William M. Smith said:
Hi Deanna!
Yes, you have a few options.
Here's a link to Apple's website for a PDF explaining how to authenticate to
AD without having to modify the schema of the AD domain:
http://a192.g.akamai.net/7/192/51/456131c15df370/www.apple.com/education/technicalresources/pdf/ActiveDirectory_070803.pdf
This next PDF details using AD with a Mac OS X server:
http://a1776.g.akamai.net/7/1776/51/7f99c60f0c08bf/www.apple.com/server/macosx/pdfs/MacOSXwithActiveDirectory.pdf
This does require modifying the AD schema.
You'll also find tons of very useful information if you search for "Active
Directory" at
http://www.macosxlabs.org.
ADmitMac from
http://www.thursby.com offers a third party solution for
connecting to AD from a Mac.
I know this is premature, but if you can afford the wait, you may want to
hold off for the release of Mac OS X 10.3 (Panther). According to Apple, it
is supposed to integrate with AD without modifications to the AD schema. See
this
http://www.apple.com/server/macosx/pantherserver.html. This is for
Panther Server, but the client will also support AD connections.
These are a few options available and I'm sure there are more. You'll need
to evaluate your need for strict security vs. simplicity.
Hope this helps! bill
Your particular problem probably has to do with DNS. Make sure you
can ping the FQDN (fully qualified domain name) of the domain. For
example: trinity.nyc.ny.us. One of the domain controllers should
reply. The good news is we got it working just fine as long as you don't
have an email account associated to the user id.
We have been testing Panther for several weeks and confirmed a problem
with the Active Directory plug-in. It will not authenticate against an
Active Directory database that has Exchange 2003 attributes. In
English, if you have Exchange 2003, Windows 2000/2003 servers and a
user id has a mailbox they CAN NOT login to the domain. We have been
working with an Apple consultant and the developer of the AD plug-in
for about a week now. No solution yet. In addition, Apple has not had
the courtesy to post this problem on their support database. Quote
from Apple rep:
"First, I exchanged emails with the Consulting Engineer who's been
architecting & driving the AD plug-in, so have new information.
Unfortunately, OS X 10.3 Active Directory plug-in has not been fully
qualified with Windows 2003 AD Servers.
When we coded & architected the plug-in, Apple could only base work on
a shipping product - at the time W2K AD Server; like everyone deploying
or writing software to work with Windows 2003 Server Software, we had
to wait for shipping & final software. There were changes in Windows
2003 Server and when it was available, pushed a Windows 2003 AD plug-in
outside the 10.3 Panther client development schedule.
Today, there are issues with AD Plug-in & Windows 2003 Server; basic
authentication should work, but you will (as you've experienced) run
into issues. We are already working on an update to work with Windows
2003 AD Servers. As you know, I can't provide an update schedule for
you, but it's a known issue & has attention. It's coming."