This chapter is from the book
Active Directory is Microsoft’s directory services solution that provides LDAP and Kerberos services for identification and authentication. Many organizations with Windows computers use Active Directory because it provides these features:
- Security and policy management for Windows computers
- Tight integration with popular application servers such as Microsoft Exchange and Microsoft SQL Server
- High availability, with the ability to place multiple replica servers across geographic locations in a multimaster configuration
It is easy to integrate Mac OS X into an Active Directory environment. Although Mac OS X computers can access directory information provided by Active Directory via the LDAPv3 plug-in, you should use the Active Directory plug-in, which provides the following capabilities:
- Creating a computer account for secure communication with Active Directory services
- Configuring mappings of Open Directory objects and attributes to Active Directory objects and attributes
- Setting up the Kerberos environment for seamless integration with Active Directory
- Enabling SMB packet signing and packet encryption
- Support of Active Directory password policies
- Support of Active Directory Sites, which directs Windows and Mac OS X client computers to the most appropriate services based on their IP network
- Caching information from Active Directory services so that Mac OS X computers can use the information even if they are not connected to the network
In this chapter you will learn how to use both Directory Utility and the command line to bind to Active Directory, and to modify the default settings for the Active Directory plug-in to enable login and access to a network home folder. You will learn how to overcome problems with your initial bind to Active Directory, and you will learn troubleshooting techniques for login problems with an Active Directory user account.
Configuring Mac OS X to Log In Using Active Directory
You can either use Directory Utility or dsconfigad to bind a Mac OS X client computer to an Active Directory domain. dsconfigad allows you to configure some features that Directory Utility does not expose, but if you use dsconfigad you need to take some additional steps (such as enabling the Active Directory plug-in and adding the Active Directory node to your search paths). Before you can bind with either method, however, you need to know a few things about your Active Directory service.
Understanding Active Directory Terms
When you bind to Active Directory, you need to know the domain name and you must have the credentials of a user who has authorization to join computers to Active Directory.
A domain is the building block of Active Directory; it is a collection of directory objects such as users, groups, and computers. An Active Directory domain requires a domain controller, which can be a computer running any version of Windows Server 2000 through Windows Server 2008. A domain is identified by its DNS namespace; in this book the example server windows-server.pretendco.com hosts the domain pretendco.com. Active Directory relies on DNS records generated by a DNS service that is tightly integrated with Active Directory, so you should configure Mac OS X to use the DNS service associated with the Active Directory domain before attempting to bind.
A tree is one or more domains in a contiguous name space. A forest is a set of domain trees that have a common schema and global catalog, which is used to describe a best-effort collection of all the resources in a domain. The global catalog is commonly used for email address lookups.
Like standard Windows clients, Mac OS X binds to only one Active Directory domain at a time.
Understanding the Active Directory Computer Object
When you bind a Mac OS X client computer to Active Directory, you use or create a computer object for Mac OS X. Just like user objects, computer objects are used for identification, authentication, and authorization. The computer object has rights to do certain things, such as to bind and update its own DNS record.
When you bind a Mac OS X computer to Active Directory, Mac OS X uses the user credentials you supply to set up a computer account and password. This password is a shared secret between your Mac OS X computer and the Active Directory service. Your Mac OS X computer uses this password to authenticate to Active Directory and set up a secure channel to enable your Mac OS X computer to communicate with Active Directory. The password is randomly generated, and is unrelated to the user account you use to perform the bind. For more information, see “Confirming Your Active Directory Plug-in and the Samba Service Are Using the Same Active Directory Computer Password” in Chapter 8.
If you delete the computer object or reset the computer object password in Active Directory, you need to rebind Mac OS X to Active Directory in order for Mac OS X to access Active Directory.
When you use Directory Utility to bind to Active Directory, Directory Utility suggests a computer ID to use for the name of the Active Directory computer object. This computer ID is based on the computer name or Bonjour name that you set in the Sharing pane of System Preferences. If your computer name is longer than 15 characters, you may experience errors when binding to Active Directory. Also note that Directory Utility may replace any instance of a dash (-) with an underscore (_) and change capital letters to lowercase in the suggested computer ID. You should use the same Mac OS X computer name and Active Directory computer name to help keep track of computer names, unless you have a good reason not to do so.
Specifying a User to Create the Computer Object
When binding to Active Directory, you need to supply the credentials of an Active Directory administrator or user who is authorized to create computer objects. By default, you can use a regular Active Directory user to bind to Active Directory ten times, but after that you will encounter an error. “Troubleshooting Binding Issues,” later in this chapter, offers some solutions for this problem.
Binding to Active Directory with Directory Utility
The simplest way to bind Mac OS X to Active Directory is to use Directory Utility with all the default settings in place. The steps are as follows:
- Quit Directory Utility if it is open.
- Use the Sharing preference in System Preferences to set your computer name to be the name of the computer object you want to create for binding to Active Directory.
- Open Directory Utility.
- If necessary, click the lock in the lower-left corner and provide credentials for a local administrator.
- Click the Add (+) button in the lower-left corner.
- Click the “Add a new directory of type” pop-up menu and choose Active Directory.
- In the Active Directory Domain field, type the name of the Active Directory domain, in other words, “pretendco.com” not “windows-server.pretendco.com.”
This can be any domain in the forest, but remember that the domain name is the DNS namespace of the domain, not the DNS name of the domain controller.
Mac OS X attempts to bind to Active Directory with the default settings.
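The command-line route mentioned at the start of this section, dsconfigad, does not do everything Directory Utility does for you. The following script is an added example, not code from the book or from Apple: it applies the pre-bind checks this chapter describes (a computer ID of 15 characters or fewer, suggested the way Directory Utility suggests it; a bind target that is the domain's DNS namespace rather than a domain controller's host name, verified through the domain's `_ldap._tcp.dc._msdcs` SRV record) and then runs the dsconfigad bind followed by the two extra steps dsconfigad leaves to you: enabling the Active Directory plug-in and adding the node to the search path. The dsconfigad flags used are real; the DirectoryService `defaults` key and the `dscl /Search` commands are assumed to be the Leopard-era way of performing those two steps, and dsconfigad is assumed to prompt for the password when `-p` is omitted. The domain, computer ID and OU values are constructed placeholders. With `DRY_RUN=1` every privileged command is printed rather than executed, so the plan can be reviewed on a machine that is not joined to any domain.

```shell
#!/bin/sh
# Added example (not from the book): pre-bind checks plus the dsconfigad bind
# sequence this chapter describes. The DirectoryService defaults key and the
# dscl search-path commands are assumed to match the Leopard-era tools; the
# domain, computer ID and OU values are constructed placeholders.

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Derive the computer ID the way Directory Utility suggests it:
# dashes become underscores and capital letters become lowercase.
normalize_computer_id() {
    printf '%s' "$1" | tr '-' '_' | tr '[:upper:]' '[:lower:]'
}

# A computer object name longer than 15 characters is a known source of bind
# errors; reject that and anything outside letters, digits and underscore.
check_computer_id() {
    cid="$1"
    [ -n "$cid" ] && [ "${#cid}" -le 15 ] || return 1
    case "$cid" in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# The bind target must be the domain's DNS namespace (pretendco.com), not a
# domain controller's host name (windows-server.pretendco.com). A domain
# publishes this SRV record for its controllers; it only resolves when the
# Mac is using the DNS service integrated with Active Directory.
dc_srv_record_name() {
    printf '_ldap._tcp.dc._msdcs.%s' "$1"
}

# Bind with dsconfigad, then do the extra steps Directory Utility performs for
# you. -p is omitted on purpose so dsconfigad prompts for the password instead
# of exposing it in the process list (assumed dsconfigad behaviour).
# Usage: bind_to_ad <domain> <computer id> <admin user> <computer OU>
bind_to_ad() {
    domain="$1"; cid="$2"; admin="$3"; ou="$4"
    if ! check_computer_id "$cid"; then
        echo "bind_to_ad: computer ID '$cid' must be 1-15 chars of [A-Za-z0-9_]" >&2
        return 1
    fi
    # Confirm DNS points at the domain, not at a single controller.
    run dig +short SRV "$(dc_srv_record_name "$domain")"
    run dsconfigad -a "$cid" -domain "$domain" -u "$admin" -ou "$ou"
    # dsconfigad neither enables the plug-in nor extends the search path.
    run defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
    run dscl /Search -create / SearchPolicy CSPSearchPath
    run dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    # Show the resulting binding so it can be checked against what was intended.
    run dsconfigad -show
}

# Stand-alone use:  DRY_RUN=1 sh bind_ad.sh demo   (prints the plan)
if [ "${1:-}" = demo ]; then
    bind_to_ad pretendco.com "$(normalize_computer_id Mac-Client01)" Administrator \
        "CN=Computers,DC=pretendco,DC=com"
fi
```

Run it first with `DRY_RUN=1` and read the printed plan; the `dsconfigad -show` line at the end is the same check you would do after a Directory Utility bind, and it is where a mismatch between the computer name in the Sharing pane and the computer object name first becomes visible.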
Logging In as an Active Directory User on Mac OS X
Once you bind your Mac OS X computer to Active Directory, you can log in with your Active Directory user account at your Mac OS X login window.
The following figure shows the default desktop for an Active Directory user who logs in to a Mac OS X computer. Note that the home folder is located on the startup disk (Option-clicking the name of a folder in the title bar of a Finder window reveals the path to the folder). The user launched the Kerberos application (in /System/Library/CoreServices), which shows that Mac OS X obtained a Kerberos ticket-granting ticket (TGT) for the user as part of the login process.
By default the Mac OS X login window displays the names of local user accounts and Other to allow you to specify a user name from a different directory node, as shown in this figure.