[Samba] Joining Mac OSX 10.8.4 Small contribution for the documentation/wiki?...

"David González Herrera - [DGHVoIP]" info at dghvoip.com
Sun Jun 23 14:50:32 MDT 2013

Hello list,

I'd like to share with you my experience with Samba4 AD-DC and Mac OSX 
Mountain Lion 10.8.4 joining it to the domain and using kerberos 
implementation on OSX to authenticate users against the AD.

Maybe it's useful to anyone here

My scenario:
My domain controller is on a remote location and I've got my router 
(Mikrotik) setup to create a PPTP tunnel to the w2k8 server as a domain 
user, NAT and routes setup accordingly, not covered here.

Desktop computer running OSX ML 10.8.4 (mine is a custom build)
Domain: example.local
PDC: samba.example.local ( Samba4
BDC1: bdc.example.local ( Samba4
BDC2:  w2k8.example.local ( W2K8 R2

Now for the exciting part

1) Configure OSX for Kerberos authentication
Copy krb5.conf from your Samba4 Domain controller to your Mac, then 
from a Terminal:

$ sudo mv /Path/To/krb5.conf /etc/
$ sudo chown root:wheel /etc/krb5.conf
$ sudo chmod 644 /etc/krb5.conf

Confirm that you can successfully obtain a Kerberos Ticket Granting 
Ticket (TGT):

Use "kinit" with your username to generate a ticket. Use "klist" to show 
that your userID has a "krbtgt" ticket, then use "kdestroy" to 
destroy/invalidate the ticket.

Last login: Sat Jun 22 20:59:53 on console
localhost:~ dave$ kinit david  [PRESS ENTER]
localhost:~ dave$ klist [PRESS ENTER]
Credentials cache: API:501:5
         Principal: david@EXAMPLE.LOCAL

   Issued                Expires               Principal
Jun 23 15:02:28 2013  Jun 24 01:02:20 2013 

localhost:~ dave$ kdestroy [PRESS ENTER]
localhost:~ dave$

If everything goes as expected, you've got Kerberos working on your OSX ML.

2) Configure Active Directory for Authorization
Enable Directory Services with Active Directory for Authorization

 From a Finder window
- open /System/Library/CoreServices/Directory\ Utility.app
- Unlock, authenticate as the local admin.
- Select Active Directory
- On active directory forest nothing, it'll automatically be filled
- On active directory domain input your domain name in our case 
- On computerID input your computer's name
- Optional: check create mobile account at login (roaming profile-like 
account I guess)
- Hit Bind button
- You'll be prompted for the administrator credentials, so input them
- Computer OU leave as default CN=Computers,DC=example,DC=local
- Check Use for authentication
- Check Use for Contacts (optional)

You'll see the little thing spinning and if you've got your samba running 
on another terminal you'll see how the computer account is created and 
the workstation is joined to the domain and the Bind button will change 
to Unbind, so if no errors showed you've just joined your Mac OSX 10.8.4 
to your Samba 4 domain.

Enable logins for Network Users at OSX's Login Window:
- Apple Menu -> System Preferences
- Users & Groups Pref Pane
- Unlock the Pad Lock and Authenticate as local admin
- Click "Login Options"
- Turn OFF Automatic Login
- Set "Display login window as" to "Name and password"
- This setting can also be configured with a command. Run the following 
line in the terminal to set the login window to show username and 
password fields:

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow 

- Enable "Allow network users to log in at login window",
- Click "Options..." and set "All Network users", Click DONE.
- Network Account Server: EXAMPLE server should be listed and showing a 
green "gum drop" icon.

Confirm that you can identify Active Directory users:

localhost:~ dave$ id david
uid=2002409141(david) gid=2125881087(EXAPLE\Domain Users) 
groups=2125881087(EXAPLE\Domain Users),704058724(EXAPLE\Group Policy 
Creator Owners),1845177527(EXAPLE\Denied RODC Password Replication 
Group),2097499953(EXAPLE\RAS and IAS Servers),316274987(EXAPLE\VPN 
localhost:~ dave$

3) Enable Kerberos tickets at login
Applying the below configuration changes will enable OSX to 
automatically obtain a Kerberos TGT for the logged in user. This is 
quite handy when you want the user to be able to mount servers that are 

First make a backup copy of the file, edit the /etc/pam.d/authorization 
file and add two additional lines to the top:

Insert these two additional lines:

auth       optional       pam_krb5.so use_first_pass use_kcminit 
auth       sufficient     pam_krb5.so use_first_pass default_principal

Use a Terminal.app text editor like 'vi' or 'nano', use a GUI editor 
like TextWrangler, BBEdit, or TextMate, or use this terminal command:

/usr/bin/perl -pi -e 's/auth       optional       pam_krb5.so use_first_pass use_kcminit/auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal\nauth       sufficient     pam_krb5.so use_first_pass default_principal/g' "/etc/pam.d/authorization"

Check the /etc/pam.d/authorization looks like the following example:

$ cat /etc/pam.d/authorization
# authorization: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit 
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       optional       pam_ntlm.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so

4) Test Logins
Restart, login with your Penn State Access ID, open terminal and verify 
that you have a ticket with "klist". Open System Preferences and 
"Accounts" to verify you are a network user.

If you have some users that can login and others that can't, it's 
possible that they are not yet listed in LDAP, OR their LDAP attributes 
might be missing or have the wrong case. To check for a userid, do the 
following from the command line (terminal.app):

$ ldapsearch -h example.local -x -b "dc=example,dc=local" "uid=david" > 

$ grep "uid:" /tmp/ldap-data.txt ; grep "psDirIDN:" /tmp/ldap-data.txt ; 
grep "cn:" /tmp/ldap-data.txt ; grep "psUidNumber:" /tmp/ldap-data.txt
  uid: david
  psDirIDN: 367777
  psUidNumber: 493417

If any of the attributes do NOT appear, then there might be an issue 
with the user's Active Directory record, with either missing attributes 
or attributes with non matching case of letters.

5) Additional System Changes

LoginWindow StartupDelay

To help curb the loginwindow from showing the status of the EXAMPLE 
server as red, you can use this command to tell it to wait until DNS 
is ready before starting. Doing this helps keep the "red dot of despair" 
from appearing after boot.

sudo /usr/bin/defaults write /Library/Preferences/com.apple.loginwindow StartupDelay -int 60

Voila, you can now have your Mac joined to your shiny samba4 DC and you 
can login with any domain user and use your mac as usual with the added 
benefit of the network shares and the thrill and pride that you made it 

I changed some of the steps to work on Samba / Active Directory as these 
steps were all for LDAP.

Note: This was also on the PSU site but I haven't tried it yet as I 
don't use screen saver and I also hate it when I have to type a password 
to get out of it.

I hope this comes in handy for someone out there.

Note 2: This is on a production environment for the company I do IT for 
and it's been working like a charm.



so k$ that won't go to Micro$oft's pockets but neither to mine :-(

David Gonzalez
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +
URL: www.dghvoip.com
Skype: davidgonzalezh
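
The step 3 edit of /etc/pam.d/authorization, written as an idempotent shell function with a timestamped backup and a check of the resulting stack; this is an added example and not part of the original post. The function names stack_ok and add_krb5_lines and the /tmp/pam-edit.XXXXXX scratch path are assumptions of this example; the two PAM lines are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent edit of a PAM service
# file with a timestamped backup. Function names here are hypothetical.

KRB5_OPTIONAL='auth       optional       pam_krb5.so use_first_pass use_kcminit'
KRB5_SUFFICIENT='auth       sufficient     pam_krb5.so use_first_pass default_principal'

# stack_ok FILE: succeed only if an optional and a sufficient pam_krb5 auth
# line both precede the first auth pam_opendirectory.so entry, which must exist.
stack_ok() {
    awk '
        $1 == "auth" && $3 == "pam_krb5.so" && !od { seen[$2] = 1 }
        $1 == "auth" && $3 == "pam_opendirectory.so" { od = 1 }
        END { exit !(seen["optional"] && seen["sufficient"] && od) }
    ' "$1"
}

# add_krb5_lines [FILE]: put the two lines before the first non-comment line.
# Returns 0 if the file was updated or already passes stack_ok, non-zero otherwise.
add_krb5_lines() {
    file=${1:-/etc/pam.d/authorization}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if stack_ok "$file"; then
        echo "already configured: $file"
        return 0
    fi
    backup="$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp /tmp/pam-edit.XXXXXX) || return 1
    cp -p "$file" "$backup" || { rm -f "$tmp"; return 1; }
    awk -v a="$KRB5_OPTIONAL" -v b="$KRB5_SUFFICIENT" '
        function norm(s) { gsub(/[ \t]+/, " ", s); gsub(/^ | $/, "", s); return s }
        norm($0) == norm(a) || norm($0) == norm(b) { next }  # drop stray copies
        !done && !/^#/ { print a; print b; done = 1 }        # top of the stack
        { print }
        END { if (!done) { print a; print b } }
    ' "$backup" > "$tmp"
    if stack_ok "$tmp"; then
        cat "$tmp" > "$file"      # overwrite in place: keeps owner and mode
        rm -f "$tmp"
        echo "updated $file (backup: $backup)"
    else
        rm -f "$tmp"
        echo "refusing to write: result fails the stack check" >&2
        return 1
    fi
}
```

Call it against a copy first, for example `add_krb5_lines /tmp/authorization.copy` (a constructed path), and compare the copy with the listing in step 3 before running it as root on the real file.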
