In your corporate network, how do you handle Mac OS X users on your Active Directory based network? What are some specific things you do to cater to the Mac OS users?
We are specifically having issues with the following:
- Password expirations (specifically that there is no notification given to the user while they are logged in).
- Finder not consistent about using Kerberos. Browse to a Windows server in "All…" and open an SMB share, you'll have to authenticate. However, when you use Finder's "Go to Folder…" action or access via `smbclient -k`, the system will properly use Kerberos. Is this a bug? Is there any workaround? Do you just mount the needed drives at logon? If so, how do you manage these login scripts?
- VMs. Nearly everyone uses either Parallels Desktop or VMware Fusion. Do you join these VMs to the domain as well? Do you do anything else special with VMs?
- File share compatibility. If we let the Mac users use an SMB share on a Windows server, the Macs have to leave `.DS_Store` everywhere for compatibility. Letting the Windows users use SMB on a Mac server is my best option, as the Mac users can use AFP (enabling the use of resource forks, instead of leaving `.DS_Store` everywhere). Additionally this will allow Mac OS users to use Spotlight on the server mounts.
- The directory application shows a number of system accounts, cluttering it up. Do your users even bother using this application? If so, have you found a way to hide them?
Best Answer
I have a few Xserves running as file servers in an Active Directory environment. The golden triangle approach has worked great for me: http://www.bombich.com/mactips/activedir.html. I set mine up following those directions exactly, and here are my experiences:
`sudo dsconfigad -enableSSO`
`defaults write com.apple.desktopservices DSDontWriteNetworkStores true`
Active Directory provides the username and password, as well as some group memberships and user policies. AD only targets Windows users. I don't have admin rights on Active Directory. I have to get permission to join my Xserves to the domain. I have no ability to modify the AD schema at all. If I wanted to extend certain OS X specific policies to my Mac users, I can do so via my Open Directory master. The Bombich document explains how.
Hope that helps some!
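
For the password expiration issue raised in the question, a login-time notifier needs to work out when the Active Directory password expires. The following is an added example, not part of the original question or answer: it computes the expiry from the AD attributes `pwdLastSet`, `maxPwdAge` and `userAccountControl`. It assumes those values have already been read from the directory; the function names are hypothetical, the sample values are constructed, and fine-grained password policies are not considered.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD counts 100 ns ticks from here
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag
NEVER = -(2 ** 63)               # maxPwdAge value meaning "no maximum age"


def password_expiry(pwd_last_set, max_pwd_age, user_account_control=0):
    """Return the UTC expiry time, or None if the password never expires.

    pwd_last_set: user's pwdLastSet (100 ns ticks since 1601-01-01 UTC)
    max_pwd_age:  domain's maxPwdAge (stored as a negative tick count)
    """
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return None
    if max_pwd_age in (0, NEVER):
        return None
    if pwd_last_set == 0:
        # "Must change at next logon": treat as already expired.
        return FILETIME_EPOCH
    ticks = pwd_last_set + abs(max_pwd_age)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def expiry_notice(pwd_last_set, max_pwd_age, now, warn_days=14, user_account_control=0):
    """Return a message for the logged-in user, or None if no warning is due."""
    expires = password_expiry(pwd_last_set, max_pwd_age, user_account_control)
    if expires is None:
        return None
    remaining = expires - now
    if remaining <= timedelta(0):
        return "Your domain password has expired. Change it now."
    if remaining <= timedelta(days=warn_days):
        return "Your domain password expires in %d day(s)." % remaining.days
    return None


def to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks (used for the sample data)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    now = datetime(2024, 2, 5, 9, 0, tzinfo=timezone.utc)
    last_set = to_filetime(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    max_age = -42 * 86400 * 10_000_000   # 42-day policy
    print(expiry_notice(last_set, max_age, now))
```

Run periodically in the user's session (for example from a launchd agent), the returned message can be shown as a dialog so the user is warned while logged in.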