Integrating with Active Directory

Hello Chris,

What do you mean by Integrate? Simply access files on a server/workgroup, or server/domain? Or are you looking to host computer accounts and such with the Active Directory, and have taps into other management?

10.2 (Jaguar) and 10.3 (Panther) will connect out of the box with the SMB protocol... so you can mount file shares using username/password combinations for either workgroup or domain shares.

What other resources? What do you need to do? Please explain your conversion and spell out what your mission objectives are. For instance, if you need Citrix, it is available. VNC server so that you can remote control an OS X machine? It is available. MSN Messanger? it is available.

Look forward to your reply,

Christian

Christian,

We're going to be using Active Directory for user authentication in a university lab setting. Ultimately, the users are going to need to access their user folders on the Microsoft servers as well. We have been using SMB for the time being to connect, but now we're adding user authentication in the labs, and that is where I am most confused.

I should tell you that I USED to do network admin way back, but have been out of the loop for a few years and don't really know much about the Active Directory.

I hope this helps.

Chris

Hello Chris,

This will require some research on my part. I do not know if the Mac OS X will allow for total authentication from OS X. I believe that OS X uses an LDAP solution for username / passwords (that is what NIS is all about), but am not certain if AD and OS X can do the whole deal, like a Win 2000 box does.

I do know that if the user logs into the Mac OS X using the traditional style, that he/she will be able to hit APPLE-K and choose the server (or type it in), and authenticate that way. It might also be possible to do a login script for the user, but then again, this is now two logins (kinda like Novell on top of NT!). Since I have not had to do this, I am weak, and hate guessing.

I'd love to simulate this at home, but need some time. i am starting a new job this week, and need some adjustment. I would be happy to develop this over the next two weeks. Let me know a timeframe.

Christian

Christian,

A two week time frame is fine right now. I've got plenty of other things on my plate that I can handle until at least then.

I'll look into creating a script in the meantime.

Thanks for looking into this for me! I really appreciate it.

Good luck on your new job, too.

::: Chris :::

Hello,

I just wanted to announce that I have things in place to work on this. I am sorry I went beyond the two-week suggestion... just been tied up with things here.

Christian

Not a problem. I think we've got a workable solution outlined here, now. It's still in the testing phase, but it seems to work so far.

What we're doing is using the Active Directory plug-in in Panther (we decided to upgrade all our machines to that version). In there, the forest and domain are the same, which was a large part of my confusion. As long as you have rights to add a computer name to the domain, things should go smoothly.

To configure the AD plug-in, you have the forest and domain name be the same. You need to have a unique computer name for the domain, then bind it to the domain.

The other part I was having trouble with took care of itself somewhat. After you bind the Mac to the domain, you then have to set the "Authentication" and "Contacts" nodes. If you bound the domain correctly, the correct path should show up automatically when you search in "Custom Path".

I found that rebooting really helped with this, too (an unfortunate side effect of having to deal with a MS product...).

If it's configured correctly, it should show up with a User/Password box, in which you use your domain login.

That's all there is to it (from the Mac side of things, anyways).

I'll have to let you know how it works out once we roll it out to the rest of the users.

Thanks for all your help in checking into it, Christian. If you find any other useful bits of information, I'd love to hear about them!

Chris

Not a problem. I think we've got a workable solution outlined here, now. It's still in the testing phase, but it seems to work so far.

What we're doing is using the Active Directory plug-in in Panther (we decided to upgrade all our machines to that version). In there, the forest and domain are the same, which was a large part of my confusion. As long as you have rights to add a computer name to the domain, things should go smoothly.

To configure the AD plug-in, you have the forest and domain name be the same. You need to have a unique computer name for the domain, then bind it to the domain.

The other part I was having trouble with took care of itself somewhat. After you bind the Mac to the domain, you then have to set the "Authentication" and "Contacts" nodes. If you bound the domain correctly, the correct path should show up automatically when you search in "Custom Path".

I found that rebooting really helped with this, too (an unfortunate side effect of having to deal with a MS product...).

If it's configured correctly, it should show up with a User/Password box, in which you use your domain login.

That's all there is to it (from the Mac side of things, anyways).

I'll have to let you know how it works out once we roll it out to the rest of the users.

Thanks for all your help in checking into it, Christian. If you find any other useful bits of information, I'd love to hear about them!

Chris

Hello,

I just found this thread and was wondering what the out come was? I have a smiliar environment and am fairly new to setting this up. Any extra information would help.

Thanks

Joe