Fwd: [Samba] Joining Mac OSX 10.8.4 Small contribution for the documentation/wiki?...

"David González Herrera - [DGHVoIP]" info at dghvoip.com
Sun Jun 23 14:52:01 MDT 2013

Hello list,

I'd like to share with you my experience with Samba4 AD-DC and Mac OSX
Mountain Lion 10.8.4: joining it to the domain and using the Kerberos
implementation on OSX to authenticate users against the AD.

Maybe it's useful to someone here.

My scenario:
My domain controller is on a remote location and I've got my router
(Mikrotik) set up to create a PPTP tunnel to the w2k8 server as a domain
user, with NAT and routes set up accordingly (not covered here).

Desktop computer running OSX ML 10.8.4 (mine is a custom build)
Domain: example.local
PDC: samba.example.local (Samba4)
BDC1: bdc.example.local (Samba4)
BDC2: w2k8.example.local (W2K8 R2)

Now for the exciting part

1) Configure OSX for Kerberos authentication
Copy krb5.conf from your Samba4 Domain Controller to your Mac, then
from a Terminal:

$ sudo mv /Path/To/krb5.conf /etc/
$ sudo chown root:wheel /etc/krb5.conf
$ sudo chmod 644 /etc/krb5.conf

Confirm that you can successfully obtain a Kerberos Ticket Granting
Ticket (TGT):

Use "kinit" with your username to obtain a ticket. Use "klist" to show
that your user has a "krbtgt" ticket, then use "kdestroy" to
destroy/invalidate the ticket.

Last login: Sat Jun 22 20:59:53 on console
localhost:~ dave$ kinit david  [PRESS ENTER]
localhost:~ dave$ klist [PRESS ENTER]
Credentials cache: API:501:5
         Principal: david@EXAMPLE.LOCAL

   Issued                Expires               Principal
Jun 23 15:02:28 2013  Jun 24 01:02:20 2013

localhost:~ dave$ kdestroy [PRESS ENTER]
localhost:~ dave$

If everything goes as expected, you've got Kerberos working on your OSX ML.

2) Configure Active Directory for Authorization
Enable Directory Services with Active Directory for Authorization

From a Finder window:
- open /System/Library/CoreServices/Directory\ Utility.app
- Unlock, authenticate as the local admin.
- Select Active Directory
- Leave Active Directory Forest empty, it'll be filled in automatically
- On Active Directory Domain input your domain name (example.local in our case)
- On Computer ID input your computer's name
- Optional: check "Create mobile account at login" (a roaming-profile-like
account, I guess)
- Hit the Bind button
- You'll be prompted for the administrator credentials, so input them
- Computer OU: leave as default, CN=Computers,DC=example,DC=local
- Check "Use for authentication"
- Check "Use for Contacts" (optional)

You'll see the little thing spinning and, if you've got your Samba running
on another terminal, you'll see how the computer account is created and
the workstation is joined to the domain. The Bind button will change
to Unbind, so if no errors showed up you've just joined your Mac OSX 10.8.4
to your Samba 4 domain.

Enable logins for Network Users at OSX's Login Window:
- Apple Menu -> System Preferences
- Users & Groups Pref Pane
- Unlock the Pad Lock and Authenticate as local admin
- Click "Login Options"
- Turn OFF Automatic Login
- Set "Display login window as" to "Name and password"
- This setting can also be configured from the command line. Run the
following in a Terminal to set the login window to show username and
password fields:

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow

- Enable "Allow network users to log in at login window"
- Click "Options..." and set "All Network users", then click Done.
- Network Account Server: the EXAMPLE server should be listed and showing a
green "gum drop" icon.

Confirm that you can identify Active Directory users:

localhost:~ dave$ id david
uid=2002409141(david) gid=2125881087(EXAMPLE\Domain Users)
groups=2125881087(EXAMPLE\Domain Users),704058724(EXAMPLE\Group Policy
Creator Owners),1845177527(EXAMPLE\Denied RODC Password Replication
Group),2097499953(EXAMPLE\RAS and IAS Servers),316274987(EXAMPLE\VPN
localhost:~ dave$

3) Enable Kerberos tickets at login
Applying the configuration changes below will enable OSX to
automatically obtain a Kerberos TGT for the logged-in user. This is
quite handy when you want the user to be able to mount servers that are

First make a backup copy of the file, then edit /etc/pam.d/authorization
and insert these two additional lines at the top:

auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_krb5.so use_first_pass default_principal

Use a Terminal.app text editor like 'vi' or 'nano', use a GUI editor
like TextWrangler, BBEdit, or TextMate, or use this terminal command,
which rewrites the existing "auth optional pam_krb5.so use_first_pass
use_kcminit" line into the two lines above (run it as root, e.g. with sudo):

/usr/bin/perl -pi -e 's/^auth\s+optional\s+pam_krb5\.so use_first_pass use_kcminit$/auth       optional       pam_krb5.so use_first_pass use_kcminit\nauth       sufficient     pam_krb5.so use_first_pass default_principal/' "/etc/pam.d/authorization"

Check that /etc/pam.d/authorization looks like the following example:

$ cat /etc/pam.d/authorization
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
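As an added check (example code, not from the original post): a small POSIX shell script that validates the edited /etc/pam.d/authorization before you reboot for the login test, using constructed sample files rather than the live file. It assumes the "type control module args" layout of the listing above.

```shell
# Added example, not part of the original post: sanity-check an edited
# /etc/pam.d/authorization before rebooting. A misordered PAM stack can
# lock every user out of the login window, so verify it first.
# Assumes the "type  control  module  args" layout of the listing above.

# check_pam_auth FILE: 0 if the Kerberos lines are present and ordered
check_pam_auth() {
    f="$1"
    # every non-comment, non-empty line needs type, control and module
    awk '!/^#/ && NF && NF < 3 { bad=1 } END { exit bad+0 }' "$f" \
        || { echo "malformed line in $f" >&2; return 1; }
    s='[[:space:]][[:space:]]*'
    opt=$(grep -n "^auth${s}optional${s}pam_krb5\.so.*use_kcminit" "$f" | head -1 | cut -d: -f1)
    suf=$(grep -n "^auth${s}sufficient${s}pam_krb5\.so.*default_principal" "$f" | head -1 | cut -d: -f1)
    od=$(grep -n "^auth${s}required${s}pam_opendirectory\.so" "$f" | head -1 | cut -d: -f1)
    if [ -z "$opt" ] || [ -z "$suf" ] || [ -z "$od" ]; then
        echo "missing pam_krb5 or pam_opendirectory auth line" >&2; return 1
    fi
    # pam_krb5 must run before OpenDirectory, "optional" before "sufficient"
    if [ "$opt" -ge "$suf" ] || [ "$suf" -ge "$od" ]; then
        echo "pam_krb5 lines are out of order" >&2; return 1
    fi
    grep -q "^account${s}required${s}pam_opendirectory\.so" "$f" \
        || { echo "account line missing" >&2; return 1; }
    return 0
}

# Constructed sample files, so the check can be tried without touching /etc.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF
# "bad": the sufficient line landed below pam_opendirectory, out of the intended order
cat > "$tmp/bad" <<'EOF'
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
auth       sufficient     pam_krb5.so use_first_pass default_principal
account    required       pam_opendirectory.so
EOF
check_pam_auth "$tmp/good" && echo "good: OK"
check_pam_auth "$tmp/bad" || echo "bad: rejected"
```

Run it against the real file with check_pam_auth /etc/pam.d/authorization after editing, and only reboot once it reports OK.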

4) Test Logins
Restart, log in with your Penn State Access ID, open a terminal and verify
that you have a ticket with "klist". Open System Preferences and
"Accounts" to verify you are a network user.

If you have some users that can log in and others that can't, it's
possible that they are not yet listed in LDAP, or their LDAP attributes
might be missing or have the wrong case. To check for a userid, do the
following from the command line (Terminal.app):

$ ldapsearch -h example.local -x -b "dc=example,dc=local" "uid=david" > /tmp/ldap-data.txt

$ grep "uid:" /tmp/ldap-data.txt ; grep "psDirIDN:" /tmp/ldap-data.txt ;
grep "cn:" /tmp/ldap-data.txt ; grep "psUidNumber:" /tmp/ldap-data.txt
  uid: david
  psDirIDN: 367777
  psUidNumber: 493417

If any of the attributes do NOT appear, then there might be an issue
with the user's Active Directory record, with either missing attributes
or attributes whose letter case does not match.

5) Additional System Changes

LoginWindow StartupDelay

To help keep the loginwindow from showing the status of the EXAMPLE
server as red, you can use this command to tell it to wait until DNS
is ready before starting. Doing this helps keep the "red dot of despair"
from appearing after boot.

sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow StartupDelay -int 60

Voila, you can now have your Mac joined to your shiny Samba4 DC, and you
can log in with any domain user and use your Mac as usual with the added
benefit of the network shares and the thrill and pride that you made it

I changed some of the steps to work on Samba / Active Directory as these
steps were all for LDAP.

Note: This was also on the PSU site but I haven't tried it yet as I
don't use a screen saver and I also hate it when I have to type a password
to get out of it.

I hope this comes in handy for someone out there.

Note 2: This is on a production environment for the company I do IT for
and it's been working like a charm.
so k$ that won't go to Micro$oft's pockets but neither to mine :-(

David Gonzalez
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
URL: www.dghvoip.com
Skype: davidgonzalezh