Using Mountain Lion OS X Server, we'd like to set up an environment where two OS X servers which are under different administrative control trust each other. That is, Server A has users & other resources, Server B has different users & other resources, and each server can share resources with users that belong to the other server (without having accounts for everyone on both servers). This is very similar to having two Windows domains which trust each other -- a common feature of Windows Server. Is there a way to accomplish this with OS X Server?
1 Answer
Open Directory doesn't support domain trusts in the same sense that Active Directory does, but you can mostly fake it. Just set up both servers as Open Directory masters (i.e. each has its own domain that it serves out), then join each into the other's domain (in System Preferences -> Users & Groups -> Login Options -> Network Account Server: Edit). The domains won't know anything about each other, but since each server is a member of both domains, users from both domains can use both servers.
There is a potential hang-up with Kerberos authentication -- I don't know if the services on OS X Server know how to handle this sort of multi-domain membership. If you have trouble with this, you may have to set up a cross-domain trust within Kerberos. I know this was possible with the MIT implementation of Kerberos that Apple used to use, but they switched to Heimdal's implementation starting in OS X v10.7. I assume it's still possible, I just don't know the procedure anymore.
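As an added example (not part of the original answer or of any Apple documentation), here is the "join each server into the other's domain" step from the Server A side, done from the command line with dsconfigldap(8) and then checked with dscl(1), id(1) and kinit(1) rather than through System Preferences. The hostnames od-a.example.com and od-b.example.com, the directory-admin account name diradmin, the test user bob and the environment variables are assumptions; the same script run on Server B with the hostnames swapped completes the other half of the mutual membership.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumed names:
# this host is Server A (od-a.example.com), the other administrator's
# Open Directory master is od-b.example.com, and "diradmin" is a directory
# administrator account on that remote master. Override via environment.
set -u

REMOTE_MASTER="${REMOTE_MASTER:-od-b.example.com}"
REMOTE_ADMIN="${REMOTE_ADMIN:-diradmin}"
LOCAL_HOST="${LOCAL_HOST:-$(hostname -s 2>/dev/null || echo od-a)}"

# Name of the directory node that dsconfigldap registers for a master.
ldap_node() {
    printf '/LDAPv3/%s\n' "$1"
}

# Read `dscl /Search -read / CSPSearchPath` output on stdin and return 0 if
# the given node is in the authentication search path. The output looks like:
#   CSPSearchPath:
#    /Local/Default
#    /LDAPv3/127.0.0.1
#    /LDAPv3/od-b.example.com
search_path_has() {
    sed 's/^[[:space:]]*//' | grep -qxF "$1"
}

# Authenticated bind of this computer into the remote master's domain.
# -f forces an authenticated bind (a computer record is created on the
# remote master under the name given with -c), -n names the local
# configuration, -u/-p are the remote directory admin. The password is read
# from the terminal so it does not land in shell history or in `ps` output
# of this script; it is still visible in the dsconfigldap process itself.
bind_remote() {
    printf 'Password for %s on %s: ' "$REMOTE_ADMIN" "$REMOTE_MASTER"
    stty -echo; read -r pw; stty echo; printf '\n'
    sudo dsconfigldap -v -f -a "$REMOTE_MASTER" -n "$REMOTE_MASTER" \
        -c "$LOCAL_HOST" -u "$REMOTE_ADMIN" -p "$pw"
    unset pw
}

# Confirm that accounts held only on the remote master now resolve here:
# the node must be in the search path, its user records must list, and
# `id` must find a remote user. Then try a Kerberos ticket for that user,
# which is where the answer expects multi-domain membership to break.
verify_remote_users() {
    node="$(ldap_node "$REMOTE_MASTER")"
    if ! dscl /Search -read / CSPSearchPath | search_path_has "$node"; then
        echo "$node is not in the authentication search path" >&2
        return 1
    fi
    dscl "$node" -list /Users | head -n 5
    id "$1" || return 1
    kinit "$1" && klist
}

# Only touch the live system when explicitly asked (DO_BIND=1 ./join.sh).
if [ "${DO_BIND:-0}" = 1 ]; then
    bind_remote
    verify_remote_users "${REMOTE_USER:-bob}"
fi
```

If verify_remote_users fails at the id step, the bind succeeded but the node is being searched for authentication only; check `dscl /Search -read / SearchPolicy` and the node order in System Preferences. Note what this setup does and does not give you: Server A never holds Domain B's passwords, so a Domain B user logging in to Server A is authenticated over the network by Server B's master, and those logins stop working while Server B is unreachable; and there is no trust object to revoke, so "un-trusting" the other administrator means removing the node again with `dsconfigldap -r`.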