Mac Thread, **Active Directory Authentication How To** in Technical
  1. #1 Rozzer

    **Active Directory Authentication How To**

    Hello,

    As requested by a few PMs I have put together a How To on authenticating to Active Directory on Apple Mac OS X 10.4. You can find the article on How-To-Mac by going to the following address: http://www.howtomac.co.uk/index.php?...d=16&Itemid=30

    How to authenticate to active directory.

    You will require the following information to be able to authenticate into Active Directory:

    Active Directory Domain name
    Domain admin User Name and Account

    First you will need to run an application called Directory Access. You can find this application in /Applications/Utilities

    You may need to unlock the padlock in order to be able to do anything in this application.

    Once you are in Directory Access you will then need to enable the Active Directory plug-in by clicking Enable. When enabled you can then start to configure the plug-in.

    Once in the configuration pane you then need to type in your Active Directory domain. So for example I could type in "achme.com". You will then need to type in a computer ID. If you have named your computer correctly it should pick the computer name from there. After all of the above, all you need to do now is click Bind. You will then be asked to put in your username and password. If you put in your Domain Admin username it will start to bind to the Active Directory server. If you are planning on using Boot Camp on the domain, I would suggest you use different computer names for each operating system. Otherwise the trust for each OS will be different and you will find yourself binding to the domain every time you change operating system.

    Now you are bound to Active Directory you will need to set an authentication search path. This tells OS X to search Active Directory for a login account. So if you click the Authentication tab and click Add you will see /Active Directory/All Domains. If you add that and then apply you should now be able to log in.

    If you go back to the configure pane on Active Directory in Directory Access you can set the home drive to either be a local home drive in /Users or you can set it to use the home drive of Active Directory. But in order to do this you need to make sure the user accounts can read the folders before their home drive. Make sure it's not inherited to every folder, only to the previous folder.

    If you are experiencing problems for example the login screen vibrates on any login you try, you may want to check that the time settings are in sync and not over by a couple of minutes. I would suggest you point your timeserver to your active directory box.
    Good Luck.

    Ross
    Last edited by Rozzer; 1st February 2008 at 03:07 PM.

  2. 2 Thanks to Rozzer:

    mac_shinobi (1st February 2008), Oops_my_bad (5th February 2008)

  3. #2 localzuk
    If you can update it, you may wish to point out that they also need to ensure that the time on the Mac is the same (within a couple of minutes) as that on the AD servers.

  4. #3 Rozzer
    Quote Originally Posted by localzuk:
    If you can update it, you may wish to point out that they also need to ensure that the time on the Mac is the same (within a couple of minutes) as that on the AD servers.
    Thank you, feel free to add any other known issues.

  5. #4 DMcCoy
    OD managed preferences work more reliably when the Sharing name (the one OD sees) and the AD name (used to join AD) are not identical. I've had issues in the past where it won't update after the first retrieval if they are the same.

  6. #5 GrumbleDook
    Quote Originally Posted by DMcCoy:
    OD managed preferences work more reliably when the Sharing name (the one OD sees) and the AD name (used to join AD) are not identical. I've had issues in the past where it won't update after the first retrieval if they are the same.
    Ooh ... not come across that one before. I'll have a play on Monday.

  7. #6

    "Mapping" desktop icon on Mac Desktop to AD home Rea

    Hi

    Thanks for that - wish I had found this a while ago. I worked this out the hard way by trial and error. What I can't get to work is that it seems that student accounts on my AD cannot see a hidden share from the Mac, so I had to create a non-hidden share which I called Mac Stuff "Username". They then open the Network icon on the Mac and trawl down to the AD server (DATA-1) on my network, and it "maps" a drive on the Apple desktop. Problem is when they log out it doesn't save it because they are not an admin on the Mac. This is really annoying. Does anyone out there know how to get round this other than buying an OS X Server and building an Apple domain? I am trying to force my Mac users (only 12 physical Macs) to save to their Windows home area (h: ) so that files are backed up and they don't have local profiles on the Macs at all. I found a good use for the Macs because you can load RDP Client for Mac and remotely control a PC!

  8. #7

    bit of trouble

    When I tried adding my Mac computer to AD I got an error stating "unable to find domain", but the computer can see the domain and is accessing the web. Please help and advise on this.

    thanks jay

  9. #8 petroz
    Great tip,
    Just to add to this great tip, check out dsconfigad; this little command has the same functionality as Directory Access, but it can be scripted!!

  10. Thanks to petroz from:

    talksr (9th January 2012)
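Putting posts #1, #2 and #8 together: the script below does what post #1 does by hand in Directory Access, using the dsconfigad command petroz mentions, and refuses to bind while the client's clock is out of step with the domain controller, which is the time problem localzuk raises (and the "vibrating" login window in post #1). This is an added example, not code from the thread or from Apple. It assumes the achme.com domain from post #1's example; dc1.achme.com, the OU, the bindadmin account and the `--run` flag are placeholders of mine; the flag spelling is the 10.6-era dsconfigad syntax (earlier releases used a different spelling, so check `dsconfigad` usage on the release you run), and the search-path node name is the 10.4/10.5 one quoted in post #1 (list the real one with `dscl localhost -list "/Active Directory"`).

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: scripted AD bind for an
# OS X client, with a clock-skew check before binding. Run as root:
#   AD_BIND_PASSWORD=... ./bind-mac-to-ad.sh --run
# Placeholders (assumptions, not from the thread): AD_DC, AD_OU, AD_ADMIN.

AD_DOMAIN="${AD_DOMAIN:-achme.com}"                 # domain from post #1's example
AD_DC="${AD_DC:-dc1.achme.com}"                     # placeholder DC, also used as time server
AD_OU="${AD_OU:-CN=Computers,DC=achme,DC=com}"      # placeholder container for the computer account
AD_ADMIN="${AD_ADMIN:-bindadmin}"                   # placeholder domain admin account
AD_NODE="${AD_NODE:-/Active Directory/All Domains}" # search path entry named in post #1
MAX_SKEW_SECONDS=120                                # "within a couple of minutes" (post #2)

# Extract the offset (seconds, may be negative or fractional) from an
# `ntpdate -q` summary line such as:
#   server 10.0.0.1, stratum 3, offset -0.012345, delay 0.02567
# Prints the offset; returns 1 when the line carries no offset field.
parse_ntp_offset() {
    offset=$(printf '%s\n' "$1" | sed -n 's/.*offset \([-0-9.][-0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$offset" ] || return 1
    printf '%s\n' "$offset"
}

# Return 0 when |offset| <= max_seconds. Kerberos rejects authenticators whose
# timestamp is too far from the KDC clock, so a skewed client fails every login.
skew_within() {
    awk -v o="$1" -v max="$2" 'BEGIN { if (o < 0) o = -o; exit !(o <= max) }'
}

# Conservative computer-ID policy: 1-15 characters (the NetBIOS limit AD
# enforces on computer account names), letters, digits and hyphens only.
# Post #1 recommends distinct names for OS X and Boot Camp on the same machine.
valid_computer_id() {
    [ -n "$1" ] && [ ${#1} -le 15 ] && ! printf '%s' "$1" | grep -q '[^A-Za-z0-9-]'
}

main() {
    : "${AD_BIND_PASSWORD:?set AD_BIND_PASSWORD in the environment, not on the command line}"
    computer_id=$(scutil --get ComputerName | tr -d ' ')
    valid_computer_id "$computer_id" || { echo "computer ID '$computer_id' is not usable as an AD account name" >&2; exit 1; }

    # Step 1: point the client at the DC for time (post #1) and measure skew before binding.
    systemsetup -setusingnetworktime on >/dev/null
    systemsetup -setnetworktimeserver "$AD_DC" >/dev/null
    line=$(ntpdate -q "$AD_DC" 2>/dev/null | grep offset | head -n 1)
    offset=$(parse_ntp_offset "$line") || { echo "could not read time from $AD_DC" >&2; exit 1; }
    skew_within "$offset" "$MAX_SKEW_SECONDS" || {
        echo "clock skew of ${offset}s exceeds ${MAX_SKEW_SECONDS}s; fix time sync before binding" >&2; exit 1; }

    # Step 2: the Bind button, scripted. -localhome keeps home folders in /Users (post #1's local option).
    dsconfigad -add "$AD_DOMAIN" -computer "$computer_id" -ou "$AD_OU" \
        -username "$AD_ADMIN" -password "$AD_BIND_PASSWORD" -force
    dsconfigad -localhome enable

    # Step 3: the Authentication search path from post #1, so the login window consults AD.
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath "$AD_NODE"
    dsconfigad -show
}

if [ "${1:-}" = "--run" ]; then main; fi
```

The skew check runs before the bind on purpose: a bind succeeds over LDAP even when the clock is minutes out, and the failure only shows up later at the login window, which is exactly the symptom the thread describes.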

  11. #9 c13ggr
    Hi
    Thanks for this - I'm new to the Mac world, just used to Windows so far. How do you then set restrictions for users using Macs, since AD restrictions don't work on Macs? I have OS X Server and have looked at WGM but can't seem to use it as it's using AD only. Also, I can set up a printer in AD for Macs OK, but the user doesn't see this and can't select the printer as it needs admin rights.

    Thanks for any info

  12. #10
    This is simple: go into System Preferences and select User Accounts, uncheck the lock so that you can modify settings, then click on the student profile and select Parental Controls... everything is accessible from there...

    hope this helps

    Jay

  13. #11 HodgeHi
    Quote Originally Posted by c13ggr:
    Hi
    Thanks for this - I'm new to the Mac world, just used to Windows so far. How do you then set restrictions for users using Macs, since AD restrictions don't work on Macs? I have OS X Server and have looked at WGM but can't seem to use it as it's using AD only. Also, I can set up a printer in AD for Macs OK, but the user doesn't see this and can't select the printer as it needs admin rights.

    Thanks for any info
    If you have a XServe and an AD and are feeling adventurous then you would be looking at an AD-OD integration setup. There is an AD-OD paper on how to do it here:

    New OD-AD integration paper.

    Before you do any of this make sure that your OS X Server has a DNS record in either your AD or OD DNS server and is resolving fully both forward and reverse. I think there is an issue/conflict with using the .local domain suffix as well with OS X, as it uses it for Bonjour to find services and devices on the local network.

    Basically what you will have afterwards is an XServe that is connected to your AD server and has joined the AD servers kerberos realm. This gives your users single sign on access to the services on your XServe.

    You would then set up your XServe as an OD master. So you have an XServe connected to a directory system and the same server running as an OD Master. Since you have joined the AD Kerberos realm the setup will skip this part of the OD Master setup (it didn't do this in 10.4).

    Once this is done you would then go to your WGM and configure some groups in the LDAPv3/127.0.0.1 directory. Then you drag the AD groups into the appropriate groups. What this now does is allow you to manage the preferences on the groups, which in turn manages the preferences for the AD groups and the users inside those, thus giving you managed preferences for AD users. You will need to bind the OS X clients to both the AD and OD servers as well. Make sure that the times are all synced for Kerberos though. Really important, that bit. Anyhow, have fun.

    I also recommend that you read the AD-OD paper as it will make more sense than me.
    Last edited by HodgeHi; 23rd September 2008 at 11:39 PM.

  14. 2 Thanks to HodgeHi:

    c13ggr (1st October 2008), _Jo_ (14th December 2009)
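HodgeHi's precondition in post #11 (the OS X Server must resolve both forward and reverse, and a .local suffix collides with Bonjour) is easy to check before starting the AD-OD integration. The script below is an added example, not code from the thread, the AD-OD paper or Apple: it parses the output of the BSD `host` tool, compares the PTR name with the name you started from, and warns about .local. The host names and addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight DNS check for an OS X Server
# before AD-OD integration (post #11). Usage: ./check-server-dns.sh xserve.achme.com
# Names and addresses below are constructed placeholders.

# "xserve.achme.com has address 10.0.0.5"  ->  10.0.0.5  (empty on NXDOMAIN)
forward_ip_from_host_output() {
    printf '%s\n' "$1" | sed -n 's/.* has address \([0-9.][0-9.]*\)$/\1/p' | head -n 1
}

# "5.0.0.10.in-addr.arpa domain name pointer xserve.achme.com."  ->  xserve.achme.com
ptr_name_from_host_output() {
    printf '%s\n' "$1" | sed -n 's/.* domain name pointer \(.*\)\.$/\1/p' | head -n 1
}

# DNS names are case-insensitive; compare them folded to lower case.
names_match() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Post #11's warning: OS X treats .local as the Bonjour (multicast DNS) domain,
# so a unicast zone with that suffix is looked up the wrong way.
uses_local_suffix() {
    case "$1" in *.local|*.local.) return 0 ;; *) return 1 ;; esac
}

# Given the FQDN plus captured forward and reverse `host` output, return 0 only
# when the name resolves to an address whose PTR points back at the same name.
dns_roundtrip_ok() {
    fqdn=$1
    ip=$(forward_ip_from_host_output "$2")
    ptr=$(ptr_name_from_host_output "$3")
    [ -n "$ip" ] && [ -n "$ptr" ] && names_match "$fqdn" "$ptr"
}

# Live check against whichever resolver this machine uses (the AD or OD DNS server).
check_server() {
    fqdn=$1
    if uses_local_suffix "$fqdn"; then
        echo "warning: $fqdn uses the .local suffix, which OS X reserves for Bonjour" >&2
    fi
    fwd=$(host "$fqdn" 2>/dev/null || true)
    ip=$(forward_ip_from_host_output "$fwd")
    if [ -z "$ip" ]; then echo "FAIL: no A record for $fqdn" >&2; return 1; fi
    rev=$(host "$ip" 2>/dev/null || true)
    if dns_roundtrip_ok "$fqdn" "$fwd" "$rev"; then
        echo "OK: $fqdn -> $ip -> $(ptr_name_from_host_output "$rev")"
    else
        echo "FAIL: reverse lookup of $ip does not return $fqdn (got: ${rev:-nothing})" >&2
        return 1
    fi
}

if [ $# -eq 1 ]; then check_server "$1"; fi
```

Run it on the server itself and on a client, since the two may be pointed at different DNS servers; Kerberos builds the service principal from the reverse-resolved name, so a PTR that points at a different host name fails the single sign-on even when the forward record is fine.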

  15. #12 c13ggr
    That's great - though seems to work better for groups of people rather than computers - not sure why. Printer works this way too, so well chuffed.

    Any idea why, when you log out as an 'other' network user, you then have to restart the Mac before another network user can log on? (All users are ticked in the Login Window options.)

    Thanks

  16. #13 HodgeHi
    I don't have this issue but you may find more info here:

    Revenge!

    It's the last but one post on this page. It mentions something about the home dir mount points being different. Not too sure I knew what he meant. I have a Staff mount point and a Pupil mount point for the home dirs. They are on the same disk/RAID. I have found though that if you set Kerberos-only authentication for AFP and then create a new user in AD, the new user will not be able to log in. Why? I have no idea. But it seems to fail pre-authentication. If you change the AFP access method to Any (you can do this without disconnecting everyone) then the new AD user seems to be able to log in fine. Then if you switch it back to Kerberos only, they can still log in OK. Weird, but that's what I found to happen here. PS I use AFP to mount AD user home dirs and not SMB. The SMB service on the OD is running but only so AD users can access the shares when logging into XP. I have redirected documents onto the XRAID share so they are all in one location.

    Seems to load a bit quicker too.

  17. Thanks to HodgeHi from:

    liamvaughan (29th May 2009)

  18. #14
    I'm having real problems authenticating with AD from my Mac clients.

    The set up I have is as follows:
    OD bound to AD and Kerberised to AD Kerberos Realm.
    DNS is on AD server, with Forward and reverse zones set up and all hostnames and IP resolve correctly.
    AD, OD and Mac Clients all have reserved DHCP addresses.
    Mac Clients are bound to AD & OD, AD is first in the search path.

    At seeming random intervals the ball in the log-in window is orange and if I log on with an Admin account and have a look in System preferences > Accounts > Login Options >Network Account Server I can see that I am still connected to the OD server, but not the AD. AD is still in this list and I am still bound to it, but it reports "This domain is not responding".

    The only way to kick it back into life seems to be to "sudo killall DirectoryService"; rebooting sometimes works but not always...

    Any ideas at all would be much appreciated?

    Thanks

  19. #15
    This issue seems to be very random. Not everyone has the issue and so it is hard to trace. Some believe it to be issues with DNS, others with the bind to the AD. I also believe that there may be some sort of issue with DeployStudio's imaging process.

    I'm afraid to inform you that no one really knows for sure. Are you running 10.5 or 10.6? 10.6 seems to be better at kicking the DirectoryService whilst sitting at the loginWindow than 10.5. Maybe consult the logs in Console when you experience the issue. You can log in as a local admin to do this. Just make a note of the time on the system so you roughly know where to look in the logs.

    Hope this helps a little
