Strog
May 17th, 2005, 17:58
I currently work in a Windows/AS400 shop and they got a G5 the other day for the new marketing person. I was rather surprised when my boss came in the office and asked me what I know about Mac. :wink:

First thing is we need to be able to back this thing up. I looked around at some of the imaging options and noticed that Veritas Backup Exec has an unix backup agent that supports OSX. We have a backup server that runs Backup Exec so it's a familiar solution and that makes my boss a lot happier. While this wasn't my first choice, everything I can do to make this integrate seamlessly into the network increases my chances of getting a Mac at my desk. :silly: I ran the install script and manually started the service. I went over to the backup server and browsed over to the unix agents. The box showed up and all the directories. We ran a backup and verified that it was really working.

Next I need to get it to login to Active Directory with the AD plugin. This turned out to be more frustrating than I hoped it would be. Long story short, our AD domain uses .local for the suffix and that's what Rendezvous uses too, so they weren't talking on the same wavelength. There are some hacks you can do from either end but it can be a bit messy. Fortunately I found a great article (http://www.afp548.com/article.php?story=20041228092123788) that showed me that I just need to create a simple zone file in /etc/resolver/. Back to the AD plugin and add the directory for authentication. It's working like a champ. I logged in with my regular network user/pass and then I logged in remotely via ssh too. I did notice that it won't create your home directory via ssh. I have to login locally once first.

http://screamingelectron.org/~strog/pictures/osx-ad.jpg

Next, I set up the HP Business Inkjet 2800 printer. It set up pretty easily and I checked the box to share it out. Looking at the details revealed that the queue name for lpd is HP_Business_Inkjet_2800. We use the default queue name of L1 on the AS/400 and all Windows boxes with printers have TCP/IP printing installed with the printer shared as L1. I have a diskless PXE image that shares out the printer as L1. We have some commercial linux thin clients that have lp hardcoded into them and the vendor refuses to add an alias. These are annoying when we run into them so I wanted to make this Mac play nice. After much digging through CUPS/lpd/printcap/etc. docs, I finally went to edit /etc/cups/printers.conf by hand. A quick reboot reminded me that several files in /etc are rebuilt on boot and that I need to edit /private/etc/cups/printers.conf instead. Another reboot and my printer is shared out as L1.


<Printer HP_Business_Inkjet_2800> <-- Change to <Printer L1>
Info HP Business Inkjet 2800
Location sales17
DeviceURI usb://HP/HP%20Business%20Inkjet%202800?serial=TH4CK34057
State Idle
Accepting Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
</Printer>

The proxy is asking for user/pass if I go through it and I still have to decide the best route for mapping shares. I've made pretty good headway on this and I have a month before the user actually starts. People keep coming into my office to drool over the 23" Cinema Display and I show them remote desktop to the terminal server, Entourage accessing Exchange, browsing network printers, etc. I hope this is the first of many Macs here. The Vice President of the company is really impressed and was thinking about getting one for his house. He keeps saying "Macs on every desk" but I'll wait for him to approve the purchase order. I'll try to follow up this post as I iron out more details on the integration.
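The two file edits from the post above (the /etc/resolver entry for the .local AD suffix and the queue rename in /private/etc/cups/printers.conf), written up as an added shell example that is not from the original post. It takes the target paths as arguments so it can be run against scratch copies first; the domain "example.local" and the nameserver addresses 10.0.0.10/10.0.0.11 are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the original thread. Domain and nameserver
# values below are placeholders; substitute your AD domain and controllers.

# Create /etc/resolver/<domain> so lookups for the AD suffix go to the
# domain controllers instead of being treated as Rendezvous (.local) names.
# Usage: write_resolver <resolver_dir> <domain> <nameserver> [<nameserver>...]
write_resolver() {
    dir=$1; domain=$2; shift 2
    mkdir -p "$dir"
    : > "$dir/$domain"                       # start from an empty file
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns" >> "$dir/$domain"
    done
    chmod 644 "$dir/$domain"                 # readable like the rest of /etc
}

# Rename one CUPS queue in printers.conf. Only the exact <Printer name>
# header is touched; DeviceURI, Location and the rest stay as they were.
# Usage: rename_cups_queue <printers.conf> <old_name> <new_name>
rename_cups_queue() {
    conf=$1; old=$2; new=$3
    sed "s|^<Printer $old>\$|<Printer $new>|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# List the queue names defined in a printers.conf, to check before/after.
list_cups_queues() {
    sed -n 's/^<Printer \(.*\)>$/\1/p' "$1"
}

# Demonstration against a scratch directory (no root needed). The
# printers.conf content is a constructed excerpt of the one shown above.
demo() {
    work=$(mktemp -d)
    write_resolver "$work/resolver" example.local 10.0.0.10 10.0.0.11
    cat "$work/resolver/example.local"
    printf '<Printer HP_Business_Inkjet_2800>\nInfo HP Business Inkjet 2800\nLocation sales17\n</Printer>\n' \
        > "$work/printers.conf"
    rename_cups_queue "$work/printers.conf" HP_Business_Inkjet_2800 L1
    list_cups_queues "$work/printers.conf"   # prints: L1
    rm -rf "$work"
}

demo
```

On the real box the resolver file goes under /etc/resolver/ and the CUPS edit goes to /private/etc/cups/printers.conf, both as root, followed by a reboot as in the post.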

Kernel_Killer
May 18th, 2005, 00:35
Why not Windows Services for UNIX, and NFS? :wink:

Looks like a great setup! Might have to give it a try at one of our clients if the situation does arise (they use a lot of Macs).

Strog
May 18th, 2005, 15:21
Why not Windows Services for UNIX, and NFS? :wink:

Looks like a great setup! Might have to give it a try at one of our clients if the situation does arise (they use a lot of Macs).

I'd love to use NFS for this but this is a busy fileserver that many people run apps off of. Performance impact is going to play a big part in the decision-making process. It will get a good hard look because it would be really nice if it worked out. I set up my NFS shares in Netinfo Manager at home. I have all my shares automounting in ~/Desktop/Net. The biggest advantage of using automounting with Netinfo is you can make it mount anywhere you want in the file structure transparently without it adding the icon on the desktop for each share. I just happen to put all my mounts in a folder on my desktop but they could be anywhere I like.

I've thought about running pkgsrc over NFS instead of running it in a dmg image. The nice thing about running pkgsrc in an image is that it's totally portable and self-contained. The only thing I have outside of it is my path statement in my shell config and a couple of symlinks for /usr/pkg and /usr/pkgsrc.

Kernel_Killer
May 18th, 2005, 21:35
Surprisingly, the SFU NFS hardly takes up any resources. With two added services, and some command line options, you are good to go. :wink:

Strog
May 23rd, 2005, 12:09
I went with the easy solution for now on mounting shares. If you manually mount a share then there's a file in ~/Library/Recent\ Servers/ for that mount. Just add that to the user's startup and it will automatically mount when they login. I'll look more at SFU and other options but this will suffice for now. I have other projects needing some attention right now. :wink:

The proxy authentication has been more of a pain. You can set up the proxy in the System Preferences on a per user basis and deauth it to keep them from changing it. The problem with this is that while Safari and some other apps use it, Firefox and IE don't use it. I can manually set up Firefox/IE proxy settings and put the user/pass in but they still want to pop up the dialog the first time a session is started. It has been transparent after the initial startup but it's still an annoyance. I'll let Safari be the default and leave it on the dock. The user will have to live with the dialog if they want to use Firefox/IE until I can find a transparent solution for it.

This project has come together really well and I'd say it's 95% done and is definitely usable as it stands right now. I found out that the carpet and furniture won't be in until the day they were supposed to move into the new offices. Looks like this box is going to stay at my desk for a couple extra weeks. :biggrin:

Kernel_Killer
May 23rd, 2005, 12:52
I finally ironed out SFU last night. If you install with NFS Server, PCNFS Authentication, and User Mapping, you are good to go. Go into PCNFS, add your UNIX users, then go to User Mapping, choose to do mapping with files, add the passwd and group files from C:\WINDOWS\System32\drivers\etc and map those users and groups to the Windows equivalent. Go to the properties of the folder to share, go to the NFS Sharing tab, and share away. :biggrin:

Strog
May 23rd, 2005, 14:00
I'll have to check that out and see if I can get AD to use it properly.

Kernel_Killer
May 23rd, 2005, 15:25
You can integrate NIS into AD, or use the PCNFS and manually add each user.

Strog
June 7th, 2005, 10:15
Update:

I received my 10.4 upgrade DVD since we ordered this G5 right before the release. It was right before the Memorial Weekend so I ran the basic upgrade and several things were crashing and having issues. I decided to let it wait until after the holiday to tackle it. I tried the backup and restore upgrade option and got a kernel panic. I decided to do the erase and reinstall after all the hassles and it's running smoothly again.

Now let's start in again and see if all my tweaks/settings still work in Tiger.

I noticed that /etc/resolver isn't there anymore. Either that means it's going to work without any problems or I'm in big trouble. The good news is that it works great. :biggrin:

The smb shares still work but now it opens them on login. I've tried to find ways to stop this behavior but it's really persistent. Good thing the user only needs a couple of shares. I might just write an AppleScript to close the open windows and throw that in the user's login.

The printer tweak still works but there's a second instance that comes up setup as a raw printer. I'll dig into this a little more.

Proxy ( :frown: ). We use Surf Control for content filtering at work. They have set up very elaborate rules and don't want to change solutions. We added a Windows Terminal server and it didn't know how to handle 90 users coming from the same IP address. We had to add a Microsoft ISA 2004 server to use the AD plugin to enumerate the users and give fine-grained control. Spend $1300 and commandeer a backup webserver box to save an $800 investment? :Eyecrazy: Anyway, this makes authenticating to the proxy transparently a bit more difficult. Luckily I found authoxy (http://www.hrsoftworks.net/Products.html) and it worked great. It's a local proxy that sends the auth and supports NTLM. Throw the starter in the user's login, point the proxy at 127.0.0.1:8080 and it works transparently. The downside is that it uses one set of credentials, so when it starts you get the main user's browsing rules (the general rules currently). The other marketing users have been bumped up into higher supervisor/manager rules (everything except the blatant stuff: gambling, illegal, porn, etc.) so this probably won't be an issue.