[Samba] How to Join Mac OSX workstation as AD domain member

Mark Foley mfoley at ohprs.org
Wed Jun 27 17:58:46 UTC 2018


Well, I've made some progress. Excuse the detail, but this might help others as I've so far
found NOTHING on this, including with the Mac Enterprise maillist (so far).

If I unchecked all the Directory Utility mapping options, I was able to log in! Yeah! But, the
UID.GID numbers were 1793602029.1840809715. 

Next I tried just setting the "Map group GID to attribute" to 10000 (my 'Domain Users' group).
That did nothing to change the GID, but I could still log on.

Leaving the above setting in place, I next tried setting "Map user GID to attribute" to
10000.  That gave me UID.GIDs of 1793602029.20.  Strange. 

Next I tried setting "Map user GID to attribute" to the string "gidNumber".  That worked and my
UID.GIDs were now 1793602029.10000. 

Next I tried setting "Map UID to attribute" to 10001 (my domain UID).  I couldn't log on at all
as the domain user. 

Next I tried setting "Map UID to Attribute" to the string "uidNumber".  That worked and my
UID.GIDs were then 10001.10000. 

At this point, I do have correct domain user UID and GID. Upon login the Mac creates folders in
the home directory:

$ ls -ln
total 0
drwx------+  3 10001  10000   102 Jun 27 13:16 Desktop
drwx------+  3 10001  10000   102 Jun 27 13:16 Documents
drwx------+  3 10001  10000   102 Jun 27 13:16 Downloads
drwx------@ 46 10001  10000  1564 Jun 27 13:26 Library
drwx------+  3 10001  10000   102 Jun 27 13:16 Movies
drwx------+  3 10001  10000   102 Jun 27 13:16 Music
drwx------+  3 10001  10000   102 Jun 27 13:16 Pictures
drwxr-xr-x+  4 10001  10000   136 Jun 27 13:16 Public

These folders are empty and NOT connected to the redirected desktop.  I'm guessing the Mac AD
setup doesn't bother much with Group Policies.  Not necessarily a big deal as the Linux domain
members also do not auto-map to the redirected folders on the DC.  However, Linux does create
the home folder as specified in sam.ldb and does designate that as $HOME which Mac is not
doing.  So, some questions:

If I were either to change this user's unixHomeDirectory (sam.ldb) from /home/HPRS/mark to
/Users/mark, would that make a difference? I suppose I could also try creating the /home/HPRS
directory on the Mac and see if a login plops me there.

On Linux, I've used NFS export on the DC and autofs on the domain member to mount the user's
redirected folders. I could try the same thing on Mac. Rowland has mentioned vfs_fruit, which
I've done some reading on. Is vfs_fruit the recommended way of doing remote mounts on Mac? I
have done basic smb mounts from mac using CMD-K > smb:\\host\share. Suggestions on this?

Meanwhile, I'll do more experimentation.

THX --Mark

On Wed, 27 Jun 2018 07:48:50 +0100 Rowland Penny <rpenny at samba.org> wrote:
>
> On Wed, 27 Jun 2018 02:09:24 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I think I have my Mac AD mappings wrong. The following link 
> > https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME,
> > says:
> > 
> > > On a computer that's configured to use Directory Utility's Active
> > > Directory connector, you can specify an Active Directory attribute
> > > to map to the group ID (GID), primary group ID (GID), and unique
> > > user ID (UID) attribute in macOS.
> > > 
> > > Usually, the Active Directory schema must be extended to include an
> > > attribute that's suitable for mapping to the GID, primary GID, and
> > > UID:
> > > 
> > > If the Active Directory administrator extends the Active Directory
> > > schema by installing Microsoft's Services for UNIX, you can map the
> > > following:
> > > 
> > >         GID to the msSFU-30-Gid-Number attribute
> > >         Primary GID to the msSFU-30-Gid-Number attribute
> > >         UID to the msSFU-30-Uid-Number attribute
>
> I think there is a clue there 'Microsoft's Services for UNIX', it used
> to be called that, but latterly it was called 'IDMU' or 'Identity
> Management for UNIX' and a lot of the 'msSFU-30' prefixes got dropped.
>
> > 
> > I've looked in sam.ldb and the only msSFU object categories I find
> > are msSFU-30-NIS-Map-Config and msSFU-30-Domain-Info. What are
> > msSFU-30-Gid-Number and UID to the msSFU-30-Uid-Number? Should I be
> > using these?
>
> You probably already are, 'msSFU-30-Gid-Number' became 'gidNumber'
>
> > 
> > What are GID, primary GID and UID in this case? My 'Domain Users' GID
> > is 10000. How does that correlate? Why would I specifically map a
> > UID? Would not the AD server sort that out when I log in as a domain
> > user?
> > 
> > > If the Active Directory administrator manually extends the Active
> > > Directory schema to include RFC 2307 attributes, you can map the
> > > following:
> > > 
> > >         GID to the gidNumber attribute
> > >         Primary GID to the gidNumber attribute
> > >         UID to the uidNumber attribute
> > 
> > I do have 'idmap_ldb:use rfc2307 = yes' defined in the AD server
> > smb.conf, but I'm still at a loss as to understanding what they are
> > talking about with GID, Primary GID and UID.
> > 
> > > If the Active Directory administrator manually extends the Active
> > > Directory schema to include the macOS gidNumber, PrimaryGroupID,
> > > and UniqueID attributes, you can map the following:
> > > 
> > >         GID to the gidNumber attribute
> > >         Primary GID to the PrimaryGroupID attribute
> > >         UID to the UniqueID attribute
> > 
> > Not comprehending this mac-speak. Does anyone know what this is?
> > 
> > > If mapping of the GID, primary GID, and UID is disabled, the Active
> > > Directory connector generates a GID, primary GID, and UID based on
> > > Active Directory's standard GUID attribute.
> > 
> > So, if I *don't* do any mapping (disabled) what happens?
>
> Sounds like you end up using something very similar to the winbind
> 'rid' backend.
>
> >  
> > > Important: With the advanced options of the Active Directory
> > > connector, you can map the macOS unique user ID (UID), primary
> > > group ID (GID), and group GID attributes to the correct attributes
> > > in the Active Directory schema. However, if you change these
> > > settings later, users might lose access to previously created files.
> > 
> > Has anyone done any of this and perhaps understands what they're
> > talking about?
> > 
>
> I have never done this (no apple clients) but if it works with one
> version of apple OS but not a later version, surely this means
> something changed in the apple OS and not in Samba. Perhaps you should
> ask Apple just what they changed, if anything.
> In the meantime, Samba has vfs_fruit, see 'man vfs_fruit' for more info.
>
> Rowland
>
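The mapping procedure Mark walks through above (UID to uidNumber, user and group GID to gidNumber) and the Apple caveat he quotes about users losing access to files created under an earlier mapping, written up as a shell script. This is an added example, not code from the thread, from Samba or from Apple. It assumes a Mac already bound with the Active Directory connector; the domain short name HPRS, the user mark, and the IDs 10001, 10000 and 1793602029 are taken from the post and are illustrative only. The dsconfigad flags -uid/-gid/-ggid are the connector's documented command-line equivalents of the Directory Utility mapping checkboxes; the binding commands are left commented so the helper functions run without touching the bind.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes macOS bound to AD via the
# Directory Utility / dsconfigad connector. Domain HPRS, user mark and the
# numeric IDs are illustrative values taken from the post.

# --- 1. CLI equivalent of the Directory Utility mapping options ------------
# "Map UID to attribute"        -> -uid  uidNumber
# "Map user GID to attribute"   -> -gid  gidNumber
# "Map group GID to attribute"  -> -ggid gidNumber
# Needs admin rights; commented out so this script is safe to run as-is.
#
#   sudo dsconfigad -uid uidNumber -gid gidNumber -ggid gidNumber
#
# Back to the connector's default GUID-derived IDs:
#   sudo dsconfigad -nouid -nogid -noggid
#
# --- 2. Check what the connector now hands out for a domain user -----------
# (assumed node name "/Active Directory/HPRS/All Domains")
#   dscl "/Active Directory/HPRS/All Domains" -read /Users/mark \
#        UniqueID PrimaryGroupID NFSHomeDirectory SMBHome
#   id mark

# --- 3. Apple's caveat: files written under the old mapping keep the old
# numeric owner (here the GUID-derived 1793602029.1840809715). The helpers
# below locate them and, if asked, re-own them. Numeric arguments to
# find -user / -group are accepted by both BSD (macOS) and GNU find.

# Print every path under $1 that is not owned by uid $2 and gid $3.
list_stale() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \)
}

# Count those paths; the top directory itself is counted if it is stale too.
count_stale() {
    echo $(( $(list_stale "$1" "$2" "$3" | wc -l) ))
}

# Re-own stale paths to $2:$3. Destructive and needs root, so DRY_RUN=1
# only prints what would change.
reown_stale() {
    dir=$1 uid=$2 gid=$3
    if [ "${DRY_RUN:-0}" = 1 ]; then
        list_stale "$dir" "$uid" "$gid" | sed 's/^/would chown '"$uid:$gid"' /'
    else
        find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) \
            -exec chown "$uid:$gid" {} +
    fi
}

# Typical use after switching from GUID-derived IDs to uidNumber/gidNumber:
#   count_stale /Users/mark 10001 10000
#   DRY_RUN=1 reown_stale /Users/mark 10001 10000
#   sudo sh -c '. ./thisfile.sh; reown_stale /Users/mark 10001 10000'
```

Run the count first: if it is zero after the mapping change, nothing was written under the old IDs and no chown is needed. If the Mac ever has to be re-bound with mapping disabled, the GUID-derived IDs come back, so the same two functions work in the other direction.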