Mac OSX Clients in AD server environment - anomalies

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:591B0049-65BF-4994-A208-5B6E74634489@microsoft.com,
Eliot <Eliot@discussions.microsoft.com> made this post, which I then
commented about below:
> Hello all,
>
> Im going to post a basic rundown of our current environment that
> mainly consists of PCs, with a handfull of OSX Mac clients (lets say
> 60odd). Im hoping for some input from anyone else out there in the
> world that has seen similar problems occur in this environment.
>
> File client / server permissions - 10.3.x and 10.4.x clients are
> experiencing problems when renaming folders and deleting files etc on
> the AD file servers.
>
> * Issue occurring on current w2k AD file servers
>
> * Issue occurring in testing on w2k3 AD file servers
>
> * Occurring for a variety of 10.3.x versions inclusive of the latest
> 10.3.9 revision
>
> * Issue also found to occur with 10.4.x clients in testing
>
> * Clients can save documents to the file servers
>
> * Clients can create folders on the file servers
>
> * Clients experience troubles when deleting files in some cases
> (generic permissions based error occurs). Not in all cases.
> Intermittent for some.
>
> * Clients experience troubles when renaming folders with file contents
> (generic permissions based error occurs). Not in all cases.
> Intermittent for some.
>
> * Documents accessed via an OSX client from a 2k file server are
> unable to
> be accessed by other users at the same time, even read access (in
> most cases).
>
> Hopefully thats enough to get the ball rolling.. if at all
>
> Cheers guys.

Sounds like you have your hands full. I had to setup access for 25 Mac OSx
10.3 clients and a Mac server about 9 months ago and it was a pain. I don't
remember the specifics, and don't have the docs and notes on hand, but from
memory, it comes down to first binding the clients to AD using the AD
plugin. We had to also 'kerberize' BSD as well to create a kerberos trust
between the Mac server and AD. Then on the server we allowed access based on
an AD group, and what was unfortunate, it will not allow you to specify some
groups having Read and some groups having Write. It only allowed you to put
in ONE group on the Mac server. Ouch.

As for Windows, I'm not sure how you set it up, but did you install the Mac
service on Windows? If so, did you go into Computer Management to create a
share, specifically a Mac share to allow them access? This method allows AFP
access. If you didn't create a Mac share, then it relies on SMB thru the
normal shares, which should be working providing you set that up to allow
SMB on the Mac machines.

There are plusses and minuses using either AFP or SMB. I perfer SMB because
when users using AFP create a file, and are lazy and don't provide an
extension, the Mac saves it as an AFP file, meaning it will have two files
associated with the one file, one is called the data fork, the other is
called the resource fork. If someone comes in using SMB to view it, all they
will see is the data fork, and when they try to open it and view it, it
errors out because it doesn't know what the data represents. To fix it, we
had to tell the user to go back into each file with the associated program
and resave it with an extension so it saves it as one file without the
forks. The forks, I believe (don't wuote me on it) are based on NTFS
streams, hence why an app opening it if does not use the streams (not many
apps do), it can't open it.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
=================================

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In news:EDA5E810-222D-4EC5-9705-C898EAD2B345@microsoft.com,
Eliot <Eliot@discussions.microsoft.com> made this post, which I then
commented about below:
> Hi Ace,
>
> Thanks for your input towards the problem. I choose not to worry
> about AFP because its just soo old and causes other little issues
> such as file name character limitations etc (30 characters limit).
>
> Im almost beginning to wonder if this is a Kerberos problem, although
> I dont fully understand the interaction between OSX SMB Kerberos and
> AD kerberos.. Perhaps some standards just dont match up.
>
> We have also elected not to proceed with Mac servers as they add
> another layer of administration that we unfortunately dont have time
> to attend to.
>
> Ill keep plugging away at this thing, I might look closely at
> kerberos and see if something is happening there.
>
> cheers.

Using Samba, you are binding the Mac workstation to AD. Here are some links
that may help out. Please read up on them. I listed them by relevance for
you. Sorry, I don't have the docs with me that we put together on the step
by steps. They are at my client's site.

binding the Mac workstation to AD - Google Search: (general search)
http://www.google.com/search?hl=en [...] tion+to+AD

Good one with a step by step: CertMag.com How to...Integrate Mac OS X With
Active Directory:
http://www.certmag.com/articles/te [...] &zoneid=89

MacWindows The web site for Macintosh-Windows integration:
http://www.macwindows.com/

MacDevCenter.com Panther and Active Directory:
http://www.macdevcenter.com/pub/a/ [...] ctory.html

Macs and Windows Server 2003:
http://www.macwindows.com/Win2003.html

Apple - IT Pro - Integrating Mac OS X and Active Directory:
http://www.apple.com/itpro/articles/adintegration/

Mac OS X Server 10.3 Help- Directory Access:
http://docs.info.apple.com/article.html?artnum=163009

Directory Access 1.5 Help Learning About the Active Directory Plug-in:
http://docs.info.apple.com/article.html?artnum=151443

Directory Access 1.5 Help Enabling or Disabling Active Directory Credential
Caching:
http://docs.info.apple.com/article.html?artnum=151445



Ace