Magic Triangle (Active Directory + Mac Server)

ds_support
New Contributor III

Hello Community,

We use a mixed infrastructure. Some employees use Macs, the others Windows systems. For the management we use an Active Directory.

On Windows it works great, no issues. With OS X we sometimes have trouble with the user management. I am looking for a solution to get better compatibility between OS X and Active Directory.

I googled a little bit and found a few sites talking about the "Magic Triangle". The "Magic Triangle" combines Active Directory with an OS X Server.

Maybe someone here can tell me the benefits of it? At the moment we very often have the keychain issue and other user management issues. I hope that better compatibility between OS X and Active Directory can fix that.

Many Thanks
Christian


itupshot
Contributor II

@c.knipping To tell you the truth, you really don't need a Magic Triangle anymore. It'll just be adding another level of complexity.

Is it the "login" keychain, or the "local items" keychain that's giving you problems? What other issues are you running into? What OS X version(s) are your client machines running?

Taylor_Armstron
Valued Contributor

What are you trying to accomplish? We need to know what you want in terms of "user management" to really make a recommendation - if you're using Casper (since you're posting in the JAMF forums), there's really no need for OS X server at all....

sdagley
Honored Contributor III

As @itupshot and @Taylor.Armstrong have said, the "Magic Triangle" isn't really appropriate if you're managing AD bound Macs with Casper. For keychain synchronization issues with AD bound Macs, you'll find something like Keychain Minder will be extremely useful.

ds_support
New Contributor III

Hello!

Many thanks for the help! The keychain is a big issue in the company. We have 12 workstations for freelancers; they are iMacs. The 12 workstations are available to all freelancers. On the iMacs we are working with Mobile Accounts. Sometimes, after a freelancer logs in, the keychain crashes and the user gets the typical window to enter a password, but no password works.

Our workaround is to delete the keychain folder and restart the iMac, then it works. I think the keychain crashes because the user changed his password on another Mac or online in OWA (Outlook Web App). After he logs in, the keychain doesn't accept the password and can't unlock. The problem is that the previous password doesn't work.

I think it is a synchronisation issue between AD and the iMac workstation, and AD doesn't update the keychain password.

The two questions are:
1. Is it a problem to work with Mobile Accounts on a freelancer workstation?
2. How can I solve the keychain issue? Every day we need to fix this issue on one iMac.

Many thanks for the help.

Christian

bentoms
Esteemed Contributor

@c.knipping Magic Triangle eh? Wow used that back in the 10.4 days.. as the other folks said.. old method.

For keychains, @sdagley pointed out Keychain Minder; there is also ADPassMon.

sdagley
Honored Contributor III

@c.knipping Yes, if you have a user change their password for an AD bound account on a machine other than the Mac they usually log into, they are going to get an incredibly annoying display of password requests to unlock the login keychain. That is why you need to install something like Keychain Minder: it will detect that the user's current AD password doesn't match their login keychain password, and offer them the chance to fix it.

ds_support
New Contributor III

Ok, I understand. To fix this issue I need Keychain Minder or ADPassMon?

Which program is better, and which one is better to deliver to the Macs?

bentoms
Esteemed Contributor

@c.knipping it's best to test which one works best for your org.

They both offer some keychain management, but work in different ways.

ds_support
New Contributor III

Maybe someone can tell me the difference between these two tools?

Next time I will test Keychain Minder. With ADPassMon I had a few problems installing it with Casper Suite.

mjsanders
New Contributor III

If you do some tests, include the NoMAD project, 'the new kid on the block' in this field. It has similar features for password management in an AD centered deployment as ADPassMon and Keychain Minder, but with certificates and home folder available from the menu.
To be honest: I just played with it and watched a video by Joel Rennich, but his name gives me confidence in this project, which looks like the Apple Connect packages (which are only available with expensive AppleCare support).
See the maclovin blog.

bentoms
Esteemed Contributor

@mjsanders It's funny as the Enterprise Connect sales keynote mentions ADPassMon. :)

sdagley
Honored Contributor III

@c.knipping As @bentoms said, you really need to look at the feature set of the tools mentioned yourself and decide which one best fits your needs as what works for one of us isn't necessarily what will work best for you. In a K-12 environment like I'm currently working with, Keychain Minder is my choice because it only offers the ability to update or reset the user's login keychain to their current AD password. In a corporate environment I might use ADPassMon because of the additional functionality. I can't speak personally on the NoMAD tool @mjsanders mentions, but on first look it appears to be intended to provide the benefits of AD binding without actually requiring AD binding, and that may not apply to what you're trying to achieve.