
**Active Directory Authentication How To**



Posted (edited)

Hello,

 

As requested by a few PMs, I have put together a how-to on authenticating to Active Directory on Apple Mac OS X 10.4. You can find the article on How-To-Mac at the following address: http://www.howtomac.co.uk/index.php?option=com_content&task=view&id=16&Itemid=30

 

How to authenticate to Active Directory

 

You will require the following information to be able to authenticate to Active Directory:

 

 

Active Directory Domain name

Domain admin User Name and Account

 

First you will need to run an application called Directory Access. You can find this application in /Applications/Utilities.

 

You may need to unlock the padlock in order to be able to do anything in this application.

 

Once you are in Directory Access you will then need to enable the Active Directory plug-in by clicking Enable. When it is enabled you can then start to configure the plug-in.

 

Once in the configuration pane you then need to type in your Active Directory domain; for example, I could type in "achme.com". You will then need to type in a computer ID. If you have named your computer correctly it should pick up the computer name from there. After all of the above, all you need to do now is click Bind. You will then be asked to put in your username and password. If you put in your Domain Admin username it will start to bind to the Active Directory server. If you are planning on using Boot Camp on the domain, I would suggest you use different computer names for each operating system. Otherwise the trust for each OS will be different and you will find yourself binding to the domain every time you change operating system.

 

Now you are bound to Active Directory you will need to set an authentication search path. This tells OS X to search Active Directory for a login account. If you click the Authentication tab and click Add you will see /Active Directory/All Domains. If you add that and then Apply you should now be able to log in.

 

If you go back to the configure pane for Active Directory in Directory Access you can set the home drive to either be a local home drive in /Users, or you can set it to use the home drive from Active Directory. But in order to do this you need to make sure the user accounts can read the folders above their home drive. Make sure it's not inherited to every folder, only to the previous folder.

 

If you are experiencing problems, for example the login screen vibrates on any login you try, you may want to check that the time settings are in sync and not out by a couple of minutes. I would suggest you point your time server to your Active Directory box.

 

 

Good Luck.

 

Ross

Edited by Rozzer
  • Thanks 2
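The bind, search path and time-server steps above, as a scripted equivalent. This is an added example, not code from the original post or from How-To-Mac; it uses dsconfigad, dscl and systemsetup, which ship with OS X. The domain "achme.com" is the post's own example; the time server "dc1.achme.com", the computer ID "MACLAB01", the admin account "adminuser" and the "-WIN" suffix for a Boot Camp partition are assumptions. The dsconfigad flag spellings are the 10.4/10.5 long forms; check them against `man dsconfigad` on the version you run.

```shell
#!/bin/sh
# Added example (not from the original post or How-To-Mac): the Directory
# Access steps done from the shell so they can be scripted.
# Assumptions: "achme.com" is the post's example domain; the time server,
# computer ID, admin user and the "-WIN" Boot Camp suffix are placeholders.
# Run as root on the Mac. DRY_RUN=1 (the default) only prints the commands.

AD_DOMAIN="${AD_DOMAIN:-achme.com}"
AD_TIMESERVER="${AD_TIMESERVER:-dc1.achme.com}"
AD_COMPUTER="${AD_COMPUTER:-MACLAB01}"
AD_USER="${AD_USER:-adminuser}"
DRY_RUN="${DRY_RUN:-1}"
MAX_SKEW_SECONDS=300   # Kerberos default clock-skew tolerance (5 minutes)

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

# Kerberos refuses tickets when client and KDC clocks differ by more than the
# tolerance; at the login window that is one common cause of the "vibrating"
# password box. Argument: clock offset in seconds as printed by ntpdate (may
# be negative or fractional). Returns 0 when it is within MAX_SKEW_SECONDS.
skew_ok() {
  awk -v o="$1" -v max="$MAX_SKEW_SECONDS" \
    'BEGIN { if (o < 0) o = -o; exit !(o <= max) }'
}

# Offset of the local clock against the DC via "ntpdate -q". Assumption: the
# 10.4-10.7 output format "server A.B.C.D, stratum N, offset S, delay D".
ntp_offset() {
  ntpdate -q "$1" | awk '/offset/ { sub(",", "", $6); print $6; exit }'
}

# Computer ID rules: NetBIOS limits the AD computer name to 15 characters, and
# the post's Boot Camp advice is a distinct name per OS. The "-WIN" suffix for
# the Windows side is an assumed local convention.
computer_id_ok() {
  case "$1" in
    "") return 1 ;;
    *-WIN|*-win) return 1 ;;
  esac
  [ "${#1}" -le 15 ]
}

bind_ad() {
  # Keep the clock on the DC so the skew check stays true after binding.
  run systemsetup -setusingnetworktime on
  run systemsetup -setnetworktimeserver "$AD_TIMESERVER"

  # Equivalent of Enable + Bind in Directory Access. -password is left out on
  # purpose so dsconfigad prompts for it: a password on the command line is
  # visible to every local user in `ps`.
  run dsconfigad -add "$AD_DOMAIN" -computer "$AD_COMPUTER" -username "$AD_USER"

  # Home directory on the local disk in /Users (the post's first option).
  run dsconfigad -localhome enable

  # Authentication search path: add "/Active Directory/All Domains" and read
  # the policy back to confirm.
  run dscl /Search -create / SearchPolicy CSPSearchPath
  run dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
  run dscl /Search -read / CSPSearchPath

  # A successful lookup of a domain user proves the bind and search path work.
  run id "$AD_USER"
}

main() {
  if ! computer_id_ok "$AD_COMPUTER"; then
    echo "refusing computer ID '$AD_COMPUTER' (empty, over 15 chars, or the Boot Camp name)" >&2
    return 1
  fi
  if [ "$DRY_RUN" = "1" ]; then
    offset=0                               # no network in dry-run mode
  else
    offset=$(ntp_offset "$AD_TIMESERVER")
  fi
  if ! skew_ok "$offset"; then
    echo "clock is ${offset}s off $AD_TIMESERVER; fix the time before binding" >&2
    return 1
  fi
  bind_ad
}

main "$@"
```

With DRY_RUN=1 it only prints what it would run, so the commands can be reviewed before running it as root with DRY_RUN=0. The skew check is the post's time-sync advice made mechanical: a Mac whose clock is more than the realm's tolerance off the KDC cannot get a ticket, however correct the bind is.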
Posted
If you can update it, you may wish to point out that they also need to ensure that the time on the Mac is the same (within a couple of minutes) as that on the AD servers.
Posted
> If you can update it, you may wish to point out that they also need to ensure that the time on the Mac is the same (within a couple of minutes) as that on the AD servers.

 

Thank you, feel free to add any other known issues :D

Posted
OD managed preferences work more reliably when the Sharing name (the one OD sees) and the AD name (used to join AD) are not identical. I've had issues in the past where it won't update after the first retrieval if they are the same.
Posted
> OD managed preferences work more reliably when the Sharing name (the one OD sees) and the AD name (used to join AD) are not identical. I've had issues in the past where it won't update after the first retrieval if they are the same.

 

Ooh ... not come across that one before. I'll have a play on Monday.

  • 5 months later...
Posted

Hi

 

Thanks for that - wish I had found this a while ago. I worked this out the hard way by trial and error. What I can't get to work is that it seems that student accounts on my AD cannot see a hidden share from the Mac, so I had to create a non-hidden share which I called Mac Stuff "Username". They then open the Network icon on the Mac and trawl down to the AD server (DATA-1) on my network, and it "maps" a drive on the Apple desktop. Problem is, when they log out it doesn't save it because they are not an admin on the Mac. This is really annoying. Does anyone out there know how to get round this other than buying OS X Server and building an Apple domain? I am trying to force my Mac users (only 12 physical Macs) to save to their Windows home area (H:) so that files are backed up and they don't have local profiles on the Macs at all. I found a good use for the Macs because you can load the RDP client for Mac and remotely control a PC!

  • 1 month later...
Posted

Great tip,

Just to add to this great tip, check out dsconfigad; this little command has the same functionality as Directory Access, but it can be scripted!! :hat:

  • Thanks 1
  • 4 weeks later...
Posted

Hi

Thanks for this - I'm new to the Mac world, just used to Windows so far. How do you then set restrictions for users using Macs, since AD restrictions don't work on Macs? I have OS X Server and have looked at WGM but can't seem to use it as it's using AD only. Also, I can set up a printer in AD for Macs OK, but the user doesn't see this and can't select the printer as it needs admin rights.

 

Thanks for any info

Posted

This is simple: go into System Preferences and select User Accounts, unlock the padlock so that you can modify settings, then click on the student profile and select Parental Controls... everything is accessible from there...

 

hope this helps

 

Jay

Posted (edited)
> Hi
> 
> Thanks for this - I'm new to the Mac world, just used to Windows so far. How do you then set restrictions for users using Macs, since AD restrictions don't work on Macs? I have OS X Server and have looked at WGM but can't seem to use it as it's using AD only. Also, I can set up a printer in AD for Macs OK, but the user doesn't see this and can't select the printer as it needs admin rights.
> 
> Thanks for any info

 

If you have an Xserve and an AD and are feeling adventurous, then you would be looking at an AD-OD integration setup. There is an AD-OD paper on how to do it here:

 

http://www.edugeek.net/forums/mac/18340-new-od-ad-integration-paper.html

 

Before you do any of this, make sure that your OS X Server has a DNS record in either your AD or OD DNS server and is resolving fully both forward and reverse. I think there is an issue/conflict with using the .local domain suffix as well with OS X, as it uses it for Bonjour to find services and devices on the local network.

 

Basically what you will have afterwards is an Xserve that is connected to your AD server and has joined the AD server's Kerberos realm. This gives your users single sign-on access to the services on your Xserve.

 

You would then set up your Xserve as an OD master. So you have an Xserve connected to a directory system and the same server running as an OD master. Since you have joined the AD Kerberos realm, the setup will skip this part of the OD master setup (it didn't do this in 10.4).

 

Once this is done you would then go to your WGM and configure some groups in the LDAPv3/127.0.0.1 directory. Then you drag the AD groups into the appropriate groups. What this now does is allow you to manage the preferences on the groups, which in turn manages the preferences for the AD groups and the users inside those, thus giving you managed preferences for AD users. You will need to bind the OS X clients to both the AD and OD servers as well. Make sure that the times are all synced for Kerberos though. Really important, that bit. Anyhow, have fun.

 

I also recommend that you read the AD-OD paper as it will make more sense than me ;)

Edited by HodgeHi
  • Thanks 2
Posted

That's great - though it seems to work better for groups of people rather than computers - not sure why. The printer works this way too, so well chuffed.

 

Any idea why, when you log out as an 'other' network user, you then have to restart the Mac before another network user can log on? (All users are ticked in the Login Window option.)

 

Thanks

Posted

I don't have this issue but you may find more info here:

 

http://www.edugeek.net/forums/mac/21932-revenge.html

 

It's the last but one post on this page. It mentions something about the home dir mount points being different. Not too sure I knew what he meant. I have a Staff mount point and a Pupil mount point for the home dirs. They are on the same disk/RAID. I have found though that if you set Kerberos-only authentication for AFP and then create a new user in AD, the new user will not be able to log in. Why? I have no idea. But it seems to fail pre-authentication. If you change the AFP access method to Any (you can do this without disconnecting everyone) then the new AD user seems to be able to log in fine. Then if you switch it back to Kerberos only, they can still log in OK. Weird, but that's what I found to happen here. PS: I use AFP to mount AD user home dirs and not SMB. The SMB service on the OD is running but only so AD users can access the shares when logging into XP. I have redirected documents onto the Xserve RAID share so they are all in one location.

 

Seems to load a bit quicker too.

  • Thanks 1
  • 1 year later...
Posted

I'm having real problems authenticating with AD from my Mac clients.

 

The set up I have is as follows:

OD bound to AD and Kerberised to the AD Kerberos realm.

DNS is on AD server, with Forward and reverse zones set up and all hostnames and IP resolve correctly.

AD, OD and Mac Clients all have reserved DHCP addresses.

Mac Clients are bound to AD & OD, AD is first in the search path.

 

At seeming random intervals the ball in the log-in window is orange and if I log on with an Admin account and have a look in System preferences > Accounts > Login Options >Network Account Server I can see that I am still connected to the OD server, but not the AD. AD is still in this list and I am still bound to it, but it reports "This domain is not responding".

 

The only way to kick it back into life seems to be "sudo killall DirectoryService"; rebooting sometimes works but not always...

 

Any ideas at all would be much appreciated?

 

Thanks

Posted

This issue seems to be very random. Not everyone has the issue and so it is hard to trace. Some believe it to be issues with DNS, others with the bind to the AD. I also believe that there may be some sort of issue with DeployStudio's imaging process.

 

I'm afraid to inform you that no one really knows for sure. Are you running 10.5 or 10.6? 10.6 seems to be better at kicking the DirectoryService whilst sitting at the loginWindow than 10.5. Maybe consult the logs in Console when you experience the issue. You can log in as a local admin to do this. Just make a note of the time on the system so you roughly know where to look in the logs.

 

Hope this helps a little

Posted

Thanks for the reply, hum, I've not found any useful info on the web about this as yet either.

 

I've searched for some stuff I found in the console logs, but I think it's unrelated, it's quite hard to pin it down to when it's happening.

 

I'm running 10.6 Server and Clients, and I'm not using Deploy Studio, in fact this is my first test client that I'm having the problem with.

 

Thanks, Ed

Posted

I've now tried a number of other things:

I stopped the clients from sleeping and it didn't drop the connection to AD for over 24 hours, but then I tried a reboot and it didn't reconnect.

I've restarted a number of times today and sometimes it comes back up with both AD and OD connected, sometimes without OD.

It always looks bound in Directory Utility and it's always in the search path though

 

I've rebound to OD using the command line and this has changed nothing.

 

I'm getting to the point where I might try to run a script to "killall DirectoryService" as a startup item in order to kick it back into life, but I'm not too sure how to get this working and it would certainly be bodging it.

 

I have noticed this in my DirectoryService.error.log

 

2010-06-21 00:08:56 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563

2010-06-21 00:10:24 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563

2010-06-21 00:11:41 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563

2010-06-21 00:21:12 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563

 

I'm also seeing

21/06/2010 00:23:34 ServerScanner[148] Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath

Sometimes this refers to OD and sometimes AD?

 

Any ideas please?

Posted

Here's a System log where the client fails to reconnect to AD:

Jun 21 01:04:46 macosx1 com.apple.launchd.peruser.501[129] (com.apple.AirPortBaseStationAgent[154]): Exited: Killed

Jun 21 01:04:46 macosx1 SecurityAgent[273]: NSDocumentController's invocation of -[NSFileManager URLForDirectory:inDomain:appropriateForURL:create:error:] returned nil for NSAutosavedInformationDirectory. Here's the error:\nError Domain=NSCocoaErrorDomain Code=513 UserInfo=0x100140a40 "You don’t have permission to save the file “Library” in the folder “empty”." Underlying Error=(Error Domain=NSPOSIXErrorDomain Code=13 "The operation couldn’t be completed. Permission denied")

Jun 21 01:04:47 macosx1 loginwindow[42]: DEAD_PROCESS: 42 console

Jun 21 01:04:47 macosx1 com.apple.loginwindow[42]: LogoutHook: Executing /etc/hooks/LOcleanupclean.hook...

Jun 21 01:04:47 macosx1 macadmin[311]: LogoutHook: Starting for macadmin

Jun 21 01:04:47 macosx1 shutdown[316]: reboot by macadmin:

Jun 21 01:04:47 macosx1 shutdown[316]: SHUTDOWN_TIME: 1277078687 279376

Jun 21 01:04:47 macosx1 mDNSResponder[18]: mDNSResponder mDNSResponder-214.3 (Feb 11 2010 04:49:16) stopping

Jun 21 01:04:47 macosx1 mDNSResponder[18]: mDNS_Deregister_internal: 51 _kerberos.macosx1.local. TXT LKDC:SHA1.4DC7A1D1C03651E88DAFDF1E20B08E8FAE91136B already marked kDNSRecordTypeDeregistering

Jun 21 01:04:47 macosx1 WindowServer[65]: hidd died. Reestablishing connection.

Jun 21 01:04:47 macosx1 DirectoryService[244]: dnssd_clientstub read_all(18) failed 0/28 0

Jun 21 01:04:47 macosx1 WindowServer[65]: bootstrap_look_ip failed: Unknown service name

Jun 21 01:04:47 macosx1 DirectoryService[244]: BUG in libdispatch: 10D578 - 1960 - 0x10004004

Jun 21 01:05:26 localhost com.apple.launchd[1]: *** launchd[1] has started up. ***

Jun 21 01:05:26 localhost com.apple.launchd[1]: *** Verbose boot, will log to /dev/console. ***

Jun 21 01:05:31 localhost blued[16]: Apple Bluetooth daemon started

Jun 21 01:05:31 localhost mDNSResponder[18]: mDNSResponder mDNSResponder-214.3 (Feb 11 2010 04:49:16) starting

Jun 21 01:05:32 macosx1 configd[14]: setting hostname to "macosx1.oakwood.local"

Jun 21 01:05:32 macosx1 configd[14]: network configuration changed.

Jun 21 01:05:34 macosx1 bootlog[53]: BOOT_TIME: 1277078726 0

Jun 21 01:05:35 macosx1 com.apple.usbmuxd[34]: usbmuxd-190 built for iTunesNineOne on Mar 8 2010 at 20:25:36, running 32 bit

Jun 21 01:05:35 macosx1 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[42]: Login Window Application Started

Jun 21 01:05:36 macosx1 configd[14]: network configuration changed.

Jun 21 01:05:38 macosx1 loginwindow[42]: Login Window Started Security Agent

Jun 21 01:05:38 macosx1 WindowServer[64]: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.

Jun 21 01:05:38 macosx1 com.apple.WindowServer[64]: Mon Jun 21 01:05:38 macosx1.oakwood.local WindowServer[64] : kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.

Jun 21 01:06:08 macosx1 com.apple.DirectoryServices[11]: Enter machine password:

Jun 21 01:06:09 macosx1 com.apple.DirectoryServices[11]: DNS update failed!

Jun 21 01:06:56 macosx1 /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[78]: CGSKeyTranslateInitialize: KLGetCurrentKeyboardLayout or KLGetKeyboardLayoutProperty is not available, fall back to USA keymap

Jun 21 01:07:02 macosx1 SecurityAgent[86]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...

Jun 21 01:07:03 macosx1 loginwindow[42]: Login Window - Returned from Security Agent

Jun 21 01:07:03 macosx1 com.apple.loginwindow[42]: LoginHook: Executing /etc/hooks/LIclean.hook...

Jun 21 01:07:04 macosx1 _mdnsresponder[127]: LoginHook: Starting for macadmin

Jun 21 01:07:04 macosx1 loginwindow[42]: USER_PROCESS: 42 console

Jun 21 01:07:04 macosx1 com.apple.launchd.peruser.501[135] (com.apple.ReportCrash): Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self

Jun 21 01:07:07 macosx1 ServerScanner[154]: Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath

Jun 21 01:07:08 macosx1 com.apple.launchd.peruser.501[135] (com.apple.Kerberos.renew.plist[158]): Exited with exit code: 1

Jun 21 01:07:10 macosx1 com.apple.launchd.peruser.501[135] ([email protected][161]): Exited with exit code: 1

 

And Here's the console messages from the same reboot:

21/06/2010 01:05:26 com.apple.launchd[1] *** launchd[1] has started up. ***

21/06/2010 01:05:26 com.apple.launchd[1] *** Verbose boot, will log to /dev/console. ***

21/06/2010 01:05:38 com.apple.WindowServer[64] Mon Jun 21 01:05:38 macosx1.oakwood.local WindowServer[64] : kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.

21/06/2010 01:06:08 com.apple.DirectoryServices[11] Enter machine password:

21/06/2010 01:06:09 com.apple.DirectoryServices[11] DNS update failed!

21/06/2010 01:07:03 com.apple.loginwindow[42] LoginHook: Executing /etc/hooks/LIclean.hook...

21/06/2010 01:07:04 com.apple.launchd.peruser.501[135] (com.apple.ReportCrash) Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self

21/06/2010 01:07:07 ServerScanner[154] Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath

21/06/2010 01:07:08 com.apple.launchd.peruser.501[135] (com.apple.Kerberos.renew.plist[158]) Exited with exit code: 1

21/06/2010 01:07:10 com.apple.launchd.peruser.501[135] ([email protected][161]) Exited with exit code: 1

21/06/2010 01:09:23 com.apple.WebKit.PluginAgent[185] Debugger() was called!

21/06/2010 01:09:39 com.apple.WebKit.PluginAgent[185] Debugger() was called!

21/06/2010 01:09:45 com.apple.WebKit.PluginAgent[185] Debugger() was called!

21/06/2010 01:09:46 com.apple.WebKit.PluginAgent[185] Debugger() was called!

 

Don't know if I'm looking in the right place here, but clutching at straws now!
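A triage pass over the log lines in this post, as an added example (not from the original thread or from Apple): it counts the lines that point at name resolution rather than at the AD bind itself. The sample input is the posted lines, embedded so the script runs offline; the counters and the verdict rule are my own. In dns_sd.h, -65563 is kDNSServiceErr_ServiceNotRunning, so "DNSServiceProcessResult returned -65563" and "dnssd_clientstub read_all failed" both say DirectoryService lost its connection to mDNSResponder, the daemon that also owns the .local name space; "DNS update failed!" is, as I read it, the AD plug-in failing the dynamic DNS registration of the Mac's own record.

```shell
#!/bin/sh
# Added example, not from the original posts: triage of DirectoryService and
# system.log lines. Sample lines below are the ones quoted in the thread;
# the counters and verdict rule are mine.
#
# -65563 is kDNSServiceErr_ServiceNotRunning (dns_sd.h): DirectoryService
# could not talk to mDNSResponder. A hostname or OD node ending in .local
# means the domain shares the name space mDNSResponder resolves itself.

# Reads log lines on stdin, prints key=value counters and a verdict.
ds_log_triage() {
  awk '
    /DNSServiceProcessResult returned -65563/        { dnssd++ }
    /dnssd_clientstub read_all/                      { dnssd++ }
    /DNS update failed/                              { dnsupd++ }
    /setting hostname to "[^"]*\.local"/             { localtld++ }
    /node \/LDAPv3\/[^ ]*\.local is in searchPath/   { localtld++ }
    /This domain is not responding/                  { notresp++ }
    END {
      printf "dnssd_errors=%d\n", dnssd
      printf "dns_update_failed=%d\n", dnsupd
      printf "local_tld_refs=%d\n", localtld
      printf "domain_not_responding=%d\n", notresp
      verdict = "ok"
      if (dnssd + dnsupd > 0) verdict = "check-dns"
      if (localtld > 0)       verdict = "check-dns-local-tld"
      if (notresp > 0)        verdict = "ad-dropped"
      printf "verdict=%s\n", verdict
    }'
}

# Constructed sample: the lines quoted in the posts above, nothing else.
SAMPLE_LOG='2010-06-21 00:08:56 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
2010-06-21 00:10:24 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
2010-06-21 00:11:41 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
2010-06-21 00:21:12 BST - T[0x00007FFF705F6BE0] - DNSServiceProcessResult returned -65563
Jun 21 01:04:47 macosx1 DirectoryService[244]: dnssd_clientstub read_all(18) failed 0/28 0
Jun 21 01:05:32 macosx1 configd[14]: setting hostname to "macosx1.oakwood.local"
Jun 21 01:06:08 macosx1 com.apple.DirectoryServices[11]: Enter machine password:
Jun 21 01:06:09 macosx1 com.apple.DirectoryServices[11]: DNS update failed!
Jun 21 01:07:07 macosx1 ServerScanner[154]: Not scanning because node /LDAPv3/Mac0.oakwood.local is in searchPath'

ds_log_triage_demo() {
  printf '%s\n' "$SAMPLE_LOG" | ds_log_triage
}

# Real use on a 10.5/10.6 client:
#   ds_log_triage < /Library/Logs/DirectoryService/DirectoryService.error.log
#   grep DirectoryServ /var/log/system.log | ds_log_triage
ds_log_triage_demo
```

Run it against the client that shows the orange ball at the login window, right after noting the time as suggested above. A non-zero local_tld_refs on every client, together with the dnssd counters, points at the domain name and name resolution rather than at the bind, which is where the replies that follow look as well.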

Posted

Hi

 

Your problem is DNS. I'm surprised you could not find anything, as this forum (as well as others) is full of threads such as yours. The platform will struggle and more than likely display the behaviour you're seeing if you're basing your domain around .local. Why? Because it reserves .local for Bonjour/Rendezvous services. All Macs will broadcast and discover themselves using it. It's not a good idea to switch it off either. How you name your Macs could also produce similar behaviour. Don't use hyphens or any other non-letter/number character. Using .local can be made to work, but don't be surprised if you see problems. Having said that, other AD environments that don't use .local can also display similar or even different problems which could be due to something else.

 

The most successful integrations in my experience are invariably with environments that have (a) been built to accommodate Macs in the first place, (b) an AD structure/organisation that is fairly flat/simple, (c) not based the internal domain around .local, and (d) are not using RM.

 

Antonio Rocco (ACSA)

  • Thanks 1
Posted

Hi,

 

Thanks for your feedback. I have been wondering if it could be the .local domain name that I'm using for Windows that's causing me problems.

 

My Macs are being added to an OU in the root of the domain, so I guess I have a fairly flat structure from that point of view, and I'm not using any of that RM rubbish as we scrapped that years ago.

 

Could you tell me what you mean when you say "an environment that has been built to accommodate Macs in the first place"?

 

If in the future when I replace the DC and have the time to create a new domain in order to get rid of the .local issue what else must I do to ensure that it as easy for the Macs to integrate as possible?

 

Many thanks,

 

Ed

Posted

Hi

 

I mean building an environment that takes account of the platform rather than adding them to a mature/legacy environment that was only ever built to accommodate the Windows platform.

 

In no particular order I would say it would mean:

 

Correctly resolving DNS on both pointers

Making sure there are no malformed SRV Records

Not using .local for your TLD

Making sure the PDC resolves itself to itself on both pointers

Not having a folder structure that nests folders within folders within folders etc

Making sure time synchronization is the same for all principals in the Realm

Removing 'ghost/dead' users and/or groups from Network Home Parent Container as these permissions will be honoured by the platform

Star Topology rather than a Cascading One

Gigabit to Desktop

WAPs that are N rated

 

The list is not exhaustive by any means. Basically all the things your PCs don't really care about. If you build the environment 'properly' and along Microsoft's best practices you should not see too many problems.

 

If all of the above seems like too much hard work you could consider using a 3rd-Party Solution such as Likewise or Centrify. Or modify the Schema yourself. Any of these methods would not necessarily involve OSX Server.

 

Perhaps you should re-post in the main forum? That way others who've been in a similar position to you will get a chance to offer some of the things they've tried that may or may not have worked.

 

Antonio Rocco (ACSA)

  • Thanks 1
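A DNS preflight for the checklist above (forward and reverse resolution, SRV records, no .local TLD, the DC resolving back to itself) and for the naming advice in the earlier reply in this thread (letters and digits only in Mac names). This is an added example, not from the original posts; it uses dig, which ships with OS X. "achme.com" is the first post's example domain and stands in for yours; the four SRV names are the standard ones an AD client queries to find a DC, the KDC, the kpasswd service and a global catalog. The pure checks (tld_ok, hostname_ok, srv_names, srv_answer_ok) run offline; preflight itself needs to reach your AD DNS server.

```shell
#!/bin/sh
# Added example, not from the original posts: DNS preflight before binding a
# Mac to AD. Pure checks run offline; preflight needs the AD DNS server.
# "achme.com" is the example domain from the first post; substitute yours.

# Bonjour/mDNSResponder owns .local, so an AD domain there is a collision.
tld_ok() {
  case "$1" in
    *.local|*.local.) return 1 ;;
  esac
  [ -n "$1" ]
}

# Letters and digits only, per the reply above (hyphens are legal in DNS;
# the thread's advice is still to avoid them on Macs).
hostname_ok() {
  case "$1" in
    "" | *[!A-Za-z0-9]*) return 1 ;;
  esac
  return 0
}

# The SRV names an AD client resolves: DC locator, KDC, kpasswd, global catalog.
srv_names() {
  printf '%s\n' \
    "_ldap._tcp.dc._msdcs.$1" \
    "_kerberos._tcp.$1" \
    "_kpasswd._tcp.$1" \
    "_gc._tcp.$1"
}

# One SRV answer as printed by "dig +short SRV": "prio weight port target.".
# Malformed means: wrong field count, non-numeric numbers, port 0, a target
# of "." (RFC 2782: service explicitly not available), or a .local target.
srv_answer_ok() {
  set -- $1
  [ $# -eq 4 ] || return 1
  case "$1$2$3" in *[!0-9]*) return 1 ;; esac
  [ "$3" -gt 0 ] || return 1
  [ "$4" != "." ] || return 1
  tld_ok "$4"
}

# Forward A lookup, then PTR on the answer, must come back to the same name.
ptr_roundtrip() {
  ip=$(dig +short A "$1" | head -n 1)
  [ -n "$ip" ] || return 1
  back=$(dig +short -x "$ip" | head -n 1)
  [ "${back%.}" = "${1%.}" ]
}

preflight() {
  domain=$1; fail=0
  tld_ok "$domain" || { echo "FAIL: $domain is under .local"; fail=1; }
  for rr in $(srv_names "$domain"); do
    ans=$(dig +short SRV "$rr" | head -n 1)
    if [ -z "$ans" ]; then
      echo "FAIL: no SRV record $rr"; fail=1; continue
    fi
    if ! srv_answer_ok "$ans"; then
      echo "FAIL: malformed SRV $rr -> $ans"; fail=1; continue
    fi
    target=${ans##* }; target=${target%.}
    hostname_ok "${target%%.*}" || echo "WARN: $target has non-alphanumerics"
    if ptr_roundtrip "$target"; then
      echo "ok: $rr -> $ans (forward/reverse agree)"
    else
      echo "FAIL: $target does not resolve back to itself"; fail=1
    fi
  done
  return $fail
}

# Usage: sh ad-dns-preflight.sh achme.com
if [ -n "${1:-}" ]; then
  preflight "$1"
fi
```

Run it from a Mac on the LAN, pointed at the same DNS server the clients use, before binding; every FAIL line is something to fix on the DNS side first, since the AD plug-in locates the DC and KDC through exactly those SRV records and Kerberos checks the target names it gets back.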
Posted

Thanks for all those suggestions, if I ever get the time I might set up a fresh domain.

 

What does seem a little odd is that my 10.6 server doesn't seem to drop the connection to AD in the same way as the clients? Can't really see how this is any different?

 

Thanks,

 

Ed

Posted

Hi

 

I don't know why you would assume this, because the server should not be configured the same as the clients. Perhaps you've forgotten? What I do is bind the server to AD first, verify I can access and 'read' user and group information from Active Directory and then promote to Open Directory Master with Kerberos stopped. This is 'classic' AD-OD integration or, if you like, Magic Triangle deployment. Once the server has been promoted to OD Master it places itself automatically and by default above the Active Directory/All Domains entry in Directory Utility's Search Policy field.

 

On the Server in a classic AD-OD Integration this is how it should be.

 

Clearly on the client this does not happen. Clients are generally bound to AD first and then joined to OD with no requirement for any authentication or contact information when configuring the LDAP plug-in.

 

Perhaps this is contributing to the problems you're seeing?

 

Antonio Rocco (ACSA)

  • Thanks 2
  • 1 year later...
Posted

Hi guys, I'm not sure if I should be replying in here or creating a new thread, it's regarding some issues we're having connecting 12 iMacs to our Active Directory domain.

I've successfully bound them to the Domain, however, only 8 of the 12 are able to log on at any one time.

The 8 that are able to connect are also random, so it's never the same 8.

Any suggestions would be greatly appreciated!

 

Thanks!
