[Samba] How to Join Mac OSX workstation as AD domain member
Rowland Penny
rpenny at samba.org
Wed Jun 27 18:31:58 UTC 2018
On Wed, 27 Jun 2018 13:58:46 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> Well, I've made some progress. Excuse the detail, but this might help
> others as I've so far found NOTHING on this, including with the Mac
> Enterprise maillist (so far).
>
> If I unchecked all the Directory Utility mapping options, I was able
> to log in! Yeah! But, the UID.GID numbers were 1793602029.1840809715.
>
> Next I tried just setting the "Map group GID to attribute" to 10000
> (my 'Domain Users' group). That did nothing to change the GID, but I
> could still log on.
>
> Leaving the above setting in place, I next tried setting "Map user
> GID to attribute" to 10000. That gave me UID.GIDs of 1793602029.20.
> Strange.
>
> Next I tried setting "Map user GID to attribute" to the string
> "gidNumber". That worked and my UID.GIDs were now 1793602029.10000.
>
> Next I tried setting "Map UID to attribute" to 10001 (my domain
> UID). I couldn't log on at all as the domain user.
>
> Next I tried setting "Map UID to Attribute" to the string
> "uidNumber". That worked and my UID.GIDs were then 10001.10000.
>
> At this point, I do have correct domain user UID and GID. Upon login
> the Mac creates folders in the home directory:
>
> $ ls -ln
> total 0
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Desktop
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Documents
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Downloads
> drwx------@ 46 10001 10000 1564 Jun 27 13:26 Library
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Movies
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Music
> drwx------+ 3 10001 10000 102 Jun 27 13:16 Pictures
> drwxr-xr-x+ 4 10001 10000 136 Jun 27 13:16 Public
>
> These folders are empty and NOT connected to the redirected desktop.
> I'm guessing the Mac AD setup doesn't bother much with Group
> Policies.
Only Windows uses GPOs (as yet). GPOs operate on the registry and
only Windows has the registry.
> Not necessarily a big deal as the Linux domain members
> also do not auto-map to the redirected folders on the DC. However,
> Linux does create the home folder as specified in sam.ldb and does
> designate that as $HOME which Mac is not doing.
I have never used an Apple machine, so I have no idea about the Apple
OS, but does it have anything similar to PAM?
> So, some questions:
>
> If I were either to change this user's unixHomeDirectory (sam.ldb)
> from /home/HPRS/mark to /Users/mark, would that make a difference?
Only if '/Users' exists on the MACOS machine and there is something to
create the user's homedir.
> I suppose I could also try creating the /home/HPRS directory on the
> Mac and see if a login plops me there.
If '/home/HPRS' doesn't exist, this could well be your problem.
>
> On Linux, I've used NFS export on the DC and autofs on the domain
> member to mount the user's redirected folders. I could try the same
> thing on Mac.
As far as I am aware, the great-granddaddy of MACOS was some form of
BSD, so I suppose you should treat it more like Linux than Windows.
> Rowland has mentioned vfs_fruit, which I've done some
> reading on. Is vfs_fruit the recommended way of doing remote mounts
> on Mac?
I have never used it myself, but from my understanding, it is a layer
between Samba, MACOS and the Unix OS.
> I have done basic smb mounts from mac using CMD-K >
> smb:\\host\share. Suggestions on this?
I have no idea, perhaps someone who actually uses MACOS would care to
comment.
Rowland
PS Have you considered hitting the MACOS machines with a very big
hammer? It won't fix the problem, but it would make it go away,
permanently. LOL
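
Added example, not part of the original thread: the test logins above ran under several different UID.GID pairs before the mapping settled on uidNumber/gidNumber, so files created along the way can still carry the generated IDs, and an NFS export using AUTH_SYS authorizes on those numbers. This sketch parses `ls -ln` output in the format shown in the post and lists entries whose numeric owner or group differs from the AD values; the sample listing, its timestamps and the function names are constructed for illustration.

```python
import re

# Constructed sample in the post's `ls -ln` format. The first two entries carry
# IDs from before the mapping was set to uidNumber/gidNumber (assumed scenario).
SAMPLE_LS = """\
total 0
drwx------+  3 1793602029 1840809715  102 Jun 27 12:40 Desktop
drwx------+  3 1793602029 10000       102 Jun 27 12:55 Documents
drwx------@ 46 10001      10000      1564 Jun 27 13:26 Library
drwxr-xr-x+  4 10001      10000       136 Jun 27 13:16 Public
"""

# mode (optional '+' ACL or '@' xattr marker), link count, uid, gid, size,
# three date fields, then the name (which may contain spaces)
LS_LINE = re.compile(
    r"^[-dlbcps][-rwxsStT]{9}[+@]?\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls_ln(text):
    """Yield (name, uid, gid) for every entry line of `ls -ln` output."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:  # the "total N" line and blank lines do not match
            yield m["name"], int(m["uid"]), int(m["gid"])


def find_mismatches(text, expected_uid, expected_gid):
    """Return (name, reason) for entries not owned by the expected AD IDs."""
    bad = []
    for name, uid, gid in parse_ls_ln(text):
        wrong = []
        if uid != expected_uid:
            wrong.append(f"uid {uid} != {expected_uid}")
        if gid != expected_gid:
            wrong.append(f"gid {gid} != {expected_gid}")
        if wrong:
            bad.append((name, ", ".join(wrong)))
    return bad


if __name__ == "__main__":
    # 10001 / 10000 are the uidNumber and gidNumber quoted in the post.
    for name, why in find_mismatches(SAMPLE_LS, 10001, 10000):
        print(f"{name}: {why}")
```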