- Windows Shares and Print Queues: Let the Server or the Mac Do the Work
- Integrating Macs with Active Directory
Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
Integrating Macs with Active Directory
Now on to the more robust support of Macs in a Windows network. Macs can be integrated into Active Directory domains with or without modifying the Active Directory schema. The simplest solution is basic workstation authentication, which can be done without schema changes and allows users to log in to Mac OS X workstations using their Active Directory username and password. It also allows you to restrict users to specific workstations and login times (as you would do with a Windows workstation), to provide access to Windows home directories, and to provide Active Directory groups with local administrator access to Mac OS X workstations. If you are comfortable with modifying the Active Directory schema for Mac OS X support (a subject that goes well beyond what I could cover in this article), you can enable any level of integration you like, right up to supporting Mac OS X Server’s client management capabilities.
For pre-Mac OS X workstations, however, this is the end of the road for support options because they were not built with directory services in mind. The best you can do for network authentication (without relying on Mac OS X Server’s Mac Manager service) is to set them to mount a share point at startup, which can provide some authentication to them (as well as automatically mounting specific share points). However, users can elect not to mount the specified share point and still proceed to use the workstation.
Plugging Into Active Directory
With Mac OS X 10.3, Apple introduced the Active Directory plug-in for Directory Access (the Mac OS X utility that manages directory services configuration on each workstation). The Active Directory plug-in queries Active Directory using LDAP (as opposed to Microsoft’s proprietary Active Directory Services Interface, which is used by Windows clients). Apple designed the plug-in specifically for Active Directory’s default schema and took into account the common issues and concerns that exist when configuring LDAP access to Active Directory.
Unless the Active Directory schema is altered, Mac OS X Open Directory and Active Directory share three major user account attributes: username, password, and home directory. Apple’s Active Directory plug-in is designed to map several additional attributes to their counterparts (Mac OS X shortname to Windows logon name, for example). However, there are some attributes in the Open Directory schema that have no corresponding attributes in Active Directory. Attributes that specify user environment type, managed preferences settings, and the user ID number, for example. The Active Directory plug-in can make standardized assumptions about some of these items such as Environment type, which can generally be assumed to be the Mac OS X Finder (as opposed to the simplified Finder or command-line interface). Those that can’t be mapped or assumed, such as those that specify managed preferences settings, are ignored when the Active Directory plug-in is used, resulting the use of the standard Mac OS X default settings.
The user ID number (UID) is the most important attribute for the user account object for which Active Directory has no directly corresponding attribute. This csn create a problem because the Mac OS file system uses the UID to identify owners of files and to identify whether users are members of groups that have access to files. This isn’t a problem for files residing on a Windows server, because access to those files are assigned using Active Directory user accounts and therefore don’t require a UID. However, files created on Mac workstations still rely upon UIDs.
The Active Directory plug-in provides two options for working around this problem. The first (default) option is for the plug-in to dynamically generate UIDs for users that login using Active Directory accounts. It does this by combining information from the Global User ID (GUID) Active Directory attribute for a user’s account with information from the workstation’s MAC address. The dynamic UID is then used for access to any local files on the workstation that the user creates. This works well if users always log in at the same workstation because their dynamic UID will always be the same. If a user moves between workstations, his/her dynamic UID will be different at each workstation, but at each workstation, it will always be the same. If the user attempts to connect to a Mac where he/she has created files remotely or if there is a Mac OS X Server on the network, however, the UID from one workstation will not match that of the second workstation, and the user will not be able to access the files if he/she changes workstations. If you have only a handful of Macs and no Mac OS X Server (or users turning on file sharing on their workstations), you can generally be fine using dynamic UIDs.
The second way that the Active Directory plug-in can provide UIDs is that you can choose an attribute within the Active Directory schema to be mapped to the UID attribute of Open Directory. You can use one of the default Active Directory attributes that you are not using for its original purpose (such as telephone number or address, for example) or by extending the Active Directory schema with a custom attribute for the UID. This method allows you to assign actual UIDs to users (whether or not you extend the schema to include a UID attribute). Users will always have the same UID, regardless of workstation. However, you will need to populate the UID field manually for every user.
Configuring the Active Directory Plug-In
You use the Directory Access utility (located in the /Applications/Utilities directory on Mac OS X workstations) to configure Active Directory authentication. Ensure that the Active Directory plug-in is enabled on the Services tab. Then double-click the Active Directory plug (or select it and click the Configure button).
Enter the fully qualified DNS names for the forest and domain in the respective fields (see Figure 1). For forests containing a single domain, they will be the same. The Computer ID field indicates the NetBIOS name that will be used for the workstation’s account in the domain. Like any Windows workstation, a Mac OS X workstation joined to an Active Directory domain will be assigned a computer account. Because Mac OS X does not recognize Active Directory domain policies for computer accounts, it is possible (though not advisable) for multiple Mac workstations to use a single computer account. After entering the information in these three fields, you can join the workstation to the domain by clicking the Bind button. You will be asked to enter the username and password for an account with authority to join the computer to the domain (if a computer account doesn’t already exist, you’ll need to enter an account with the authority to create computer accounts). If the search base for your domain differs from a default Active Directory search base, you will be asked to specify the search base so that the Active Directory plug-in can locate the appropriate account.
)
Figure 1 Active Directory plug-in configuration dialog box for Directory Access.
There are also a number of advanced options available when joining Macs to an Active Directory domain. They are divided into three tabs (seen when Show Advanced Options is selected for the Active Directory plug-in configuration dialog box): User Experience, Mappings, and Administrative.
The User Experience tab includes options for creating a Mac OS X mobile account for users when they log in (which caches their credentials and allows them to log in when not connected to the network), to force a local home directory on the workstation rather than on a server (if one is designated in their Active Directory user account) and how that home directory is to be accessed, and to specify the default Unix shell for the user. The Mappings tab allows you to turn off dynamic UID generation and specify the Active Directory user object attributes to be used for UID, primary group ID, and group ID.
The Administrative tab allows you to designate a preferred domain controller for authentication. (This will override any settings made in Active Directory Sites and Subnets, although if the designated domain control cannot be contacted, the Mac will failover as appropriate to your Active Directory configuration.) It also allows you to specify domain groups whose members will be automatically granted local administrator access when they log in to the Mac workstation. Lastly it includes an option to allow authentication for login of users in any domain in the forest rather than just users in the domain to which the workstation was joined.
Once the Active Directory plug-in has been configured, you will need to add the Active Directory domain to the workstation’s search path using the Authentication tab in Directory Access. Choose Custom Path from the Search pop-up menu on the Authentication tab. Then use the Add button to locate and add the Active Directory domain to the search path. Also, make certain that the Login Options tab of the System Preferences Accounts pane specifies that users will type their username and password rather than using a list before logging out because the user list will not contain Active Directory accounts. Once this is done, you can log out of the workstation and log in using an Active Directory user account to test the configuration.
For more information on the Macintosh, visit our Macintosh Reference Guide or sign up for our Macintosh Newsletter.