
Re: [Samba] How to Join Mac OSX workstation as AD domain member

On Wed, 27 Jun 2018 19:31:58 +0100 Rowland Penny wrote:
> On Wed, 27 Jun 2018 13:58:46 -0400
> Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Well, I've made some progress. Excuse the detail, but this might help
> > others as I've so far found NOTHING on this, including with the Mac
> > Enterprise maillist (so far).
> > 
> > If I unchecked all the Directory Utility mapping options, I was able
> > to log in! Yeah! But, the UID.GID numbers were 1793602029.1840809715. 
> > 
> > Next I tried just setting the "Map group GID to attribute" to 10000
> > (my 'Domain Users' group). That did nothing to change the GID, but I
> > could still log on.
> > 
> > Leaving the above setting in place, I next tried setting "Map user
> > GID to attribute" to 10000.  That gave me UID.GIDs of 1793602029.20.
> > Strange. 
> > 
> > Next I tried setting "Map user GID to attribute" to the string
> > "gidNumber".  That worked and my UID.GIDs were now 1793602029.10000. 
> > 
> > Next I tried setting "Map UID to attribute" to 10001 (my domain
> > UID).  I couldn't log on at all as the domain user. 
> > 
> > Next I tried setting "Map UID to Attribute" to the string
> > "uidNumber".  That worked and my UID.GIDs were then 10001.10000. 
> > 
> > At this point, I do have correct domain user UID and GID. Upon login
> > the Mac creates folders in the home directory:
> > 
> > $ ls -ln
> > total 0
> > drwx------+  3 10001  10000   102 Jun 27 13:16 Desktop
> > drwx------+  3 10001  10000   102 Jun 27 13:16 Documents
> > drwx------+  3 10001  10000   102 Jun 27 13:16 Downloads
> > drwx------@ 46 10001  10000  1564 Jun 27 13:26 Library
> > drwx------+  3 10001  10000   102 Jun 27 13:16 Movies
> > drwx------+  3 10001  10000   102 Jun 27 13:16 Music
> > drwx------+  3 10001  10000   102 Jun 27 13:16 Pictures
> > drwxr-xr-x+  4 10001  10000   136 Jun 27 13:16 Public
> > 
> > These folders are empty and NOT connected to the redirected desktop.
> > I'm guessing the Mac AD setup doesn't bother much with Group
> > Policies.
> Only Windows uses GPOs (as yet). GPOs operate on the registry and
> only Windows has the registry.

I suspected that, but didn't know for sure. That's great! I'm not a fan of GPOs. I think
they're a "fake" security layer that constrains and often frustrates legitimate users, but poses
absolutely no threat to sophisticated hackers. It's MS's attempt to prop up a fundamentally
insecure OS and, given the number of serious and successful attacks targeting Windows, is not
very effective.
> >  Not necessarily a big deal as the Linux domain members
> > also do not auto-map to the redirected folders on the DC.  However,
> > Linux does create the home folder as specified in sam.ldb and does
> > designate that as $HOME which Mac is not doing. 
> I have never used an Apple machine, so I have no idea about the apple
> OS, but does it have anything similar to PAM ?

I know it uses kerberos. I can successfully log in as a domain user.

> > So, some questions:
> > 
> > If I were either to change this user's unixHomeDirectory (sam.ldb)
> > from /home/HPRS/mark to /Users/mark, would that make a difference?
> Only if '/Users' exists on the MACOS machine and there is something to
> create the users homedir.

/Users does exist and that's where Mac users' home directories are located. I should have
mentioned that in my previous posts.

> > I supposed I could also try creating the /home/HPRS directory on the
> > Mac and see if a login plops me there.
> If '/home/HPRS' doesn't exist, this could well be your problem.

Very interesting. I tried creating /home/HPRS and got the error "Operation not supported". I
found this comment on https://apple.stackexchange.com/questions/88797/how-to-execute-mkdir-in-home-directory:

"/home is used as a mount point for the automounter (see /etc/auto_master and /etc/auto_home),
you can't create your own directories in there."

That's potentially good news.  autofs is *exactly* what I used to mount users' home directories
and redirected desktops on Linux.  It took me a while to work out, but domain users logging
onto Linux domain members get the exact same desktop (and Documents, etc.) that they get when
logging onto a Windows domain member. My next step is to explore this
(https://gist.github.com/rudelm/7bcc905ab748ab9879ea) and possibly I can come up with the same
or similar solution I developed for Linux.

> > On Linux, I've used NFS export on the DC and autofs on the domain
> > member to mount the user's redirected folders. I could try the same
> > thing on Mac.
> As far as I am aware, the  great-granddaddy of MACOS was some form of
> BSD, so I suppose you should treat it more like Linux than Windows.

Well, I "speak" BSD - lotsa BSD386 back in the 90's at Compuserve!

> > Rowland has mentioned vfs_fruit, which I've done some
> > reading on. Is vfs_fruit the recommended way of doing remote mounts
> > on Mac? 
> I have never used it myself, but from my understanding, it is a layer
> between Samba, MACOS and the Unix OS.
> > I have done basic smb mounts from mac using CMD-K >
> > smb:\\host\share. Suggestions on this?
> I have no idea, perhaps someone who actually uses MACOS would care to
> comment.
> Rowland
> PS Have you considered hitting the MACOS machines with a very big
> hammer ? It won't fix the problem, but it would make it go away,
> permanently. LOL

Oh! Noooo! I am stroking the Mac, speaking nurturing things to it, playing New Age iTunes to
soothe it. I have Steve Jobs' favorite incense burning beside it. I want it to LIVE!

Back Story: I spent nearly 2 years getting a Linux domain member to work seamlessly as a domain
member workstation and enlisted 2 office guinea pigs a year ago to give it a shot.  I used KDE
and made it look as identical as possible to Windows 7, even using the Windows 7 background. 
Unfortunately, Linux doesn't run MS Office and my replacements of LibreOffice and Thunderbird
are not quite exact enough, especially with Calc and doing collaborative document exchange with
external users using MS Word.  Even installing a VM to run Windows-only programs like
QuickBooks, Adobe and Foxit had user complications.  Therefore, Management decided to pull the
plug on going Linux instead of Windows.  I, being horrified at the prospect of Windows 10's
lack of security and privacy, suggested Mac.  Mac potentially incorporates the best of both
worlds: the office productivity suite of MS Office, support for QuickBooks and Adobe and the
security benefits of Unix. 

I'm going for an all out revolution in the business world: Samba4 instead of Windows Server,
and Mac workstations instead of Windows 10.  If it works well, I'll evangelize!

Meanwhile, I will continue experimenting with autofs. Confidence is High!

BTW - In all my verbiage in my preceding post, I probably obfuscated my progress so far. To
summarize, simply:

Directory Utility/Mapping:

Set 'Map UID to attribute' to the string "uidNumber"

Set 'Map user GID to attribute' to the string "gidNumber"

Not sure about 'Map group GID to attribute'. Doesn't seem to do anything. More experimentation
needed, but not urgent.

This causes the Mac to pick up the 'Domain Users' group and this user's domain UID. When that
domain user logs in all files and folders on the Mac for that user have the AD UID.GID.

More later after autofs experiments.
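As an added example (not part of this thread or of Samba), a small POSIX shell check that audits an `ls -ln` listing of the Mac home directory against the AD uidNumber/gidNumber the Directory Utility mapping above is supposed to deliver, so a stale or locally created folder shows up right away. The expected values 10001/10000 come from the listing in the thread; the sample listing is constructed (it copies the thread's entries and adds one deliberately mis-owned folder).

```shell
# Added example, not from the original thread.
# check_owner EXPECTED_UID EXPECTED_GID < listing
# Reads `ls -ln` output on stdin, prints one line per entry whose numeric
# owner or group differs from the AD-mapped values, returns 0 if all entries
# match and 1 otherwise. Assumes names without embedded spaces (only $9 is
# printed in the report).
check_owner() {
    exp_uid=$1
    exp_gid=$2
    awk -v uid="$exp_uid" -v gid="$exp_gid" '
        # skip the "total N" line and blank lines
        NF < 9 { next }
        # ls -ln fields: mode links uid gid size month day time name
        $3 != uid || $4 != gid {
            printf "MISMATCH %s owned by %s.%s (expected %s.%s)\n", $9, $3, $4, uid, gid
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample listing: entries from the thread plus one folder owned by
# the local Mac uid 501 / gid 20, the values seen before the mapping was fixed.
SAMPLE_LISTING='total 0
drwx------+  3 10001  10000   102 Jun 27 13:16 Desktop
drwx------+  3 10001  10000   102 Jun 27 13:16 Documents
drwx------@ 46 10001  10000  1564 Jun 27 13:26 Library
drwxr-xr-x+  4 10001  10000   136 Jun 27 13:16 Public
drwx------+  3 501    20      102 Jun 27 13:16 Stale'

# Usage against the sample; on the Mac itself: ls -ln ~ | check_owner 10001 10000
printf '%s\n' "$SAMPLE_LISTING" | check_owner 10001 10000
```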
