[Samba] How to Join Mac OSX workstation as AD domain member
Mark Foley
mfoley at ohprs.org
Wed Jun 27 06:09:24 UTC 2018
I think I have my Mac AD mappings wrong. The following link
https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME, says:
> On a computer that's configured to use Directory Utility's Active Directory connector, you can
> specify an Active Directory attribute to map to the group ID (GID), primary group ID (GID), and
> unique user ID (UID) attribute in macOS.
>
> Usually, the Active Directory schema must be extended to include an attribute that's suitable
> for mapping to the GID, primary GID, and UID:
>
> If the Active Directory administrator extends the Active Directory schema by installing
> Microsoft's Services for UNIX, you can map the following:
>
> GID to the msSFU-30-Gid-Number attribute
> Primary GID to the msSFU-30-Gid-Number attribute
> UID to the msSFU-30-Uid-Number attribute
I've looked in sam.ldb and the only msgSFU object categories I find are msSFU-30-NIS-Map-Config
and msSFU-30-Domain-Info. What are msSFU-30-Gid-Number and UID to the msSFU-30-Uid-Number?
Should I be using these?
What are GID, primary GID and UID in this case? My 'Domain Users' GID is 10000. How does that
correlate? Why would I specifically map a UID? Would not the AD server sort that out when I log
in as a domain user?
> If the Active Directory administrator manually extends the Active Directory schema to
> include RFC 2307 attributes, you can map the following:
>
> GID to the gidNumber attribute
> Primary GID to the gidNumber attribute
> UID to the uidNumber attribute
I do have 'idmap_ldb:use rfc2307 = yes' defined in the AD server smb.conf, but I'm still at a
loss as to understanding what they are talking about with GID, Primary GID and UID.
> If the Active Directory administrator manually extends the Active Directory schema to
> include the macOS gidNumber, PrimaryGroupID, and UniqueID attributes, you can map the
> following:
>
> GID to the gidNumber attribute
> Primary GID to the PrimaryGroupID attribute
> UID to the UniqueID attribute
Not comprehending this mac-speak. Does anyone know what this is?
> If mapping of the GID, primary GID, and UID is disabled, the Active Directory connector
> generates a GID, primary GID, and UID based on Active Directory's standard GUID attribute.
So, if I *don't* do any mapping (disabled) what happens?
> Important: With the advanced options of the Active Directory connector, you can map the macOS
> unique user ID (UID), primary group ID (GID), and group GID attributes to the correct
> attributes in the Active Directory schema. However, if you change these settings later, users
> might lose access to previously created files.
Has anyone done any of this and perhaps understands what they're talking about?
--Mark
-----Original Message-----
Date: Tue, 26 Jun 2018 20:41:25 -0400
To: samba at lists.samba.org
User-Agent: Heirloom mailx 12.5 7/5/10
Subject: Re: [Samba] How to Join Mac OSX workstation as AD domain member
From: Mark Foley via samba <samba at lists.samba.org>
On Tue, 26 Jun 2018 15:25:56 -0700 Kris Lou wrote:kvia samba <samba at lists.samba.org>
>
> There are basically 3 ways:
> * dsconfigad (https://gist.github.com/bzerangue/6886182)
OK, I ran 'dsconfigad -show' and got the following results. They basically look OK to my limited
understanding except for the Mapping options. I did check those mapping boxes, but I guess it
also wanted me to fill in actual values. I'll have to do a bit of research as I've no idea what
these values should be, nor do I know what happens if I leave the mappings un-checked as it
says it will then use "dynamically generated information for macOS" (whatever that means).
If any of these other settings look obviously suspect, please advise.
Active Directory Forest = hprs.local
Active Directory Domain = hprs.local
Computer Account = labmac$
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = (null)
Mapping user GID to attribute = (null)
Mapping group GID to attribute = (null)
Generate Kerberos authority = Enabled
Advanced Options - Administrative
Preferred Domain controller = mail
Allowed admin groups = domain admins,enterprise admins
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain
> * via Configuration Profile
What is that?
> * via GUI, which you've found
>
> There's also a toggle "Allow Network Users to Log in" via System Prefs ->
> Users -> Login Options
I do have that checked, and it allows "All network users."
> However ...
> * Network Homes is difficult (at best)
That's bad.
> * Changing passwords on the DC does not automatically refresh the local
> profile's Keychain
That's bad too! That's kind of the point of AD authentication -- not having to keep lots of
separate passwords all over.
> * Network Users require a constant connection to the DC -- which obviously
> doesn't work well for 1:1.
That's not a problem. If thd AD/DC is down there are other problem. Windows users do get a
local copy of their desktop to work with, which is nice, but the AD/DC is also the only DNS, so
users could not get to the Internet. With Linux domain members, there really isn't an option to
have a local desktop copy (although, I could create a script to "fake" it), but it's pretty
easy to NFS mount the user's home directory, which is then available to that domain user when
he/she logs on per the AD configuration.
> So more sites are favoring Mobile Users (with local homes).
Not sure what that means (I'm a real Mac newbie). When you say "local homes", does that mean
the home directory is stored on the workstation, only? No redirection? How does a "Mobile User"
differ from any other kind of user?
> https://nomad.menu/ helps to solve a lot of the above without binding to AD
> -- but I haven't used it, so YMMV. You might also be interested in the
> MacEnterprise mailing list.
>
> -Kris
I'll look at the nomad stuff, but this Mac needs to work in an existing Active Directory
system. I'll also look at the MacEnterprise maillist.
Meanwhile, do you have any idea on what should go in the Mapping Options? "Mapping UID to
attribute", what attribute? the UID of a specific domain user? That doesn't make sense. What is
"dynamically generated mapping info"? I'll try doing some research on this. I have a feeling
that these mapping options may be a big part of my problem.
THX --Mark
>
>
>
>
>
> Kris Lou
> klou at themusiclink.net
>
> On Tue, Jun 26, 2018 at 2:41 PM, Mark Foley via samba <samba at lists.samba.org
> > wrote:
>
> > Does anyone know how to join a Mac OSX (High Sierra 10.13.5) workstation
> > to a Samba4 domain, or
> > know of a wiki/howto document describing this process? Web searches have
> > turned up plenty of
> > info on running OSX as a Samba4 server, but I can't find anything on
> > joining as a domain
> > member.
> >
> > I do believe I've actually joined (Bind in apple-speak) the workstation
> > itself to the domain
> > using the System Preferences > Users & Groups > Network Account Server.
> > That does show my
> > domain name with a green dot (OK status?). And when I list network
> > computer on the AD server
> > it does list this Mac computer.
> >
> > Problem is, I cannot log in as a domain user. I'm sure I'm doing something
> > wrong, but I can't
> > figure out what.
> >
> > Any help greatly appreciated.
> >
> > THX --Mark
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list