Posted on 06-08-2011 09:27 AM
Howdy,
I've gotten some questions lately around ADmitMac and if we should look at it for use with our home directory mounting and folder redirection. Just wanted to check in with the group here to see how many were using this type of set up and what pros/cons you see with it verses the native AD binding in 10.6.x. Thanks!
James Fuller | Starbucks Coffee Company | Technology Application Services | application developer II
E: jafuller at starbucks.com<mailto:jafuller at starbucks.com> | V: 206.318.7153 | F: 206.318.0155
Technology does not drive change -- it enables change.
Posted on 06-08-2011 09:31 AM
I would avoid AdmitMac like the plague.
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Posted on 06-08-2011 10:18 AM
We use it here, and we've had some problems. It does tend to be difficult to deal with updates, as the Setup Assistant must be run manually. Also, we've seen many Macs invalidate their bindings spontaneously, as well as a few cases of local account corruption (requiring dscl to remove the local account, so that it gets regenerated). It did make connecting to network shares and printers a breeze, though, as it took care of the SSO ugliness automagically.
Disclaimer: Nobody here (except me) has a home folder set in AD; login scripts handle that on the PCs.
Posted on 06-08-2011 10:41 AM
Matt, can you offer up some background?
For what it's worth – in my tests, Centrify/Quest/Likewise all are capable of Cross Forest Trust, where as out of the box Admit Mac and the OS X native plugins are only capable of cross domain trusts- if your site has multiple forests you're going to be looking at Centrify/Quest/Likewise.
Admit Mac is is capable when it comes to DFS and kerberized printer support. In addition Admit mac utilizes it's own SMB stack rather than Apple's own. As a result the user experience can be a bit smoother with Admit in those situations.
It's also worth noting that not all services requiring authentication are kerberized – as a result, all clients will fall back to some variant of NTLM (or LM) which will require login and password to be entered in order to authenticate- instead of the single sign-on of Kerberos aware services.
Of course, Lion holds changes – as according to Apple's public page – they've officially committed to DFS support.
Posted on 06-08-2011 10:52 AM
I've worked in 2 previous environments with AdmitMac, and one of our groups here uses it. I have nothing but horror stories with it. AdmitMac is notorious for just unbinding or stopping for no apparent reason at all. Its nice to have DFS and Kerberized everything but at the expense of not having a solid environment I am all against it. I have also seen some interesting file corruption from AdmitMacs SMB stack. If you are using it for AD Binding just use the built in tool, if you are using if for DFS support you might be better off using something like ExtremeZI-P.
--
Matt Lee
FNG Sr. IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
matthew.lee at fox.com<mailto:matthew.lee at fox.com>
Need Help? Call the Help Desk at (310) 969-HELP (ext 24357) or online at http://itteam<http://itteam/>
Help Desk Hours: Mon-Fri, 6AM-6PM PST
Posted on 06-08-2011 11:03 AM
I second Matt's comments.
Nothing but issues with admit mac.
Since we started using native ad binding, we haven't had domain drops,
but now we get duplicate files, temp files, lost files, etc with AM...
even the latest 5.2 version.
Posted on 06-08-2011 11:05 AM
Is anyone out there working in a multi-forest scenario?
Posted on 06-08-2011 11:21 AM
We use ADmitMac here too (v4 and v5), alongside Centrify and Apple AD. There have been a few "domain drops" - at least I think that's what meant, Macs which have unexpectedly lost their bindings. No real file issues, even though we're using NetApp filers for the most part (for the ADmitMac folks). Also no network homes or multiple forests.
Does (or has) anyone use a mixed environment of ADmitMac and Apple's plug-in, for clients sharing files? I'm not sure how a mix of Macs with ADmitMac/Centrify/Apple and a mix of OS (10.4-6) will behave when sharing the same files on the same shares, because of ADmitMac's own SMB stack. We have 10.4 Macs with ADmitMac, 10.5 with Centrify, and 10.6 with neither!
Posted on 12-18-2013 03:18 PM
Thanks for your responses. We recently evaluated ADmitMac and other products for cross forest authentication but have found that ADmitMac doesn't support these features. We have had great success with Centify and other similar products.
Posted on 12-18-2013 03:44 PM
Used to have AdmitMac here, but switched away from it….
binding broke too often, requiring an unbind and rebind…
also, get info in the finder would freeze up the finder for about 30 seconds.
I'd go Centrify over AdmitMac, but we've switched to Apple's binding mechanism as it seemed to get a lot more solid for us around 10.8.2…
Posted on 12-19-2013 08:47 AM
I used to use ADmitMac for many years.
Over the last years the support is absolutely dreadful and its so buggy. Apple has done great things with their own built in connector that we use that now. Like kstick binding screwed up so many times that is was a real pain.
I had to re-engineer a lot of systems to be able to come away from it, but i am glad i did :)
ADmitMac = run away very quickly
Posted on 12-19-2013 08:47 AM
I used to use ADmitMac for many years.
Over the last years the support is absolutely dreadful and its so buggy. Apple has done great things with their own built in connector that we use that now. Like kstrick binding screwed up so many times that is was a real pain.
I had to re-engineer a lot of systems to be able to come away from it, but i am glad i did :)
ADmitMac = run away very quickly
Posted on 12-19-2013 09:35 AM
Just to pipe in here, stay away from Quest as well, we had nothing but problems with their QAS and QMX products. Once the native AD plugin became good enough (~10.7.3) I switched us to Casper and things have been great.
We only have one domain, though.
Posted on 12-19-2013 09:54 AM
+1 on no Quest, the first version we had was pretty good but had a minor problem that they had a fix for in the next release, which just introduced more different worse problems and it never got better over the next year, went back to apple's plugin.