[Samba] How to Join Mac OSX workstation as AD domain member (SOLVED)

Mark Foley mfoley at ohprs.org
Mon Jul 2 05:22:06 UTC 2018


After manifold hours of toil and research, I've finally got the Mac Mini (High Sierra 10.13.5)
joined to the AD domain AND have the domain users get their redirected desktops and other
redirected folders.  I'll omit all the included messages from earlier posts for this thread and
briefly (for me) give the instructions immediately below; and give some whys and wherefores of
explanation after that -- totally skippable if the reader isn't interested in detail. 

Of interest, Mac does not have 'getent', but a 'getent passwd user'-like command is 'id':

$ id -P mark
mark:********:10001:10000::0:0:Mark Foley:/home/HPRS/mark:/bin/bash

The following instruction should permit anyone to join a Mac to an AD domain and also get
redirected folders:

1. System Preferences > Users & Groups > (unlock)

2.  Change login window to "Name and Password".  This step is optional.  However, if you decide
later to change your login window, you will actually have to un-join and rejoin the domain. 
Nonsensical, illogical, crazy but true.  For security purposes, I do not like systems which
give a list of users to select from for logging in.  To me, you're giving away half your login
credential.  I prefer simply a box to enter the ID and a box to enter the password, that's it. 
To do this:

Check: 'Display login window as: Name and password'

3. (not optional) Check: 'Allow network users to log in at login window'

There is no 'Save' or 'OK' button. After changing these settings on this dialog you can either
close the dialog or use the back-arrow < which does the same thing as closing.

4. (Again) System Preferences > Users & Groups > (unlock) > Network Account Server: click 'Join'.

5. You will be prompted for your Server.  Enter your AD server's FQDN, e.g. adhost.samdom. You
will be asked to enter your Domain Administrator's ID and PW. 

6. Click 'Open Directory Utility' > (unlock) > highlight "Active Directory" > click 'edit' icon
(pencil icon at lower-left).

7. In 'Active Directory Domain' enter your domain name, e.g. samdom.

8. Click 'Show Options'

Options/User Experience

Check "Create mobile account at login"
Uncheck "Use UNC path from Active Directory to derive network home location". (Doesn't work,
discussed below)

Options/Mappings - note the uidNumber and gidNumber are those actual strings, not numeric values.

Map UID to attribute: uidNumber

Map user GID to attribute: gidNumber

Map group GID to attribute: (doesn't appear to do anything, but I went ahead and entered my
domain gidNumber: 10000).

Options/Administrative

Check 'Prefer this domain server' and enter the name of your AD server, e.g. adhost. 

Check 'Allow administration by' = domain admins.  (Probably OK to remove 'enterprise admins',
but need more experimentation to confirm).

Check "Allow authentication from any domain in the forest" (probably n/a unless you've got a forest)

9.  Do not click OK! That will save your options, but not do the join.  Instead, click 'Bind'
(this is Mac's term for "join").  This will save your options and actually do the join to the
domain. After clicking 'Bind':

10. Enter your local administrator credentials again (this is for saving options). 

11. Enter your Domain Administrator credentials again. Click 'OK'.

12. Enter local admin credentials, again (yes, monotonous).

13. Click 'Modify Configuration'

14. wait ...

15. Click OK

16. Enter local admin credentials yet again.

Done! You should now be joined to the domain and domain users should now be able to log in.


REDIRECTED DESKTOP

As root (either sudo or login as root), add the following line to /etc/auto_master:

/- auto.domUsers -nobrowse,hidefromfinder

Comment the original "/-" line.

The -nobrowse,hidefromfinder options are needed or the user will never be able to log in even
after waiting an hour.

In /etc/auto.domUsers put:

/Users/mark -fstype=nfs,rw,resvport mail:/redirectedFolders/Users/mark

Where "mark" is the domain user and "mail" is the AD host.  Note that you must have exported
this directory on the AD server. 

The resvport option is needed or the user's group gets 'wheel' (0), not the 'domain users' GID. 
For the reason why see: https://www.cyberciti.biz/faq/apple-mac-osx-nfs-mount-command-tutorial. 

restart automount: [sudo] automount -cv

Done! Now when user mark logs onto the Mac he gets his redirected desktop. Note that
/redirectedFolders/Users is the same place that Windows domain members look for their desktop,
so mark gets his desktop regardless of which OS he logs in with.

DETAILS

For this configuration, the AD server needs to be running nfs.  I've experimented with cifs
(samba), but as is advertised in the samba wiki docs, the Samba AD server should not also be a
file server.  I did try this anyway and got the error on the AD server in log.samba:

[2018/06/29 03:39:22.594345,  0] ../source4/smbd/server.c:618(binary_smbd_main)
  At this time the 'samba' binary should only be used for either:
  'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'
  You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks
[2018/06/29 03:39:22.594375,  0] ../lib/util/become_daemon.c:124(exit_daemon)
  exit_daemon: STATUS=daemon failed to start: Samba detected misconfigured 'server role' and exited. Check logs for details, error code 22

Hence using nfs.


Even though the 'id' command shows mark's home directory as /home/HPRS/mark, the Mac won't use
that. It puts all users' home directories in /Users. You cannot create subfolders in /home, even
as root. Its permissions are:

dr-xr-xr-x  2 root  wheel  1 Jul  2 00:07 /home

Mac uses /home as a special mount-point for autofs mounts. The /etc/auto_master file has the
line:

/home   auto_home    -nobrowse,hidefromfinder

for the purposes of accomplishing this automount. The /etc/auto_home file specifies two
mechanisms for getting the user's home directory: directory services and synthesized using
od_user_homes. Despite all this I could not, after hours upon hours of research and
experimentation, get any of this to work. Hence the solution using /Users posted above. If
someone out there has done this successfully, please post.

Here's something NOT to try. Do not put anything like the following line in /etc/fstab:

mail:/redirectedFolders/Users/mark /Users/mark  nfs     noauto,user,rw     0 0

Even though it has "noauto", the Mac does something with this either at boot time or when the
user logs in.  What it does is create the directory /Users/mark with the same immutable
permissions as /home:

dr-xr-xr-x   2 root       admin    68 Jun 30 23:19 mark

The user cannot log in.  While the fstab entry exists, this directory CANNOT be removed, even
by root.  I didn't suspect the fstab entry to begin with, so I ended up having to do a time
machine restore of the whole computer to get rid of that folder -- which got recreated the next
time the user tried to log in anyway.  Finally, I figured out the problem was the fstab entry. 
I removed that, rebooted, and was then able to delete the /Users/mark folder. 
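Added example (my own script, not Mark's): the checks I would run on copies of /etc/auto_master,
/etc/auto.domUsers and /etc/fstab before reloading automount, covering the REDIRECTED DESKTOP
setup above and the fstab trap just described; the function names are mine, the file formats and
the "mail" / "/redirectedFolders/Users" values are the post's.

```shell
#!/bin/sh
# Constructed lint/generator for the /Users automount layout in this post
# (not the original poster's code). Each check takes the file to inspect as
# an argument so it can be run against copies of /etc/auto_master,
# /etc/auto.domUsers and /etc/fstab before touching the live ones.

# Print only live entries: comments and blank lines stripped.
live_lines() {
    sed -e 's/#.*//' "$1" | grep -v '^[[:space:]]*$' || true
}

# Exactly one active "/-" line, pointing at auto.domUsers with both
# -nobrowse and hidefromfinder; without them domain users cannot log in.
check_auto_master() {
    n=$(live_lines "$1" | grep -c '^/-[[:space:]]' || true)
    [ "$n" -eq 1 ] || { echo "want one active /- line in $1, found $n" >&2; return 1; }
    live_lines "$1" | grep '^/-[[:space:]]' | grep 'auto\.domUsers' \
        | grep 'nobrowse' | grep -q 'hidefromfinder' \
        || { echo "/- line must be: /- auto.domUsers -nobrowse,hidefromfinder" >&2; return 1; }
}

# Every map entry must mount under /Users (the Mac will not use /home) and
# carry resvport, or the user's primary group resolves to wheel (0).
check_dom_map() {
    stray=$(live_lines "$1" | grep -v '^/Users/' || true)
    [ -z "$stray" ] || { printf 'mount point not under /Users:\n%s\n' "$stray" >&2; return 1; }
    missing=$(live_lines "$1" | grep -v 'resvport' || true)
    [ -z "$missing" ] || { printf 'entry lacks resvport:\n%s\n' "$missing" >&2; return 1; }
}

# Any fstab entry with a /Users mount point, even noauto, leaves an
# undeletable root-owned /Users/<user> behind and locks the user out.
check_fstab() {
    [ -f "$1" ] || return 0          # no fstab at all is fine
    hits=$(live_lines "$1" | awk '$2 ~ "^/Users/"' || true)
    [ -z "$hits" ] || { printf 'remove from fstab:\n%s\n' "$hits" >&2; return 1; }
}

# Emit one auto.domUsers line: gen_entry USER NFSHOST EXPORTROOT
gen_entry() {
    printf '/Users/%s -fstype=nfs,rw,resvport %s:%s/%s\n' "$1" "$2" "$3" "$1"
}

# Run all checks; defaults to the live files. Usage: lint_all [master] [map] [fstab]
lint_all() {
    check_auto_master "${1:-/etc/auto_master}" \
        && check_dom_map "${2:-/etc/auto.domUsers}" \
        && check_fstab "${3:-/etc/fstab}" \
        && echo "config consistent; reload with: sudo automount -cv"
}
```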


Other issues remain, like what does Mac do with password expiration? More experimentation
needed.

OK - there are the instructions and a bit of the back story. If few people   Tell your bosses horror stories
about Windows attacks, malicious state actors, personal data collection and so on.  Suggest
converting workstations to Linux if they're adventurous or Mac if they absolutely need Outlook. 

Have fun

--Mark
