As requested by a few PMs, I have put together a How to authenticate to Active Directory on Apple Mac OS X 10.4. You can find the article on How-To-Mac at the following address: http://www.howtomac.co.uk/index.php?...d=16&Itemid=30
Good luck.
How to authenticate to Active Directory.
You will require the following information to be able to authenticate into Active Directory:
Active Directory Domain name
Domain admin User Name and Account
First you will need to run an application called Directory Access. You can find this application in /Applications/Utilities.
You may need to unlock the padlock in order to be able to do anything in this application.
Once you are in Directory Access you will then need to enable the Active Directory plug-in by clicking Enable. When enabled you can then start to configure the plug-in.
Once in the configuration pane you then need to type in your Active Directory domain. So for example I could type in "achme.com". You will then need to type in a computer ID. If you have named your computer correctly it should pick the computer name from there. After all of the above, all you need to do now is click Bind. You will then be asked to put in your username and password. If you put in your Domain Admin username it will start to bind to the Active Directory server. If you are planning on using Boot Camp on the domain, I would suggest you use different computer names for each operating system. Otherwise the trust for each OS will be different and you will find yourself binding to the domain every time you change operating system.
Now you are bound to Active Directory you will need to set an authentication search path. This tells OS X to search Active Directory for a login account. So if you click the Authentication tab and click Add you will see /Active Directory/All Domains. If you add that and then apply, you should now be able to log in.
If you go back to the configure pane on Active Directory in Directory Access you can set the home drive to either be a local home drive in /Users or you can set it to use the home drive of Active Directory. But in order to do this you need to make sure the user accounts can read the folders before their home drive. Make sure it's not inherited to every folder, only to the previous folder.
If you are experiencing problems, for example the login screen vibrates on any login you try, you may want to check that the time settings are in sync and not out by a couple of minutes. I would suggest you point your time server to your Active Directory box.
Last edited by Rozzer; 1st February 2008 at 03:07 PM.
If you can update it, you may wish to point out that they also need to ensure that the time on the Mac is the same (within a couple of minutes) as that on the AD servers.
OD managed preferences work more reliably when the Sharing name (the one OD sees) and the AD name (used to join AD) are not identical. I've had issues in the past where it won't update after the first retrieval if they are the same.
Thanks for that - wish I had found this a while ago. I worked this out the hard way by trial and error. What I can't get to work is that it seems that student accounts on my AD cannot see a hidden share from the Mac, so I had to create a non-hidden share which I called Mac Stuff "Username". They then open the network icon on the Mac and trawl down to the AD server (DATA-1) on my network, and it "maps" a drive on the Apple desktop. Problem is when they log out it doesn't save it because they are not an admin on the Mac. This is really annoying. Does anyone out there know how to get round this other than buying an OS X Server and building an Apple domain? I am trying to force my Mac users (only 12 physical Macs) to save to their Windows home area (H:) so that files are backed up and they don't have local profiles on the Macs at all. I found a good use for the Macs because you can load RDP Client for Mac and remotely control a PC!
When I tried adding my Mac computer to AD I got an error stating "unable to find domain", but the computer can see the domain and is accessing the web. Please help and advise on this.
Just to add to this great tip, check out dsconfigad; this little command has the same functionality as Directory Access, but it can be scripted!
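Since dsconfigad can be scripted, here is the first post's Directory Access procedure (time sync against the domain, bind, authentication search path, verify) as one shell script. This is an added example, not code from the thread or from Apple. The domain ad.example.com, the computer OU, the admin account name and the 5-minute skew limit are placeholders and assumptions; it uses the short dsconfigad flags (-a, -c, -ou, -u) from the 10.4-era man page, relies on ntpdate, which shipped with OS X of that period, and uses the node name /Active Directory/All Domains exactly as the first post quotes it (later releases name the node /Active Directory/DOMAIN/All Domains).

```shell
#!/bin/sh
# Added example (not the thread's own code): the Directory Access steps of the
# first post as a dsconfigad script for 10.4/10.5-era Macs.
# Placeholders below: AD_DOMAIN, AD_OU, AD_ADMIN. Run as: sudo sh bind_ad.sh --bind
set -eu

AD_DOMAIN="ad.example.com"                      # placeholder: AD DNS domain
AD_OU="CN=Computers,DC=ad,DC=example,DC=com"    # placeholder: container for the computer object
AD_ADMIN="domainjoin"                           # placeholder: account allowed to join machines
SEARCH_NODE="/Active Directory/All Domains"     # node name as quoted in the first post
MAX_SKEW=300                                    # assumption: Kerberos tolerates ~5 minutes of skew

# Returns 0 when the clock offset (seconds, may be negative) is within MAX_SKEW.
# The "login window vibrates" symptom from the thread is a clock too far from the DC.
clock_skew_ok() {
    skew=$(( $1 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$MAX_SKEW" ]
}

# Turns a Sharing name into a computer ID: lower-case, non-alphanumerics to '-',
# at most 15 characters (the NetBIOS limit for the AD computer account).
# The first post advises a different name per OS under Boot Camp; pass a suffix
# such as "-mac" to get one, and the base name is shortened to make room for it.
computer_id() {
    suffix=${2:-}
    keep=$(( 15 - ${#suffix} ))
    base=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9-]/-/g' | cut -c1-"$keep")
    printf '%s%s' "$base" "$suffix"
}

main() {
    # Step 0: DNS. The "unable to find domain" post is usually this, not the bind.
    host "$AD_DOMAIN" >/dev/null || { echo "cannot resolve $AD_DOMAIN; fix DNS first" >&2; exit 1; }

    # Step 1: time. Point NTP at the domain (assumption: the DCs answer NTP on the
    # domain name) and refuse to bind while the offset is outside the Kerberos window.
    systemsetup -setnetworktimeserver "$AD_DOMAIN" >/dev/null
    systemsetup -setusingnetworktime on >/dev/null
    offset=$(ntpdate -q "$AD_DOMAIN" | sed -n 's/.*offset \(-\{0,1\}[0-9]*\).*/\1/p' | head -1)
    clock_skew_ok "${offset:-0}" || { echo "clock is ${offset}s off the DC; Kerberos will fail" >&2; exit 1; }

    # Step 2: bind (the Bind button). No -p: dsconfigad prompts for the password,
    # which keeps it out of `ps` output and shell history.
    computer=$(computer_id "$(scutil --get ComputerName)" "")
    dsconfigad -a "$AD_DOMAIN" -c "$computer" -ou "$AD_OU" -u "$AD_ADMIN"

    # Step 3: authentication search path (Authentication tab > Add).
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath "$SEARCH_NODE"

    # Step 4: verify an AD account resolves before leaving the admin session.
    id "$AD_ADMIN" >/dev/null || { echo "bound, but $AD_ADMIN does not resolve: check the search path" >&2; exit 1; }
    echo "bound to $AD_DOMAIN as $computer"
}

case "${1:-}" in --bind) main ;; esac
```

The checks run before the bind on purpose: a failed bind leaves a half-created computer object in AD, whereas a DNS or clock failure costs nothing to retry. The script only acts when started with --bind, so it can be sourced to reuse the helper functions.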
Thanks for this - I'm new to the Mac world, just used to Windows so far. How do you then set restrictions for users using Macs, since AD restrictions don't work on Macs? I have OS X Server and have looked at WGM but can't seem to use it as it's using AD only. Also, I can set up a printer in AD for Macs OK, but the user doesn't see this and can't select the printer as it needs admin rights.
Thanks for any info.
This is simple: go into System Preferences and select User Accounts, uncheck the lock so that you can modify settings, then click on the student profile and select Parental Controls... everything is accessible from there...
Hope this helps.
New OD-AD integration paper.
Before you do any of this, make sure that your OS X Server has a DNS record in either your AD or OD DNS server and is resolving fully both forward and reverse. I think there is an issue/conflict with using the .local domain suffix as well with OS X, as it uses it for Bonjour to find services and devices on the local network.
Basically, what you will have afterwards is an Xserve that is connected to your AD server and has joined the AD server's Kerberos realm. This gives your users single sign-on access to the services on your Xserve.
You would then set up your Xserve as an OD master. So you have an Xserve connected to a directory system and the same server running as an OD master. Since you have joined the AD Kerberos realm, the setup will skip this part of the OD master setup (it didn't do this in 10.4).
Once this is done you would then go to your WGM and configure some groups in the LDAPv3/127.0.0.1 directory. Then you drag the AD groups into the appropriate groups. What this now does is allow you to manage the preferences on the groups, which in turn manages the preferences for the AD groups and the users inside those, thus giving you managed preferences for AD users. You will need to bind the OS X clients to both the AD and OD servers as well. Make sure that the times are all synced for Kerberos though. Really important, that bit. Anyhow, have fun.
I also recommend that you read the AD-OD paper, as it will make more sense than me.
Last edited by HodgeHi; 23rd September 2008 at 11:39 PM.
That's great - though it seems to work better for groups of people rather than computers; not sure why. Printer works this way too, so well chuffed.
Any idea why, when you log out as an 'other' network user, you then have to restart the Mac before another network user can log on? (All users are ticked in the Login Window option.)
I don't have this issue but you may find more info here:
It's the last but one post on this page. It mentions something about the home dir mount points being different. Not too sure I knew what he meant. I have a Staff mount point and a Pupil mount point for the home dirs. They are on the same disk/RAID. I have found, though, that if you set Kerberos-only authentication for AFP and then create a new user in AD, the new user will not be able to log in. Why? I have no idea. But it seems to fail pre-authentication. If you change the AFP access method to Any (you can do this without disconnecting everyone) then the new AD user seems to be able to log in fine. Then if you switch it back to Kerberos only, they can still log in OK. Weird, but that's what I found to happen here. PS: I use AFP to mount AD user home dirs and not SMB. The SMB service on the OD is running but only so AD users can access the shares when logging into XP. I have redirected Documents onto the Xserve RAID share so they are all in one location.
Seems to load a bit quicker too.
I'm having real problems authenticating with AD from my Mac clients.
The set up I have is as follows:
OD bound to AD and Kerberised to the AD Kerberos realm.
DNS is on AD server, with Forward and reverse zones set up and all hostnames and IP resolve correctly.
AD, OD and Mac Clients all have reserved DHCP addresses.
Mac Clients are bound to AD & OD, AD is first in the search path.
At seemingly random intervals the ball in the login window is orange, and if I log on with an admin account and have a look in System Preferences > Accounts > Login Options > Network Account Server I can see that I am still connected to the OD server, but not the AD. AD is still in this list and I am still bound to it, but it reports "This domain is not responding".
The only way to kick it back into life seems to be "sudo killall DirectoryService"; rebooting sometimes works but not always...
Any ideas at all would be much appreciated?
This issue seems to be very random. Not everyone has the issue, and so it is hard to trace. Some believe it to be issues with DNS, others with the bind to the AD. I also believe that there may be some sort of issue with DeployStudio's imaging process.
I'm afraid to inform you that no one really knows for sure. Are you running 10.5 or 10.6? 10.6 seems to be better at kicking DirectoryService whilst sitting at the login window than 10.5. Maybe consult the logs in Console when you experience the issue. You can log in as a local admin to do this. Just make a note of the time on the system so you roughly know where to look in the logs.
Hope this helps a little.
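The replies above narrow the "This domain is not responding" symptom down to three suspects (DNS, the bind itself, the search path) and one workaround (killall DirectoryService), plus the advice to note the time for the Console logs. The following script, an added example that is not from the thread or from Apple, runs those checks in that order and only restarts DirectoryService when DNS is healthy but the AD node still does not answer, logging each step with a timestamp. The domain ad.example.com, the probe account and the log path are placeholders; the node name /Active Directory/All Domains is the one used in this thread, and the DC is found through the _ldap._tcp SRV record, which is how the AD plug-in locates a domain controller.

```shell
#!/bin/sh
# Added example (not the thread's own code): health check for a Mac bound to AD
# that reports "This domain is not responding" at the login window.
# Placeholders: AD_DOMAIN, PROBE_USER, LOG. Run as: sudo sh ad_health.sh --check
set -eu

AD_DOMAIN="ad.example.com"                  # placeholder: AD DNS domain
AD_NODE="/Active Directory/All Domains"     # node name used in this thread
PROBE_USER="adprobe"                        # placeholder: any ordinary AD account that must resolve
LOG="/var/log/ad_health.log"                # placeholder: timestamps here match Console's system.log

# Timestamped line to stderr and the log, so the event can be found in Console later.
log() { printf '%s %s\n' "$(date '+%b %e %H:%M:%S')" "$*" | tee -a "$LOG" >&2; }

# Reads `dscl /Search -read / CSPSearchPath` output on stdin and prints the
# network nodes in search order, skipping the local nodes (/Local, /BSD).
network_nodes() {
    awk '/^ /{ sub(/^ /, ""); if ($0 !~ "^/(Local|BSD)/") print }'
}

# Returns 0 when Active Directory is the first network node, the order the
# poster describes; an OD-first path would resolve AD users via OD instead.
ad_first() {
    first=$(network_nodes | head -1)
    case "$first" in "/Active Directory"*) return 0 ;; esac
    return 1
}

# Reads `dig +short SRV _ldap._tcp.DOMAIN` lines ("prio weight port host.") on stdin
# and prints the lowest-priority DC without the trailing dot. No output at all is
# the "unable to find domain" error from the thread.
pick_dc() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }'
}

# Forward/reverse agreement for one name, as the OD-AD reply requires.
# Prints the address; returns 0 only when the PTR points back at the same name.
dns_roundtrip() {
    name=$1
    addr=$(dig +short A "$name" | head -1)
    [ -n "$addr" ] || return 1
    back=$(dig +short -x "$addr" | head -1 | sed 's/\.$//')
    printf '%s\n' "$addr"
    [ "$back" = "$name" ]
}

main() {
    dc=$(dig +short SRV "_ldap._tcp.$AD_DOMAIN" | pick_dc)
    [ -n "$dc" ] || { log "no _ldap._tcp SRV record for $AD_DOMAIN: DNS, not the bind, is broken"; exit 1; }
    dc_ip=$(dns_roundtrip "$dc") || { log "forward/reverse DNS disagree for $dc"; exit 1; }
    log "dc=$dc ($dc_ip) resolves both ways"

    dscl /Search -read / CSPSearchPath | ad_first || log "warning: AD is not first in the search path"

    # The actual symptom: a node that is bound but no longer answers lookups.
    if dscl "$AD_NODE" -read "/Users/$PROBE_USER" RecordName >/dev/null 2>&1; then
        log "AD node answering; nothing to do"
        return 0
    fi
    log "AD node not responding although DNS is healthy: restarting DirectoryService (thread workaround)"
    killall DirectoryService            # it is restarted on demand by the next lookup
    sleep 5
    if dscl "$AD_NODE" -read "/Users/$PROBE_USER" RecordName >/dev/null 2>&1; then
        log "AD node back after restart"
    else
        log "still not responding: check Console around this time and the bind (dsconfigad -show)"
        exit 1
    fi
}

case "${1:-}" in --check) main ;; esac
```

Run it from cron or a launchd job at a few minutes' interval and the log shows whether the failures line up with DNS trouble, with a DeployStudio re-image, or with nothing at all, which is the evidence the thread says nobody has. The restart is deliberately the last step: killing DirectoryService when the real fault is DNS only hides the problem until the next lookup.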