Re: [Samba] How to Join Mac OSX workstation as AD domain member
- Date: Tue, 26 Jun 2018 20:41:25 -0400
- From: Mark Foley via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] How to Join Mac OSX workstation as AD domain member
On Tue, 26 Jun 2018 15:25:56 -0700 Kris Lou wrote:kvia samba <samba@xxxxxxxxxxxxxxx>
> There are basically 3 ways:
> * dsconfigad (https://gist.github.com/bzerangue/6886182)
OK, I ran 'dsconfigad -show' and got the following results. They basically look OK to my limited
understanding except for the Mapping options. I did check those mapping boxes, but I guess it
also wanted me to fill in actual values. I'll have to do a bit of research as I've no idea what
these values should be, nor do I know what happens if I leave the mappings un-checked as it
says it will then use "dynamically generated information for macOS" (whatever that means).
If any of these other settings look obviously suspect, please advise.
Active Directory Forest = hprs.local
Active Directory Domain = hprs.local
Computer Account = labmac$
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = (null)
Mapping user GID to attribute = (null)
Mapping group GID to attribute = (null)
Generate Kerberos authority = Enabled
Advanced Options - Administrative
Preferred Domain controller = mail
Allowed admin groups = domain admins,enterprise admins
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain
> * via Configuration Profile
What is that?
> * via GUI, which you've found
> There's also a toggle "Allow Network Users to Log in" via System Prefs ->
> Users -> Login Options
I do have that checked, and it allows "All network users."
> However ...
> * Network Homes is difficult (at best)
> * Changing passwords on the DC does not automatically refresh the local
> profile's Keychain
That's bad too! That's kind of the point of AD authentication -- not having to keep lots of
separate passwords all over.
> * Network Users require a constant connection to the DC -- which obviously
> doesn't work well for 1:1.
That's not a problem. If thd AD/DC is down there are other problem. Windows users do get a
local copy of their desktop to work with, which is nice, but the AD/DC is also the only DNS, so
users could not get to the Internet. With Linux domain members, there really isn't an option to
have a local desktop copy (although, I could create a script to "fake" it), but it's pretty
easy to NFS mount the user's home directory, which is then available to that domain user when
he/she logs on per the AD configuration.
> So more sites are favoring Mobile Users (with local homes).
Not sure what that means (I'm a real Mac newbie). When you say "local homes", does that mean
the home directory is stored on the workstation, only? No redirection? How does a "Mobile User"
differ from any other kind of user?
> https://nomad.menu/ helps to solve a lot of the above without binding to AD
> -- but I haven't used it, so YMMV. You might also be interested in the
> MacEnterprise mailing list.
I'll look at the nomad stuff, but this Mac needs to work in an existing Active Directory
system. I'll also look at the MacEnterprise maillist.
Meanwhile, do you have any idea on what should go in the Mapping Options? "Mapping UID to
attribute", what attribute? the UID of a specific domain user? That doesn't make sense. What is
"dynamically generated mapping info"? I'll try doing some research on this. I have a feeling
that these mapping options may be a big part of my problem.
> Kris Lou
> On Tue, Jun 26, 2018 at 2:41 PM, Mark Foley via samba <samba@xxxxxxxxxxxxxxx
> > wrote:
> > Does anyone know how to join a Mac OSX (High Sierra 10.13.5) workstation
> > to a Samba4 domain, or
> > know of a wiki/howto document describing this process? Web searches have
> > turned up plenty of
> > info on running OSX as a Samba4 server, but I can't find anything on
> > joining as a domain
> > member.
> > I do believe I've actually joined (Bind in apple-speak) the workstation
> > itself to the domain
> > using the System Preferences > Users & Groups > Network Account Server.
> > That does show my
> > domain name with a green dot (OK status?). And when I list network
> > computer on the AD server
> > it does list this Mac computer.
> > Problem is, I cannot log in as a domain user. I'm sure I'm doing something
> > wrong, but I can't
> > figure out what.
> > Any help greatly appreciated.
> > THX --Mark
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the