2006-02-23 #1

Created by arte.
MacOS X mobile homes with Active Directory integration

I just had a >>hard time looking up information on how to get my PowerBook integrated into our Windows domain. This in itself is not really difficult with the Active Directory plugin provided by Apple. However, I also wanted the mobile home feature that allows me to have a server-side home directory synchronized to my laptop.

The issue was that whatever I did, I could not get the Mac to find the network home directory stored in AD: I always got /Users/leo, which is clearly wrong. What I found out the hard way was that on Windows 2003 servers the computer account my AD plugin binds with is not privileged to read this attribute. Luckily there is a group left over from the days of Windows 2000 and NT upgrades, "Pre-Windows 2000 Compatible Access", whose members (such as the computer account for my Mac) may read user attributes including HomeDirectory.

So, what's left? I didn't want the network home on the Windows 2003 share, as it is CIFS/SMB, which I don't trust with Mac files even though Apple supports it. This is where >>Kerberos comes in. First I had to decide which services to "kerberize": in my case host and afpserver. I followed the instructions found >>here to get a Kerberos keytab, and it worked out of the box: after logging into a client with the AD plugin I don't have to re-authenticate on my server. I just couldn't get into the server with ssh anymore. Luckily I still had a window open, so I added another keytab entry for ssh, and since then it's all perfect.

Last but not least is the mobile home. This is relatively easy: bind the server to AD as well and create a local Open Directory group to which you add the AD users who have Apple computers. Then you can manage that group with Workgroup Manager to enable a mobile home. To have the network home on your server, let the AD admin change the user's HomeDirectory to \\yourserver\Users\user and export a share named Users on the server.

The steps are these (links above):

  1. Back up the home directory on the laptop to the server
  2. Create a local admin account on the laptop
  3. Bind the laptop to AD and OD
  4. Put the laptop's computer account into the Pre-Windows 2000 Compatible Access group
  5. Get the AD admin to change the home location
  6. Kerberize the login window (change /etc/authorization)
  7. Bind the server to AD
  8. Create the Mac group on the server and manage its preferences
  9. Export the share on the server for user homes (home directories are not auto-created!)
  10. Log into the laptop with the AD user
Wow, now if I could get my Kerberos ticket after a reboot of the laptop I would be mighty happy.
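The two things that went wrong above (the AD plugin silently falling back to /Users/leo, and a keytab that lacked the entry one service needed) are both visible in tool output, so here is an added example, not from the original post, of checking for them from a script. It feeds text captured from `klist -k` and from `dscl "/Active Directory/All Domains" -read /Users/leo` into two small checks. The host name afp.example.com, the realm EXAMPLE.COM, the user leo's record contents, the `ssh` service name used to illustrate the missing entry, and the attribute names SMBHome and NFSHomeDirectory as mapped by the AD plugin are all assumptions; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the two
# failure modes described above, run against text captured from the real
# tools. Host name, realm, user record and sample outputs are constructed.

# Constructed sample of `klist -k` on the AFP server: host and afpserver
# have keys, nothing else does.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------
   3 host/afp.example.com@EXAMPLE.COM
   3 afpserver/afp.example.com@EXAMPLE.COM'

# Constructed sample of the user record as the AD plugin shows it when it
# could not read HomeDirectory: only the local default is present, which is
# exactly the /Users/leo symptom. Attribute names are an assumption.
SAMPLE_DSCL_BROKEN='RecordName: leo
NFSHomeDirectory: /Users/leo
UniqueID: 1029383746'

# The same record once the computer account is in Pre-Windows 2000
# Compatible Access and the admin has set HomeDirectory (assumed mapped
# to SMBHome by the plugin).
SAMPLE_DSCL_OK='RecordName: leo
NFSHomeDirectory: /Users/leo
SMBHome: \\afp.example.com\Users\leo
UniqueID: 1029383746'

# check_keytab LISTING FQDN REALM SERVICE...
# Reports every SERVICE/FQDN@REALM principal absent from LISTING on stderr
# and returns 1 if any is missing, 0 otherwise.
check_keytab() {
  listing=$1; fqdn=$2; realm=$3; shift 3
  missing=0
  for svc in "$@"; do
    principal="$svc/$fqdn@$realm"
    # Fixed-string match with a leading blank so "server/" cannot match
    # "afpserver/".
    if ! printf '%s\n' "$listing" | grep -Fq -- " $principal"; then
      echo "keytab: missing $principal" >&2
      missing=1
    fi
  done
  return $missing
}

# network_home RECORD
# Prints the UNC path from the record's SMBHome attribute, or returns 1
# when it is absent (the plugin fell back to the local /Users/<name> home).
network_home() {
  unc=$(printf '%s\n' "$1" | sed -n 's/^SMBHome: //p')
  [ -n "$unc" ] || return 1
  printf '%s\n' "$unc"
}

# Usage: verify the new keytab from a session you still hold, as the post
# learned to, before relying on it for ssh.
check_keytab "$SAMPLE_KLIST" afp.example.com EXAMPLE.COM host afpserver ssh \
  || echo "add the missing key before you close your last ssh session" >&2
network_home "$SAMPLE_DSCL_BROKEN" \
  || echo "AD plugin cannot read HomeDirectory; check group membership" >&2
network_home "$SAMPLE_DSCL_OK"
```

On a live machine replace the constructed strings with `"$(klist -k)"` and `"$(dscl "/Active Directory/All Domains" -read /Users/leo)"`; the checks themselves only inspect that text, so they can run before anything is changed.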
    thinkberg
    subconscious opinions
    Copyright © 2005-2008 Matthias L. Jugel | SnipSnap 1.0b3-uttoxeter