Slashdot Mirror


"Seamless" Integration of Mac OS X w/ Active Directory

eexlebots asks: "I work for a small college which has a few Mac OS X 10.2 machines and a fairly standard Active Directory setup. Actual deployment of these clients rides on getting them to authenticate at login to our Active Directory server. Apple has stated that this is possible (easy! seamless!) with Jaguar without the use of an additional Mac OS X server, but I have found the case to be quite different. It is possible, but not without a good deal of nightmarish configuration issues. Documentation? HA! No sign of it anywhere on Apple's site. I'm not alone: at macwindows.com I found a good many people who think that Apple's claims of seamless Windows Network integration to be a bad joke and nothing more. I was wondering who else out there is having this problem, and what they have done to solve it."

12 of 300 comments

  1. Well, by jcrash · · Score: 3, Insightful

    It isn't exactly in Microsoft's best interest to make this easy for them is it?

    --
    I do not fear computers. I fear the lack of them. Isaac Asimov (1920 - 1992)
  2. Re:Hypocrites by MoneyT · · Score: 3, Insightful

    Not really. Apple has been partners with M$ for quite a while now. And you do know the best way to win users over is to make it easy to incorporate the new into the old.

    --
    T Money
    World Domination with a plastic spoon since 1984
  3. What is Active Directory? by Fugly · · Score: 3, Insightful

    I'm not sure what active directory is but I do know that using Jaguar, my machine can browse my windows network and connect to any shared folders very easily.

    I also have it sharing folders out to the windows machines though it doesn't give out a listing of what's shared (probably for security reasons). You have to tell it what username, password and share you want to access.

    What exactly are you trying to do?

  4. Re:Well it's not that hard to fix. by Telastyn · · Score: 5, Insightful

    Because if you use LDAP or NDS you end up with the same nightmarish configuration issues, except now the issues are with the windows machines, which are probably 90% of his clientele.

    (this of course assumes it's impossible to just get rid of the windows machines and they actually need centralized authentication in the first place...)

  5. The answers you'll get from Slashdot.. by joshua404 · · Score: 1, Insightful

    I'll save you the time:

    "M1cr0s0pht sux0Rz@@!@! Use LiNuX it RAWKZ#(*#@*(#@#@#"

  6. Actually, it's not that bad for MS. by unicorn · · Score: 3, Insightful

    All they lose out on, is the OS License. Which when purchased from a Dell, et al, isn't that significant. When a Mac gets roped into the AD network seamlessly, they still get revenue from a copy of Office so the user can share docs with other users (LOTS more profitable than Windows). Plus a few more CAL's as well, for the file server(s) as well as the exchange server(s). All in all, it's still a good revenue stream for MS.

    --
    "Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
  7. Re:File Corruption with Jaguar and SMB Sharing by Anonymous Coward · · Score: 1, Insightful

    I've had the exact same problem... It seems to have to do with which subnet the smb servers are on and does not happen if the smb servers are on the same subnet as the Mac. Anyone have a solution?

  8. The problem is probably not with Apple by igotmybfg · · Score: 3, Insightful

    Windows Networking is based on the SMB protocol. I have been using it for years, first in my home network, then at my university. I have had lukewarm results, at best.

    My primary complaint against SMB is that it doesn't really work all that well. When I tried to look at the list of computers in Network Neighborhood, I often saw only a partial list (some computers that I knew were connected did not show up). The only way I could connect to these was by specifying their IP address. Other times, I could not access them at all (even though in some cases they could still access my machine!). I switched to Linux a while ago, and I have had similar results using SAMBA.

    This leads me to believe that the fault for bad Windows Network performance lies not in the implementation (whether SMB on Windows, SAMBA on Linux, or the Apple implementation) but in the protocol itself.

  9. Re:Using AD for authentication by Jobe_br · · Score: 3, Insightful

    Creating user dirs is a tricky problem. Samba w/ winbind and the PAM auth module is pretty difficult to set up for that, as well.

    And, while I understand that having Apple say "it's easy" makes you want to blame them, you really ought to blame MS or yourselves for purchasing MS technology. It's really that simple. Folks need to stop complaining about MS and just either suck it up, or not use their tech. If it's good, use it. If it's not, don't - and don't complain.

    OS X is more compatible with Windows than Windows is with OS X. Finito.

    Cheers.

  10. Re:LDAP support != AD integration by plsuh · · Score: 5, Insightful

    This list consists of items that are irrelevant or unnecessary:

    Can you add users to OS X and have them appear in Active directory?

    The point of a central directory service is that you create the user records in one place (using the native tools) and all systems can authenticate against them. Adding users to your Mac OS X machine doesn't make sense under centralized directory services. With the correct administrative user login, it is possible for Workgroup Manager to edit user records in an LDAP server using LDAP v3 mechanisms.

    Can you get your DHCP server (on OS X) to authenticate itself in Active Directory?

    DHCP does not by nature authenticate. DHCP servers can send out additional vendor-specific DHCP packets -- Apple's implementation does this to tell Mac OS X clients where to look for directory services -- but they do not authenticate directly to DHCP. These additional records are ignored by systems that don't understand them. Look into the Mac OS X Server documentation and the /Applications/Utilities/Directory Access application to see the options.

    Can you get user lists and permissions to replicate into OS X's user list?

    The point of central directory services is to NOT have everything replicate into client systems! :-O When a Mac OS X system utilizes LDAP directory services for group information, it asks the LDAP server, not its own local NetInfo database or BSD-style config files.

    Lastly...can you get a user to log into OS X and have OS X process login scripts replicated to domain controllers? Doubtful...most of the windows login scripts don't apply to the Unix world.

    You've answered your own question here -- the Windows-based login scripts do not make sense and would not run under Mac OS X. Mac OS X has its own ways of setting up scripts to be run on boot and on login, as well as automatically mounting share points.

    Scripts can be run from the /etc/rc scripts or from the /Library/StartupItems folder. On login, there are a variety of options detailed in Apple's docs.

  11. OpenAFS by Anonymous Coward · · Score: 1, Insightful

    Depends if you *have* to use Active Directory. Some people have successfully deployed OpenAFS in heterogeneous environments. It does run on Windows and MacOS X. There are even some success stories mentioning this setup.

    http://www.openafs.org/success.html

  12. Re:DHCP does not by nature authenticate??? by plsuh · · Score: 3, Insightful

    DHCP authentication as you described is a Microsoft extension to the standard and is not a part of any RFC that I am aware of. In point of fact, no non-Microsoft DHCP server implements this protocol and as a result, any other device that wants to broadcast DHCP packets can do so. The DHCP server on Mac OS X is really just a slightly modified version of the ISC reference implementation of bootpd. By design, you can set up the DHCP server on Mac OS X to respond to directory services request packets but not other types, such as IP address allocation requests, so that Mac OS X machines can pick up directory services information via DHCP and still interoperate with existing DHCP servers.

    And, as you pointed out, any other device plugged into the network that can broadcast DHCP can cause the same chaos. Mac OS X makes it so that regular users without admin privileges cannot turn on DHCP, either on Mac OS X or Mac OS X Server. Keep non-technical users as non-admin users and you will never have the problem of DHCP interference.

    I guess what I want is Linux or OS X to act like an Active Directory DC....to do all the things that Microsoft's AD-DC's do.

    This gets to the core of your problems -- you have a VERY Microsoft-centric view of the world. Forcing authentication against a Microsoft-specific non-standard server protocol just because that's the way Microsoft does it is a really poor way of getting interoperability. Other systems have other ways of handling directory services and security -- look at them in their native environments and work with them, don't treat every problem as a nail just because all you have right now is a hammer.

    --Paul
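The two plsuh comments above (DHCP carrying directory-service information, and any device that can broadcast DHCP being able to cause "chaos") suggest a simple defensive check. The following is an added example, not code from the thread or from Apple: it parses captured DHCPOFFER payloads, flags offers from servers outside an assumed allowlist (`TRUSTED_DHCP_SERVERS`, constructed here), and reports any LDAP URL (IANA DHCP option 95, the option used for DHCP-supplied LDAP servers) that an offer pushes. `build_offer` only constructs sample packets for the example.

```python
import ipaddress

# Allowlist of DHCP servers expected on this segment (constructed for the example).
TRUSTED_DHCP_SERVERS = {"192.0.2.1"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the DHCP options field
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_LDAP_URL = 53, 54, 95  # 95 = LDAP URL option

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} for a BOOTP/DHCP payload (the UDP data)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                         # 0 = pad byte, has no length field
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")   # malformed TLV: never read past the buffer
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_offer(packet: bytes) -> list:
    """Flag DHCPOFFERs from non-allowlisted servers and any directory-service URL they push."""
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MESSAGE_TYPE) != b"\x02":     # 2 = DHCPOFFER; ignore other message types
        return []
    server = str(ipaddress.IPv4Address(opts.get(OPT_SERVER_ID, b"\0\0\0\0")))
    findings = []
    if server not in TRUSTED_DHCP_SERVERS:
        findings.append(f"DHCPOFFER from untrusted server {server}")
    if OPT_LDAP_URL in opts:
        findings.append(f"LDAP URL pushed by {server}: {opts[OPT_LDAP_URL].decode('ascii', 'replace')}")
    return findings

def build_offer(server_ip: str, ldap_url: str = "") -> bytes:
    """Constructed minimal DHCPOFFER (fixed fields zeroed) used as sample input only."""
    header = bytearray(236)
    header[0] = 2                                   # op = BOOTREPLY
    opts = bytes([OPT_MESSAGE_TYPE, 1, 2])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    if ldap_url:
        enc = ldap_url.encode("ascii")
        opts += bytes([OPT_LDAP_URL, len(enc)]) + enc
    return bytes(header) + DHCP_MAGIC + opts + b"\xff"
```

In practice the payloads would come from a packet capture on the client VLAN; an offer from an unexpected server identifier, or one carrying option 95 when no server is meant to hand out directory information, is the condition worth alerting on.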