[Samba] How to Join Mac OSX workstation as AD domain member

Rowland Penny rpenny at samba.org
Wed Jun 27 18:31:58 UTC 2018


On Wed, 27 Jun 2018 13:58:46 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> Well, I've made some progress. Excuse the detail, but this might help
> others as I've so far found NOTHING on this, including with the Mac
> Enterprise maillist (so far).
> 
> If I unchecked all the Directory Utility mapping options, I was able
> to log in! Yeah! But, the UID.GID numbers were 1793602029.1840809715. 
> 
> Next I tried just setting the "Map group GID to attribute" to 10000
> (my 'Domain Users' group). That did nothing to change the GID, but I
> could still log on.
> 
> Leaving the above setting in place, I next tried setting "Map user
> GID to attribute" to 10000.  That gave me UID.GIDs of 1793602029.20.
> Strange. 
> 
> Next I tried setting "Map user GID to attribute" to the string
> "gidNumber".  That worked and my UID.GIDs were now 1793602029.10000. 
> 
> Next I tried setting "Map UID to attribute" to 10001 (my domain
> UID).  I couldn't log on at all as the domain user. 
> 
> Next I tried setting "Map UID to Attribute" to the string
> "uidNumber".  That worked and my UID.GIDs were then 10001.10000. 
> 
> At this point, I do have correct domain user UID and GID. Upon login
> the Mac creates folders in the home directory:
> 
> $ ls -ln
> total 0
> drwx------+  3 10001  10000   102 Jun 27 13:16 Desktop
> drwx------+  3 10001  10000   102 Jun 27 13:16 Documents
> drwx------+  3 10001  10000   102 Jun 27 13:16 Downloads
> drwx------@ 46 10001  10000  1564 Jun 27 13:26 Library
> drwx------+  3 10001  10000   102 Jun 27 13:16 Movies
> drwx------+  3 10001  10000   102 Jun 27 13:16 Music
> drwx------+  3 10001  10000   102 Jun 27 13:16 Pictures
> drwxr-xr-x+  4 10001  10000   136 Jun 27 13:16 Public
> 
> These folders are empty and NOT connected to the redirected desktop.
> I'm guessing the Mac AD setup doesn't bother much with Group
> Policies.

Only Windows uses GPOs (as yet). GPOs operate on the registry and
only Windows has the registry.
 
>  Not necessarily a big deal as the Linux domain members
> also do not auto-map to the redirected folders on the DC.  However,
> Linux does create the home folder as specified in sam.ldb and does
> designate that as $HOME which Mac is not doing. 

I have never used an Apple machine, so I have no idea about the apple
OS, but does it have anything similar to PAM?

> So, some questions:
> 
> If I were either to change this user's unixHomeDirectory (sam.ldb)
> from /home/HPRS/mark to /Users/mark, would that make a difference?

Only if '/Users' exists on the MACOS machine and there is something to
create the users homedir.

> I suppose I could also try creating the /home/HPRS directory on the
> Mac and see if a login plops me there.

If '/home/HPRS' doesn't exist, this could well be your problem.

> 
> On Linux, I've used NFS export on the DC and autofs on the domain
> member to mount the user's redirected folders. I could try the same
> thing on Mac.

As far as I am aware, the great-granddaddy of MACOS was some form of
BSD, so I suppose you should treat it more like Linux than Windows.

> Rowland has mentioned vfs_fruit, which I've done some
> reading on. Is vfs_fruit the recommended way of doing remote mounts
> on Mac? 

I have never used it myself, but from my understanding, it is a layer
between Samba, MACOS and the Unix OS.

> I have done basic smb mounts from mac using CMD-K >
> smb:\\host\share. Suggestions on this?

I have no idea, perhaps someone who actually uses MACOS would care to
comment.

Rowland

PS Have you considered hitting the MACOS machines with a very big
hammer? It won't fix the problem, but it would make it go away,
permanently. LOL
 




