[MacTUG] Notes on authenticating to Nexus, lets share ahead of the meeting

Wed Oct 3 12:36:18 EDT 2012

Hi guys

I usually keep what I consider pretty good notes on the big tasks that I do on a regular basis. At least they are good enough for me to remind myself when I say "why did i do that??" haha. They also serve as backup for my coworkers if I am hit by a bus/win a huge lottery/become a monk or for some other reason do not show up for work one day ;-) These notes are mainly done with the context of setting up lab macs to authenticate to Nexus as that is all we have formally done at this point. It is also assuming 10.6 server and client.

Frankly, I am working at home today as I am fighting a bug, and these documents are at work. I do have a 2 year old version that I think I have not modified appreciably which I will include below. I will look at my new copy of the notes at work when I am back tomorrow (i hope) and let you know if there are any differences. I would suggest you do not make any huge corrections until I ensure that these are my current notes. Here are my notes:

Intro
You are going to set up the client Mac to authenticate using the Golden or Magic Triangle (I prefer Golden). This is called this because the Mac Server (the Open Directory Server-- OD) and the Active Directory (AD) are going to both work together to let users log on, and to control the user’s access to the computer. The Authentication to log on is controlled by AD, but AD does not have the ability to control the settings of the users’ experience on the Mac. OD can do this. Now to complete the Golden Triangle You must also bind the Mac Server to AD, so the first step will be to go through the process on the server of Binding it to AD as listed in the Section below. Obviously this only needs to be done once, so if you already have the Golden Triangle working, then you are fine.

First do the following preliminary setup:

  1.  Get the latest and greatest mac. This will be used to build the disk image we will deploy, and it is therefore called “Cient Zero” For the time being, create a local account. (This can be deleted before cloning)
  2.  Open System Preferences>Accounts>Login Options and set “Display Login Window” and turn off automatic login
  3.  System Preferences>Network: Set the mac up to get its IP address from DHCP (if the mac is a server do not do this). Despite the fact that DHCP may populate these settings, YOU MUST manually set you DNS Server entries to the current settings (eg 129.97.50.86, 129.97.20.250), and also manually set your Search Domain to be “uwaterloo.ca”. Things may not work right if you do not do this!
  4.  Make sure the client machine has the correct time as if the time is off (from the domain controler) by 5 minutes, things will not work.
  5.  You will use the Workgroup Manager to alter most of the users’ preferences, but it may not be able to do all of them. Check out the linked note “OS X - Workgroup Manager Tips and Tricks” for more into on this.) For those it cannot modify, alter the default settings that the Mac uses to create accounts. This is mainly done by altering stuff in System>Library
     *   In CoreServices, DefaultDesktop.jpg can be replaced (you may want to burn some message into it) to change the background screen. This does not seem to change the default desktop pattern for new users, however.
     *   To do that, Go to Library>Desktop Pictures>Nature, and rename the Aurora.jpg file to something else and put a new file in there named Aurora.jpg
     *   In User Template, you can put prefs for things like finder, mouse settings, 3rd party apps, etc. You should only put things in here that the Server cannot control (for example, the server can control what is in the dock. In fact as described below, Workgroup Manager can control almost every setting you may have.

To bind a Mac to Open Directory (10.6)
This gives the Mac Server control (via the Workgroup Manager) of who accesses the computer and what privilages they have and how their environment is setup. When the Mac Server is providing this authorization information, if is called the MCX (Macintosh Client for OS X) server. It is possible that you could let the client join automatically when you set it up (it may see the mac server — env-macserver1.uwaterloo.ca — but I would suggest for now we do it automatically).  PLEASE NOTE: YOU CAN SET UP DEPLOYSTUDIO TO BIND TO OD, and this is described in another linked Note.

  1.  Open System Preferences > Accounts > Login Options
  2.  Click on the Network Account Server button
  3.  Click on Open Directory Utility
  4.  Click on LDAPv3 and double click on it to edit it
  5.  Click on the New button and enter the complete server name and click on the Continue button (you will likely need to authenticate with a local admin account)
  6.  Enter the computer name, the Directory Administrator's name (usually diradmin) and password (currently fesadmin’s password)

To bind with Active Directory
This part of the Golden Triangle is determining the authentication of the User. We are doing this with AD (nexus). While AD will determine if the users credentials are correct, the OD Mac Server (or MCX Server as they are often called) will then be providing all the info as to what the user can access. PLEASE NOTE: YOU CAN SET UP DEPLOYSTUDIO TO BIND TO AD, and this is described in another linked Note.
Open System Preferences > Accounts > Login Options

  1.  Click on the Network Account Server button
  2.  Click on Open Directory Utility
  3.  Click on Active Directory and double click on it to edit it
  4.  For Active Directory Domain, enter “nexus.uwaterloo.ca”
  5.  Give the IPname for Computer ID
  6.  Click on the “Show Advanced Options”
  7.  Turn on the “Create Mobile Account on Login”, and make sure that you deselect “Require confirmation before creating account”
  8.  Everything else should for this Tab can be left as default
  9.  Under the Administrative Tab, check the “Allow administration by” button, and add NEXUS\env-admins to the administration privileges so that they can administer the computer.
  10. Now click on the Bind button and authenticate using a Bang! account and password
  11. Set the computer OU to the correct value.
     *   For Labs
        *   OU=DMC,OU=public access,OU=StudentLabs,OU=Computers,OU=Resources,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA
        *   OU= Digital Video Lab,OU=public access,OU=StudentLabs,OU=Computers,OU=Resources,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA
        *   Click the OK button
     *   For staff & faculty computers they go in the appropriate spot in AD for example:
        *   OU= Stafffaculty, OU=Computers,OU=Resources,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA
        *   OU= MAD, OU=Computers,OU=Resources,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA
        *   OU=Alternatives,OU=Units,OU=Computers,OU=Resources,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA
     *   For testing: OU=Macs,OU=No Policies,OU=Testing,OU=Computers,OU=Resources,OU=Environmental Studies,OU=Faculties,DC=NEXUS,DC=UWATERLOO,DC=CA
  12. To set up binding for two directory services, the MCX server (the Mac OD Server) is listed first, then the authentication (AD). (This is according to Apple Client Management White Paper available in the Resources below.)

------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
http://www.environment.uwaterloo.ca/computing/people/don.html
------------
To request help from MAD please us "Request Tracker". For info see: http://www.fes.uwaterloo.ca/computing/faculty_staff/
------------
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and If you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited.  If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.uwaterloo.ca/pipermail/mactug/attachments/20121003/1e81bef2/attachment-0001.html>