Binding to AD with AFP PHDs

New Contributor

Our group is interested in setting up synced portable home directories. We are currently bound to an AD forest that we have no control over, in which case our home directories on the server are set up to be some Samba directory that we do not use at all.

We have some experience with PHDs with an Open Directory server that we set up ourselves for testing when we were rolling out Leopard.

Does anyone know if it is possible to set up synced PHDs on our own AFP server without it affecting AD? We are looking to get more information before we devote a bunch of resources to it.




Honored Contributor

I believe what you want is the golden triangle of an OD server bound to an AD domain controller, then replicate your AD users/groups in OD and it should get its Kerberos and authenticate against AD but use OD for management.

Honored Contributor III

As Tom says.

You'll have a Mac server that's bound to AD, then make it an OD master (10.6 normally sorts the Kerberos out).

Once that's done, open Workgroup Manager, create the group(s) & set the PHD syncing & other MCX you want. Then add AD group(s) to the OD group(s) & point the clients to both AD & OD servers (AD 1st, then OD).

So your clients will authenticate to AD to log in & get a Kerberos ticket. Then pass through to OD server for PHD/MCX settings.



New Contributor

We are currently using Casper for MCX settings because we didn't want to do the Golden Triangle because of complexity.

We just want to sync users' home directories on Snow Leopard clients back to a Snow Leopard server running AFP. If there is a way to configure MCX settings on Casper to do this, that would be awesome. Currently I have tried to configure some MCX settings to sync back to a regular AFP share on a Snow Leopard server, but it won't sync.

We are binding to an AD forest but only have the rights to bind and create computer objects. We have no rights to anything else related to Kerberos or anything else with administering the AD forest.

I tried what was mentioned earlier about the magic triangle, but when it comes to setting up the OD master, it seems to allow you through even with typing in anything when needing to authenticate for Kerberizing any services, but obviously won't do it properly. I am not able to go backwards because I do not know any of the information to undo what was set up.

All in all the less we need to do with AD the better and if we can accomplish it without needing OD in the middle the better also.

Thanks for the help,