Is Mac OS X 'Tiger' Rolling Over on Windows Support?
By John Rizzo | Posted 2004-07-13
Opinion: Could Apple be skimping on Windows integration with its forthcoming "Tiger" version of Mac OS X? Support for Mac clients in the enterprise still looks scant to many on the front lines.
Apple Computer Inc. CEO Steve Jobs recently waved the flag for a stack of new technologies due in Mac OS X 10.4, such as expanded support for 64-bit processing and the Spotlight search engine. While Mac OS X "Tiger" looks promising, from the perspective of someone integrating Mac clients into enterprise networks, OS X 10.4 looks more like a paper tiger.
At his Apple Worldwide Developers Conference keynote address, Steve Jobs spent a grand total of 30 seconds on the Tiger client's Windows compatibility features. Two of the features listed on the slide (SMB home folders and Kerberos authentication) were features Apple has previously claimed were already in the currently-shipping OS X 10.3, aka "Panther" version. Jobs referred to one of the bullet points as "better authentication with Kerberos and whatever that is." He meant NTLMv2 (NT LanMan), Microsoft's secure authentication protocol.
Now, one could write this off to Jobs' interest in sexy products such as the company's new 30-inch flat-panel display. But this inattention to the Mac as enterprise client extended to other conference sessions later in the week.
If Apple has a cross-platform client strategy for Mac OS X, it is playing it close to its vest.
However, Derick Naef, chief operating officer of networking developer Group Logic Inc., of Arlington, Va., said that WWDC attendees received some useful information about the Tiger client later in the week.
"There wasn't anything groundbreaking, but there were incremental improvements," he said. "They are moving in the right direction."
The promise of even incremental improvements would have been welcome for admins struggling with Mac clients. So why focus instead on the harder sell of migrating from Windows servers to Mac servers?
The answer could be seen in the David vs. Goliath motif plastered over the conference. While Jobs mocked the long development cycle of Microsoft's Longhorn, movie-screen-sized banners all over Moscone Center did the same.
"Apple tends to see their business differently than their customers do," said Paul Nelson, vice president of engineering at Thursby Software Systems Inc., of Arlington, Texas. The company offers a variety of Windows network sharing products for Mac clients.
"Apple sees themselves as competitors to Microsoft. Customers, on the other hand, are concerned about getting the best experience for the money," he said. And that user experience revolves around having Mac clients play nice in Windows networks.
For administrators of enterprise networks, Mac clients are a pain. They still need special care that isn't required with Windows clients. This applies to access to Exchange Server and support for Microsoft server clusters.
Certainly, this situation isn't all Apple's fault, and third-party products go a long way towards filling in the holes. For example, Group Logic's ExtremeZ-IP lets Macs access Microsoft clusters using AFP (Apple Filing Protocol).
Still, the fact remains that this separate and unequal status is a barrier to the wider acceptance of Macs in the enterprise.
The biggest barrier is integration with Microsoft's Active Directory. Apple offers two choices to integrate Panther with Microsoft's Active Directory. You can make changes to the Windows Server schema, a risky proposition that few admins are willing to undertake, or install Mac OS X Server on the network.
A third-party option is to install Thursby Software's AdmitMac tool on the Mac clients. Any way you look at it, the Macs require special treatment.
But even when Macs join the Active Directory, they can still require special handling due to a lack of compatibility with certain Windows authentication features. One such feature is SMB signing, which is similar to a digital signature. SMB signing has been around since Windows NT 4.0, but Windows Server 2003 domain controllers now default to having SMB signing turned on. In order to accommodate Macs, the admin needs to turn off SMB signing in their policy settings. Or, they can add a third-party Mac product such as Thursby's AdmitMac and DAVE, or Sharity 2.9 from Objective Development Software GmbH.
Other deficiencies make Macs less secure on Windows networks. There's currently no support for NTLMv2 authentication unless you add one of the third-party solutions to the Mac. Then there is the problem with cleartext authentication in Windows domains.
"Apple doesn't provide an admin setting to prevent transmission of cleartext passwords, something Microsoft has had since Windows NT 4.0," Nelson observed.
But this isn't a case of poor security with Mac OS X. For instance, you can eliminate cleartext in file serving if you install an Apple Filing Protocol server, such as ExtremeZ-IP, on a Windows server.
"Apple's security is great, until you get into cross-platform situations," Nelson added.
This explains why Kerberos authentication and SMB home folders are on Apple's list of Panther features as well as on the list of new Tiger features. In Panther, they work in all-Mac environments, but are problematic in Windows domains.
In the WWDC sessions, out of earshot of the press, Apple said that it would beef up Kerberos and make SMB home folders work with Windows domains. It also spent some time discussing NTLMv2 authentication for higher security, another feature currently available through the third-party products.
Naef said that Apple was "sending the message that they were pushing to be a good citizen with Active Directory."
For those sites that do run Mac OS X servers, Tiger Server will add ACLs (Access Control Lists), an important feature of Windows Servers that gives administrators and users far more flexible file permissions than the simple read-write-execute of Mac OS X.
For example, ACLs will let Mac server managers specify user and group permissions for creating and modifying files and folders as well as for accessing network services. Windows servers and Unix servers such as Sun Solaris have supported ACLs for years.
But once again, the question is whether Tiger Server's ACL implementation will work in a cross-platform environment. That is, will Mac clients be controlled by ACLs on Windows servers?
"How they actually pull that off will be interesting," Nelson said. "We'll have to see the implementation details to see whether you can do it cross platform."
Meanwhile, Apple isn't spending a lot of effort to promote Tiger's support for ACLs. Jobs' only mention of it was when he said, "Access control lists have been a big request." This was a line that received big applause from the developer audience.
Instead, Apple focused on its big server dreams to the developer crowd. For instance, when describing its Xgrid 1.0 cluster server strategy (which uses Apple's Open Directory), the company emphasized the use of Macs in multimillion-dollar super-computer arrays rather than the enterprise use of clusters.
Nelson considered that Apple's focus on servers and Oracle 10g is paying off in at least one respect.
"The Xserve RAID product helped Apple get back into the enterprise because the price point is much less than the competition. The more Apple can get into data centers, the better for Apple. And, these are the same guys buying Oracle."
Perhaps Apple doesn't yet have a complete enough Tiger vision to encompass enterprise issues such as Active Directory and improved integration of Mac clients. Or the company is holding some cards out for the launch of the OS in 2005. But if Apple really wants to increase its Mac market share with Tiger, it will need just such a strategy.
John Rizzo is the editor of the MacWindows Web site.