Mark Foley
2018-Jun-27 00:41 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Tue, 26 Jun 2018 15:25:56 -0700 Kris Lou via samba <samba at lists.samba.org> wrote:

> There are basically 3 ways:
> * dsconfigad (https://gist.github.com/bzerangue/6886182)

OK, I ran 'dsconfigad -show' and got the following results. They basically look OK to my limited understanding except for the Mapping options. I did check those mapping boxes, but I guess it also wanted me to fill in actual values. I'll have to do a bit of research as I've no idea what these values should be, nor do I know what happens if I leave the mappings un-checked as it says it will then use "dynamically generated information for macOS" (whatever that means). If any of these other settings look obviously suspect, please advise.

Active Directory Forest = hprs.local
Active Directory Domain = hprs.local
Computer Account = labmac$

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = (null)
Mapping user GID to attribute = (null)
Mapping group GID to attribute = (null)
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = mail
Allowed admin groups = domain admins,enterprise admins
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

> * via Configuration Profile

What is that?

> * via GUI, which you've found
>
> There's also a toggle "Allow Network Users to Log in" via System Prefs -> Users -> Login Options

I do have that checked, and it allows "All network users."

> However ...
> * Network Homes is difficult (at best)

That's bad.

> * Changing passwords on the DC does not automatically refresh the local profile's Keychain

That's bad too! That's kind of the point of AD authentication -- not having to keep lots of separate passwords all over.

> * Network Users require a constant connection to the DC -- which obviously doesn't work well for 1:1.

That's not a problem. If the AD/DC is down there are other problems. Windows users do get a local copy of their desktop to work with, which is nice, but the AD/DC is also the only DNS, so users could not get to the Internet. With Linux domain members, there really isn't an option to have a local desktop copy (although I could create a script to "fake" it), but it's pretty easy to NFS mount the user's home directory, which is then available to that domain user when he/she logs on per the AD configuration.

> So more sites are favoring Mobile Users (with local homes).

Not sure what that means (I'm a real Mac newbie). When you say "local homes", does that mean the home directory is stored on the workstation only? No redirection? How does a "Mobile User" differ from any other kind of user?

> https://nomad.menu/ helps to solve a lot of the above without binding to AD -- but I haven't used it, so YMMV. You might also be interested in the MacEnterprise mailing list.
>
> -Kris

I'll look at the nomad stuff, but this Mac needs to work in an existing Active Directory system. I'll also look at the MacEnterprise maillist. Meanwhile, do you have any idea on what should go in the Mapping Options? "Mapping UID to attribute", what attribute? The UID of a specific domain user? That doesn't make sense. What is "dynamically generated mapping info"? I'll try doing some research on this. I have a feeling that these mapping options may be a big part of my problem.

THX --Mark

> Kris Lou
> klou at themusiclink.net
>
> On Tue, Jun 26, 2018 at 2:41 PM, Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Does anyone know how to join a Mac OSX (High Sierra 10.13.5) workstation to a Samba4 domain, or know of a wiki/howto document describing this process? Web searches have turned up plenty of info on running OSX as a Samba4 server, but I can't find anything on joining as a domain member.
> >
> > I do believe I've actually joined (Bind in apple-speak) the workstation itself to the domain using the System Preferences > Users & Groups > Network Account Server. That does show my domain name with a green dot (OK status?). And when I list network computers on the AD server it does list this Mac computer.
> >
> > Problem is, I cannot log in as a domain user. I'm sure I'm doing something wrong, but I can't figure out what.
> >
> > Any help greatly appreciated.
> >
> > THX --Mark
Mark Foley
2018-Jun-27 06:09 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
I think I have my Mac AD mappings wrong. The following link, https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME, says:

> On a computer that's configured to use Directory Utility's Active Directory connector, you can specify an Active Directory attribute to map to the group ID (GID), primary group ID (GID), and unique user ID (UID) attribute in macOS.
>
> Usually, the Active Directory schema must be extended to include an attribute that's suitable for mapping to the GID, primary GID, and UID:
>
> If the Active Directory administrator extends the Active Directory schema by installing Microsoft's Services for UNIX, you can map the following:
>
> GID to the msSFU-30-Gid-Number attribute
> Primary GID to the msSFU-30-Gid-Number attribute
> UID to the msSFU-30-Uid-Number attribute

I've looked in sam.ldb and the only msSFU object categories I find are msSFU-30-NIS-Map-Config and msSFU-30-Domain-Info. What are msSFU-30-Gid-Number and msSFU-30-Uid-Number? Should I be using these?

What are GID, primary GID and UID in this case? My 'Domain Users' GID is 10000. How does that correlate? Why would I specifically map a UID? Would not the AD server sort that out when I log in as a domain user?

> If the Active Directory administrator manually extends the Active Directory schema to include RFC 2307 attributes, you can map the following:
>
> GID to the gidNumber attribute
> Primary GID to the gidNumber attribute
> UID to the uidNumber attribute

I do have 'idmap_ldb:use rfc2307 = yes' defined in the AD server smb.conf, but I'm still at a loss as to understanding what they are talking about with GID, Primary GID and UID.

> If the Active Directory administrator manually extends the Active Directory schema to include the macOS gidNumber, PrimaryGroupID, and UniqueID attributes, you can map the following:
>
> GID to the gidNumber attribute
> Primary GID to the PrimaryGroupID attribute
> UID to the UniqueID attribute

Not comprehending this mac-speak. Does anyone know what this is?

> If mapping of the GID, primary GID, and UID is disabled, the Active Directory connector generates a GID, primary GID, and UID based on Active Directory's standard GUID attribute.

So, if I *don't* do any mapping (disabled) what happens?

> Important: With the advanced options of the Active Directory connector, you can map the macOS unique user ID (UID), primary group ID (GID), and group GID attributes to the correct attributes in the Active Directory schema. However, if you change these settings later, users might lose access to previously created files.

Has anyone done any of this and perhaps understands what they're talking about?

--Mark
Rowland Penny
2018-Jun-27 06:48 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, 27 Jun 2018 02:09:24 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> I think I have my Mac AD mappings wrong. The following link, https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME, says:
>
> > On a computer that's configured to use Directory Utility's Active Directory connector, you can specify an Active Directory attribute to map to the group ID (GID), primary group ID (GID), and unique user ID (UID) attribute in macOS.
> >
> > Usually, the Active Directory schema must be extended to include an attribute that's suitable for mapping to the GID, primary GID, and UID:
> >
> > If the Active Directory administrator extends the Active Directory schema by installing Microsoft's Services for UNIX, you can map the following:
> >
> > GID to the msSFU-30-Gid-Number attribute
> > Primary GID to the msSFU-30-Gid-Number attribute
> > UID to the msSFU-30-Uid-Number attribute

I think there is a clue there, 'Microsoft's Services for UNIX'. It used to be called that, but latterly it was called 'IDMU' or 'Identity Management for UNIX' and a lot of the 'msSFU-30' prefixes got dropped.

> I've looked in sam.ldb and the only msSFU object categories I find are msSFU-30-NIS-Map-Config and msSFU-30-Domain-Info. What are msSFU-30-Gid-Number and msSFU-30-Uid-Number? Should I be using these?

You probably already are; 'msSFU-30-Gid-Number' became 'gidNumber'.

> What are GID, primary GID and UID in this case? My 'Domain Users' GID is 10000. How does that correlate? Why would I specifically map a UID? Would not the AD server sort that out when I log in as a domain user?
>
> > If the Active Directory administrator manually extends the Active Directory schema to include RFC 2307 attributes, you can map the following:
> >
> > GID to the gidNumber attribute
> > Primary GID to the gidNumber attribute
> > UID to the uidNumber attribute
>
> I do have 'idmap_ldb:use rfc2307 = yes' defined in the AD server smb.conf, but I'm still at a loss as to understanding what they are talking about with GID, Primary GID and UID.
>
> > If the Active Directory administrator manually extends the Active Directory schema to include the macOS gidNumber, PrimaryGroupID, and UniqueID attributes, you can map the following:
> >
> > GID to the gidNumber attribute
> > Primary GID to the PrimaryGroupID attribute
> > UID to the UniqueID attribute
>
> Not comprehending this mac-speak. Does anyone know what this is?
>
> > If mapping of the GID, primary GID, and UID is disabled, the Active Directory connector generates a GID, primary GID, and UID based on Active Directory's standard GUID attribute.
>
> So, if I *don't* do any mapping (disabled) what happens?

Sounds like you end up using something very similar to the winbind 'rid' backend.

> > Important: With the advanced options of the Active Directory connector, you can map the macOS unique user ID (UID), primary group ID (GID), and group GID attributes to the correct attributes in the Active Directory schema. However, if you change these settings later, users might lose access to previously created files.
>
> Has anyone done any of this and perhaps understands what they're talking about?

I have never done this (no apple clients) but if it works with one version of apple OS but not a later version, surely this means something changed in the apple OS and not in Samba. Perhaps you should ask Apple just what they changed, if anything.

In the meantime, Samba has vfs_fruit, see 'man vfs_fruit' for more info.

Rowland
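Added example, not code from the thread or from Samba: before mapping the Mac's UID and GID to the RFC 2307 attributes (uidNumber/gidNumber) that Rowland points to, a practitioner would audit sam.ldb for accounts the mapping would leave unresolvable or colliding, since Apple's note says changing the mapping later can cost users access to their files. The script parses an LDIF-style dump (as ldbsearch prints) and reports users with no uidNumber, users whose gidNumber names no group, and duplicate uidNumbers; the account names are hypothetical and the sample LDIF is constructed, with only the Domain Users gidNumber 10000 taken from the thread.

```python
from collections import defaultdict
# Constructed sample (hypothetical accounts): Domain Users has gidNumber 10000 as in
# the thread; alice is mapped, bob lacks uidNumber and names no group, carol reuses 10001.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=hprs,DC=local
objectClass: group
gidNumber: 10000

dn: CN=alice,CN=Users,DC=hprs,DC=local
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=hprs,DC=local
objectClass: user
gidNumber: 20000

dn: CN=carol,CN=Users,DC=hprs,DC=local
objectClass: user
uidNumber: 10001
gidNumber: 10000
"""
def parse_ldif(text):  # LDIF dump (e.g. ldbsearch output) -> [{attribute: [values]}]
    entries = []
    for block in text.strip().split("\n\n"):        # a blank line separates entries
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries
def audit_rfc2307(text):
    """Sorted (account, problem) pairs that would break a uidNumber/gidNumber mapping."""
    entries = parse_ldif(text)
    group_gids = {e["gidNumber"][0] for e in entries
                  if "group" in e.get("objectClass", []) and "gidNumber" in e}
    uid_owners, problems = defaultdict(list), []
    for e in (e for e in entries if "user" in e.get("objectClass", [])):
        name = e["dn"][0].split(",")[0][len("CN="):]
        if "uidNumber" in e:
            uid_owners[e["uidNumber"][0]].append(name)
        else:
            problems.append((name, "missing uidNumber"))
        if e.get("gidNumber", [""])[0] not in group_gids:
            problems.append((name, "gidNumber matches no group"))
    for uid, names in uid_owners.items():            # shared UIDs share file access
        if len(names) > 1:
            problems.append((",".join(sorted(names)), f"duplicate uidNumber {uid}"))
    return sorted(problems)
```

Run it against a real dump by reading the ldbsearch output into a string and passing it to audit_rfc2307; an empty list means every user the Mac will see resolves to a unique UID and a known group.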