Here are the steps to do it on the OSX Server
- Create an OD Master
- Remove the automatic kerberos that is set up
sudo sso_util remove -k -a sadmin -p password -r OD.APPLE.EDU (replace password with your own password used for the sadmin account)
- Use Directory Utility and bind to the Active Directory
- Rejoin the kerberos domain
sudo dsconfigad -enablesso
On the client, Bind to both the AD as well as the OD. In the authentication and contacts custom paths, set the AD to be the first look up
NOTE that augmented records only applies to Group and Computer policies. It also only applies to Services and NOT MCX settings. It is possible to import users from the AD to create augmented records and control them from the Workgroup manager tool.
A very good reference that i have found is the AD-OD Sandbox Guide.
A very good command to use is
dsconfigad
. It is possible to use this command to bind and/or unbind to the AD.
7 Step Golden Triangle
The easiest way of doing the bind is comprises of the following steps
- Make sure that the server is in stand alone mode
- Bind the Server to the AD using Directory Utility
- Promote the server from stand alone to OD Master
- Make sure that in Server Admin, the Kerberos service is stopped in the Overview tab
- Verify the setup of the kerberos domain in the keytab using
sudo klist -kt
- Run from the command-line
$ sudo dsconfigad -enablesso
- Enjoy!