ADmitMac vs. Native AD Binding/Home Directories

jafuller
Contributor

Howdy,
I've gotten some questions lately around ADmitMac and if we should look at it for use with our home directory mounting and folder redirection. Just wanted to check in with the group here to see how many were using this type of setup and what pros/cons you see with it versus the native AD binding in 10.6.x. Thanks!

James Fuller | Starbucks Coffee Company | Technology Application Services | application developer II
E: jafuller at starbucks.com | V: 206.318.7153 | F: 206.318.0155

Technology does not drive change -- it enables change.

Matt
Valued Contributor

I would avoid ADmitMac like the plague.

--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com

Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam
Help Desk Hours: Mon-Fri, 6AM-6PM PST

Not applicable

We use it here, and we've had some problems. It does tend to be difficult to deal with updates, as the Setup Assistant must be run manually. Also, we've seen many Macs invalidate their bindings spontaneously, as well as a few cases of local account corruption (requiring dscl to remove the local account, so that it gets regenerated). It did make connecting to network shares and printers a breeze, though, as it took care of the SSO ugliness automagically.

Disclaimer: Nobody here (except me) has a home folder set in AD; login scripts handle that on the PCs.

Mbentley777
Contributor

Matt, can you offer up some background?

For what it's worth – in my tests, Centrify/Quest/Likewise all are capable of Cross Forest Trust, whereas out of the box ADmitMac and the OS X native plugins are only capable of cross domain trusts. If your site has multiple forests you're going to be looking at Centrify/Quest/Likewise.

ADmitMac is capable when it comes to DFS and kerberized printer support. In addition, ADmitMac utilizes its own SMB stack rather than Apple's own. As a result the user experience can be a bit smoother with ADmitMac in those situations.

It's also worth noting that not all services requiring authentication are kerberized – as a result, all clients will fall back to some variant of NTLM (or LM) which will require login and password to be entered in order to authenticate, instead of the single sign-on of Kerberos aware services.

Of course, Lion holds changes – as according to Apple's public page – they've officially committed to DFS support.

Matt
Valued Contributor

I've worked in 2 previous environments with ADmitMac, and one of our groups here uses it. I have nothing but horror stories with it. ADmitMac is notorious for just unbinding or stopping for no apparent reason at all. It's nice to have DFS and Kerberized everything, but at the expense of not having a solid environment I am all against it. I have also seen some interesting file corruption from ADmitMac's SMB stack. If you are using it for AD binding just use the built-in tool; if you are using it for DFS support you might be better off using something like ExtremeZ-IP.

jwojda
Valued Contributor II

I second Matt's comments.

Nothing but issues with ADmitMac.

Since we started using native AD binding, we haven't had domain drops, but now we get duplicate files, temp files, lost files, etc. with AM... even the latest 5.2 version.

Mbentley777
Contributor

Is anyone out there working in a multi-forest scenario?

jonscott
New Contributor

We use ADmitMac here too (v4 and v5), alongside Centrify and Apple AD. There have been a few "domain drops" - at least I think that's what is meant, Macs which have unexpectedly lost their bindings. No real file issues, even though we're using NetApp filers for the most part (for the ADmitMac folks). Also no network homes or multiple forests.

Does (or has) anyone use a mixed environment of ADmitMac and Apple's plug-in, for clients sharing files? I'm not sure how a mix of Macs with ADmitMac/Centrify/Apple and a mix of OS (10.4-6) will behave when sharing the same files on the same shares, because of ADmitMac's own SMB stack. We have 10.4 Macs with ADmitMac, 10.5 with Centrify, and 10.6 with neither!

jimmy-swings
Contributor II

Thanks for your responses. We recently evaluated ADmitMac and other products for cross forest authentication but have found that ADmitMac doesn't support these features. We have had great success with Centrify and other similar products.

kstrick
Contributor III

Used to have ADmitMac here, but switched away from it…
binding broke too often, requiring an unbind and rebind…
also, Get Info in the Finder would freeze up the Finder for about 30 seconds.

I'd go Centrify over ADmitMac, but we've switched to Apple's binding mechanism as it seemed to get a lot more solid for us around 10.8.2…

tkimpton
Valued Contributor II

I used to use ADmitMac for many years.

Over the last years the support is absolutely dreadful and it's so buggy. Apple has done great things with their own built-in connector that we use now. Like kstrick, binding screwed up so many times that it was a real pain.

I had to re-engineer a lot of systems to be able to come away from it, but I am glad I did :)

ADmitMac = run away very quickly

alexjdale
Valued Contributor III

Just to pipe in here, stay away from Quest as well; we had nothing but problems with their QAS and QMX products. Once the native AD plugin became good enough (~10.7.3) I switched us to Casper and things have been great.

We only have one domain, though.

nessts
Valued Contributor II

+1 on no Quest. The first version we had was pretty good but had a minor problem that they had a fix for in the next release, which just introduced more different worse problems, and it never got better over the next year. Went back to Apple's plugin.