[MacTUG] FW: [CTSC] [AD-consolidation] Supporting Mac and Unix UID/GUIs

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Mon Jul 25 10:54:23 EDT 2011

Hi there
I thought we should be sharing info about this. A while ago, Erick Engelke presented at UCIST & CTSC regarding AD consolidation, and asked CTSC reps to get input from Mac and other Unix admins. Here is what I sent to him…

From: dsmccrac <dsmccrac at connect.uwaterloo.ca>
Date: Tue, 12 Jul 2011 15:18:02 -0400
To: Erick Engelke <erick at engmail.uwaterloo.ca>
Cc: Marko Dumancic <marko at uwaterloo.ca>, Steve Hellyer <phasetwo at apple.com>
Subject: Re: [CTSC] [AD-consolidation] Supporting Mac and Unix UID/GUIs

Hi Erick

Marko forwarded me this for comments. I am wedged between some meetings and other things I need to get done today, but here are my 2¢…

Firstly, to give you a minor correction (or at least my interpretation of the events), and I believe this one is in line with my comments made at the UCIST meeting where you presented. At the time, the Golden Triangle was not viewed by anyone as a 'perfect solution' to authenticating Macs to AD, but it was (and obviously more by some units than others) viewed as a workable solution for the time being. I believe there was always interest (in at least some members of the group) in eventually fully integrating the Macs into AD, and this point is echoed in an email from Steve Hellyer (Apple engineer who was at the meeting), that is representative of what our opinion was/is.  I was trolling through my old messages to see if I could find any documentation of the view that the Golden Triangle is a workable solution but not the ideal long term option, and the best thing I could find was the email (that I have pasted into the bottom of this email) from a conversation between you and Steve Hellyer (cc'd in this message).

The Golden Triangle is certainly workable and certainly works. While our environment is much less complex than Math/CS, there are numerous situations where the golden triangle makes things much more complex than if AD authentication was happening directly. To be clear, management of the Mac lab machines would still happen through Apple's Workgroup Manager (WGM) software (that is part of OS X Server). WGM would be controlling which groups of people are allowed on which groups of Macs and allowed to run which groups of software, etc. The benefit is that now, Open Directory (OD) is standing in between them as the middleman, and as is often the case, the middleman can sometimes be a problem or at the very least a bit of a pain! Clearly our environment is less complex than Math/CS, but even in our case I find situations where pulling OD out of the equation would be really beneficial. An example is that there have been cases where OUs or Groups in AD needed to be manually replicated in OD.

The only other comments I have are ones where I am paraphrasing Steve (in a call I had with him today about another issue, we briefly discussed this): that Mac integration with AD should be structured in a granular manner so that people can migrate from the golden triangle in an orderly fashion, and when they are sure that their 'workable solution' has a better replacement. Secondly, that integrating Macs with AD works best when the AD structure has not evolved far from Microsoft's intended structures. Obviously, Apple is trying to get their stuff to mesh with how it thinks that Microsoft intends AD to be set up — if there have been changes (even if they are for the better) they may introduce new gotchas. Thirdly, we should think through our home folder needs and ensure that we have a robust NAT/SAN/whatever to handle the load or loads. Remember that OS X does not have a Profile folder for a user but stores stuff in ~/Library. There can be a lot of folder redirection going on to send a lot of this stuff to temp on the local drive (or whatever). Lastly, while 2008 server RC2 and OS X Lion have come a long way towards making this a much easier process, it is still one that should have outside help from consultants that are experts in Mac/AD integration. While we have a lot of experts on campus on AD and lots on Macs (and even the golden triangle), I am not sure we have any experts on Mac/AD integration.

Thanks Erick…

-----Original Message-----
From: ctsc-bounces at lists.uwaterloo.ca [mailto:ctsc-bounces at lists.uwaterloo.ca] On Behalf Of Erick Engelke
Sent: July-06-11 5:27 PM
To: ctsc at lists.uwaterloo.ca
Subject: Re: [CTSC] [AD-consolidation] Supporting Mac and Unix UID/GUIs

When I recently did my AD Consolidation Project slideshow tour, an area that was not well addressed by the Project was how to integrate Mac and Unix systems. I was under the impression that most faculties were content with the Magic Triangle solution from Apple, but Math and CS indicated they were not. I've written up a plan and shared it with the consolidation team, who have then shared it with MikeB's Unix group.  So far no one has objected.

Now I would like you to send it to any Mac or Unix administrators in your faculty to see if they would like to offer input.

