[unisog] MAC/PC Mixed Mode Environment

nigel kersten nigel at cofa.unsw.edu.au
Wed Jan 12 19:52:41 GMT 2005

On 09/01/2005, at 5:01 AM, Troy Gauthier wrote:
> 1.	Which Server solution should be used? Or should it be a combination
> W2K3/OSX Solution (since I'm pretty sure OSX can readily use MS Active
> Directory)

I'm assuming you're wanting to use the same network users for your Mac 
clients as you do for your Windows clients? with network home 
You have a few options here.

You can have a 'pure' Active Directory setup, with your OS X clients 
being connected to the Active Directory domain.
You can put an OS X Server box in, and get the best of both 
environments, using Active Directory for your authentication, and using 
the OS X Server box to add Mac-specific control over the Mac clients. 
This would be my initial suggestion without getting more info about 
your environment.
You can put an OS X Server box in, and keep the Mac clients isolated 
from the Windows network.

Mac OS X clients could either have their home directories on an SMB 
server, or on an AFP server.
I wouldn't suggest using Services for Mac on the Windows box for home 
directories. The version of AFP it uses will not be satisfactory for 
your OS X clients.
If you're thinking of using AFP for home directories on a Windows box, 
I would suggest investigating solutions such as Extreme Z-IP.

I run my OS X Open Directory Master as a PDC using Samba, and in all 
honesty, I've had my share of problems with it. I wouldn't recommend 
SMB home directories on an OS X Server, but there should be no need for 
you to do this.

The integration features are quite good these days.  Apple have worked 
hard to try and make sure that they 'play well with others', as they 
simply have to. You won't need to modify your AD setup at all if you're 
running the current version of Mac OS X.

You can have your OS X Server box integrate to a Windows Kerberos setup 
as well. This works quite well, with the OSXS box being able to grant 
and accept tickets for your existing Kerberos infrastructure, whether 
that be Windows or standard MIT Kerberos on a *nix.

> 2.	Is there a common interface to manage the clients, perhaps a 3rd
> party solution?
> 3.	best practices to secure and maintain both os's in such an
> environment.

I would have a look at http://www.macenterprise.org (formerly 
MacOSXlabs.org) and join that mailing list.
There are a lot of people doing very similar things to this.

If you're worried about the limitations of a traditional Unix 
'user/group/other' permissions setup, you may want to consider waiting 
until OS X 10.4 comes out in the first half of this year. It will bring 
ACLs to the platform, but really it is just a matter of changing the 
way you think about permissions. You can do pretty much everything you 
need with this kind of a permissions model, it just becomes a bit more 
conceptually difficult if you're used to an ACL setup.

If you have the chance, I'd try and find out if Apple are running their 
Directory Services training course anywhere near you. It would be well 
worth sending someone along to this course, it is one of the best 
training courses they have ever run.

The training materials alone will give you step by step recipes for 
setting things in a way that I think you're looking for.  I can think 
of several examples in this material that would suit your situation.

If you have any more questions you want to ask off-list, please feel 
free to email me.


Nigel Kersten				Systems Administrator
College of Fine Arts, UNSW 	Sydney, Australia.
CRICOS Provider Code: 		00098G
