[Samba] How to Join Mac OSX workstation as AD domain member

Rowland Penny rpenny at samba.org
Thu Jun 28 06:02:20 UTC 2018


On Wed, 27 Jun 2018 23:11:05 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Wed, 27 Jun 2018 19:31:58 +0100 Rowland Penny wrote:
> > Only Windows uses GPO's (as yet). GPO's operate on the registry and
> > only Windows has the registry.
> 
> I suspected that, but didn't know for sure. That's great! I'm not a
> fan of GPOs. I think they're a "fake" security layer that constrains
> and often frustrates legitimate users, but poses absolutely no threat
> to sophisticated hackers. It's MS's attempt to prop up a
> fundamentally insecure OS and, given the number of serious and
> successful attacks targeting Windows, is not very effective.
>
> > > Not necessarily a big deal as the Linux domain members
> > > also do not auto-map to the redirected folders on the DC.
> > > However, Linux does create the home folder as specified in
> > > sam.ldb and does designate that as $HOME which Mac is not doing. 
> >
> > I have never used an Apple machine, so I have no idea about the
> > apple OS, but does it have anything similar to PAM ?
> 
> I know it uses kerberos. I can successfully log in as a domain user.
> 
> > > So, some questions:
> > > 
> > > If I were either to change this user's unixHomeDirectory (sam.ldb)
> > > from /home/HPRS/mark to /Users/mark, would that make a difference?
> >
> > Only if '/Users' exists on the MACOS machine and there is something
> > to create the users homedir.
> 
> /Users does exist and that's where Mac users' home directories are
> located. I should have mentioned that in my previous posts.
> 
> > > I supposed I could also try creating the /home/HPRS directory on
> > > the Mac and see if a login plops me there.
> >
> > If '/home/HPRS' doesn't exist, this could well be your problem.
> 
> Very interesting. I tried creating /home/HPRS and got the error
> "Operation not supported". I found this comment on
> https://apple.stackexchange.com/questions/88797/how-to-execute-mkdir-in-home-directory:
> 
> "/home is used as a mount point for the automounter
> (see /etc/auto_master and /etc/auto_home), you can't create your own
> directories in there."
> 
> That's potentially good news.  autofs is *exactly* what I used to
> mount users' home directories and redirected desktops on Linux.  It
> took me a while to work out, but domain users logging onto Linux
> domain members get the exact same desktop (and Documents, etc.) that
> they get when logging onto a Windows domain member. My next step is
> to explore this (https://gist.github.com/rudelm/7bcc905ab748ab9879ea)
> and possibly I can come up with the same or similar solution I
> developed for Linux.

The problem with MACOS (as I understand it) is it is a 'locked' in
system and it uses its own versions of packages, for instance, it has
its own implementation of Samba.

Locking /home into their automounter is, in my opinion, a stupid
idea, but there is probably nothing stopping you creating something
like '/home2'.
 
> 
> > > On Linux, I've used NFS export on the DC and autofs on the domain
> > > member to mount the user's redirected folders. I could try the
> > > same thing on Mac.
> >
> > As far as I am aware, the great-granddaddy of MACOS was some form
> > of BSD, so I suppose you should treat it more like Linux than
> > Windows.
> 
> Well, I "speak" BSD - lotsa BSD386 back in the 90's at Compuserve!
> 
> > > Rowland has mentioned vfs_fruit, which I've done some
> > > reading on. Is vfs_fruit the recommended way of doing remote
> > > mounts on Mac? 
> >
> > I have never used it myself, but from my understanding, it is a
> > layer between Samba, MACOS and the Unix OS.
> >
> > > I have done basic smb mounts from mac using CMD-K >
> > > smb:\\host\share. Suggestions on this?
> >
> > I have no idea, perhaps someone who actually uses MACOS would care
> > to comment.
> >
> > Rowland
> >
> > PS Have you considered hitting the MACOS machines with a very big
> > hammer ? It won't fix the problem, but it would make it go away,
> > permanently. LOL
> 
> Oh! Noooo! I am stroking the Mac, speaking nurturing things to it,
> playing New Age iTunes to soothe it. I have Steve Jobs' favorite
> incense burning beside it. I want it to LIVE!
> 
> Back Story: I spent nearly 2 years getting a Linux domain member to
> work seamlessly as a domain member workstation and enlisted 2 office
> guinea pigs a year ago to give it a shot.  I used KDE and made it
> look as identical as possible to Windows 7, even using the Windows 7
> background. Unfortunately, Linux doesn't run MS Office and my
> replacements of LibreOffice and Thunderbird are not quite exact
> enough, especially with Calc and doing collaborative document
> exchange with external users using MS Word.  Even installing a VM to
> run Windows-only programs like QuickBooks, Adobe and Foxit had user
> complications.  Therefore, Management decided to pull the plug on
> going Linux instead of Windows.  I, being horrified at the prospect
> of Windows 10's lack of security and privacy, suggested Mac.  Mac
> potentially incorporates the best of both worlds: the office
> productivity suite of MS Office, support for QuickBooks and Adobe and
> the security benefits of Unix. 

Oh come on, I was joking ;-)
You do however raise valid points, until such time that LibreOffice
works identically to Office, then you are going to have problems. Users
will not learn how to use the new packages, they just whine for their
old packages.

Rowland


