ADAddMac (2024-11-01, MariHassanzada)
---+ Configuring a Macintosh Computer to Authenticate Against the CSCF Active Directory

---+ This page needs updating

The following needs updates to handle the current !MacOSX. It's possible that this can be replaced by the [[MacImageDeployment][Mac image deployment]] page, which has an "AD Bind" section.

---++ Requirements

   * Apple Macintosh OS X (OS 10) or better.
   * Physical access to the Macintosh.
   * Password for the local Macintosh's <tt>Admins</tt> account.
   * Username and password for a Domain Administrator account in the domain which the Macintosh is to join.

---++ DNS Considerations

When a Macintosh attempts to join an Active Directory domain, it makes several SRV queries to its DNS server. If the DNS server doesn't answer such SRV queries, the Macintosh cannot find the domain controllers it needs to exchange information with, and the attempt to join the domain fails.

For example, in order to join the CSCF Active Directory in the CS-GENERAL domain (<tt>cs.uwaterloo.ca</tt>), a Macintosh makes the following SRV queries:

   * <tt>_ldap._tcp.cs.uwaterloo.ca</tt>
   * <tt>_gc._tcp.cs.uwaterloo.ca</tt>
   * <tt>_kerberos._tcp.cs.uwaterloo.ca</tt>
   * <tt>_kpasswd._tcp.cs.uwaterloo.ca</tt>
   * <tt>_ldap._tcp.cscf.uwaterloo.ca</tt>
   * <tt>_gc._tcp.cscf.uwaterloo.ca</tt>
   * <tt>_kerberos._tcp.cscf.uwaterloo.ca</tt>
   * <tt>_kpasswd._tcp.cscf.uwaterloo.ca</tt>

---++ Client Macintosh Configuration

Here we outline how to configure a Macintosh to authenticate as a member of the CS-TEACHING (<tt>student.cs.uwaterloo.ca</tt>) domain in the CSCF Active Directory.

   1. Log on to the Macintosh using the local <tt>Admin</tt> account.
   1. Open the Directory Access control panel (Applications\Utilities group) and enable Active Directory.
   1. Highlight the Active Directory option and click the Configure button.
   1. Specify the domain name of which the Macintosh is to be a member: <tt>student.cs.uwaterloo.ca</tt>
   1. Specify the Macintosh's hostname as the name with which the AD will create a computer account.
   1. Click on the button for Show Advanced Options and do the following:
      * Uncheck "Create mobile account at login".
      * Uncheck "Force local home directory on startup disk".
      * Under "Use UNC path from Active Directory to derive network home location", set "Network protocol to be used:" to <tt>smb</tt>.
      * *Important:* if you are configuring an Open Directory Server, UNTICK the box "Use UNC path from Active Directory to derive network home location"; this will cause server panic dumps if enabled!
      * Set "Default user shell:" to <tt>/bin/tcsh</tt>.
   1. Select the BIND button:
      * You are prompted for a domain administrator username and password to admit the Macintosh into the CS-TEACHING domain.
      * About 30 seconds later the Mac is a domain member and appears in the AD's computer listings.
   1. Now select the Administrative tab in the Active Directory config tool.
   1. De-select the "Allow Authentication from any Domain in the Forest" option. *IMPORTANT*
   1. Select the "Allow Administration By:" option.
      * Domain Admins and Enterprise Admins for CS-TEACHING should be present.
   1. Click OK.
   1. Return to the Directory Access control panel and select the Authentication tab.
   1. Ensure the Search method reads "Custom Path".
   1. If /Active Directory/All Domains is present, remove it. *IMPORTANT*
   1. Click Add...
      * Select the domain of which you just made the Macintosh a member: <tt>/Active Directory/student.cs.uwaterloo.ca</tt>
   1. Now select the Contacts tab.
   1. Ensure the Search method reads "Custom Path".
   1. If /Active Directory/All Domains is present, remove it. *IMPORTANT*
   1. Click Add...
      * Select the domain of which you just made the Macintosh a member: <tt>/Active Directory/student.cs.uwaterloo.ca</tt>
   1. Click on the Apply button.
   1. Reboot the Macintosh.

After reboot, a user account in CS-TEACHING should be able to log on using its CS-TEACHING password.
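The same client configuration driven from the command line with Apple's dsconfigad(8) and dscl(1), as an added example that is not part of the original page. Assumptions: the hostname and domain-admin username are placeholders passed as arguments, and the two admin groups are the page's "Domain Admins" and "Enterprise Admins" written in the DOMAIN\group form that -groups expects.

```shell
#!/bin/sh
# Added example (not the wiki page's own script): the Directory Access steps
# above, driven with dsconfigad(8) and dscl(1). Run with sudo as the local Admin.
# Assumptions: hostname and domain-admin user are arguments you supply; the
# admin groups are the page's Domain Admins / Enterprise Admins in the
# DOMAIN\group form that -groups expects.
DOMAIN=student.cs.uwaterloo.ca
AD_NODE="/Active Directory/$DOMAIN"
ADMIN_GROUPS='CS-TEACHING\Domain Admins,CS-TEACHING\Enterprise Admins'
OD_SERVER=${OD_SERVER:-0}   # set to 1 when configuring an Open Directory server
RUN=${RUN:-}                # RUN=echo prints the commands instead of running them

# uncpath_setting -> "enable", or "disable" on an OD server, where UNC-derived
# home locations cause server panic dumps (per the page)
uncpath_setting() {
    if [ "$OD_SERVER" = 1 ]; then echo disable; else echo enable; fi
}

# bind_computer HOSTNAME ADMIN_USER -> joins the domain with the page's Advanced
# and Administrative settings. -password is deliberately omitted so dsconfigad
# prompts for it instead of exposing it in the process list.
bind_computer() {
    $RUN dsconfigad -add "$DOMAIN" -computer "$1" -username "$2" \
        -mobile disable -localhome disable \
        -useuncpath "$(uncpath_setting)" -protocol smb -shell /bin/tcsh \
        -alldomains disable -groups "$ADMIN_GROUPS"
}

# set_search_path NODE -> "Custom Path" holding only our domain node, for the
# Authentication (/Search) and Contacts (/Contacts) policies
set_search_path() {
    $RUN dscl "$1" -create / SearchPolicy CSPSearchPath
    # "All Domains" may already be absent; that is fine
    $RUN dscl "$1" -delete / CSPSearchPath "/Active Directory/All Domains" 2>/dev/null || true
    $RUN dscl "$1" -append / CSPSearchPath "$AD_NODE"
}

# configure HOSTNAME ADMIN_USER -> the whole procedure except the final reboot
configure() {
    bind_computer "$1" "$2" && set_search_path /Search && set_search_path /Contacts
}

if [ $# -eq 2 ]; then
    configure "$1" "$2"
fi
```

Run it with the hostname and domain-admin username as its two arguments; with RUN=echo exported first it only prints the dsconfigad and dscl commands for review.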
---++ SMB Server Configuration

By default, the Macintosh client in Active Directory will attempt to mount a user's home disk space via SMB if it is defined for the user's account. This attempt fails if the SMB server for the user's home disk space insists upon packet signing, or as it is called in Active Directory, Digitally Signed Communications. The current Macintosh OS does not support this form of security.

Most file services for Macintosh (and Windows) computers in CSCF are provided by Samba (SMB) servers. Currently maintained Samba servers do not support Digitally Signed Communications, so no modifications are required on a Samba server for a Macintosh to mount user disk space. However, all supported Windows servers insist upon Digitally Signed Communications by default. To disable Digitally Signed Communications on a Windows server, open the default server security policy or local group policy in the server's Administration Tools, look up the following security option and ensure it is DISABLED:

   * <tt>\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally Sign Communications (always)</tt>

---++ Alternate Method for Client Macintosh Configuration

This method accesses the LDAP features of the Active Directory directly. It is well outlined in the following web article: http://www.bombich.com/mactips/activedir.html
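Before attempting either bind method, the SRV names listed under DNS Considerations can be checked from the Mac with dig; this is an added example, not part of the original page. Only check_srv needs network access; the helpers that build the names and parse dig's +short answers ("priority weight port target.") run offline.

```shell
#!/bin/sh
# Added example (not from the original wiki page): confirm the SRV records a Mac
# queries when joining exist before attempting the bind. Domains are the page's;
# dig +short prints one SRV answer per line as "priority weight port target."
SRV_SERVICES="_ldap._tcp _gc._tcp _kerberos._tcp _kpasswd._tcp"

# srv_names DOMAIN... -> every SRV name the client will query, one per line
srv_names() {
    for d in "$@"; do
        for s in $SRV_SERVICES; do
            printf '%s.%s\n' "$s" "$d"
        done
    done
}

# parse_srv ANSWER_LINE -> "target:port" for one +short SRV answer;
# returns 1 for anything that is not a well-formed SRV record
parse_srv() {
    set -- $1
    [ $# -eq 4 ] || return 1
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s:%s\n' "${4%.}" "$3"
}

# check_srv NAME -> 0 when dig returns at least one parseable SRV answer
check_srv() {
    ans=$(dig +short SRV "$1" 2>/dev/null) || return 1
    [ -n "$ans" ] || return 1
    printf '%s\n' "$ans" | while IFS= read -r line; do
        parse_srv "$line" >/dev/null || exit 1
    done
}

# Only query DNS when invoked as "check"; the functions above are usable alone.
if [ "${1:-}" = check ]; then
    rc=0
    for n in $(srv_names cs.uwaterloo.ca cscf.uwaterloo.ca); do
        if check_srv "$n"; then echo "OK      $n"; else echo "MISSING $n"; rc=1; fi
    done
    exit $rc
fi
```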