[Samba] How to Join Mac OSX workstation as AD domain member

Mark Foley mfoley at ohprs.org
Wed Jun 27 00:41:25 UTC 2018

On Tue, 26 Jun 2018 15:25:56 -0700 Kris Lou via samba <samba at lists.samba.org> wrote:
> There are basically 3 ways:
> * dsconfigad (https://gist.github.com/bzerangue/6886182)

OK, I ran 'dsconfigad -show' and got the following results. They basically look OK to my limited
understanding except for the Mapping options. I did check those mapping boxes, but I guess it
also wanted me to fill in actual values. I'll have to do a bit of research as I've no idea what
these values should be, nor do I know what happens if I leave the mappings un-checked as it
says it will then use "dynamically generated information for macOS" (whatever that means).

If any of these other settings look obviously suspect, please advise.

Active Directory Forest          = hprs.local
Active Directory Domain          = hprs.local
Computer Account                 = labmac$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Enabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = (null)
  Mapping user GID to attribute  = (null)
  Mapping group GID to attribute = (null)
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = mail
  Allowed admin groups           = domain admins,enterprise admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

> * via Configuration Profile

What is that?

> * via GUI, which you've found
> There's also a toggle "Allow Network Users to Log in" via System Prefs ->
> Users -> Login Options

I do have that checked, and it allows "All network users."

> However ...
> * Network Homes is difficult (at best)

That's bad.

> * Changing passwords on the DC does not automatically refresh the local
> profile's Keychain

That's bad too! That's kind of the point of AD authentication -- not having to keep lots of
separate passwords all over.

> * Network Users require a constant connection to the DC -- which obviously
> doesn't work well for 1:1.

That's not a problem. If the AD/DC is down there are other problems. Windows users do get a
local copy of their desktop to work with, which is nice, but the AD/DC is also the only DNS, so
users could not get to the Internet. With Linux domain members, there really isn't an option to
have a local desktop copy (although, I could create a script to "fake" it), but it's pretty
easy to NFS mount the user's home directory, which is then available to that domain user when
he/she logs on per the AD configuration.

> So more sites are favoring Mobile Users (with local homes).

Not sure what that means (I'm a real Mac newbie). When you say "local homes", does that mean
the home directory is stored on the workstation, only? No redirection? How does a "Mobile User"
differ from any other kind of user?

> https://nomad.menu/ helps to solve a lot of the above without binding to AD
> -- but I haven't used it, so YMMV.  You might also be interested in the
> MacEnterprise mailing list.
> -Kris

I'll look at the nomad stuff, but this Mac needs to work in an existing Active Directory
system. I'll also look at the MacEnterprise maillist.

Meanwhile, do you have any idea on what should go in the Mapping Options? "Mapping UID to
attribute", what attribute? the UID of a specific domain user? That doesn't make sense. What is
"dynamically generated mapping info"? I'll try doing some research on this. I have a feeling
that these mapping options may be a big part of my problem.

THX --Mark
> Kris Lou
> klou at themusiclink.net
> On Tue, Jun 26, 2018 at 2:41 PM, Mark Foley via samba <samba at lists.samba.org> wrote:
> > Does anyone know how to join a Mac OSX (High Sierra 10.13.5) workstation to a Samba4 domain, or
> > know of a wiki/howto document describing this process? Web searches have turned up plenty of
> > info on running OSX as a Samba4 server, but I can't find anything on joining as a domain
> > member.
> >
> > I do believe I've actually joined (Bind in apple-speak) the workstation itself to the domain
> > using the System Preferences > Users & Groups > Network Account Server. That does show my
> > domain name with a green dot (OK status?). And when I list network computer on the AD server
> > it does list this Mac computer.
> >
> > Problem is, I cannot log in as a domain user. I'm sure I'm doing something wrong, but I can't
> > figure out what.
> >
> > Any help greatly appreciated.
> >
> > THX --Mark
> >

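An added defender-side check, not code from the thread or from Apple: a small POSIX sh script that reads a saved `dsconfigad -show` dump and flags the settings a reviewer would look at before trusting AD logins on the Mac (packet signing/encryption left at "allow" rather than "require", and unset UID/GID mappings that leave IDs locally generated). The dsconfigad flags named in the messages (`-packetsign`, `-packetencrypt`, `-uid`, `-gid`, `-ggid`) are documented options of the tool; the sample dump is constructed to mirror the values posted above.

```shell
#!/bin/sh
# Constructed sample of `dsconfigad -show` output, mirroring the values in the post.
# Against a real Mac: dsconfigad -show | audit_dsconfigad
SAMPLE_SHOW='Active Directory Forest          = hprs.local
Active Directory Domain          = hprs.local
Computer Account                 = labmac$

Advanced Options - Mappings
  Mapping UID to attribute       = (null)
  Mapping user GID to attribute  = (null)
  Mapping group GID to attribute = (null)
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = mail
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# get_setting LABEL : print the value of "LABEL = value" from the dump on stdin
get_setting() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*= *//p"
}

# audit_dsconfigad : read a dump on stdin, print one line per finding
audit_dsconfigad() {
    dump=$(cat)
    # LDAP traffic to the DC: "allow" negotiates but does not enforce signing/sealing
    for label in "Packet signing" "Packet encryption"; do
        val=$(printf '%s\n' "$dump" | get_setting "$label")
        case "$label" in
            "Packet signing") flag=-packetsign ;;
            *)                flag=-packetencrypt ;;
        esac
        case "$val" in
            require|ssl) ;;   # enforced, nothing to report
            *) printf '%s\n' "$label is '$val': directory traffic to the DC is not required to be signed/sealed, consider 'dsconfigad $flag require'" ;;
        esac
    done
    # Unset mappings: macOS generates IDs itself, so they will not match the
    # uidNumber/gidNumber other domain members use (matters for NFS homes)
    for label in "Mapping UID to attribute" "Mapping user GID to attribute" \
                 "Mapping group GID to attribute"; do
        val=$(printf '%s\n' "$dump" | get_setting "$label")
        if [ "$val" = "(null)" ]; then
            printf '%s\n' "$label is unset: IDs are generated locally and will not match IDs on other domain members (map an AD attribute such as uidNumber with -uid/-gid/-ggid)"
        fi
    done
}
```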