Active Directory Support?
Superchicken
Addicted to MacNN
Join Date: Mar 2002
Location: Winnipeg
Dec 5, 2004, 09:42 PM
 
One of my profs was talking to me a few weeks ago and said that he wanted to get a Mac but that the network guys didn't want him to get one because then he couldn't use the school's Active Directory stuff or something. Granted, if it's what lets us log on with our accounts to go online in the computer lab, I have no idea why any prof would want to use that, but whatever.
     
Dr. Smoke
Forum Regular
Join Date: Sep 2004
Location: Earth
Dec 5, 2004, 09:48 PM
 
Mac OS X 10.3 Panther includes support for Active Directory, i.e. if your professor gets a Mac, it can be configured to use Active Directory for authentication.

Here is a list of all the AppleCare Knowledge Base documents related to Active Directory as proof.
Good Luck!

Dr. Smoke
Author: Troubleshooting Mac OS X
     
CatOne
Mac Elite
Join Date: Nov 2001
Dec 6, 2004, 12:49 PM
 
Originally posted by Superchicken:
One of my profs was talking to me a few weeks ago and said that he wanted to get a Mac but that the network guys didn't want him to get one because then he couldn't use the school's Active Directory stuff or something. Granted, if it's what lets us log on with our accounts to go online in the computer lab, I have no idea why any prof would want to use that, but whatever.
Yes, OS X can log on via Active Directory. This is really only possible with 10.3 -- and you're best off with versions later than 10.3.4.

Just go to Applications/Utilities/Directory Access and configure the Active Directory plug in -- documentation is available somewhere at www.apple.com/server/documentation.

Note that Active Directory is used for centralized user management -- accounts are in Active Directory, not on the local machine (meaning, then, that you can log into ANY machine that's connected to Active Directory, and not go to System Preferences to create an account). This is very useful for IT folks. And many have policies that only "bound" machines are permitted on the network. There are many good reasons for using a Directory Service (including Active Directory or Apple's own Open Directory), so just because you don't know what it is doesn't mean it's stupid or worthless.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Dec 6, 2004, 04:06 PM
 
Originally posted by Superchicken:
One of my profs was talking to me a few weeks ago and said that he wanted to get a Mac but that the network guys didn't want him to get one because then he couldn't use the school's Active Directory stuff or something.
We do it here at our University with Panther boxes. I did it about a year ago with a Jaguar box but it was ugly.
Granted if it's what lets us log on with our accounts to go online in the computer lab I have no idea why any prof would want to use that but whatever.
My guess is that your professor couldn't care less whether his computer was "using" the school's Active Directory or not; it's most likely the network admins that require this. The big deal with getting computers bound to a directory such as Active Directory (really just LDAP with some "special" Microsoft sauce) is that "policies" can be enforced on users and groups. Policies include things like startup scripts and disallowing certain security-related control panel settings like "auto-login". This model also allows for client computers to authenticate to the server rather than locally, meaning that accounts are managed centrally on the server (fewer IT headaches).

Macs have been able to talk to directory servers such as Active Directory for some time, but all they can really do is say, "Hey, my username is <user> and my password is <password>". It is possible to employ security policies for Macintosh clients on an Active Directory server, but it's kinda a pain in the butt and the various solutions for doing so range in robustness.

But yeah, Macs'll talk to AD just fine.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
larkost
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Dec 6, 2004, 05:27 PM
 
Active Directory is a very complicated topic... and can be used in a lot of ways:
  • At its simplest it is just the newest version of the NT domain controller... that is, it gives out addresses to SMB (Windows) servers.
  • The next level is that it can also be used for authentication (providing a common login/password verification); this can include single sign-in through (a modified) Kerberos.
  • The next level is that it can provide login settings, like the location of a network home directory.
  • After that is the layer that provides the ability to lock down/administer networked computers.
10.3 can participate in some level of everything except the last bit. There are a number of limitations, some of which can be addressed using Thursby's ADmitMac.
     
waterbuck
Forum Regular
Join Date: Sep 2002
Apr 30, 2005, 10:30 PM
 
My experience at a university is that a very savvy Windows IT director and an IT employee with great Mac experience, plus a Unix IT person, could not really get my Mac (running Panther) to hook up to their Active Directory System and find my partitions on the servers in all of the various network directories. Yes it could log in, and no we could not open my networked drives and directories (I'm not sure what the right word is). They probably spent, altogether, about 5-8 hours working on it because they also understood that Panther was supposed to work reasonably well with Windows Active Directory and it became a point of pride for them to make it work. After futzing around for all that time, they ultimately gave up. We installed AdmitMac and hooked up with easy flawless drive-finding and file transfers in about 10 minutes.

I think my report is a bit like what larkost is saying above. We could connect to Active Directory to get a domain address and log in. We could not connect to, or even see, networked drives like the ones I ordinarily used from my desktop PC running Windows XP. With AdmitMac all that happened pretty much instantaneously. Plus, at home, I was able to print from my wireless laptop to my wife's PC (which has the printer). Again, AdmitMac simplified setting up the printing to a PC, even though in principle this can be done without AdmitMac.

I don't really understand if Tiger addresses any of the problems we had. I fear that it doesn't since we haven't heard it mentioned much.

Very problematically, AdmitMac won't be Tiger-compatible until August, according to Thursby (the manufacturer) and that depends in part on Apple fixing some aspects of Tiger.

Anyone know enough about Tiger to indicate if it interacts more smoothly than Panther?

Thanks...
waterbuck
G4 1.67 MHz 15" AlBook Rev D
     
winterlandia
Forum Regular
Join Date: May 2001
Location: Bill Gates' Basement
May 1, 2005, 01:05 AM
 
I have been able to bind my mac with an Active Directory with both Panther and Tiger without an issue. I can even get my Windows home directory to map properly and automount when I log in as well as browse the active directory, printers, and server shares no problem which is nice as it doesn't need to reauthenticate every time I hit a new share (it uses my AD credentials). One thing if I remember right is that early versions of 10.3 did have some issues, I think they finally all got resolved around 10.3.4 or so.

From memory, here is how I configured it:

  • Go into Directory Access.
  • There are 2 checkboxes you need to check: Active Directory and SMB.
  • Hit configure on SMB and type in the domain as it is stated in WINS, then put in the WINS IP address (your Windows guru can help you with this).
  • In the Active Directory forest, put the forest name, and make up a computer ID (it will show up in AD Users and Computers as this name).
  • Open up the advanced options and pick cache last user and allow administration by (enter yourself in there and whoever in the AD you want to admin the computer).
  • THEN, hit BIND and type in an AD account in the form of [email protected] and the password (this will likely need to be a domain admin or another AD admin that has access to add machines to the Active Directory).
  • You might think you're all done but you're not; it's still not set to use AD to authenticate yet. So, go back to the main directory services box and instead of being on the Services tab, select the Authentication tab. Pick 'custom path' from the dropdown, then 'add'.
  • Now, pick the path that uses Active Directory authentication (not NetInfo/root; it will be called something else).

There you go!
It works for me.
     
waterbuck
Forum Regular
Join Date: Sep 2002
May 1, 2005, 10:59 AM
 
Seems like you really understand the complexities of the system... I have a sneaking suspicion we didn't get as far as you did and that it's worth a try.
Thanks
G4 1.67 MHz 15" AlBook Rev D
     
larkost
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
May 1, 2005, 06:33 PM
 
AdmitMac: it sounds like your system relies on NTLM v2 or Microsoft Kerberos authentication. AdmitMac adds support for this in 10.3; 10.4 has both natively.
     
waterbuck
Forum Regular
Join Date: Sep 2002
May 2, 2005, 05:47 PM
 
The system does rely on Microsoft Kerberos authentication. It sounds like Tiger may enable us to bypass AdmitMac. I hope it does because I would rather install my copy of Tiger now, and not wait until next August.
G4 1.67 MHz 15" AlBook Rev D
     
Chris Grande
Senior User
Join Date: Mar 2002
Location: CT
May 2, 2005, 06:59 PM
 
Tiger doesn't seem to map AD admin groups to the local admin group anymore.
     