Macs and Active Directory
Apple has made great strides to make OS X work with Active
Directory. There are many different scenarios to make it
work. Let's approach these one by one. Items addressed
below are most applicable with 10.3. (OS X 10.4 is entirely different and looks much easier. Check it out in their own documentation.)
OS X Client connecting to Active Directory after Mac login
This is actually so simple it's hardly worth mentioning. Select
Go->Connect to Server... and you can either browse through the
domain or type smb://servername. Share points will display, and
you also get the option to authenticate.
OS X Client connecting to Active Directory for Mac login
To have OS X log in through a server, you must configure Directory
Access (in the Utilities folder). There is an Active Directory
conduit there that you can configure and install. It asks for the
same information you would expect to see in a Windows machine joining
the domain. You have to configure the Active Directory Forest,
Domain, and Computer ID, then click the Bind... button to join the
domain.
There are several other options related to offline operation and some
AD schema stuff, with which I've never played. You can allow your
domain administrators to log in and manage this machine as well if you
like.
When logging in, the "regular" Mac privileges apply at the workstation
level, and each user gets a local home directory. However, you
are now requiring authentication through your Windows systems, and the
network home directory should also automount.
OS X Client managed through Active Directory
I've thought about doing this since Apple has documentation on modifying the AD schema (see http://a528.g.akamai.net/7/528/51/17ab5d654eb22d/www.apple.com/server/macosx/pdfs/MacOSXwithActiveDirectory_122002.pdf).
However, I've never been overly interested in doing custom stuff with
Active Directory so thought there should be an easier way.
By the way, this still takes a Mac server to easily customize the
management settings. It's just that they are saved on the AD
server and accounts work through that instead.
OS X Client authenticating to Active Directory and managed through Workgroup Manager
What I've always wanted to do and never quite had a chance to figure out is
make the Active Directory the main authentication tool so that all
users have one place to authenticate and store home folders, but make
my OS X server the group management tool. About the time I was
ready to say it was not yet practical, someone came up with
documentation for it, and I was disappointed I hadn't thought of it.
The crux of the matter is where the authentication occurs. Your OS X server, as well as the clients, has to be configured to look at the
Active Directory. Here is a summary: http://www.macwindows.com/ADinstruct.html
While not complete, hopefully this has helped your research and can
be useful in your planning. I now work for a district that is
more likely to make the Active Directory authenticate the other
direction, so this might be the end of my input on this topic.
For more information
If you want more information, the links above are pretty useful. Apple also has two very good resources at their Education Technical Resources site and their Server Documentation pages.
Good luck!