<rdf:RDF
    xmlns:s='http://snipsnap.org/rdf/snip-schema#'
    xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'
    xml:base='http://thinkberg.com/rdf'>
    <s:Snip rdf:about='http://thinkberg.com/rdf#start/2006-02-23/1'
         s:name='start/2006-02-23/1'
         s:cUser='arte'
         s:oUser=''
         s:mUser='arte'>
        <s:content>1 MacOS X mobile homes with Active Directory integration {anchor:MacOS X mobile homes with Active Directory integration}&#xD;&#xA;I just had a {link:hard time|http://www.afp548.com/forum/viewtopic.php?forum=24&amp;showtopic=11372} looking up information on how to get my PowerBook integrated into our Windows Domain. This in itself is not really difficult with the Active Directory plugin provided by Apple. However, I also wanted the mobile home feature that allows me to have a server-side home directory synchronized to my laptop.&#xD;&#xA;&#xD;&#xA;The issue was that whatever I did, I could not get the Mac to find the network home directory as stored in AD. I always got /Users/leo, which is clearly wrong. What I found out the hard way was that on Windows 2003 Servers my AD plugin is not privileged to read this information. Luckily I found out that there exists a special group stemming from the days of Windows 2000 and NT upgrades. It&apos;s called something like &quot;Pre-Windows 2000-Authentication&quot; and allows computer accounts (like the one for my Mac) to read user attributes, including the HomeDirectory.&#xD;&#xA;&#xD;&#xA;So, what&apos;s left? I didn&apos;t want the network home on the Windows 2003 share, as it&apos;s CIFS/SMB, which I don&apos;t trust with Mac files, even though Apple supports it. This is where {link:Kerberos|http://www.cgl.ucsf.edu/Security/CGLAUTH/CGLAUTH.html} comes in. First, I had to decide which services to &quot;kerberize&quot;. In my case ~~host~~ and ~~afpserver~~. I followed the instructions found {link:here|http://www.4am-media.com/sso/} to get a Kerberos keytab and it worked out of the box. After logging into a client with the AD plugin I don&apos;t have to re-authenticate on my server. I just couldn&apos;t get into the server with ssh anymore. Luckily I still had a window open, so I added another keytab entry for ssh, and since then it&apos;s all perfect.&#xD;&#xA;&#xD;&#xA;Last but not least is the mobile home. This is relatively easy by binding the server to AD as well and creating a local OpenDirectory group to which you add the AD users with Apple computers. Then you can manage the group with Workgroup Manager to have a mobile home. To have the network home on your server, let the AD admin change the HomeDirectory to {file-path://yourserver/Users/user} and export a share named Users on the server.&#xD;&#xA;&#xD;&#xA;The steps are these (links above):&#xD;&#xA;&#xD;&#xA;1. Back up the home directory on the laptop to the server&#xD;&#xA;1. Create a local admin account on the laptop&#xD;&#xA;1. Bind the laptop to AD and OD&#xD;&#xA;1. Put the laptop account into the Pre-Windows-2000 group&#xD;&#xA;1. Get the AD admin to change the home location&#xD;&#xA;1. Kerberize the login window (change /etc/authorization)&#xD;&#xA;1. Bind the server to AD&#xD;&#xA;1. Create the Mac group on the server and manage its preferences&#xD;&#xA;1. Export a share on the server for user homes (home dirs are not autocreated!)&#xD;&#xA;1. Log into the laptop with the AD user&#xD;&#xA;&#xD;&#xA;Wow, now if I could get my Kerberos ticket after a reboot of the laptop I would be mighty happy.</s:content>
        <s:mTime>2006-02-23 20:42:53.34</s:mTime>
        <s:cTime>2006-02-23 20:33:49.328</s:cTime>
        <s:comments
             rdf:type='http://www.w3.org/1999/02/22-rdf-syntax-ns#Bag'/>
        <s:snipLinks>
            <rdf:Bag>
                <rdf:li rdf:resource='#arte'/>
            </rdf:Bag>
        </s:snipLinks>
        <s:attachments
             rdf:type='http://www.w3.org/1999/02/22-rdf-syntax-ns#Bag'/>
    </s:Snip>
</rdf:RDF>
