I believe what you want is the golden triangle of an OD server bound to an AD domain controller, then replicate your AD users/groups in OD and it should get its Kerberos and authenticate against AD but use OD for management.
As Tom says.
You'll have a Mac server that's bound to AD, then make it an OD master (10.6 normally sorts the Kerberos out).
Once that's done, open Workgroup Manager, create the group(s) & set the PHD syncing & other MCX you want. Then add AD group(s) to the OD group(s) & point the clients to both AD & OD servers (AD 1st, then OD).
So your clients will authenticate to AD to log in & get a Kerberos ticket. Then pass through to OD server for PHD/MCX settings.
Regards,
Ben.
We are currently using Casper for MCX settings because we didn't want to do the Golden Triangle because of complexity.
We just want to sync users' home directories on Snow Leopard clients back to a Snow Leopard server running AFP. If there is a way to configure MCX settings on Casper to do this, that would be awesome. Currently I have tried to configure some MCX settings to sync back to a regular AFP share on a Snow Leopard server but it won't sync.
We are binding to an AD forest but only have the rights to bind and create computer objects. We have no rights to anything else related to Kerberos or anything else with administering the AD forest.
I tried what was mentioned earlier about the magic triangle, but when it comes to setting up the OD master it seems to allow you through even with typing in anything when needing to authenticate through Kerberizing any services, but obviously won't do it properly. I am not able to go backwards because I do not know any of the information to undo what was set up.
All in all the less we need to do with AD the better and if we can accomplish it without needing OD in the middle the better also.
Thanks for the help,
Justin