Re: Re: [Micronet] ADmitMac Educational Pricing / pam_ldap

From: Tom Holub <tom_at_LS.Berkeley.EDU>
Date: Thu Jun 03 2004 - 14:18:48 PDT

On Wed, Jun 02, 2004 at 09:58:28AM -0700, Eric Chamberlain wrote:
> > -----Original Message-----
> > From: Tom Holub [mailto:tom@LS.Berkeley.EDU]
> > Sent: Tuesday, June 01, 2004 4:14 PM
> > To: Eric Chamberlain, CISSP
> > Cc: magnet-list@lists.berkeley.edu
> > Subject: Re: [MAGNet] Re: [Micronet] ADmitMac Educational
> > Pricing / pam_ldap
> >
> >
> > I see no mention of either "Mac" or "SAMBA" under "FAQ", or
> > "Documentation", or "Technical->Configuration files and
> > templates", or "CalNetAD Scripts", or "Various CalNetAD
> > Procedures and How To's", or "Configuration Files", or
> > "Support and Tools".
> >
> > In the article "CalNetAD Security NTLMv2", there is no
> > mention of the implications for anything except various
> > versions of Windows.
> >
>
> Tom,
>
> Try
> http://www.google.com/u/berkeley?q=calnetad+mac&sitesearch=berkeley.edu&domains=berkeley.edu
> for Mac information or
> http://www.google.com/u/berkeley?hl=en&lr=&ie=ISO-8859-1&domains=berkeley.edu&q=calnetad+samba&sitesearch=berkeley.edu
> for SAMBA references.

I don't see any documentation on Mac and Samba integration with
CalNetAD with those searches. I also don't see any warnings that
joining your server to AD will mean that Mac, Linux, and Windows XP
Home users won't be able to access it.

> > Could you show me where the documentation about connecting
> > SAMBA clients, and particularly MacOS clients, to CalNetAD exists?
> >
> > I suggest that, instead of blaming the users, the
> > CalNetAD team evaluate its own internal policies to determine
> > why, after several years of warnings of the importance of
> > alternative platforms on campus, CalNetAD still fails to show
> > any interest in supporting non-Windows platforms.
> >
>
> Our documentation is driven by three factors: the number of times the same
> question is asked by our users, areas of interest to our current users (less
> weight is given to requests by units not using CalNetAD), and our 2.8 FTE
> resources. We don't have much documentation for non-Windows platforms,
> because the vendor documentation does not exist. In the case of Apple, they
> have changed their Active Directory integration implementation a number of
> times in the last two years. As I mentioned before, until Panther, not much
> was gained by pointing Macs at CalNetAD.

How would you suggest we allow Macs to access a Windows server which
is joined to Active Directory?

> Apple's AD integration
> documentation has been vague and difficult to follow and none of their
> documentation discusses using Active Directory with an external Kerberos
> Realm. We lack the resources to conduct the R&D necessary to properly
> document what Apple has not. We don't have any Macs in our group and have
> been waiting for someone in our user community that does have Macs to
> provide instructions for other users.

I don't see how it would be possible for us to provide instructions.
We are not Active Directory experts, and we don't have access to any
of the relevant servers to examine what happens when a Mac user tries
to connect.

But I would be glad to provide you a Mac that you could use for
testing.

> In the end, it comes down to resource allocation. Here is our current
> forest machine breakdown:
>
> 1750 Windows XP Professional
> 1376 Windows 2000 Professional
> 481 Undefined
> 190 Windows 2000 Server
> 88 Windows Server 2003
> 67 Windows NT
> 18 Mac OS X
> 1 Samba
>
> Based on these numbers, it doesn't make much sense for us to allocate
> resources documenting systems that are not being used by our user base.

That's a bit of a catch-22, don't you think? There's no documentation
on how to hook up a Mac OS X client to AD, and it doesn't work out of
the box, so of course there aren't a lot of Macs in the forest.

I can tell you that there are many people in L&S who are currently
unable to access our Windows server, who would be joining the forest
if it were possible.

-- 
Tom Holub (tom_holub@LS.Berkeley.EDU, 510-642-9069)
College of Letters & Science
249 Campbell Hall
Received on Thu Jun 3 14:19:12 2004
