol just because that's the way Microsoft does it is a really poor way of getting interoperability. Other systems have other ways of handling directory services and security -- look at them in their native environments and work with them, don't treat every problem as a nail just because all you have right now is a hammer.

      --Paul

    2. Re:DHCP does not by nature authenticate??? by zerofoo · · Score: 2

      Agreed on the DHCP point.

      Can Mac OS X and OS X server determine whether or not a user is an administrative or non-privileged user when it authenticates against an Active Directory?

      Example: I enter my boss into Active Directory as a non-administrative user. He logs into OS X on his desktop (assume I've gotten OS X server to work with Active Directory), what level of privileges does he have? Will he be allowed to make administrative changes on his workstation?

      If he can not, then the OS X/Active Directory interoperability might work well enough to manage the Mac users on my network.

      -ted

    3. Re:DHCP does not by nature authenticate??? by plsuh · · Score: 2

      Can Mac OS X and OS X server determine whether or not a user is an administrative or non-privileged user when it authenticates against an Active Directory?

      Yes. It all has to do with the "admin" group. If the user is a member of that group, then he or she has admin privileges. If the user is not a member, he or she does not.

      --Paul

  82. Purpose? by greygent · · Score: 2

    Uh, what the hell is the purpose of this article? Shouldn't this be under "Ask Slashdot" or perhaps "Senseless Ranting"?

  83. Have Win2k authenticate against LDAP instead by Kunta+Kinte · · Score: 3, Informative
    http://pgina.cs.plu.edu/

    Will do that. I think in the end, I think the benefits of few less win2k servers to maintain/buy is worth the client install.

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  84. What we found... by Null_Packet · · Score: 3, Informative

    I work for a company that looked into it recently. We bought an XServe, read the docs, and when I tried to assemble it in a test environment (Fresh AD infrastructure, own address space, etc) I ran into problem after problem. Finally when all the people at the Apple Support Forums (http://discussions.info.apple.com/) we got an error. So I called apple support. Would they help? They said no. Would Apple Pro support help? They said no. They said "We can get you in touch with Apple Consulting Services to help you get it working."

    WTF? I have to buy consulting? They won't even *help* you through it over the phone, they direct you to the discussion forums. Basically my point is that Apple won't even support vanilla test-only installs, let alone ones in production.

    The way it basically works is that Apple's own LDAP flavor (OpenDirectory) only works with Apple clients. *But* you can make some additions to the Win2k/AD Schema (not that scary) and make it so Apple's OpenDirectory can read attributes (users and shares) from AD, letting AD users login locally to a mac. Great stuff, yet to see it work.

    The documentation sends you all over the whitepaper, looking for info on how to do this and that, and leaves out crucial steps (enabling LDAPv2 in AD, for example, as well as enabling LDAPv2 write access).

    I'm no apple basher, but at the very least they should stop saying it's easy.

    1. Re:What we found... by demon · · Score: 1

      Were you using OS X 10.1 or 10.2? 10.1's LDAP "support" was so insanely broken, it was pretty much worthless. I tried getting an iMac running OS X Server 10.1.5 authenticating against an LDAP server at my previous job - the only thing it ever managed to do was lock up the machine. I could never get it to actually work.

      Supposedly 10.2's LDAP support actually works, as opposed to the steaming pile that was included with 10.1.x and labeled "LDAP support". I haven't gotten a chance to actually try it yet, unfortunately.

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
  85. Re:Well, QWZX by johnnyp123 · · Score: 0

    the only platform that quicktime sucks on is windows for some reason... the mac version is pretty damn nice, stable, and fast.

  86. Oh god by 0xA · · Score: 2

    Uhh, we're talking about extending an LDAP (MS AD) schema and maybe setting up Samba here. Not exactly friggin rocket science. I would suggest you read up some on LDAP and SMB, once you understand the basics of this stuff all will become clear to you. I would hardly call what is going on here a nightmare.

    Keep in mind that nothing you are doing here would be at all new to someone who has used LDAP, or MS AD, in a Linux + Windows or Sun + Windows environment. Keep in mind that your shiny Mac is a Unix based machine and experience and tools from other platforms will apply. Get off your ass and spend 5 minutes with google.

    Is it possible you are just stupid? I read the site you linked to, most of these people are definitely stupid. You have a MCSE right?

  87. Mixed mode is not about the clients by McSpew · · Score: 2

    This may be OT, but mixed-mode doesn't have anything to do with how your clients authenticate. It has to do with what types of domain controllers you have. If you have nothing but Win2k DCs, you can run in native mode.

    I'm running my ActiveDirectory in native mode and I have plenty of "downlevel" clients authenticating using the old NTLM protocols.

    1. Re:Mixed mode is not about the clients by nurb432 · · Score: 2

      We still have NT BDC's spread out. Will be months before all are converted to win2k.

      When we go native it DOES affect how clients authenticate. Does it matter, perhaps not but it does affect things.

      Actually, mixed mode isn't 100% compatible as we have already experienced problems with some local software. Though so far the mac hasn't puked because of it.

      --
      ---- Booth was a patriot ----
  88. Search Google and read the PDF Idiots by denjin · · Score: 1

    10.2 and 10.1 are vastly different in authentication for this purpose. The PDF file on Apple's site doesn't talk about 10.1, so it isn't exactly useful, nor are the myriad of stupid Google search results people are posting.

    Instead of telling people to search first, you might want to do a bit of background checking yourself first!

  89. Mac/Windows Networking by abroadst · · Score: 1

    I recently plugged a new Mac with Jaguar on it into our office Windows network. I firmly believe that this machine does Windows networking better than Windows 9x, and it's easier to configure than anything I've used so far.

    Active Directory aside, I find Mac OS X to work on a Windows network better than Windows does, honestly.

  90. A little more to the story by lkaos · · Score: 5, Informative

    Having worked on Active Directory interoperability in Linux along with giving a presentation at the recent CIFS conference on the topic, I can speak to this issue with a certain degree of confidence.

    My understanding of the OS X client is that it doesn't contain true Active Directory client support. Instead, it relies on the fact that most AD installations are in mixed-mode where they still accept old client logins. In fact, only the bleeding edge versions of Samba actually support true Active Directory client login as it requires some pretty obscure protocols that only recently have been understood (LDAP over UDP and other various nonsense).

    Chances are, your network is in native-mode. That would kill your chances of using the native OS X CIFS clients (although Samba should allow you to access network resources if you use a beta 3.0 version).

    --
    int func(int a);
    func((b += 3, b));
  91. MS-AD is not LDAP by Anonymous Coward · · Score: 0

    Perhaps it goes without saying, but ActiveDirectory is not intended for supporting a heterogeneous network easily. It is intended to support a Windows-based network with the hope of providing some services (with intended frustration) to non-Windows hosts on the same network.

    What you are looking for is an LDAP service on your network (freeware, commercial, whatever). You will find that management of a true LDAP service and interoperability with it will be much easier. Moreover, it will be more "seamless" for your Macs.

    Your IT department cannot be entirely clueless. At least one person in the department must be aware of the issues related to ActiveDirectory. It's just that your site made a conscious decision to go with the higher-cost deviant-from-standard semi-proprietary solution rather than the more mature less-expensive cross-platform solution. It's that sort of thinking that keeps a lot of the software industry afloat and product quality marginal.

  92. Hey, man. I only work here, you know? by tulare · · Score: 3, Interesting

    And, while I understand that having Apple say "it's easy" makes you want to blame them, you really ought to blame MS or yourselves for purchasing MS technology. Believe me, if it were my choice, we wouldn't have a single Windows machine on our network, either server or client. But it's not my decision to make. Given the reality that I am in a Windows shop, I do my best to make things work right. And, so far, OS X clients only work marginally well. Users can manually mount NT shares using their AD auth, but we'd really prefer to see login screens at bootup authing against the AD. And that's where the problem lies. I agree that the problem is probably M$, but what can I do?

    --
    political_news.c: warning: comparison is always true due to limited range of data type
  93. You mean it didn't "just work"? by User+956 · · Score: 2

    It is possible, but not without a good deal of nightmarish configuration issues. Documentation? HA! No sign of it anywhere on Apple's site.

    But I thought Macs "just work"?

    --
    The theory of relativity doesn't work right in Arkansas.
  94. AD for auth in OSx client side login by Anonymous Coward · · Score: 0

    use the domain in front of the user name for the OSx client side login.

    registered user: domain\username
    password: xxxxxxxx

  95. modified == *extended* by netsrek · · Score: 5, Informative

    Apple haven't broken LDAP by modifying it. They are using OpenLDAP, which is published under an open source licence.

    All they have done is provide a bridge and NetInfo schema such that current NetInfo account information can be published via LDAP directly from the NetInfo database. They're not the bad guys here.

    --

    i don't read slashdot anymore.
    1. Re:modified == *extended* by Anonymous Coward · · Score: 0

      Umm... ok. Then MS is NOT the bad guy here either. After all what they do is extend the product whether it be LDAP or Kerberos. Insert name of product here.

  96. Re:Well it's not that hard to fix. NDS != Evil. by dlawson · · Score: 1

    You may have to put the Apple schema into eDirectory, it's easy. After that, it should work fine. P.S. Run the eDirectory (renamed NDS) on Solaris. Screamin' fast, and only 320 GB for a million users. (All attributes filled.)

    --
    dot-sig.
  97. I love it... by SPYvSPY · · Score: 2

    ...when people complain about Apple not documenting when it is Microsoft's non-standard nonsense that caused the problem in the first place.

    1. Re:I love it... by digrhino · · Score: 1

      Then Apple shouldn't have ads saying that this works. That's what people are annoyed at Apple about. It doesn't matter whose fault it is, Apple is the one saying "We can do this!" when they can't.

  98. Dunno if this helps any by kc8apf · · Score: 1

    but I recently had to get Solaris interacting with AD. After digging around and finding no real definitive documentation, I found a set of PAM and nsswitch modules from PADL that provide LDAP support for both setups.

    After getting these to compile properly on Solaris (which was its own nightmare, though they work out of the box for Linux), I had to install the AD4UNIX package. This is a program/plugin/schema update maintained at this site that adds the MS Services for UNIX version 2 schema to the AD. This gives you places to store uids, gids, home directory, etc. It also gives a nice plugin for the AD user manager to let you set that data.

    Finally, you edit a few config files (non-trivial, but possible) and suddenly you have AD users appearing in your passwd entries, and they can login with anything that uses PAM.

    Like I said, I don't know how much that would apply to OS X (I haven't had a chance to play with it yet), but if you have PAM and NSS, it does work.

    Also, I'm gonna put my notes online once I clean them up so that no other poor sysadmin has to dig for it.

    --
    kc8apf
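Several of the threads above come down to what the domain controller actually advertises (LDAP on port 389, LDAPv2 as well as v3, mixed versus native mode) and to how the PADL NSS module just described turns AD users into passwd entries, so here is an added example, not code from anyone in this thread, that parses ldapsearch-style LDIF and answers those questions offline. The LDIF is constructed rather than a real capture, and the msSFU* attribute names in SFU2_MAP are an assumption from memory of the PADL ldap.conf sample mappings, so check them against your own schema.

```python
import base64
from typing import Dict, List, Optional

# Constructed LDIF, modelled on a rootDSE read (ldapsearch -x -H ldap://dc -b "" -s base),
# the domain object and one user object. Every value here is made up for this example.
SAMPLE_LDIF = """\
dn:
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
defaultNamingContext: DC=example,DC=edu

dn: DC=example,DC=edu
objectClass: domainDNS
nTMixedDomain: 1

dn: CN=Jane Doe,CN=Users,DC=example,DC=edu
objectClass: user
sAMAccountName: jdoe
msSFUUidNumber: 10001
msSFUGidNumber: 10000
msSFUHomeDirectory: /home/jdoe
msSFULoginShell: /bin/bash
displayName:: SmFuZSBEb2U=
"""

# posix attribute -> AD attribute, as nss_map_attribute lines in an NSS LDAP module's
# ldap.conf would declare it. The msSFU* names are an ASSUMPTION; adjust to your schema.
SFU2_MAP = {
    "uid": "sAMAccountName",
    "uidNumber": "msSFUUidNumber",
    "gidNumber": "msSFUGidNumber",
    "gecos": "displayName",
    "homeDirectory": "msSFUHomeDirectory",
    "loginShell": "msSFULoginShell",
}

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into entries (attribute -> values); handles folded lines and base64."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # a leading space continues the previous line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:               # the sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        i = line.find(":")
        if i < 0 or line.startswith("#"):
            continue                        # comment or junk line
        attr = line[:i]
        if line[i + 1:i + 2] == ":":        # "attr:: <base64>"
            value = base64.b64decode(line[i + 2:].strip()).decode("utf-8", "replace")
        else:
            value = line[i + 1:].strip()
        current.setdefault(attr, []).append(value)
    return entries

def ldap_versions(rootdse: Dict[str, List[str]]) -> set:
    """Protocol versions the DC advertises; AD speaks v3, v2 is the optional extra."""
    return {int(v) for v in rootdse.get("supportedLDAPVersion", [])}

def kerberos_advertised(rootdse: Dict[str, List[str]]) -> bool:
    """True if the DC offers GSSAPI (Kerberos) SASL binds, the Win2k default."""
    return "GSSAPI" in rootdse.get("supportedSASLMechanisms", [])

def domain_mode(domain: Dict[str, List[str]]) -> str:
    """Win2k keeps mixed/native mode in nTMixedDomain on the domain object (1 = mixed)."""
    vals = domain.get("nTMixedDomain")
    if not vals:
        return "unknown"
    return "mixed" if vals[0] == "1" else "native"

def passwd_line(user: Dict[str, List[str]], mapping: Dict[str, str] = SFU2_MAP) -> Optional[str]:
    """passwd(5) line an NSS LDAP module would synthesise; None if Unix attributes are missing."""
    fields = []
    for posix_attr in ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"):
        vals = user.get(mapping.get(posix_attr, posix_attr))
        if not vals and posix_attr != "gecos":   # gecos may be empty, the rest may not
            return None
        fields.append(vals[0] if vals else "")
    uid, uidn, gidn, gecos, home, shell = fields
    return f"{uid}:x:{uidn}:{gidn}:{gecos}:{home}:{shell}"

if __name__ == "__main__":
    rootdse, domain, user = parse_ldif(SAMPLE_LDIF)
    print("LDAP versions:", ldap_versions(rootdse), "Kerberos:", kerberos_advertised(rootdse))
    print("Domain mode:", domain_mode(domain), "passwd:", passwd_line(user))
```

Feed it the LDIF from a rootDSE base search plus the domain object and a user object of a real DC, and an account with no SFU attributes shows up as None, which is exactly the user who will not appear in getent passwd.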
  99. pam is not the way under OS X. by netsrek · · Score: 2

    Just to clarify something, although Apple have included PAM in OS X 10.2, it's kind of useless, as /etc/pam.d/login isn't actually consulted at the login window. yeah. brain dead and bloody annoying.

    --

    i don't read slashdot anymore.
  100. How to do it with OS X 10.2 by Anonymous Coward · · Score: 5, Informative

    You will need 10.2.

    Browse to /Applications/Utilities, select Directory access. Select LDAPv3, click Configure, drop down the show options button, hit 'new', type a friendly name for your AD server, slap in its name or IP, Select Active Directory from the LDAP Mappings, use SSL if you want, fart around with the other options if you need to, OK everything, go back to Directory Access, Select Custom Path from the Search Drop Down, hit 'add', select '/LDAPv3/Your Friendly name'.

    Slap back wallop, you should now be authenticating with an AD server, seamlessly it is. Works Good for me, I don't like AD, but I really don't care, it authenticates me, that's all I need, keeps management happy too, they love spending that money!!!

    T

    1. Re:How to do it with OS X 10.2 by Anonymous Coward · · Score: 0

      Hmmm, did this, and now I cannot even log in to my network. Before, I could start up and browse manually, but now, I cannot get past "Waiting for Network File System" in my boot panel.

      Any way to get rid of what I set up in Directory Access?

    2. Re:How to do it with OS X 10.2 by willigis · · Score: 1

      Very informative!

      As you seem to be well versed in this, is there a way to "see" from my iBook running Jaguar a Linksys printserver which is connected to my windows MSHOME network?

      The printserver can be seen from the Win machines but not from the mac.

      It only has the NETBEUI protocol.

      Cheers
      GS

  101. Re:What we found... Apple lies by Anonymous Coward · · Score: 0

    Yes, Apple does lie. They made you think they sold you an "Enterprise Solution" when you paid for an XServe. But you bought an experiment. Take it from me, don't wait for Apple to get it right. They have ignored the Enterprise for nearly two decades and the only reason they are selling experiments is for market share.

    Mind you, my next question is going to be, OK APPLE wanna play Active Directory? So what's your solution to replacing Active Directory? When they answer that question, I will believe Apple is thinking "Enterprise".

  102. Covered on the Mac-Mgrs mailing list. by Anonymous Coward · · Score: 1, Interesting

    Mac-Mgrs (Macintosh Managers), a mailing list in existence for over 10 years, has covered this issue, and every other issue regarding managing networked MacOS machines in a multi-platform environment.

    They keep an archive, which is available for public searching. Go there, and search the "new" archives (post April 2000) for "Active Directory."

    The list is an excellent resource for troubleshooting MacOS (Classic & X) management issues.

    Mac-Mgrs also has probably the best s/n ratio on the Internet, as well as throwing a great geek party at MacWorld Expo twice a year. =)

  103. Re:Well it's not that hard to fix. NDS != Evil. by plazman30 · · Score: 1

    You are so right. Novell's products are an administration dream! NDS eDirectory is incredible. I have never met a single tech guy who didn't praise Novell after having used it. Novell's biggest problem is the fact that Microsoft has much better marketing.

  104. Knowledge Assumptions and LDAP by morrison · · Score: 1

    To meta-quote Apple's guide to interact with Active Directory Services:

    "Mac OS X uses the LDAP protocol, not Microsoft's proprietary Active Directory Services Interface (ADSI), to connect to Microsoft's Active Directory. This .. assumes that you have in-depth knowledge of Active Directory, especially the ways in which it needs to be configured to support standard LDAP schema definitions. Because the primary means of accessing Active Directory is ADSI, using LDAP as an alternative implies a thorough working understanding of the use and limitations of the LDAP support provided by Active Directory."

    It sounds like someone didn't know Active Directory sufficiently, hence the pain. Otherwise, setting up things on the Mac side is very simple and straightforward. O'Reilly has a great book "Mac OS X for UNIX Geeks" that goes into great detail on explaining not only what to do, but what is going on behind the scenes.

    In this case, I would bet Active Directory Services is making things the most difficult for you (and the fact that OS X uses LDAP instead of ADSI).

    --
    Cheers!
    Sean
  105. AD documentation for 10.2 by daveschroeder · · Score: 5, Informative

    The Active Directory documentation for Jaguar Server is now integrated into the Mac OS X Server 10.2 Admin Guide; from http://www.apple.com/server/resources.html:

    Active Directory for Mac OS X Server v10.1: Learn how to integrate Mac OS X Server v10.1 with Microsoft Active Directory. (v10.2 customer, refer to the Administrators Guide for Active Directory integration documentation.)

    The Mac OS X Server 10.2 Admin Guide is available from:

    http://docs.info.apple.com/article.html?artnum=122015

    Particularly, see:

    Chapter 2: Directory Services (p.65)
    Using an Active Directory server (p.104)

  106. Mac OS X, the docs, flat files by TheCubic · · Score: 1

    I work for a large university, and I've been working to integrate Mac OS X with flat BSD files (for both the GUI and other environments). I have some tips for anyone intent on doing the same - dave (at) math.umn.edu. Apple support (the people to complain about when you've already bought the product) didn't help me at all.

    Back to the business: Gordon Shukwit (who I talked to last week) is writing white papers on integration with Active Directory, and said that "[he'd] have them done soon" (<- perfect for slashback). I won't publish his e-mail address because having a slashdot story about it is already enough pressure :)

  107. I agree by Andy+Dodd · · Score: 2

    Using LDAP is the way to go, but when you already have a Windows-based authentication infrastructure in place, you don't necessarily have that option. Hence pam_smb_auth

    --
    retrorocket.o not found, launch anyway?
  108. That doesn't make any sense by Gareman · · Score: 1

    So I invent something. You create a product that says it will work with my new invention. Your product doesn't. So it's my fault? Total nonsense. About as nonsensical as the score you got for your post by the MS hating, elitist moderators. --gary

  109. Re:Well it's not that hard to fix. NDS != Evil. by Openadvocate · · Score: 3, Interesting

    I had a excellent Novell experience today. :)
    I just installed a demo of Netware 6 today, I was amazed by the number of programs coming with the server as default, damn. Just look at the web administration.

    When talking NDS, I discovered that now that Novell runs PHP, MySQL, Perl there is a greater reason to run apache web servers on it.
    And what was even better, you can now authenticate users against your NDS in apache. cool. Just like you would use a .htaccess file, you can point it to the NDS directory instead, very cool indeed, it would look something like this.
    -----
    AuthType Basic
    AuthName "Secure_Site"
    AuthNDSTree TREE_NAME
    AuthNDSContext .organization [.context.organization]
    AuthNDSRequireSSL [on|off]
    require valid-user
    order allow,deny
    allow from all
    ---

    It was very cool to see my php/mysql applications running on a netware server, I didn't need to change anything in the code, I imported my SQL data into MySQL and it was running.

    --
    my sig
  110. More like... by Anonymous Coward · · Score: 0

    ...you invent a square wheel. I, on the other hand, employ round wheels in my product (i.e., the standard configuration). I tell people that they can use your crummy square wheels if they want. People use your crummy square wheels and complain to me that the ride is bumpy.

  111. OSX integration with AD, other resources by mistermoonlight · · Score: 1
    Check out Apple's OS X section for the PDF on AD. If you already have, read on.


    Along with the becoming more and more useful macosxlabs.org, there is the idea that if you cough up $150 per AD server for MS Services for Unix, this software will do most of the work in terms of schema modification.


    You don't have to use the file/print services installed by this software, but that may be helpful to you.
    We've already covered this in slashdot. Check out articles concerning using PAM with AD and there should be a thread there as well.


    Mod this up, I hope it helps. Irrational bleats like "IT'S a NIGHTMARE" help no one, especially yourself.

  112. Re:KTHXBYE by Anonymous Coward · · Score: 0

    Slashdot! Linux Hackers! Hah! It's obvious (based on 90+% of user comments) slashdot is for homosexual windows fanboys.

  113. You're out of line by Lovejoy · · Score: 2

    Most of these people are definitely stupid. You have a MCSE right?

    'nuf said

    1. Re:You're out of line by Anonymous Coward · · Score: 0

      Not really. Your post was infinitely more devoid of intelligence than his. That's probably enough said right there.

  114. Re:Well it's not that hard to fix. NDS != Evil. by sniggly · · Score: 3, Informative

    As a side note check out mod_auth_mysql - http://www.diegonet.com/support/mod_auth_mysql.shtml
    to do user auth against mysql as an apache module, works like above.

    There's also http://www.giuseppetanzilli.it/mod_auth_pgsql/

    Novell is paying attention to the good stuff :)

    --
    Of those to whom much is given, much is required.
  115. Re:From O'Reilly Press by benedict · · Score: 2

    I play it cool, and dig all jive
    That's the reason I stay alive ...

    Cool to find another Hughes fan on Slashdot.

    As for that book, it spends too much time on basic
    unix stuff like what a here document is. As a friend
    of mine quipped, it should be called "Unix for Mac
    OS X Users".

    --
    Ben "You have your mind on computers, it seems."
  116. How we've done it by halmstrz · · Score: 2, Informative

    Our method involves authenticating to AD via LDAPv3, and automounting a volume over SMB. We've just put this doc together over the last few hours, but will try and work more on it in the next few days. It can be found here at the bottom.

    1. Re:How we've done it by Anonymous Coward · · Score: 0

      Have any of you google search idiots read this? Would seem to me, this may be one of the 5 or 6 useful posts. The environment is not exactly like mine (each person in seems to have a hidden mount point...which is understandable given all the privacy lawsuits of late...), but, unlike any other help anyone has given, this appears to have a non-local home directory. I'd think this a step forward for X in an MS world.

  117. Not with Negative Karma by Anonymous Coward · · Score: 0

    (the way you're going)

  118. MacOS X Server 10.2's SMB sharing is flaky by Anonymous Coward · · Score: 0

    We have a MacOS X Server 10.2 and are having lots of trouble serving up files via SMB to Window users.

    There are a bunch of notes on various message boards with similar login/authentication problems. One trick is that you can't use local password storage for SMB accounts - you have to use a password server.

    But even then it didn't work for us. Hopefully Apple will get it right soon, but for now MacOS X Server is not quite ready for prime time.

    Of course, configuring Windows and Unix servers for cross-platform work isn't exactly simple either.

  119. I hate stupid people... by Anonymous Coward · · Score: 1, Informative
    ...do this search on Google.com:


    OS X active directory how to


    The first thing to show up is an Apple PDF on how to do it.


    Stop wasting everyone's time and making yourself look really stupid.

  120. I'll take what I can get. by inertia187 · · Score: 0
    Maybe I'm not asking a lot from OS X 10.2, but I have no issues joining our network as long as I'm willing to:
    1. type big long SMB connection strings (Apple-K, then smb://WORKGROUP;user@host.domain/volume)
    2. don't mind having .nsmbrc on my home directory with stuff like this:
      [host.domain:user:*]
      password=password
      workgroup =WORKGROUP
    3. don't mind not being able to print a darn thing.
    I can browse the domain more or less (less than more). It's a real joy compared to 10.1.
    --
    A programmer is a machine for converting coffee into code.
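    The .nsmbrc shown in the post keeps the SMB password in clear text in the home directory, so the one thing worth checking is that nobody else can read that file. This is an added example, not code from the post; it builds a sample .nsmbrc in a temp directory and reports loose permissions and stored passwords.

```python
"""Audit a ~/.nsmbrc of the kind shown above: it carries the SMB password
in clear text, so at minimum it must not be readable by anyone else.
Added example, not from the original post; the sample file is constructed."""
import configparser
import os
import stat
import tempfile

# Constructed sample mirroring the post's snippet; not a real credential.
SAMPLE_NSMBRC = """\
[default]
workgroup=WORKGROUP

[host.domain:user:*]
password=password
workgroup =WORKGROUP
"""


def write_sample(mode):
    """Write SAMPLE_NSMBRC into a fresh temp dir with the given mode and
    return its path (stands in for ~/.nsmbrc)."""
    path = os.path.join(tempfile.mkdtemp(), ".nsmbrc")
    with open(path, "w") as fh:
        fh.write(SAMPLE_NSMBRC)
    os.chmod(path, mode)
    return path


def audit_nsmbrc(path):
    """Return findings for the file: loose permissions first, then one
    finding per section that stores a password."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o lets group or other access the file" % mode)
    # .nsmbrc is key=value under [host:user:share] style section headers,
    # which configparser reads as-is
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.read(path)
    for section in cfg.sections():
        if cfg.has_option(section, "password"):
            findings.append("plaintext password stored in [%s]" % section)
    return findings


if __name__ == "__main__":
    for finding in audit_nsmbrc(write_sample(0o644)):
        print(finding)
```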
  121. Re:From O'Reilly Press by Anonymous Coward · · Score: 0

    As a friend of mine quipped, it should be called "Unix for Mac OS X Users" hahahahahahaha LOL wow!!! Your friend is very witty and funny indeed User #9959, any chance of catching up with this intellectual giant online my friend? Oh to have friends as smart and quick witted as this unknown person!! You must be a very elite hacker indeed benedict (no-caps on purpose because User #9959 is entirely too cool to capitalize his name you see and if oh piss on it... you are not worthy of my lord and master benedict) ... oh to be your friend and apprentice!
    Benedict! Benedict! Benedict Peters....King of the useless posts!
    Can I say it again for posterity's sake benedict??? Can I? Please??????
    Unix for Mac OS X Users
    Great Benedictine!!! I'm excited by our conversation!! Do reply in great detail about your Unix haXory exploits my friend... I cannot wait one minute more!!!

  122. Re: MAC vs. Mac by bursch-X · · Score: 1


    I actually think of it as a feature rather than a "bug", if the poster talks about MACs you can tell immediately that he knows jack about them ;-)

    --
    There are two rules for success:
    1. Never tell everything you know.
  123. Re:Well it's not that hard to fix. NDS != Evil. by deviator · · Score: 1
    very well said, and it sounds like something I would have said anyhow. :)

    (way, way off tangent) the thing that frustrates me about open source is that much of the enterprise stuff is still -not- as good as some of the stuff Novell produces... because most people are content to simply copy Windows features (which is all most people know.) It is _definitely_ worth the effort to spend some time with Novell's technology and see how good network management can really be.

  124. quit airing your mit laundry in public.l. by Anonymous Coward · · Score: 0

    Besides, all of you losers probably belong in prison next to the DoD warez guy..

  125. It works but Directory Access must be right by Current+Point · · Score: 2, Informative

    I just recently set up our Mac OS 10.2 server utilizing our Active Directory server. Here are some tips that may help.

    1) Do not test with OS X Server. I used the Java LDAP browser, available at http://www.iit.edu/~gawojar/ldap/ to check for a proper connection. Once I got this to work where I could see the LDAP user data, I plugged those same settings (User/Password, search base, IP, etc) into Directory Access for OS X Server. OS X Server does not give as much diagnostic feedback when testing as the LDAP browser does.

    2) Do not add a cn=Users to the search base. Yes it may be necessary, but OS X Server will do this for you. By adding it, you will have 2 cn=Users which breaks it. The search base should look something like dc=mydept,dc=mycompany,dc=com.

    3) In Directory Access use the Active Directory template (not From Server, or Custom). In most cases this will work without any mappings, making it a simple Directory Access setup.

    Hope this helps
    Rik

  126. Resistance is futile earthling, why even bother? by Anonymous Coward · · Score: 0

    Go all Windows now and mortgage your house. You WILL be assimilated.

  127. Solution is risky, but not complicated by Anonymous Coward · · Score: 0

    Using a 10lb sledgehammer, smash the Active Directory server. If it pops up again, smash it again. Once you've completed this essential step, your Microsoft compatibility problems will be over though your legal problems may be just starting.

    See, not complicated at all! If you're locked in, smash your way out...

  128. Huh? by Trillan · · Score: 1

    Password servers? I don't even know what those are, but I got the SMB file server and client on Mac OS X working with Windows XP without any problem at all...

    What problem are you having?

  129. Google should answer this guy's question but... by Nezer · · Score: 1

    What about going the other way?

    Can one use Apple's OpenDirectory and netinfo to not only have Windows authenticate against it but also set GPOs?

  130. Forks? by Anonymous Coward · · Score: 0

    Could it possibly have something to do with the resource forks Apple incorporates into the file system? You know, the ones to identify file/MIME types to the OS without relying on extensions, and which are typically hidden from users?

    I could be way off, but that part of the file which Windows understands could be copied, while the resource fork might be left behind.

  131. More stuff... by zerofoo · · Score: 2

    You have given me more information on OS X server than any of the Mac "salespeople" I have to deal with. It's greatly appreciated.

    We are mostly a PC shop, but my boss is a Mac nut....it might just be time to convince him to let me buy an OS X server :)

    In fact, the AD replication process is actually fairly complex...

    You said it! Have you ever configured two bridgehead servers? Ugh, no fun to set up, but it works pretty well once up and running.

    I have to admit, the Active Directory replication process is pretty cool. It manages lots of info, does conflict resolution well, and does not need tight time synchronization.

    ...including the ability to change a clone into a master if the master fails...

    Does the failover have to happen manually? I like the idea that if one of my AD-DCs fails, I automatically have another master (since all Active Directory domain controllers have a writeable copy of the Active Directory). Does OS X have the ability to "auto-promote" a slave to a master?

    -ted

    1. Re:More stuff... by plsuh · · Score: 2

      Let's take this off line -- Paul Suh

      --Paul

    2. Re:More stuff... by plsuh · · Score: 2

      Let's take this offline -- and let me actually type my e-mail address this time! Paul Suh psuh at apple dot com

      --Paul

  132. *extended* !=broken... by netsrek · · Score: 2

    That's completely different, and you bloody well know it. This isn't an "embrace and extend" kind of extended... Apple is still running OpenLDAP, they haven't broken interoperability at all, not like what Microsoft did with Kerberos/Active Directory at all. Any other LDAP client that implements the standard can still talk to Apple's install of OpenLDAP...

    --

    i don't read slashdot anymore.
  133. Re:Well it's not that hard to fix. NDS != Evil. by Nalmar · · Score: 1

    Well, I can definitely say that Netware eases the pain of administrating a windows network. I've worked with Netware 2, the great file system of Netware 3, the excellent NDS with Netware 4 and the wonderful ZEN and groupwise of Netware 5. But for the sake of discussion, I'll be the devil's lawyer here (does that expression make sense in English?). Novell is great if you have a Microsoft OS network but being a Macintosh guy, I can say that I've rarely seen such lousy Mac support. I don't know if it's true for other platforms (Linux, Solaris, Be, ...) but for Mac, the support was next to 0. You were stuck with an outdated, unreliable, bindery-only client, badly integrated with the OS. Maybe things have changed in the last 2 years but I doubt it since a search on novell.com download section for product:novell client platform:macintosh returned nothing. And the cost is prohibitive. Even for the education market, it ran in the $30000/year.

    --
    It's not because we laugh that it's funny
  134. This does work just fine with 10.1.5 and 10.2! by Anonymous Coward · · Score: 1, Interesting

    I have set up OSX clients to authenticate and automatically mount their home directories using both 10.1.5 (LDAPv2) and 10.2 (LDAPv2 or v3). It works great once you have it set up correctly.

    Just to be clear, this is with *no* replication of account information between AD and OSX. All account information is stored in AD and stays there. The clients don't store any user information.

    Also, I have done this with both win2k and OSX servers for home directories.

    The article from Apple (OSX integration w/ AD) is a good start for the basics. Much of it applies when moving forward to 10.2, except that many of the setup screens are different.

    My main recommendation is to *not* use their schema definitions. The reason for this is that they tell you to piggy back on existing attributes in AD. While this is nice from the standpoint of not having to edit the schema much, other MS applications may need those attributes for their own use. For example, they tell you to put the home directory URL (an xml description of the home directory location) into the "HomeDirectory" attribute. This, however, is used by MS clients to find their home directories. If you have users that cross between windows and mac, it won't work.

    Instead, I'd take the schema from the Open Directory service which comes with OSX Server and pull out the attribute names and OIDs from there to use. The only thing it is missing is an attribute/OID for the "NFSHomeDirectory", which they recommend you use "UserSharedFolderOther".

    Also, don't add the attributes directly to the existing user class. Create another class with those attributes and add it into user class as an auxiliary.

    I agree that the docs really need a lot of updating to make this possible for the average admin to deploy. However, Apple has provided the technology to have a very nice integrated solution once you know what you are doing.

    This solution is actually fully deployed at one public school in Massachusetts and partly deployed at another one (they are still in testing). Students are able to sit down at any OSX system and have their desktop, preferences, and documents follow them around seamlessly.

  135. Mac OS X 10.2 and Sun ONE Directory Server by allenw · · Score: 1
    At home, we have two Solaris 9 hosts and two Mac OS X 10.2 machines fully connected with home directories, accounts, and the like coming from S1DS. It isn't pretty, since Apple doesn't support RFC 2307bis definitions for automounts in addition to the lack of any real documentation about what lookupd and other system daemons require to be present.

    Here are some things that might help folks:

    Tip #1: /etc/openldap/schema is a directory full of schema information. In particular, you want to look at apple.schema, which has all of the weirdo Apple definitions.

    Tip #2: Start with the RFC 2307 definitions and modify from there. Be aware that you will also need to match the objectClass for the type. I.e., when you click on Users in Directory Access, you need to list posixAccount, inetOrgPerson, and shadowAccount so that it pulls all of the necessary fields from those objectClasses. This is different than how it worked with LDAPv2 and under 10.1.

    Tip #3: Location management does NOT work with LDAPv3, despite the shiny pull-down. If you are on a PowerBook and use Locations to move around, you do not want to set up any sort of services.

    Tip #4: "lookupd -d" is your friend. Use it to debug what your machine sees from the LDAP server and what you need to work on.

    Tip #5: You can do NFS mount points, but they aren't pretty:

    VFSLinkDir = /Network/Applications (or wherever you want it mounted)
    VFSType = nfs
    cn = server:dir path

    Tip #6: You should match all of the fields for mount, even if you don't fill them in. For some reason, automountd wants to be able to look up values that make no sense for a remote mount.

    Hope this helps somewhat.

    1. Re:Mac OS X 10.2 and Sun ONE Directory Server by mgrover · · Score: 1

      The original topic was about OS X and AD. So I'm curious if you're integrating any Windows systems on the network you describe.

      Equally off-topic (but related), I'd like to avoid AD altogether and go with something like Samba-LDAP-PDC (pdf). You should be able to include all the apple, posix, and samba objects you need and get a single directory to catalog the contents of the whole network and authenticate everyone. Using nss_ldap and pam_ldap, there would not even be any LDAP-NIS synching behind the scenes.

      Isn't this what LDAP (or any good directory technology) is supposed to be all about?
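    A way to check an LDIF export against Tips #2, #5 and #6 from the post above before pointing Directory Access at the server: the user records must carry all three objectClasses and the RFC 2307 fields, and each mount record must have every field present even when empty. This is an added example, not code from the post; VFSOpts, VFSDumpFreq and VFSPassNo are assumed names for the remaining mount fields, and the LDIF is constructed.

```python
"""Check LDAP user and mount records for what Mac OS X 10.2's Directory
Access and lookupd expect (Tips #2, #5 and #6 above). Added example, not
code from the original post; VFSOpts, VFSDumpFreq and VFSPassNo are assumed
names for the remaining Mounts record fields."""

# Constructed LDIF export standing in for a real directory (not real data).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
uidNumber: 1001
gidNumber: 20
homeDirectory: /Network/Servers/fs/home/jdoe
loginShell: /bin/tcsh

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 1002
gidNumber: 20
homeDirectory: /Users/bob

dn: cn=fs:/export/apps,ou=Mounts,dc=example,dc=com
objectClass: mount
cn: fs:/export/apps
VFSLinkDir: /Network/Applications
VFSType: nfs
VFSOpts:
VFSDumpFreq:
VFSPassNo:
"""

# objectClasses Directory Access must list for Users (Tip #2)
USER_CLASSES = {"posixaccount", "inetorgperson", "shadowaccount"}
# RFC 2307 attributes lookupd turns into a passwd-style entry
USER_ATTRS = ("uid", "uidnumber", "gidnumber", "homedirectory", "loginshell")
# every Mounts field must exist, even if empty (Tip #6); names past VFSType assumed
MOUNT_ATTRS = ("cn", "vfslinkdir", "vfstype", "vfsopts", "vfsdumpfreq", "vfspassno")


def parse_ldif(text):
    """Parse 'attr: value' LDIF into dicts of lower-cased attribute name ->
    list of values (LDAP attribute names are case-insensitive)."""
    records, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                records.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    if entry:
        records.append(entry)
    return records


def check_record(entry, required_attrs, required_classes=()):
    """List missing objectClasses, then attributes absent entirely.
    An attribute present with an empty value passes (Tip #6)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = ["missing objectClass " + c
                for c in sorted(set(required_classes) - classes)]
    problems += ["missing attribute " + a
                 for a in required_attrs if a not in entry]
    return problems


def passwd_line(entry):
    """Render a user the way a passwd entry (and 'lookupd -d') shows it."""
    def first(attr):
        return entry.get(attr, [""])[0]
    return ":".join([first("uid"), "*", first("uidnumber"), first("gidnumber"),
                     first("cn"), first("homedirectory"), first("loginshell")])


def audit(text):
    """Return {dn: problems} for every record with at least one problem."""
    report = {}
    for entry in parse_ldif(text):
        is_mount = "mount" in {c.lower() for c in entry.get("objectclass", [])}
        problems = (check_record(entry, MOUNT_ATTRS) if is_mount
                    else check_record(entry, USER_ATTRS, USER_CLASSES))
        if problems:
            report[entry["dn"][0]] = problems
    return report
```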

  136. Slashdot slanders Apple? by A.+Brate · · Score: 1
    I couldn't find any claim of "seamless" integration by Apple. It certainly wasn't on the link. Considering that the title, which put "seamless" in quotes, the department, and the front-page message text, all mentioned the seam-word, it sure looks like Apple claimed seamless integration.

    And judging from the posters who attacked Apple's supposed "seamless" claim, that's how it would be reasonably interpreted.

    The best that Apple claimed was "peaceful". That may be a marketing weasel-word with no meaning, but it's hardly the same as "seamless". After all, the U.S. and North Korea are living peacefully together right now.

    Adam Brate

    --
    author,
    1. Re:Slashdot slanders Apple? by Warlock7 · · Score: 1

      Nicely put. It is amazing what happens when one actually follows the links and reads the page. You are 100% correct and the poster of this particular story and the moron that posted it for them should probably verify the stories once in a while before putting them up.

  137. Why do you resist logic? by Anonymous Coward · · Score: 0

    You are a dense man.

    In terms of your analogy, Apple has said: my product works with both round and square wheels, so buy it. I buy it. It doesn't work with square wheels. I need it to work with square wheels. So next time I don't buy Apple.

  138. Schemas are a key part of LDAP by oneiros27 · · Score: 2

    If someone were to 'extend' the way that an LDAP consumer interacts with a supplier, there's an issue. As it is now, every set of LDAP software has its own way to handle direct replication of data.

    However, the type of information that can be placed into an LDAP directory is handled by the schemas.

    In much the same way, a database server doesn't care what your table definitions are to maintain ODBC compliance.

    Now, in this case, we have schemas, which much like a table definition, define what sort of information is allowed to be placed into the directory. It may be mail attributes, such as 'rfc822mailalias' and 'mailforwardingaddress', it might be posix authentication information, such as 'loginshell' and 'homedirectory'.

    In this case, I have no idea what schema extensions OS X may require, but the standard posix attributes would make sense (ie, what you'd find in /etc/passwd normally).

    --
    Build it, and they will come^Hplain.
  139. Re:Well it's not that hard to fix. NDS != Evil. by -cman- · · Score: 1

    Well, that's all well and good but the subject of the message is integrating Mac OS X with AD. I've played around with the third-party Novell client for OS X and I merely find it, okay.

    Besides that you've completely missed the point as the poor sod above is simply looking for some help keeping his new Unix boxes hooked up to the insanely complex and costly network that his bosses have imposed on him, which he (or she) has little or no control over.

    -cman-
    MCSE, CNE, AppleCare :P

    --
    "Being Irish, he possessed an abiding sense of tragedy which sustained him through brief episodes of joy." -W. B.