It’s impossible to keep an updated list of what I’m studying about the latest Apple technologies, but today I’ve successfully completed a “milestone” step towards the integration of OD in a Microsoft AD environment, and I must to write it somewhere.
An essential step in the process of migrating from MSFT to Apple IT infrastructure is the setup of a Mac OS X Server as Open Directory Master, leveraging the KDC service of an existing Active Directory Domain Controller. It’s just a snap to make this new server join a Microsoft-based realm and then installing OD services on it to take advantage of the centrally managed authentication from AD while effectively managing all Mac client with the MCX (Managed Client for X ) system.
What it took me into some troubles was the integration of the AFP (Apple Filing Protocol) service that I need to host Mac users’ home folders into the Microsoft customized Kerberos infrastructure. At the end I only needed to issue the command “dsconfigad -enableSSO” on the Mac server to have all Mac users automatically authenticated through Kerberos TGS (Ticket Granting Service) released by Microsoft’s KDC. Chances are that this behavior was due to a little bug in the Server Admin interface, which didn’t show me the button to join an external Kerberos realm under the OD Service settings tab, since the same machine was acting as an Open Directory Master, as you can view in the next figure.
Now, by using the same AD credentials whichever machine they log on to, my users browse happily both SMB and AFP shares, without being prompted for the same password after the first Kerberos authentication. Another little step was done through the way of adopting Apple technologies in the enterprise.