[MacTUG] AD authentication

Steve Hellyer phasetwo at apple.com
Fri Nov 27 16:13:37 EST 2009


This looks very good to me.  Just a couple of small changes and some background below.

Steve

On 2009-11-27, at 3:08 PM, Donald Duff-McCracken wrote:

> For years I have been getting our mac server to bind to AD so that users
> could authenticate via nexus (using MacAdministrator software). As we use
> MacAdmin to authenticate our lab machines, and we did not have a ton of
> desktop office macs, I did not bother with going the distance to get macs to
> authenticate to AD.
> 
> With the upswing in the number of desktop macs that are being used by
> faculty and staff I decided to get off my keester and start playing with it.
> It turns out I was 99% of the way there, and a big thanks to Keith McGowan
> for quickly helping me out with the remaining 1%.
> 
> At any rate, as the main Mac support guy around here I try to document stuff
> in case things need doing when I am not around. I thought I would share my
> notes. I am assuming most if not all of you will learn anything here, but
> more the other way around, to get any feedback on whether you do things
> differently or not. Comments welcome ;-)
> don
> 
> 
>> 1. Firstly, make sure you are using the nexus DNS (currently 129.97.50.86 &
>> 129.97.20.250), not the IST ones.

Yes, a very important step. However, why AD doesn't like other DNS servers, only MS knows for sure. :-)

>> 2. Open Directory Utility and enable and edit Active Directory. After OS X
>> 10.4 Apple hid the Directory Utility in /System/Library/CoreServices.
>> Arrrrrrrgh!!!

I believe it was after 10.5, not 10.4, that we moved it to /System/Library/CoreServices. Consider it a promotion.  Things in the CoreServices directory are key to Mac OS X, and thus this cements the functionality into future Mac OS X releases.
Yes, it keeps it away from prying eyes like non-admins.  Keep in mind this is a set-once-and-forget type of thing. Not sure how Arrrrrrrrrgh!!!! that is. :-)

There is another way to get to this, which is the preferred method in 10.6 (Snow Leopard):
System Preferences -> Accounts -> Login Options -> then click the Edit button next to "Network Account Server".

>> 3. Set Forest to nexus.uwaterloo.ca and Computer ID to the name of the
>> computer.
>> 4. Click on the Bind button.
>> 5. Authenticate with an account with sufficient AD privileges.
>> 6. Set the Computer OU to the correct path, currently
>> OU=i_edited_out_the_rest_of_the_path_for_Mactugger,OU=Environmental
>> Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA . This will bind the Mac in an
>> area that the bang account has privileges for. If we need to, we can move the
>> Mac to a spot that we like at a later date. You should be able to bind at this
>> point.
>> 7. If we want to use AD to authenticate onto this machine you need to do a few
>> more things in the Directory Utility.
>>  * Under "Active Directory > Advanced Options" check "Force local home
>>    directory on startup disk" to have the home directory be on the local Mac
>>    hard disk.
>>  * If you want the N drive to mount, check "Use UNC path from Active
>>    Directory...".
>>  * Uncheck (to disable) LDAP.
>>  * Under "Search Policy" drag Active Directory so it is above LDAP.

Note: while you disabled LDAP in Directory Utility, the Active Directory functionality really does use LDAP to talk to Windows servers. Think of it as a specially adapted version of the LDAP connector which knows how to do some special things, like parse the UNC field which contains the location of your network home directory, but formatted for Windows, not UNIX or URL style.  The AD connector translates this stuff.
(Note another setting allows AD admins in the directory to also have local admin privileges on your Mac as well.)

It is important to know this because if the Windows admin has enabled a firewall and blocks the LDAP port, it won't work.
Windows clients don't use LDAP to authenticate; they use their own unique protocol.  So if one day all the Macs can't log in but Windows machines are fine, look to a firewall being enabled.
There are other ports as well, but save that for another day.

>> OU=i_edited_out_the_rest_of_the_path_for_Mactugger,OU=Environmental
>> Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA

Wow, the above is rather unique to UWaterloo.  I would never have guessed that.  This is why you need the help of a Windows admin to make this work. This is a VERY specific search path.

When you bind your Mac to AD the Windows admins should see your computer added as a computer record.  It will have a unique UUID, which brings me to my final point.  You need to make sure you are using imaging tools which clear out the unique Kerberos and UUID properties of the master system you created the image on.  Otherwise you will have binding "weirdness".  Imaging tools which do this for you are the Apple imaging tools provided with Server, and DeployStudio.  Windows admins making master images to deploy to clients would use sysprep or Ghost, which do the same sort of thing to their master images.

Final thought. The password policy set on AD will now also be the policy you have to follow.  It includes password change interval, uniqueness and length. It is a good idea to know what that policy is in detail, because if it expires you will be prompted to change it and the dialog box will not hint at what the policy is. There is no way to glean that policy from an LDAP database perspective. Also, in 10.6 your keychain password is synced with the AD password change. Not the case in 10.4 and 10.5.

Nice work, Don...

Steve

> ------------------------------------
> Donald Duff-McCracken
> Technical Services Manager
> Mapping, Analysis & Design
> Faculty of Environmental Studies
> University of Waterloo
> (519) 888-4567 x32151
> http://www.fes.uwaterloo.ca/computing/people/don.html
> ------------
> To request help from MAD please use Request Tracker. For info see:
> http://www.fes.uwaterloo.ca/computing/faculty_staff/
> ------------
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug
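Two of the points in this thread (use the nexus DNS servers, and a firewall on the LDAP port breaks Mac logins while Windows keeps working) are easy to check from the Mac before and after binding. The script below is an added example, not code from either poster; it only borrows the forest name and DNS addresses from Don's notes. The function names, the port list (DNS, Kerberos, LDAP, SMB and the global catalog, which is what the Apple AD connector needs to reach on a domain controller) and the use of dig and nc are my assumptions; nothing here changes the binding itself.

```sh
#!/bin/sh
# Pre-bind sanity checks for joining a Mac to Active Directory.
# Example script, not from the MacTUG post. Forest name and DNS addresses
# are the values quoted in the thread; everything else is assumed.

AD_DOMAIN="nexus.uwaterloo.ca"
EXPECTED_DNS="129.97.50.86 129.97.20.250"
# TCP ports the AD connector needs on a DC: DNS, Kerberos, LDAP, SMB, global catalog.
# (Assumed list; the thread only says "LDAP port" and "other ports".)
AD_PORTS="53 88 389 445 3268"

# check_resolvers RESOLV_TEXT EXPECTED
# Given the text of /etc/resolv.conf, return 0 only if at least one nameserver
# is configured and every one of them is in the expected list (step 1 in the notes).
check_resolvers() {
  resolv_text=$1
  expected=$2
  configured=$(printf '%s\n' "$resolv_text" | awk '/^nameserver/ {print $2}')
  [ -n "$configured" ] || { echo "no nameserver configured" >&2; return 1; }
  for ns in $configured; do
    case " $expected " in
      *" $ns "*) ;;
      *) echo "unexpected resolver: $ns (not an AD DNS server)" >&2; return 1 ;;
    esac
  done
  return 0
}

# dc_srv_record DOMAIN
# Print the SRV record name that AD clients query to locate domain controllers.
dc_srv_record() {
  printf '%s\n' "_ldap._tcp.dc._msdcs.$1"
}

# find_dcs DOMAIN
# Print the DC hostnames advertised for the domain; empty output means the
# resolver in use does not serve the AD zone, which is the step-1 failure mode.
find_dcs() {
  dig +short SRV "$(dc_srv_record "$1")" | awk '{print $4}' | sed 's/\.$//'
}

# check_ports HOST PORTS
# Try a TCP connect to each port; a closed LDAP port with everything else open
# is the "Macs can't log in but Windows is fine" firewall symptom from the thread.
check_ports() {
  host=$1
  ports=$2
  failed=0
  for p in $ports; do
    if nc -z -w 3 "$host" "$p" 2>/dev/null; then
      echo "ok   $host:$p"
    else
      echo "FAIL $host:$p (firewall?)"
      failed=1
    fi
  done
  return $failed
}

main() {
  echo "== resolvers (from /etc/resolv.conf; scutil --dns shows the same on Mac OS X)"
  check_resolvers "$(cat /etc/resolv.conf)" "$EXPECTED_DNS" && echo "resolvers ok"
  echo "== domain controllers for $AD_DOMAIN"
  dcs=$(find_dcs "$AD_DOMAIN")
  if [ -z "$dcs" ]; then
    echo "no DC SRV records found; fix DNS before trying to bind" >&2
    exit 1
  fi
  for dc in $dcs; do
    check_ports "$dc" "$AD_PORTS"
  done
  # After binding, 'dsconfigad -show' prints the settings chosen in Directory Utility.
}

# Only run the live checks when invoked with an argument, e.g.: sh adcheck.sh run
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it once with the nexus resolvers and once with the IST ones to see the SRV lookup come back empty in the second case; when logins break later, the port check is the quickest way to tell a DNS change from a firewall change.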
