"Seamless" Integration of Mac OS X w/ Active Directory

eexlebots asks: "I work for a small college which has a few Mac OS X 10.2 machines and a fairly standard Active Directory setup. Actual deployment of these clients rides on getting them to authenticate at login to our Active Directory server. Apple has stated that this is possible (easy! seamless!) with Jaguar without the use of an additional Mac OS X server, but I have found the case to be quite different. It is possible, but not without a good deal of nightmarish configuration issues. Documentation? HA! No sign of it anywhere on Apple's site. I'm not alone: at macwindows.com I found a good many people who think that Apple's claims of seamless Windows Network integration to be a bad joke and nothing more. I was wondering who else out there is having this problem, and what they have done to solve it."

Re:Well it's not that hard to fix.

[Telastyn]

because if you use LDAP or NDS you end up with the same nightmarish configuration issues, except now the issues are with the windows machines, which are probably 90% of his clientelle.

(this of course assumes it's impossible to just get rid of the windows machines and they actually need cetralized authentication in the first place...)

Re:LDAP support != AD integration

[plsuh]

This list consists of items that are irrelevant or unnecessary:

Can you add users to OS X and have them appear in Active directory?

The point of a central directory service is that you create the user records in one place (using the native tools) and all systems can authenticate against them. Adding users to your Mac OS X machine doesn't make sense under centralized directory services. With the correct administrative user login, it is possible for Workgroup Manager to edit user records in an LDAP server using LDAP v3 mechanisms.

Can you get your DHCP server (on OS X) to authenticate itself in Active Directory?

DHCP does not by nature authenticate. DHCP servers can send out additional vendor-specific DCHP packets -- Apple's implementation does this to tell Mac OS X clients where to look for directory services -- but they do not authenticate directly to DHCP. These additional records are ignored by systems that don't understand them. Look into the Mac OS X Server documentation and the /Applications/Utilities/Directory Access application to see the options.

Can you get user lists and permissions to replicate into OS X's user list?

The point of central directory services is to NOT have everything replicate into client systems! :-O When a Mac OS X system that utilizes LDAP directory services for group information it asks the LDAP server, not its own local NetInfo database or BSD-style config files.

Lastly...can you get a user to log into OS X and have OS X process login scripts replicated to domain controllers? Doubtful...most of the windows login scripts don't apply to the Unix world.

You've answered your own question here -- the Windows-based login scripts do not make sense and would not run under Mac OS X. Mac OS X has its own ways of setting up scripts to be run on boot and on login, as well as automatically mounting share points.

Scripts can be run from the /etc/rc scripts or from the /Library/StartupItems folder. On login, there are a variety of options detailed in Apple's docs.