[MacTUG] AD authentication

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Fri Nov 27 15:08:02 EST 2009


For years I have been getting our mac server to bind to AD so that users
could authenticate via nexus (using MacAdministrator software). As we use
MacAdmin to authenticate our lab machines, and we did not have a ton of
desktop office macs, I did not bother with going the distance to get macs to
authenticate to AD.

With the upswing in the number of desktop macs that are being used by
faculty and staff I decided to get off my keester and start playing with it.
It turns out I was 99% of the way there, and a big thanks to Keith McGowan
for quickly helping me out with the remaining 1%.

At any rate, as the main mac support guy around here I try to document stuff
in case things need doing when I am not around. I thought I would share my
notes. I am assuming most if not all of you will learn anything here, but
more the other way around to get any feedback on whether you do things
differently or not. Comments welcome ;-)
don


> 1. Firstly, make sure you are using the nexus DNS - currently 129.97.50.86 &
> 129.97.20.250 - not IST ones.
> 2. Open Directory Utility and enable and edit Active Directory. After OS X
> 10.4 Apple hid the Directory Utility in /System/Library/Core Services -
> Arrrrrrrgh!!!
> 3. Set Forest to nexus.uwaterloo.ca and computer id to the name of the
> computer
> 4. Click on Bind button
> 5. Authenticate with an account with sufficient AD privileges
> 6. Set the Computer OU to the correct path, currently
> OU=i_edited_out_the_rest_of_the_path_for_Mactugger,OU=Environmental
> Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA . This will bind the mac in an
> area that the bang account has privileges for. If we need to, we can move the
> Mac to a spot that we like at a later date. You should be able to bind at this
> point.
> 7. If we want to use AD to authenticate onto this machine you need to do a few
> more things in the directory utility.
>   * Under "Active Directory>Advanced Options" check "Force local home
>       directory on startup disk" to have the home directory be on the local mac
>       hard disk
>   * If you want the N drive to mount, check "Use UNC path from Active
>       Directory..."
>   * Uncheck (to disable) LDAP
>   * Under "Search Policy" drag Active Directory so it is above LDAP


------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environmental Studies
University of Waterloo
(519) 888-4567 x32151
http://www.fes.uwaterloo.ca/computing/people/don.html
------------
To request help from MAD please use Request Tracker. For info see:
http://www.fes.uwaterloo.ca/computing/faculty_staff/
------------
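Steps 3 to 7 of the notes above, scripted with dsconfigad and dscl so that a batch of desktop Macs can be bound the same way. This is an added example, not from Don's post; it assumes the long-form dsconfigad flags of OS X 10.6, that the AD domain to join has the same name as the forest, placeholder values for the OU and bind account (the post edits those out), and an Active Directory node name under dscl that varies by release.

```shell
#!/bin/sh
# Added example (not from the original post). DRY_RUN=1 (default) only prints
# the commands for review; DRY_RUN=0 applies them and must be run as root.
set -e

AD_DOMAIN="nexus.uwaterloo.ca"          # step 3: forest/domain (assumed identical)
# Placeholder OU: the real path was edited out of the post; substitute your own.
COMPUTER_OU="OU=YOUR_OU_HERE,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA"
BIND_USER="${BIND_USER:-bind-account}"   # step 5: AD account allowed to join in that OU
COMPUTER_ID="${COMPUTER_ID:-$(hostname -s)}"   # step 3: computer id = machine name
# Assumed node name; confirm on your release with: dscl localhost -list "/Active Directory"
AD_NODE="${AD_NODE:-/Active Directory/All Domains}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 3-7. The password is deliberately not passed with -password: dsconfigad
# prompts for it, so it never lands in shell history or ps output.
bind_to_ad() {
    run dsconfigad -add "$AD_DOMAIN" -computer "$COMPUTER_ID" \
        -username "$BIND_USER" -ou "$COMPUTER_OU" -force
    run dsconfigad -localhome enable    # "Force local home directory on startup disk"
    run dsconfigad -useuncpath enable   # "Use UNC path from Active Directory" (N drive)
    # Search policy: custom path with the AD node listed ahead of any LDAP node.
    # Disabling the LDAPv3 plugin itself is still done in Directory Utility.
    run dscl /Search -create / SearchPolicy CSPSearchPath
    run dscl /Search -append / CSPSearchPath "$AD_NODE"
}

# Post-bind check: the bind is only useful if AD lookups actually resolve.
verify_bind() {
    run dsconfigad -show
    run dscl /Search -read / CSPSearchPath
    run id "$1"   # a known AD user; a uid/gid line proves the lookup works
}

bind_to_ad
verify_bind "${1:-someaduser}"   # "someaduser" is a placeholder AD account
```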