Macintosh OS X and Active Directory Integration

2009-08-29 23:21 PDT

Having an interesting issue with an OS X/AD integration. I have a Windows 2003 domain with many servers. I also have an OS X server running Open Directory. The OS X server is bound to AD, and all of the Macintosh clients are bound to both AD and to OD. This forms Apple's "Golden Triangle" and allows users to log in to a Mac using their AD credentials, while allowing you to specify "preferences" for the machine via the OD server. These preferences can be thought of as Group Policies for Macs; however, they are nowhere near as detailed as the catalog of settings you can enforce using Group Policy on the Windows side.

Anyway... I have a small issue with this system, and I am not yet certain where it comes from. My users all have a home directory mapped to the drive letter P:. This is specified in their AD accounts in the form of \\fileserver\users\students\user_name.

Recently, during a MacBook deploy to a small group of students, I discovered that none of them could log in... or more specifically, they were able to log in, but received a message as the Mac tried to mount the sharepoint. I don't have a copy of the message here (it's on my desk at work), but essentially it said that the sharepoint was not available. The students clicked OK to this and the machine proceeded to log them out.

A head scratcher indeed.

The machines are also running Boot Camp with Windows XP, and the students were able to log in and access their mapped drive under XP... so what gives? Also... I was able to log in to a student computer as myself and get my network home folder mapped to my Dock.

With a little bit of thinking, and some experimentation by one of my coworkers, we discovered that if we used the server's correct hostname, rather than the generic "fileserver" CNAME that had been assigned to the machine, the students could log in.

None of this explains why, for the past week, we have had faculty (who have little more in the way of privileges than the students) able to log in to their newly deployed Macs, pulling their network home from the same server, using the same CNAME, with absolutely no problem.

I can see that I will need to do a good bit of testing to see just what permission level the faculty has that grants them access to the fileserver by its CNAME record rather than by its A record. It would make sense to me if this failed for all users, but that it only affects a subset of them makes me wonder what kind of magic is working behind the scenes.

I will update this as I come up with more info.