Rowland Penny
2018-Jun-27 18:31 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, 27 Jun 2018 13:58:46 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> Well, I've made some progress. Excuse the detail, but this might help
> others as I've so far found NOTHING on this, including with the Mac
> Enterprise maillist (so far).
>
> If I unchecked all the Directory Utility mapping options, I was able
> to log in! Yeah! But, the UID.GID numbers were 1793602029.1840809715.
>
> Next I tried just setting the "Map group GID to attribute" to 10000
> (my 'Domain Users' group). That did nothing to change the GID, but I
> could still log on.
>
> Leaving the above setting in place, I next tried setting "Map user
> GID to attribute" to 10000. That gave me UID.GIDs of 1793602029.20.
> Strange.
>
> Next I tried setting "Map user GID to attribute" to the string
> "gidNumber". That worked and my UID.GIDs were now 1793602029.10000.
>
> Next I tried setting "Map UID to attribute" to 10001 (my domain
> UID). I couldn't log on at all as the domain user.
>
> Next I tried setting "Map UID to Attribute" to the string
> "uidNumber". That worked and my UID.GIDs were then 10001.10000.
>
> At this point, I do have correct domain user UID and GID. Upon login
> the Mac creates folders in the home directory:
>
> $ ls -ln
> total 0
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Desktop
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Documents
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Downloads
> drwx------@ 46 10001 10000 1564 Jun 27 13:26 Library
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Movies
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Music
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Pictures
> drwxr-xr-x+ 4 10001 10000 136 Jun 27 13:16 Public
>
> These folders are empty and NOT connected to the redirected desktop.
> I'm guessing the Mac AD setup doesn't bother much with Group
> Policies.

Only Windows uses GPOs (as yet). GPOs operate on the registry and
only Windows has the registry.

> Not necessarily a big deal as the Linux domain members
> also do not auto-map to the redirected folders on the DC. However,
> Linux does create the home folder as specified in sam.ldb and does
> designate that as $HOME which Mac is not doing.

I have never used an Apple machine, so I have no idea about the apple
OS, but does it have anything similar to PAM ?

> So, some questions:
>
> If I were either to change this user's unixHomeDirectory (sam.ldb)
> from /home/HPRS/mark to /Users/mark, would that make a difference?

Only if '/Users' exists on the MACOS machine and there is something to
create the user's homedir.

> I supposed I could also try creating the /home/HPRS directory on the
> Mac and see if a login plops me there.

If '/home/HPRS' doesn't exist, this could well be your problem.

> On Linux, I've used NFS export on the DC and autofs on the domain
> member to mount the user's redirected folders. I could try the same
> thing on Mac.

As far as I am aware, the great-granddaddy of MACOS was some form of
BSD, so I suppose you should treat it more like Linux than Windows.

> Rowland has mentioned vfs_fruit, which I've done some
> reading on. Is vfs_fruit the recommended way of doing remote mounts
> on Mac?

I have never used it myself, but from my understanding, it is a layer
between Samba, MACOS and the Unix OS.

> I have done basic smb mounts from mac using CMD-K
> smb:\\host\share. Suggestions on this?

I have no idea, perhaps someone who actually uses MACOS would care to
comment.

Rowland

PS Have you considered hitting the MACOS machines with a very big
hammer ? It won't fix the problem, but it would make it go away,
permanently. LOL
Mark Foley
2018-Jun-28 03:11 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, 27 Jun 2018 19:31:58 +0100 Rowland Penny wrote:

> On Wed, 27 Jun 2018 13:58:46 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Well, I've made some progress. Excuse the detail, but this might help
> > others as I've so far found NOTHING on this, including with the Mac
> > Enterprise maillist (so far).
> >
> > If I unchecked all the Directory Utility mapping options, I was able
> > to log in! Yeah! But, the UID.GID numbers were 1793602029.1840809715.
> >
> > Next I tried just setting the "Map group GID to attribute" to 10000
> > (my 'Domain Users' group). That did nothing to change the GID, but I
> > could still log on.
> >
> > Leaving the above setting in place, I next tried setting "Map user
> > GID to attribute" to 10000. That gave me UID.GIDs of 1793602029.20.
> > Strange.
> >
> > Next I tried setting "Map user GID to attribute" to the string
> > "gidNumber". That worked and my UID.GIDs were now 1793602029.10000.
> >
> > Next I tried setting "Map UID to attribute" to 10001 (my domain
> > UID). I couldn't log on at all as the domain user.
> >
> > Next I tried setting "Map UID to Attribute" to the string
> > "uidNumber". That worked and my UID.GIDs were then 10001.10000.
> >
> > At this point, I do have correct domain user UID and GID. Upon login
> > the Mac creates folders in the home directory:
> >
> > $ ls -ln
> > total 0
> > drwx------+ 3 10001 10000 102 Jun 27 13:16 Desktop
> > drwx------+ 3 10001 10000 102 Jun 27 13:16 Documents
> > drwx------+ 3 10001 10000 102 Jun 27 13:16 Downloads
> > drwx------@ 46 10001 10000 1564 Jun 27 13:26 Library
> > drwx------+ 3 10001 10000 102 Jun 27 13:16 Movies
> > drwx------+ 3 10001 10000 102 Jun 27 13:16 Music
> > drwx------+ 3 10001 10000 102 Jun 27 13:16 Pictures
> > drwxr-xr-x+ 4 10001 10000 136 Jun 27 13:16 Public
> >
> > These folders are empty and NOT connected to the redirected desktop.
> > I'm guessing the Mac AD setup doesn't bother much with Group
> > Policies.
>
> Only Windows uses GPOs (as yet). GPOs operate on the registry and
> only Windows has the registry.

I suspected that, but didn't know for sure. That's great! I'm not a fan
of GPOs. I think they're a "fake" security layer that constrains and
often frustrates legitimate users, but pose absolutely no threat to
sophisticated hackers. It's MS's attempt to prop up a fundamentally
insecure OS and, given the number of serious and successful attacks
targeting Windows, is not very effective.

> > Not necessarily a big deal as the Linux domain members
> > also do not auto-map to the redirected folders on the DC. However,
> > Linux does create the home folder as specified in sam.ldb and does
> > designate that as $HOME which Mac is not doing.
>
> I have never used an Apple machine, so I have no idea about the apple
> OS, but does it have anything similar to PAM ?

I know it uses Kerberos. I can successfully log in as a domain user.

> > So, some questions:
> >
> > If I were either to change this user's unixHomeDirectory (sam.ldb)
> > from /home/HPRS/mark to /Users/mark, would that make a difference?
>
> Only if '/Users' exists on the MACOS machine and there is something to
> create the user's homedir.

/Users does exist and that's where Mac users' home directories are
located. I should have mentioned that in my previous posts.

> > I supposed I could also try creating the /home/HPRS directory on the
> > Mac and see if a login plops me there.
>
> If '/home/HPRS' doesn't exist, this could well be your problem.

Very interesting. I tried creating /home/HPRS and got the error
"Operation not supported". I found this comment on
https://apple.stackexchange.com/questions/88797/how-to-execute-mkdir-in-home-directory:

"/home is used as a mount point for the automounter (see
/etc/auto_master and /etc/auto_home), you can't create your own
directories in there."

That's potentially good news. autofs is *exactly* what I used to mount
users' home directories and redirected desktops on Linux. It took me a
while to work out, but domain users logging onto Linux domain members
get the exact same desktop (and Documents, etc.) that they get when
logging onto a Windows domain member. My next step is to explore this
(https://gist.github.com/rudelm/7bcc905ab748ab9879ea) and possibly I
can come up with the same or similar solution I developed for Linux.

> > On Linux, I've used NFS export on the DC and autofs on the domain
> > member to mount the user's redirected folders. I could try the same
> > thing on Mac.
>
> As far as I am aware, the great-granddaddy of MACOS was some form of
> BSD, so I suppose you should treat it more like Linux than Windows.

Well, I "speak" BSD - lotsa BSD386 back in the 90's at Compuserve!

> > Rowland has mentioned vfs_fruit, which I've done some
> > reading on. Is vfs_fruit the recommended way of doing remote mounts
> > on Mac?
>
> I have never used it myself, but from my understanding, it is a layer
> between Samba, MACOS and the Unix OS.
>
> > I have done basic smb mounts from mac using CMD-K
> > smb:\\host\share. Suggestions on this?
>
> I have no idea, perhaps someone who actually uses MACOS would care to
> comment.
>
> Rowland
>
> PS Have you considered hitting the MACOS machines with a very big
> hammer ? It won't fix the problem, but it would make it go away,
> permanently. LOL

Oh! Noooo! I am stroking the Mac, speaking nurturing things to it,
playing New Age iTunes to soothe it. I have Steve Jobs' favorite
incense burning beside it. I want it to LIVE!

Back Story: I spent nearly 2 years getting a Linux domain member to
work seamlessly as a domain member workstation and enlisted 2 office
guinea pigs a year ago to give it a shot. I used KDE and made it look
as identical as possible to Windows 7, even using the Windows 7
background. Unfortunately, Linux doesn't run MS Office and my
replacements of LibreOffice and Thunderbird are not quite exact enough,
especially with Calc and doing collaborative document exchange with
external users using MS Word. Even installing a VM to run Windows-only
programs like QuickBooks, Adobe and Foxit had user complications.
Therefore, Management decided to pull the plug on going Linux instead
of Windows. I, being horrified at the prospect of Windows 10's lack of
security and privacy, suggested Mac. Mac potentially incorporates the
best of both worlds: the office productivity suite of MS Office,
support for QuickBooks and Adobe and the security benefits of Unix.

I'm going for an all out revolution in the business world: Samba4
instead of Windows Server, and Mac workstations instead of Windows 10.
If it works well, I'll evangelize!

Meanwhile, I will continue experimenting with autofs. Confidence is
High!

BTW - In all my verbiage in my preceding post, I probably obfuscated my
progress so far. To summarize, simply:

Directory Utility/Mapping:

Set 'Map UID to attribute' to the string "uidNumber"
Set 'Map user GID to attribute' to the string "gidNumber"
Not sure about 'Map group GID to attribute'. Doesn't seem to do
anything. More experimentation needed, but not urgent.

This causes the Mac to pick up the 'Domain Users' group and this user's
domain UID. When that domain user logs in all files and folders on the
Mac for that user have the AD UID.GID.

More later after autofs experiments.

--Mark
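Editor's added example, not code from either poster or from Samba. The mapping experiments above handed the same login three different UID.GID pairs in turn (1793602029.1840809715, 1793602029.20, then the AD values 10001.10000). Anything created in the home directory under an earlier pair keeps that ownership, and if the home directories are later served from the DC over NFS with the usual sec=sys, the server enforces access purely on the numeric IDs the client asserts, so orphaned or mismatched IDs are exactly what silently locks a user out of (or into) the wrong files. The script below checks that the logged-in user's IDs are the expected uidNumber/gidNumber and flags entries in an `ls -ln` listing whose owner or group differs. The sample listing is the one from the post plus two entries I constructed to stand in for leftovers from the earlier attempts; the script name audit_owners.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit a home directory for files
# whose numeric owner/group do not match the AD uidNumber/gidNumber that
# the Directory Utility mapping is now supposed to produce.

# stale_owners EXPECTED_UID EXPECTED_GID
# Reads `ls -ln` output on stdin and prints one line per entry whose
# numeric owner or group differs from the expected pair.
stale_owners() {
    exp_uid=$1
    exp_gid=$2
    while read -r mode links uid gid rest; do
        case "$mode" in
            [-dlcbps]*) ;;          # a permission string: a real entry
            *) continue ;;          # "total N" or a blank line
        esac
        if [ "$uid" != "$exp_uid" ] || [ "$gid" != "$exp_gid" ]; then
            printf 'STALE %s:%s (expected %s:%s): %s\n' \
                "$uid" "$gid" "$exp_uid" "$exp_gid" "$rest"
        fi
    done
}

# count_stale EXPECTED_UID EXPECTED_GID
# Same input on stdin; prints only the number of mismatched entries.
count_stale() {
    stale_owners "$1" "$2" | wc -l | tr -d ' '
}

# ids_match ACTUAL_UID ACTUAL_GID EXPECTED_UID EXPECTED_GID
# Prints "ok" when the session's IDs are the AD ones, else "mismatch".
ids_match() {
    if [ "$1" = "$3" ] && [ "$2" = "$4" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Constructed sample: the `ls -ln` listing from the post, plus two
# entries invented here to represent files created during the earlier
# mapping attempts (auto-generated UID/GID, then the gid-20 variant).
SAMPLE_LISTING='total 0
drwx------+ 3 10001 10000 102 Jun 27 13:16 Desktop
drwx------+ 3 10001 10000 102 Jun 27 13:16 Documents
drwx------+ 3 10001 10000 102 Jun 27 13:16 Downloads
drwx------@ 46 10001 10000 1564 Jun 27 13:26 Library
drwx------+ 3 10001 10000 102 Jun 27 13:16 Movies
drwx------+ 3 10001 10000 102 Jun 27 13:16 Music
drwx------+ 3 10001 10000 102 Jun 27 13:16 Pictures
drwxr-xr-x+ 4 10001 10000 136 Jun 27 13:16 Public
-rw-r--r-- 1 1793602029 1840809715 0 Jun 27 11:02 .first-login-test
-rw-r--r-- 1 1793602029 20 0 Jun 27 12:40 .second-login-test'

# Live use, run as the domain user after logging in on the Mac, e.g.
#   sh audit_owners.sh /Users/mark 10001 10000
# Only runs when three arguments are given, so the functions above can
# be sourced and exercised without touching a real home directory.
if [ "$#" -eq 3 ]; then
    echo "login IDs: $(ids_match "$(id -u)" "$(id -g)" "$2" "$3")"
    ls -lnA "$1" | stale_owners "$2" "$3"
fi
```

Run against the sample, `count_stale 10001 10000` reports 2: the eight folders the Mac created after the final mapping are fine, and only the two constructed leftovers are flagged. Re-running it after every mapping change, and before exporting the directory over NFS, catches ownership drift that `ls -l` with names hides, because an unmapped numeric ID simply shows up as a number rather than an error.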
Rowland Penny
2018-Jun-28 06:02 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, 27 Jun 2018 23:11:05 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Wed, 27 Jun 2018 19:31:58 +0100 Rowland Penny wrote:
>
> > Only Windows uses GPOs (as yet). GPOs operate on the registry and
> > only Windows has the registry.
>
> I suspected that, but didn't know for sure. That's great! I'm not a
> fan of GPOs. I think they're a "fake" security layer that constrains
> and often frustrates legitimate users, but pose absolutely no threat
> to sophisticated hackers. It's MS's attempt to prop up a
> fundamentally insecure OS and, given the number of serious and
> successful attacks targeting Windows, is not very effective.
>
> > > Not necessarily a big deal as the Linux domain members
> > > also do not auto-map to the redirected folders on the DC.
> > > However, Linux does create the home folder as specified in
> > > sam.ldb and does designate that as $HOME which Mac is not doing.
> >
> > I have never used an Apple machine, so I have no idea about the
> > apple OS, but does it have anything similar to PAM ?
>
> I know it uses Kerberos. I can successfully log in as a domain user.
>
> > > So, some questions:
> > >
> > > If I were either to change this user's unixHomeDirectory (sam.ldb)
> > > from /home/HPRS/mark to /Users/mark, would that make a difference?
> >
> > Only if '/Users' exists on the MACOS machine and there is something
> > to create the user's homedir.
>
> /Users does exist and that's where Mac users' home directories are
> located. I should have mentioned that in my previous posts.
>
> > > I supposed I could also try creating the /home/HPRS directory on
> > > the Mac and see if a login plops me there.
> >
> > If '/home/HPRS' doesn't exist, this could well be your problem.
>
> Very interesting. I tried creating /home/HPRS and got the error
> "Operation not supported". I found this comment on
> https://apple.stackexchange.com/questions/88797/how-to-execute-mkdir-in-home-directory:
>
> "/home is used as a mount point for the automounter
> (see /etc/auto_master and /etc/auto_home), you can't create your own
> directories in there."
>
> That's potentially good news. autofs is *exactly* what I used to
> mount users' home directories and redirected desktops on Linux. It
> took me a while to work out, but domain users logging onto Linux
> domain members get the exact same desktop (and Documents, etc.) that
> they get when logging onto a Windows domain member. My next step is
> to explore this (https://gist.github.com/rudelm/7bcc905ab748ab9879ea)
> and possibly I can come up with the same or similar solution I
> developed for Linux.

The problem with MACOS (as I understand it) is it is a 'locked in'
system and it uses its own versions of packages, for instance, it has
its own implementation of Samba. Locking /home into their automounter
is, in my opinion, a stupid idea, but there is probably nothing
stopping you creating something like '/home2'.

> > > On Linux, I've used NFS export on the DC and autofs on the domain
> > > member to mount the user's redirected folders. I could try the
> > > same thing on Mac.
> >
> > As far as I am aware, the great-granddaddy of MACOS was some form
> > of BSD, so I suppose you should treat it more like Linux than
> > Windows.
>
> Well, I "speak" BSD - lotsa BSD386 back in the 90's at Compuserve!
>
> > > Rowland has mentioned vfs_fruit, which I've done some
> > > reading on. Is vfs_fruit the recommended way of doing remote
> > > mounts on Mac?
> >
> > I have never used it myself, but from my understanding, it is a
> > layer between Samba, MACOS and the Unix OS.
> >
> > > I have done basic smb mounts from mac using CMD-K
> > > smb:\\host\share. Suggestions on this?
> >
> > I have no idea, perhaps someone who actually uses MACOS would care
> > to comment.
> >
> > Rowland
> >
> > PS Have you considered hitting the MACOS machines with a very big
> > hammer ? It won't fix the problem, but it would make it go away,
> > permanently. LOL
>
> Oh! Noooo! I am stroking the Mac, speaking nurturing things to it,
> playing New Age iTunes to soothe it. I have Steve Jobs' favorite
> incense burning beside it. I want it to LIVE!
>
> Back Story: I spent nearly 2 years getting a Linux domain member to
> work seamlessly as a domain member workstation and enlisted 2 office
> guinea pigs a year ago to give it a shot. I used KDE and made it
> look as identical as possible to Windows 7, even using the Windows 7
> background. Unfortunately, Linux doesn't run MS Office and my
> replacements of LibreOffice and Thunderbird are not quite exact
> enough, especially with Calc and doing collaborative document
> exchange with external users using MS Word. Even installing a VM to
> run Windows-only programs like QuickBooks, Adobe and Foxit had user
> complications. Therefore, Management decided to pull the plug on
> going Linux instead of Windows. I, being horrified at the prospect
> of Windows 10's lack of security and privacy, suggested Mac. Mac
> potentially incorporates the best of both worlds: the office
> productivity suite of MS Office, support for QuickBooks and Adobe and
> the security benefits of Unix.

Oh come on, I was joking ;-)

You do however raise valid points, until such time that LibreOffice
works identically to Office, then you are going to have problems. Users
will not learn how to use the new packages, they just whine for their
old packages.

Rowland