#1 | Moderator | Join Date: Jan 2002 | Posts: 10,677
Tiger and Active Directory
The purpose of this thread:
There are a few of us out there lucky (unlucky?) enough to integrate our Macs into Active Directory. I intend this thread to be a Q&A where perhaps we can swap knowledge and experiences that we've had trying to make OS X and AD play nice.

10.6 = http://forums.macosxhints.com/showthread.php?t=104825
10.5 = http://forums.macosxhints.com/showthread.php?t=66101

I'm going to unstick this in favor of the two newer OSes linked above.

Last edited by yellow; 08-31-2009 at 08:17 AM.
#2 | Moderator | Join Date: Jan 2002 | Posts: 10,677
So, I'm quite happy with Tiger & AD. Why?
It's super easy to bind to AD. Yes, it was pretty easy in Panther too. Because it auto-magically mounts the networked home folder, it actually seems to be reading (some of) the profile on the AD server. Nice. It also can be set up to auto-magically sync (every 20 minutes) the user's networked home folder and the user's local directory! Sweet! No more worries about a user forgetting to copy data to the server! You can now authenticate from multiple domains for binding.

Some things to watch out for (in my experiences so far)...
- Filenames can still be a problem copying from local to remote server. Illegal characters are still a gotcha in Windows, so it takes quite a bit of education and reminders to smooth this problem out.
- Encourage your user to only work/save on the local directory, let the OS sync it. It can be confusing if the user doesn't know what they're saving where and the sync is constantly asking which copy of the file to keep.
- Don't delete off the networked share! This will delete the local copy at next sync. Yikes!
- Still some software out there that isn't Tiger compliant (Now Up-To-Date, I'm looking at you!).

"Real" problems (in my experiences so far)...
I think this is a bug. If you cache a login locally, you cannot specify that the user change their password. You also cannot change the password locally. This is a pain in the ass. For a user to change their password, they have to come and change it on the AD plug-in for XP, and then I have to log in as root, move /Users/foo to the Desktop, delete the (cached) user account from the Accounts prefpane, get the user to log in with their new password, log them out after it's created, log back in as root, move their stuff to the new /Users/foo directory, and make sure to chown/chmod the old stuff to their new UID/GID (just in case). Pain in the ass. Still looking for a better solution.
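An added example (not the poster's code) of the last step in that workaround: re-owning the moved /Users/foo contents to the user's new UID/GID. It assumes nothing about the AD setup. The throwaway home it builds under a temp directory is constructed for the demo, and the function only reports what it would change unless apply=True. Two details matter on a real home that a blanket recursive chown gets wrong: only entries the old UID actually owns should change (files dropped in by root or another user keep their owner), and symlinks must be re-owned as links rather than followed, so a link out of the home can never cause its target to be re-owned.

```python
import os
import tempfile

def _entries(root):
    """Yield root and every entry below it; symlinked directories are not descended."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def reown_home(root, old_uid, old_gid, new_uid, new_gid, apply=False):
    """Return the paths under root owned by old_uid; with apply=True chown them to new_uid.

    Group is changed to new_gid only where the entry carried the old primary
    group. lstat/chown(follow_symlinks=False) act on the link itself, never on
    its target.
    """
    changed = []
    for path in _entries(root):
        st = os.lstat(path)
        if st.st_uid != old_uid:
            continue                       # someone else's file: leave it alone
        gid = new_gid if st.st_gid == old_gid else st.st_gid
        if apply:
            os.chown(path, new_uid, gid, follow_symlinks=False)
        changed.append(path)
    return sorted(changed)

def run_demo():
    """Build a constructed home in a temp dir and dry-run the re-owning.

    Everything here is created by the current user, so old_uid is our own uid;
    the second call uses a uid that owns nothing to show the skip path. Paths
    are returned relative to the temp dir.
    """
    base = tempfile.mkdtemp()
    home = os.path.join(base, "foo")
    outside = os.path.join(base, "outside.txt")   # stands in for a file outside the home
    os.makedirs(os.path.join(home, "Documents"))
    with open(os.path.join(home, "Documents", "notes.txt"), "w") as f:
        f.write("notes")
    with open(outside, "w") as f:
        f.write("not part of the home")
    os.symlink(outside, os.path.join(home, "link"))   # link that escapes the home
    me, my_gid = os.getuid(), os.getgid()
    matched = reown_home(home, me, my_gid, me, my_gid, apply=False)
    untouched = reown_home(home, me + 1, my_gid, me, my_gid, apply=False)
    return {
        "matched": [os.path.relpath(p, base) for p in matched],
        "no_match": untouched,
    }

if __name__ == "__main__":
    print(run_demo())
```

In the dry run the link inside the home is listed (it is the user's link) but outside.txt, the file it points to, never is; with apply=True the same list is what gets chowned, and it is worth reading that list before committing on a home that has been around for a while.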
#3 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
Pretty much same type of experience with Mac AD binding as Yellow has... Very happy with the improvements in Tiger.
My only issue for now is that using the built-in Tiger and Panther tools, you cannot limit user access to computers, which in our case is primordial, as we have (some few) knowledgeable casual workers who could easily gain access to other people's accounts, which we don't want... Using things such as login hooks (can't remember the replacement in Tiger) will not work, as they still allow the user to log in (since it will only kill processes). I need to have a way to check the AD user database and only allow access to users from specific groups... (an option that is great on Linux, PAM modules, is incomplete on Mac, so I haven't been able to use that either). The only "workarounds" I've seen are: using Thursby software (more expensive than the OS per user) and a Mac OS X Server machine acting as a bridge, but our admins will not even hear that suggestion.

In my case we also use Exchange with it, so once again happy users, as they have a choice between Entourage (which I must say has improved with 2004 for Exchange support) and Mail (if they don't need calendaring, though for that they can simply use Outlook Web Access, as our org will not pay for anything like Groupcal and users feel they should not pay for it, aka joys of a Windows-oriented company)... Up to now that works fine for Exchange and loading network drives (we are not implementing home folders), and I've even made a script so our Mac users can check their Exchange mail account size without going to Outlook on Windows...

So that's my pick on it... Will gladly work with others around issues or try to find solutions to our common problems too!
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#4 | Prospect | Join Date: Mar 2004 | Posts: 11
Yellow,
I am with you, man; not very many places out there for us OS X techs that have to integrate with AD. We are currently in test mode with Tiger, home syncing, and such. We are authenticating and syncing. I have even followed an article off of AFP548 about including the Library in my syncing, which makes the clients almost to the point of Windows roaming profiles. The main issue I am seeing is that there is no login/logout hook for the syncing. It is set up for about every 15/20 minutes, so if a user synced 5 minutes before and forgets, logs out, goes to another machine and logs in, his stuff will not be there. If you figure out how to deal with this, please let me know.
#5 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
You should try AD integration when the admins say we will never allow an OS X Server on our network.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#6 | Prospect | Join Date: Mar 2003 | Posts: 3
Can anyone here who has had an easy time binding to AD help me out?
I can bind successfully; what does not happen is that my network home dir (Windows) shows up on login. Sure, I get a Kerberos ticket and can manually mount the drive without an auth challenge, but no automount. Yes, I have disabled localhome. I'm on a clean 10.4.1 install, binding to a Win2K AD domain. lookupd -d userWithName: myUname shows that I am only getting a local home dir and not my network dir. I am almost certain this must be something on the Win2K side. Please help.
#7 | Moderator | Join Date: Jan 2002 | Posts: 10,677
The home directory mount point is specified in the user's profile (on the AD server), right?
#8 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
I hope so... Otherwise you don't get very far...
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#9 | Prospect | Join Date: Mar 2003 | Posts: 3
Yes it is specified. Interestingly enough, I appear to be the only one with a Home Dir path specified.
I'll explain. This is a college. I know that all staff have a home folder, as I can mount the staff drive and see all staff home dirs. However, using an LDAP browser I see I appear to be the only staff member with an explicit home dir path. The path is to the same SMB share I'm manually mounting to reach mine and staff members' home dirs. Odd! So, to answer the question, yes, my home dir is specified as:

homeDirectory: \\serverName\GroupFolder\myUserName

Not sure what the next step is. I need to get with the AD admins and sort out what their system is.
#10 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
Hum... I've been in contact with Apple about possible solutions to limit user access to Macs while bound to AD so that only specific groups will be able to log in. I got a very interesting response from them and wanted to post it here so everyone can try it out.
Haven't tried it yet... I'm off tomorrow so it's going to be on Monday... If anyone else tries it out, do post back your experience with this tip!
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#11 | Prospect | Join Date: Jul 2005 | Posts: 9
We had some clients get some new OS X machines, and I am able to bind to the AD, but my problem seems to be a local permission problem with the Mac.
Anytime I try and use something, it says my AD user does not have permission, so I have to type the local machine user and pass to get the chooser to work. Anyone else seen a problem like this? The Mac is 10.4.2, newest I think. Lance
#12 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
Did you specify anything in the "Allow administration by" field? If a user logs in and is not part of a group that has been granted admin access to the machine before binding the machine, then that user will not have admin privileges... A "lazy" way around this, if the users already have their mobile account listed in the /Users folder, is to go to System Prefs, to Accounts, and put a check mark on "Allow user to administer this computer" for that account.
Any user logging in from AD will by default only have standard account access on the local machine.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#13 | Triple-A Player | Join Date: Jun 2005 | Location: Westchester, NY | Posts: 105
I found it very easy to add my Mac to AD. But other than that I do have some weird issues with it.
I am able to map drives fine and share files, but when I try to log into the domain, it tries to log me into the wrong one even though I have unchecked "use any domain in forest" in Directory Access. When I use lookupd -d and type my user name, it responds with the wrong domain. But when I use either domain\name or name@domain it responds correctly. However, when I try to use either of the latter two options it still doesn't work in the login window. So because of that I actually haven't been able to create a mobile account and see how that works when I'm not in the office. I just keep using locally created users and mapped drives.

Printing is another issue for me. I get a list of all my print servers, I can select a printer, set options, everything looks nicey, nice. I try and print, and get an SMB error. Once I was able to get a print job to print, so I'm not sure what I did then to make it work. Right now I just IP mapped the printers and don't go through my print server.
#14 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
Did you specify the domain in the SMB configuration in Directory Access? When you bound the machine, did you put in the proper domain address or a general one?
Also, if you added custom items to the Authentication and Contacts tabs in DA, once you uncheck the "Any domain" option, you need to go back in, remove the All Domains entry and click on Add again to see the proper entries that you need to add. They should appear in the list when you click on Add under Custom in those two tabs.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#15 | Triple-A Player | Join Date: Jun 2005 | Location: Westchester, NY | Posts: 105
Thanks Raven! Actually I just found that tab and was posting here that I fixed my problem. I had specified the pre-2000 domain in SMB and the AD name under AD, that's why it seemed strange to me. Didn't realize I had to change the other Authentication tab too. GMTA!
Last edited by snowjay; 07-21-2005 at 10:24 AM.
#16 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
So was it all because there was a wrong entry in the Authentication tab? Does printing now work as well?
Would just like to know out of curiosity.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#17 | Triple-A Player | Join Date: Jun 2005 | Location: Westchester, NY | Posts: 105
Well, I logged in, created a mobile account, all seems well. Now I gotta redo all my preferences, unless there is an easy way to migrate/share them with a local account?
But printing still doesn't work. I see the print server, choose the printer, then I get a Samba error with some debug text (PS Matching Mode = Match on host), then if I wait the 60 seconds I get an NT_STATUS_ACCESS_DENIED.
#18 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
To transfer the user account, take a look at the links I posted in this thread. It gives a few options as to how to proceed.
For printing, I'm wondering if the issue is not related to your going through a print server instead of connecting directly to printers mapped in AD... Also, when you take a look at the list of printers you can add that are listed by default in Printer Setup Utility, do you see any printers listed there?
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
#19 | Triple-A Player | Join Date: Jun 2005 | Location: Westchester, NY | Posts: 105
Thanks for the profile "moving" link.
Here is something interesting: my AD user account got locked out. I wonder if it's related to my not printing and getting an access_denied. Perhaps the password is being sent wrong? I do see a list of printers in the first screen; they show as Server-Printer. That is where I have been choosing them, so I guess that's the AD list of printers? I've also tried going to More Printers, selecting my domain, then the server and then the printer, and I get identical results. I'm going to look at the logs on the server to see if it gives me a clue...
#20 | Hall of Famer | Join Date: Jul 2003 | Location: Montreal | Posts: 4,782
If your account is locked, then indeed you will get that type of message.
Also, I discovered when checking on my side that I had two entries I could add in the Authentication tab, and it just happens that all the printers in our AD domain are located on a separate authentication tree... Example:

Users and Computers: ads.company.com
Printers: printers.domain.company.com

That prevented me from viewing all the printers properly for one, and also prevented authentication on some others. Do you know if there is any authentication being used when users try to connect to print servers? Even if it's sent via AD and permissions... Also check to make sure you do have rights to those printers with your user account.
__________________
Waffled foreheads are a symptom of broken keyboards and inexperienced users
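An added example (not from the thread) of the check the locked-out poster in #19 was about to do against the server logs: given failed-logon and lockout records, count which workstation produced the failures in the window before the lockout, which is how you tell a Mac retrying a print job with bad credentials apart from someone else guessing the password. The log format, event names, user names and timestamps are constructed for the example; a real domain controller's security log has its own event IDs and field names, so parse_log would need adapting to it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, simplified from what a domain controller's security log
# records: failed logons per user and workstation, then the lockout itself.
SAMPLE_LOG = """\
2005-07-21 09:40:00 LOGON_FAILURE user=jdoe workstation=WINPC01 reason=bad_password
2005-07-21 10:01:05 LOGON_FAILURE user=jdoe workstation=MACBOOK reason=bad_password
2005-07-21 10:01:06 LOGON_FAILURE user=jdoe workstation=MACBOOK reason=bad_password
2005-07-21 10:02:07 LOGON_FAILURE user=jdoe workstation=MACBOOK reason=bad_password
2005-07-21 10:02:08 LOGON_FAILURE user=jdoe workstation=MACBOOK reason=bad_password
2005-07-21 10:03:09 LOGON_FAILURE user=jdoe workstation=MACBOOK reason=bad_password
2005-07-21 10:03:10 ACCOUNT_LOCKED user=jdoe workstation=MACBOOK
2005-07-21 10:05:00 LOGON_FAILURE user=asmith workstation=WINPC02 reason=bad_password
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+)(.*)$")

def parse_log(text):
    """Parse 'timestamp EVENT key=value ...' lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, rest = m.groups()
        rec = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event": event}
        for kv in rest.split():
            if "=" in kv:
                k, v = kv.split("=", 1)
                rec[k] = v
        records.append(rec)
    return records

def lockout_sources(records, window_minutes):
    """For each ACCOUNT_LOCKED, count that user's LOGON_FAILUREs per workstation in the window before it."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON_FAILURE":
            failures[r.get("user")].append(r)
    result = {}
    for r in records:
        if r["event"] != "ACCOUNT_LOCKED":
            continue
        user = r.get("user")
        counts = Counter(
            f.get("workstation", "?")
            for f in failures[user]
            if r["time"] - window <= f["time"] <= r["time"]
        )
        result[user] = dict(counts)
    return result

if __name__ == "__main__":
    print(lockout_sources(parse_log(SAMPLE_LOG), window_minutes=10))
```

Run with the window set to the domain's lockout observation window: failures that all come from the Mac's hostname at the cadence of the print attempts point at the client sending a wrong or stale password, while failures spread over other workstations are a different conversation.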