So I’m rebuilding my test lab in preparation for our rollout of Mac OS X 10.3.4 and the synchronized moving of authentication from 2 sources (Active Directory and Open Directory) to one (Active Directory). I thought my fellow co-workers would like some notes (as well as you, gentle reader) on how to accomplish the following:
All computers under your control authenticate against Active Directory.
All users’ home directories are stored on a Mac OS X file server running AFP and SMB.
All “special folders” on the PC side (Desktop, My Documents, Application Data) are redirected to the user’s home directory.
All Macintosh home directories are mounted via AFP as the user’s “home” folder.
What this hopes to provide is a streamlined user experience, with access to their documents and settings on any computer they log on to, be that a Macintosh (which we prefer in these parts) or a PC (there’s no accounting for taste…).
Some assumptions about your current setup:
- You already have and know how to administer your Active Directory
- You already have and know how to administer a Mac OS X server
- You are (somewhat) comfortable in the Mac OS X CLI (Terminal.app, or your preferred application)
So here’s a step-by-step on how to accomplish this:
- Set your server up to be an Open Directory Master: in Server Admin, select Open Directory, click Settings, and change the role to “Open Directory Master”. Enter your admin username and password. The Kerberos Realm Name should be the fqdn of your server, and the Search Base should be your.domain.tld expressed as dc=your,dc=domain,dc=tld (no spaces!)
- After entering the above values, click Save. Your server will chug for a few moments while it sets up a Kerberos domain and updates a bunch of LDAP configuration entries
- Go here and follow Clint’s great writeup. (I’ll grab those pages and archive them in case they go away…)
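As an added example (my own script, not part of the original post and not Apple’s tooling), here is a small sh snippet that builds the search base string from a domain name the way the Open Directory setup wants it, checks that it contains no spaces, and then verifies the freshly promoted master actually answers over LDAP and hands out Kerberos tickets using the stock `ldapsearch` and `kinit`/`klist` binaries. The server name, domain and admin user are placeholders you substitute for your own; the realm is passed in exactly as you typed it into Server Admin, since Kerberos realm names are case-sensitive.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the Open Directory
# Master setup above. Assumes ldapsearch and kinit are on the PATH (they ship
# with Mac OS X Server) and that SERVER, DOMAIN, REALM and ADMIN are placeholders
# for your own values.

# Print "dc=your,dc=domain,dc=tld" for the domain "your.domain.tld".
domain_to_searchbase() {
  printf '%s' "$1" | awk -F. '{
    for (i = 1; i <= NF; i++)
      printf "dc=%s%s", $i, (i < NF ? "," : "")
  }'
}

# Return 0 only for a well-formed search base: dc= components joined by commas,
# no whitespace anywhere (the "no spaces!" rule from the setup step).
searchbase_is_valid() {
  printf '%s\n' "$1" | grep -Eq '^dc=[A-Za-z0-9-]+(,dc=[A-Za-z0-9-]+)*$'
}

# Post-promotion check: an anonymous base-scope search on the suffix must return
# the suffix entry, and kinit must obtain a TGT in the realm you configured.
# Usage: verify_od_master server.domain.tld your.domain.tld server.domain.tld diradmin
verify_od_master() {
  server="$1"; domain="$2"; realm="$3"; admin="$4"
  base=$(domain_to_searchbase "$domain")
  if ! searchbase_is_valid "$base"; then
    echo "bad search base: '$base'" >&2
    return 1
  fi
  # LDAP side: the suffix entry should exist on the new master.
  ldapsearch -x -H "ldap://$server" -b "$base" -s base '(objectClass=*)' dn || return 1
  # Kerberos side: ask for a ticket for the admin principal, then list the cache.
  kinit "$admin@$realm" && klist
}
```

`domain_to_searchbase` and `searchbase_is_valid` run offline; `verify_od_master` is the check to run once Server Admin reports the role change finished, and a failure on the `ldapsearch` line (no suffix entry) or the `kinit` line (no ticket) tells you which half of the promotion did not take.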