« The Amazon blogging thing, or, not every company is the same | Main | Best April Fool's Day Joke »

I recently finished doing an AD/OD integration project, and thanks to the very good folks at afp548.com, it went smashingly well. I found their paper on the subject easy to follow, thanks to the differentiation of Mac OS X 10.4 and Mac OS X 10.3 where appropriate. After seeing that a member of the Mac-Mgrs list was having some problems, I sent them a very basic rundown of the steps I had followed, which pretty much mirror the paper.

Evidently, my mad numerical listing skillz are madder than I thought. I've sent out quite a few copies of that email, and so I'm just going to post the steps here. Now, some points:

• There is nothing here that isn't in the afp548 paper. Really. All I did was RTFM that paper, take my time, test, and implement with care. As Sir Isaac Newton said, If I have seen further, it is by standing on the shoulders of Giants. There is nothing here I have thought of other than the presentation. If this helps you at all, then please, direct all thanks to the folks who wrote the afp548 paper, as this post is standing on their shoulders


• This is not a detailed synopsis. It's just an overview. if you're looking for a step-by-step howto, this isn't it, nor should it be taken as one


• If you're doing this in a situation where you have no access to, nor even neutered administrator rights over the Macs you're using this for in Active Directory, then I'd highly recommend you stop until you can get that access or make nice with those who do.


• This is assuming you know what you're doing with Open Directory, and are just being stymied by the Active Directory integration. If you're an Open Directory newbie, again, stop. Do not do this until you get some training. This looks simple, but it's not, and if you don't know all the stuff I'm not posting, you're going to be in a world of hurt.

Technorati Tags: Apple, Command Line Tools, Heterogeneous Networks, Mac OS X, Microsoft, Tech Support, Technology, Windows

1. Get the Open Directory master working correctly for all the services you'll want it to use.
2. In the Active Directory management tools, delete the machine account that is in there now, and all the DNS entries for that machine.
3. Recreate the Active Directory machine account, and the fwd/reverse DNS entries for it.
4. Bind the server to Active Directory. Once that's done, make sure that Active Directory appears above LDAP in the authentication pane in Directory Access.
5. From the command line, run: sudo kerberosautoconfig -u That will regenerate your edu.mit.kerberos file. If you have a "can't find it error" remove the LDAP entry from the authentication pane in Directory Access, hit apply, re-run sudo kerberosautoconfig -u, then put the LDAP entry back in Directory Access, making sure that Active Directory is on top.
6. If this is an Open Directory master, ignore that silly "Join Kerberos" message, it doesn't really apply here.
7. In Workgroup Manager, enable "Show All Records" in the prefs, then click on the Bullseye tab. Make sure you're auth'd to LDAP, then in the dropdown pick "config". Select the KerberosClient item, and in the inspector, change the RecordName to KerberosClient_DONOTUSE. This will keep Open Directory from trying to push down conflicting kerb records. You ONLY want the Active Directory kerb info on the clients. Save these changes.
8. From the command line, run: sudo dsconfigad -enablesso This will tie in all the services on the Open Directory Master to use Active Directory for authentication. Go ahead and reboot, even though you really don't have to. I like to here, it's cleaner.
9. In Workgroup Manager, bring up the Active Directory users, and add them to your Open Directory groups. This allows you to apply MCX policies to them. You can also add Active Directory groups to Open Directory groups as well.
10. Now go ahead and bind the clients to both the Open Directory Master and Active Directory. I usually do Open Directory first. Again, make sure that Active Directory is first in the Authentication pane in Directory Access. Run sudo kerberosautoconfig -u on the clients, and then reboot. At that point, you should be able to log into a client, and get tickets, etc.
11. In Workgroup Manager, set up your computer lists and policies with the bound client.

Comments