Mark Foley
2018-Jun-26 21:41 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
Does anyone know how to join a Mac OSX (High Sierra 10.13.5) workstation to a Samba4 domain, or know of a wiki/howto document describing this process? Web searches have turned up plenty of info on running OSX as a Samba4 server, but I can't find anything on joining as a domain member. I do believe I've actually joined (Bind in apple-speak) the workstation itself to the domain using the System Preferences > Users & Groups > Network Account Server. That does show my domain name with a green dot (OK status?). And when I list network computer on the AD server it does list this Mac computer. Problem is, I cannot log in as a domain user. I'm sure I'm doing something wrong, but I can't figure out what. Any help greatly appreciated. THX --Mark
Kris Lou
2018-Jun-26 22:25 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
There are basically 3 ways: * dsconfigad (https://gist.github.com/bzerangue/6886182) * via Configuration Profile * via GUI, which you've found There's also a toggle "Allow Network Users to Log in" via System Prefs -> Users -> Login Options However ... * Network Homes is difficult (at best) * Changing passwords on the DC does not automatically refresh the local profile's Keychain * Network Users require a constant connection to the DC -- which obviously doesn't work well for 1:1. So more sites are favoring Mobile Users (with local homes). https://nomad.menu/ helps to solve a lot of the above without binding to AD -- but I haven't used it, so YMMV. You might also be interested in the MacEnterprise mailing list. -Kris Kris Lou klou at themusiclink.net On Tue, Jun 26, 2018 at 2:41 PM, Mark Foley via samba <samba at lists.samba.org> wrote:> Does anyone know how to join a Mac OSX (High Sierra 10.13.5) workstation > to a Samba4 domain, or > know of a wiki/howto document describing this process? Web searches have > turned up plenty of > info on running OSX as a Samba4 server, but I can't find anything on > joining as a domain > member. > > I do believe I've actually joined (Bind in apple-speak) the workstation > itself to the domain > using the System Preferences > Users & Groups > Network Account Server. > That does show my > domain name with a green dot (OK status?). And when I list network > computer on the AD server > it does list this Mac computer. > > Problem is, I cannot log in as a domain user. I'm sure I'm doing something > wrong, but I can't > figure out what. > > Any help greatly appreciated. > > THX --Mark > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Mark Foley
2018-Jun-27 00:41 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Tue, 26 Jun 2018 15:25:56 -0700 Kris Lou wrote:kvia samba <samba at lists.samba.org>> > There are basically 3 ways: > * dsconfigad (https://gist.github.com/bzerangue/6886182)OK, I ran 'dsconfigad -show' and got the following results. They basically look OK to my limited understanding except for the Mapping options. I did check those mapping boxes, but I guess it also wanted me to fill in actual values. I'll have to do a bit of research as I've no idea what these values should be, nor do I know what happens if I leave the mappings un-checked as it says it will then use "dynamically generated information for macOS" (whatever that means). If any of these other settings look obviously suspect, please advise. Active Directory Forest = hprs.local Active Directory Domain = hprs.local Computer Account = labmac$ Advanced Options - User Experience Create mobile account at login = Enabled Require confirmation = Disabled Force home to startup disk = Enabled Mount home as sharepoint = Enabled Use Windows UNC path for home = Enabled Network protocol to be used = smb Default user Shell = /bin/bash Advanced Options - Mappings Mapping UID to attribute = (null) Mapping user GID to attribute = (null) Mapping group GID to attribute = (null) Generate Kerberos authority = Enabled Advanced Options - Administrative Preferred Domain controller = mail Allowed admin groups = domain admins,enterprise admins Authentication from any domain = Enabled Packet signing = allow Packet encryption = allow Password change interval = 14 Restrict Dynamic DNS updates = not set Namespace mode = domain> * via Configuration ProfileWhat is that?> * via GUI, which you've found > > There's also a toggle "Allow Network Users to Log in" via System Prefs -> > Users -> Login OptionsI do have that checked, and it allows "All network users."> However ... > * Network Homes is difficult (at best)That's bad.> * Changing passwords on the DC does not automatically refresh the local > profile's KeychainThat's bad too! That's kind of the point of AD authentication -- not having to keep lots of separate passwords all over.> * Network Users require a constant connection to the DC -- which obviously > doesn't work well for 1:1.That's not a problem. If thd AD/DC is down there are other problem. Windows users do get a local copy of their desktop to work with, which is nice, but the AD/DC is also the only DNS, so users could not get to the Internet. With Linux domain members, there really isn't an option to have a local desktop copy (although, I could create a script to "fake" it), but it's pretty easy to NFS mount the user's home directory, which is then available to that domain user when he/she logs on per the AD configuration.> So more sites are favoring Mobile Users (with local homes).Not sure what that means (I'm a real Mac newbie). When you say "local homes", does that mean the home directory is stored on the workstation, only? No redirection? How does a "Mobile User" differ from any other kind of user?> https://nomad.menu/ helps to solve a lot of the above without binding to AD > -- but I haven't used it, so YMMV. You might also be interested in the > MacEnterprise mailing list. > > -KrisI'll look at the nomad stuff, but this Mac needs to work in an existing Active Directory system. I'll also look at the MacEnterprise maillist. Meanwhile, do you have any idea on what should go in the Mapping Options? "Mapping UID to attribute", what attribute? the UID of a specific domain user? That doesn't make sense. What is "dynamically generated mapping info"? I'll try doing some research on this. I have a feeling that these mapping options may be a big part of my problem. THX --Mark> > > > > > Kris Lou > klou at themusiclink.net > > On Tue, Jun 26, 2018 at 2:41 PM, Mark Foley via samba <samba at lists.samba.org > > wrote: > > > Does anyone know how to join a Mac OSX (High Sierra 10.13.5) workstation > > to a Samba4 domain, or > > know of a wiki/howto document describing this process? Web searches have > > turned up plenty of > > info on running OSX as a Samba4 server, but I can't find anything on > > joining as a domain > > member. > > > > I do believe I've actually joined (Bind in apple-speak) the workstation > > itself to the domain > > using the System Preferences > Users & Groups > Network Account Server. > > That does show my > > domain name with a green dot (OK status?). And when I list network > > computer on the AD server > > it does list this Mac computer. > > > > Problem is, I cannot log in as a domain user. I'm sure I'm doing something > > wrong, but I can't > > figure out what. > > > > Any help greatly appreciated. > > > > THX --Mark > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >