Initially talking about roaming profile alternatives for FreeBSD clients over here, I decided to start a new discussion about the usage of FreeBSD as a client OS in an enterprise environment. The reason for the separate thread is that on one hand I don't want to shift the topic of the previous discussion, and on the other hand this question deserves its own discussion because of its significance for the acceptance of the OS.
So first, here comes an overview of the best practices for managing Windows and Apple clients. There are numerous discussions out there about what the best/right approach is. Generally, they boil down to the following solutions (please note that for simplicity I am talking about Windows and OS X clients only! FreeBSD/Linux come later):
Open Directory instead of Active Directory
When using Open Directory for serving Windows clients instead of Active Directory, one has to use the Samba 3 package which comes with OS X Server. Some disadvantages: tedious setup and support, old Samba version, limited AD functionality. What you have is in fact Samba, and not Open Directory serving PCs ... You could put Samba on every BSD/Linux box with the same effect. There is no solution (I am aware of) besides Samba which can extend an OD schema in order to offer some or full AD support to Windows clients. The trick with Active Directory is the proprietary SMB protocol - not the schema itself.
Active Directory instead of Open Directory
Most advice goes in the opposite direction - serving OS X clients through AD on a Windows Server. The point here is that AD offers the most complete (or bloated, depending on the personal opinion) functionality for Windows clients. There are 3 approaches:
- either expanding the AD schema to support Open Directory, or
- by augmenting AD with an OD server, or
- with the Magic Triangle method.
Using plain Samba instead of AD/OD
Samba 4 finally offers an almost complete implementation of Active Directory thanks to the European Commission, which compelled Microsoft to provide full information about the SMB protocol and the internals of AD. You could install Samba 4 on a FreeBSD or Linux server and extend the schema to support Open Directory and Mac Clients. Is this the end of Microsoft's hegemony in business installations?
No! Those of us running mainly FreeBSD or OS X with a couple of Windows boxes would gladly use Samba as the main or only Directory Service in a heterogeneous environment. For the rest of the world - all the companies with dozens or hundreds of Windows-only clients - some additional Windows Server licenses make no difference in price and even less in usability. Don't forget that most of their system administrators speak Windowish only.
Using the Apple Active Directory plugin
* cited from here
"Apple's OS X directory service support is built around LDAP and includes a plug-in architecture. The company provides a small set of plug-ins that enable support for Open Directory, Active Directory, and generic LDAP services. The big advantage for enterprises, however, is that this approach allows third parties to create additional plug-ins that offer greater capabilities than what Apple includes with each OS X release.
Apple's Active Directory plug-in has steadily updated since it was introduced five OS X generations ago, with the most notable improvement in OS X Lion being support for DFS browsing. That said, Apple's Active Directory support has its limitations, as it is primarily aimed at providing authentication and, on its own, offers almost no client management capabilities."
Using third-party software
Thursby ADmitMac, Centrify DirectControl or Likewise Enterprise all offer a Mac-to-AD integration by providing their own plug-ins for Macs willing to obey an AD server. There are two excellent overviews here and here. In my opinion this is the best and most complete solution for paying enterprises which need to manage Macs and Windows PCs through a single directory service.
What about managing FreeBSD or Linux clients? Well, give me a coffee break, I'll post some thoughts about this later.