Configuring a Macintosh Computer to Authenticate Against the CSCF Active Directory
This page needs updating
The following needs updates to handle the current Mac OS X. It's possible that this can be replaced by the Mac image deployment page, which has an "AD Bind" section.
Requirements
- Apple Macintosh OS X (OS 10) or later.
- Physical access to the Macintosh.
- Password for the local Macintosh's Admin account.
- Username and password for a Domain Administrator account in the domain which the Macintosh is to join.
DNS Considerations
When a Macintosh attempts to join an Active Directory domain, it makes several SRV queries to its DNS server. If the DNS server doesn't respond to such SRV queries, the Macintosh will not be able to find the domain controllers with which it needs to exchange information, and the attempt to join the domain fails.
For example, in order to join the CSCF Active Directory in the CS-GENERAL domain (cs.uwaterloo.ca), a Macintosh makes the following SRV queries.
- _ldap._tcp.cs.uwaterloo.ca
- _gc._tcp.cs.uwaterloo.ca
- _kerberos._tcp.cs.uwaterloo.ca
- _kpasswd._tcp.cs.uwaterloo.ca
- _ldap._tcp.cscf.uwaterloo.ca
- _gc._tcp.cscf.uwaterloo.ca
- _kerberos._tcp.cscf.uwaterloo.ca
- _kpasswd._tcp.cscf.uwaterloo.ca
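A quick way to check the DNS side before attempting a bind is to issue the same SRV queries yourself and confirm each one gets an answer. The script below is an added example, not part of the original page; it assumes `dig` (from the BIND utilities) is installed for the live check, and it ships with a constructed fixture resolver so that the checking logic can be demonstrated offline.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that the DNS resolver
# answers the SRV queries a Macintosh makes before it binds to a domain.
# Assumes `dig` (BIND utilities) is installed for the live check.

# The four SRV names a Mac looks up under a domain, as listed on the page.
srv_names_for_domain() {
    for svc in _ldap._tcp _gc._tcp _kerberos._tcp _kpasswd._tcp; do
        printf '%s.%s\n' "$svc" "$1"
    done
}

# Live lookup: print the SRV answer(s) for one name, nothing if unanswered.
lookup_srv_dig() {
    dig +short +time=3 +tries=1 SRV "$1"
}

# Constructed fixture lookup for the offline demonstration: answers every
# name except _kpasswd, simulating a resolver with one record missing.
lookup_srv_fixture() {
    case "$1" in
        _kpasswd.*) return 0 ;;
        *) printf '0 100 389 dc1.%s.\n' "${1#*._tcp.}" ;;
    esac
}

# check_srv_records DOMAIN [LOOKUP_FUNCTION]
# Prints OK or MISSING per expected name and returns 1 if any record is
# missing, which is the condition under which the domain join fails.
check_srv_records() {
    lookup="${2:-lookup_srv_dig}"
    missing=0
    for name in $(srv_names_for_domain "$1"); do
        answer=$("$lookup" "$name" 2>/dev/null || true)
        if [ -z "$answer" ]; then
            echo "MISSING $name"
            missing=$((missing + 1))
        else
            echo "OK      $name -> $(printf '%s\n' "$answer" | head -n 1)"
        fi
    done
    [ "$missing" -eq 0 ]
}

# Offline demonstration against the fixture; set SRV_CHECK_DOMAIN to query
# the real resolver instead, e.g. SRV_CHECK_DOMAIN=cs.uwaterloo.ca sh srv-check.sh
if [ -n "${SRV_CHECK_DOMAIN:-}" ]; then
    check_srv_records "$SRV_CHECK_DOMAIN"
else
    check_srv_records cs.uwaterloo.ca lookup_srv_fixture || true
fi
```

Run it once for each domain suffix the Mac will query (the page lists both cs.uwaterloo.ca and cscf.uwaterloo.ca); a non-zero exit means at least one SRV name went unanswered and the bind should be expected to fail until the resolver is fixed.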
Client Macintosh Configuration
Here we will outline how to configure a Macintosh to authenticate as a member of the CS-TEACHING (student.cs.uwaterloo.ca) domain in the CSCF Active Directory.
- Logon to the Macintosh using the local Admin account.
- Open the Directory Access control panel (Applications/Utilities group) and enable Active Directory.
- Highlight the Active Directory option and click the Configure button.
- Specify the domain name for which the Macintosh is to be a member: student.cs.uwaterloo.ca
- Specify the Macintosh's hostname as the name with which the AD will create a computer account.
- Click on the button for Show Advanced Options and do the following:
- Uncheck "Create mobile account at login".
- Uncheck "Force local home directory on startup disk"
- Under "Use UNC path from Active Directory to derive network home location", set the "Network protocol to be used:" to smb
- IMPORTANT: if you are configuring an Open Directory Server, UNTICK the box "Use UNC path from Active Directory to derive network home location"; this will cause server panic dumps if enabled!
- Set the "Default user shell:" to /bin/tcsh
- Click the Bind button:
- You are prompted for a domain administrator username and password to admit the Macintosh into the CS-TEACHING domain.
- After about 30 seconds the Mac is a domain member and appears in the AD's computer listing.
- Now select the Administrative tab in the Active Directory config tool.
- IMPORTANT: De-select the "Allow Authentication from any Domain in the Forest" option.
- Select the Allow Administration By: option.
- Domain Admins and Enterprise Admins for CS-TEACHING should be present
- Click OK.
- Return to the Directory Access control panel and select the Authentication tab.
- Ensure the Search method reads, "Custom Path"
- IMPORTANT: If /Active Directory/All Domains is present, remove it.
- Click Add...
- Select the domain for which you just made the Macintosh a member: /Active Directory/student.cs.uwaterloo.ca
- Now select the Contacts tab
- Ensure the Search method reads, "Custom Path"
- IMPORTANT: If /Active Directory/All Domains is present, remove it.
- Click Add...
- Select the domain for which you just made the Macintosh a member: /Active Directory/student.cs.uwaterloo.ca
- Click on the Apply button.
- Reboot the Macintosh
After reboot, a user account in CS-TEACHING should be able to log on using its CS-TEACHING password.
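The same bind can be expressed on the command line so that the settings chosen in the Directory Access steps above are reviewable and repeatable. The script below is an added example, not code from the original page or from CSCF; it assumes a dsconfigad that accepts the flag names from its man page (-add, -mobile, -localhome, -useuncpath, -protocol, -shell, -alldomains, -groups), and that the directory node path matches what Directory Utility shows (the page's /Active Directory/student.cs.uwaterloo.ca is used). The administrator name is a placeholder, and the group-name format is an assumption noted in the code.

```shell
#!/bin/sh
# Added example, not from the original page: the bind the GUI steps above
# perform, expressed with Apple's dsconfigad and dscl tools so it can be
# reviewed and repeated. Assumptions: a dsconfigad with the flag names from
# its man page (-add, -mobile, -localhome, -useuncpath, -protocol, -shell,
# -alldomains, -groups), and that the directory node path matches what
# Directory Utility shows (the page's /Active Directory/student.cs.uwaterloo.ca).

# bind_command DOMAIN COMPUTER ADMIN_USER
# Prints the dsconfigad invocation. No -password flag is given on purpose:
# dsconfigad prompts for it, which keeps the password out of `ps` output,
# shell history and this script.
bind_command() {
    cmd="dsconfigad -add '$1' -computer '$2' -username '$3'"
    cmd="$cmd -mobile disable"                  # "Create mobile account at login" unchecked
    cmd="$cmd -localhome disable"               # "Force local home directory on startup disk" unchecked
    cmd="$cmd -useuncpath enable -protocol smb" # derive the network home from the AD UNC path, over SMB
    cmd="$cmd -shell /bin/tcsh"                 # default user shell
    cmd="$cmd -alldomains disable"              # no "authentication from any domain in the forest"
    # "Allow administration by": group names may need the domain's NetBIOS
    # prefix on some forests (assumption); adjust to what your AD reports.
    cmd="$cmd -groups 'Domain Admins,Enterprise Admins'"
    echo "$cmd"
}

# search_path_commands NODE
# Prints the dscl commands that set the Authentication (/Search) and
# Contacts (/Search/Contacts) search policies to "Custom Path" with NODE as
# the only added entry, matching the page's Directory Access steps.
search_path_commands() {
    for policy in /Search /Search/Contacts; do
        echo "dscl $policy -create / SearchPolicy CSPSearchPath"
        echo "dscl $policy -append / CSPSearchPath '$1'"
    done
}

# apply_bind DOMAIN COMPUTER ADMIN_USER NODE
# With DRY_RUN=1 (the default) the commands are only printed; with DRY_RUN=0
# they are executed in order and the first failure stops the script.
apply_bind() {
    cmds=$(bind_command "$1" "$2" "$3"; search_path_commands "$4")
    old_ifs=$IFS
    IFS='
'
    for cmd in $cmds; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd" || { echo "failed: $cmd" >&2; IFS=$old_ifs; return 1; }
        fi
    done
    IFS=$old_ifs
}

# Dry-run demonstration with a placeholder administrator name. Run as root
# with DRY_RUN=0 on the Mac itself, then reboot as the page's last step says.
apply_bind student.cs.uwaterloo.ca "${COMPUTER:-$(hostname -s 2>/dev/null || echo mac01)}" \
    DOMAIN_ADMIN_PLACEHOLDER '/Active Directory/student.cs.uwaterloo.ca'
```

Review the printed commands first; `dsconfigad -show` afterwards confirms the recorded settings, and the two `-create ... CSPSearchPath` lines are what ensure "/Active Directory/All Domains" is not left in either search path.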
SMB Server Configuration
By default, a Macintosh client in Active Directory will attempt to mount the user's home disk space via SMB if one is defined for the user's account. This attempt fails if the SMB server hosting the user's home disk space insists upon packet signing, or as it is called in Active Directory, Digitally Signed Communications. The current Macintosh OS does not support this form of security.
Most file support services for Macintosh (and Windows computers) in CSCF are provided by Samba (SMB) servers. Currently maintained Samba servers do not support Digitally Signed Communications. Therefore there are no modifications required on a Samba server for a Macintosh to mount user disk space.
However, all supported Windows servers insist upon Digitally Signed Communications by default. In order to disable Digitally Signed Communications on a Windows server, access the default server security policy or local group policy in the server's Administration Tools, look up the following security option and ensure it is DISABLED.
- \Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally Sign Communications (always)
Alternate Method for Client Macintosh Configuration
This method accesses the LDAP features of the Active Directory directly. It is well outlined in the following web article.
http://www.bombich.com/mactips/activedir.html