Panther and Active Directory
Active Directory Plug-In: Architecture
Regardless of the configuration method, the data is written to the plug-in's configuration file, which exists at /Library/Preferences/DirectoryService/ActiveDirectory.plist (in the same directory as ADGroupCache.plist mentioned earlier). In addition to the settings specified in the plug-in's graphical interface (user caching, Domain Admin groups, etc.), there are several important and useful aspects of this file:
- AD GlobalCatalog Attribute List
- Mappings between Open Directory data types and specific LDAP attributes
- base64 encoded AD Computer Password
Active Directory Plug-In: Single Sign-on and Mac OS X Server
Supposing Windows Services are otherwise configured properly, a configured Active Directory Plug-in will allow AD users to log in via most services that Mac OS X offers. The Active Directory Plug-in, for all intents and purposes, proxies the credentials presented at file service log-in, authenticating the user via NTLMv1 (or, if NTLMv1 is disabled, via NTLMv2) through winbind's ntlm_auth tool. While this effectively allows access to Mac OS X resources based on AD credentials, it does not provide a single sign-on experience, something that has long been expected in Windows-based infrastructures. In order to preserve this user experience, Mac OS X can be configured to honor Kerberos authentication principals from the Active Directory KDC.
Related Reading: Kerberos: The Definitive Guide
Mac OS X Server can accept Kerberos authentication for a variety of services: FTP, ssh, AFP and SMB. For the purposes of this article we'll be focusing on SMB and AFP, although AFP doesn't seem to work as of 10.3.1. More than anything this is an effort to keep the article to a manageable, digestible length. Similarly, since this deals heavily with Kerberos, it would make sense to start with a basic discussion of that protocol. Unfortunately this, even at a basic level, would be a lengthy discussion, so we'll forgo it. For a good basic description of Kerberos see this site. For more in-depth coverage, O'Reilly's <blah> is a good choice.
Windows Services
We'll start with Windows File Services, which, in Mac OS X, are implemented by the open source Samba package. Samba has been modified in Mac OS X to work with Password Server, Apple's service for legacy (rather than Kerberos) authentication methods. In the case of Active Directory integration, though, we don't want to use Password Server. Instead we'll make use of one of Samba 3.0's new features: the ability to be a member server in an Active Directory domain. Prior to 10.3.3, this process was somewhat more onerous. This article has been updated to reflect 10.3.3's newer, easier method.
1) Join Active Directory using the AD Plug-in.
2) Edit the /etc/smb.conf file, ensuring:
- that the NT name for the AD in question is specified in the workgroup setting
- "use spnego" is changed from "no" to "yes"
- a "security = ads" flag is added
- a "realm" flag is specified. This is the Kerberos realm associated with your Active Directory. More often than not, it will be the DNS name of your AD in all caps. For our sample domain, ads.example.com, the flag looks like this: "realm = ADS.EXAMPLE.COM"
The resulting entries should look something like this:
security = ads
use spnego = yes
realm = ADS.EXAMPLE.COM
workgroup = ADS
Editing smb.conf in Jaguar was tricky: the sambadmind daemon would re-write it whenever Windows Services were restarted, sometimes (but not always) discarding most manual changes. The bad news is that smb.conf is still re-written on a regular basis, making it very difficult to keep your edits organized. The good news is that manual changes are now preserved without the headache seen in Jaguar (they're just moved around in the file, which can make them quite a headache to locate).
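Because sambadmind keeps rewriting smb.conf and shuffling entries, it is worth having a check that confirms the four settings from the steps above are still in force before (and after) Windows Services are restarted. The script below is an added example, not code from the article or from Apple's Samba build: it reads a smb.conf, resolves each parameter the way Samba does (comments skipped, keys case-insensitive, last occurrence wins) and reports anything that would stop the server from joining in ADS mode. The realm, workgroup and sample file are constructed for the demo; pass the values for your own domain.

```shell
#!/bin/sh
# Added example, not from the article: verify that an smb.conf carries the
# four settings needed for Active Directory member-server mode. Panther's
# sambadmind rewrites the file and moves entries around, so a setting can
# silently go missing. Realm/workgroup values here are assumptions.

# smb_setting FILE KEY -> prints the value of "KEY = value" from FILE.
# Comment lines (# or ;) are skipped, keys match case-insensitively and the
# last occurrence wins, which is how Samba resolves duplicate parameters.
smb_setting() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { if (val != "") print val }' "$1"
}

# check_smb_conf FILE REALM WORKGROUP -> 0 when the config is ready for
# Kerberos/SPNEGO domain membership, 1 otherwise; each problem goes to stderr.
check_smb_conf() {
    file=$1; want_realm=$2; want_wg=$3; rc=0
    [ "$(smb_setting "$file" security)" = "ads" ] \
        || { echo "security must be 'ads'" >&2; rc=1; }
    [ "$(smb_setting "$file" "use spnego")" = "yes" ] \
        || { echo "use spnego must be 'yes'" >&2; rc=1; }
    realm=$(smb_setting "$file" realm)
    [ "$realm" = "$want_realm" ] \
        || { echo "realm must be $want_realm (found '$realm')" >&2; rc=1; }
    case $realm in *[a-z]*)
        echo "realm should be upper case: Kerberos realm names are case-sensitive" >&2
        rc=1 ;;
    esac
    [ "$(smb_setting "$file" workgroup)" = "$want_wg" ] \
        || { echo "workgroup must be $want_wg" >&2; rc=1; }
    return $rc
}

# Stand-alone demo on a constructed smb.conf fragment.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[global]
    ; written by sambadmind -- entries may move between restarts
    workgroup = ADS
    security = ads
    use spnego = yes
    realm = ADS.EXAMPLE.COM
EOF
    if check_smb_conf "$tmp" ADS.EXAMPLE.COM ADS; then
        echo "smb.conf ready for AD member-server mode"
    fi
    rm -f "$tmp"
}
demo
```

Run it against the live file with `check_smb_conf /etc/smb.conf ADS.EXAMPLE.COM ADS` after every Windows Services restart; a non-zero exit means sambadmind dropped or altered one of the entries and SPNEGO/Kerberos logins will fall back to prompting for credentials.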
Finally, enable Windows Services using the Server Admin application or its command-line equivalent, serveradmin. Clients, both Mac OS X and Windows, who are logged in to the Active Directory should now be able to access your server via SMB without re-authenticating. In our example, the user Sam Adams has logged into a Mac OS X client with his Active Directory account. Notice (either using the klist command or the Kerberos application in /System/Library/CoreServices) that he now has a TGT:

Browsing for file services is still a bit raw in Panther, so we'll connect to our smb server by specifying its address:

The user is not prompted to authenticate- instead a share is simply chosen:

...We now see a new service ticket in the Kerberos application or klist's output:

...and a new volume mounted on the user's desktop:

The Windows user experience is very similar, and in fact is identical to the experience of logging into any other member server in the domain.
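The klist checks in the walkthrough above are the only evidence that the connection really used Kerberos rather than the NTLM proxying described earlier, so it helps to script them. This is an added example, not code from the article: it reads saved klist output and reports whether the user holds a TGT for the realm and, after mounting a share, a service ticket for the SMB server. Samba registers its SMB service as cifs/<fqdn>@REALM; that principal form, the realm, host name and the sample klist output are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the article: confirm from klist output that a
# logged-in user holds a TGT for the AD realm and, once connected, a service
# ticket for the SMB server. The cifs/<fqdn>@REALM principal form and the
# sample output below are assumptions/constructed data.

# has_ticket FILE PRINCIPAL -> 0 if a ticket line for PRINCIPAL is in FILE.
# klist prints the service principal as the last field of each ticket line.
has_ticket() {
    awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# sso_state FILE REALM FQDN -> prints one of:
#   none : no TGT, the user did not obtain Kerberos credentials at login
#   tgt  : TGT present but no SMB service ticket (not connected yet, or the
#          server answered with NTLM and no Kerberos ticket was issued)
#   smb  : TGT and cifs/FQDN service ticket present (Kerberos SSO worked)
sso_state() {
    file=$1; realm=$2; fqdn=$3
    if ! has_ticket "$file" "krbtgt/$realm@$realm"; then
        echo none
    elif has_ticket "$file" "cifs/$fqdn@$realm"; then
        echo smb
    else
        echo tgt
    fi
}

# Stand-alone demo on constructed klist output (MIT klist layout).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: sadams@ADS.EXAMPLE.COM

Valid Starting     Expires            Service Principal
01/06/04 09:12:01  01/06/04 19:12:01  krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM
01/06/04 09:15:44  01/06/04 19:12:01  cifs/fileserver.ads.example.com@ADS.EXAMPLE.COM
EOF
    sso_state "$tmp" ADS.EXAMPLE.COM fileserver.ads.example.com   # prints: smb
    rm -f "$tmp"
}
demo
```

On a real client, capture the live cache with `klist > /tmp/klist.out` before and after mounting the share; a result of `tgt` after the mount means the user was authenticated some other way (typically the NTLM path through ntlm_auth), which is exactly the silent fallback the smb.conf settings above are meant to avoid.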
This is a tremendously powerful capability, because it means that a Mac OS X Server, a commercial product from a traditional OS vendor, can seamlessly replace a Windows file server without sacrificing user experience (single sign-on) or password security (Kerberos). Added to this is the inherent security advantage of running a non-Windows server (the next Blaster won't faze Mac OS X), and that's a valuable proposition in the IT space.
Apple File Services
It should follow that native Mac file services (AFP, Apple's long-time standard filing protocol) should support similar user experience features. Unlike the Samba package, though, the two weren't specifically designed to work with one another, and right now getting kerberized AFP to work is a little tricky. Given the resources, I will document it. My hope, though, is that Apple will make this an automatic part of the Join process for Mac OS X Server.
Conclusions
Panther ushers in a new, more dynamic era of directory integration in Mac OS X. From the client side, this means that Mac OS X becomes even more viable in the media, scientific and administrative desktop environments where it's currently meeting with great reviews. From a server-side perspective, it means that the Xserve and Xserve RAID can really begin to make inroads into the cross-platform workgroup environments where Windows has been so dominant in the past 10 years. In either case this signals a remarkable opportunity for Apple, and something implementors have been working towards for a long time.
-
Domain Controller Problem
2006-01-28 20:24:43 shiffy
Has anyone seemed to have a problem when adding the Mac to the Active Directory that the Mac shows up as a Domain Controller rather than a client?
-
client side almost there
2005-08-03 22:51:21 grist
Firstly, some tips for those experiencing difficulties: try setting your machine's time settings under "System Preferences" to get date and time automatically from the same NTP source as your AD 'PDC emulator' role holder (Domain Controller). Kerberos is quite time sensitive.
For those who cannot get their AD accounts to even begin authenticating, try adding the following under the 'Authentication' tab.
Search: "Custom Path"
add "/Active Directory/domain.name.goes.here"
Now I am staring at a screen telling me my AD administrator account is logging in. I could be waiting for the 36 hours or so mentioned in the article - hope not.
Perhaps someone could answer the following Qs for me.
* Is there some tweak available to stop the machine creating the AD Group Membership Cache?
* Is this going to happen to every user as they log in for the first time? 36 hours will be viewed as excessive login time by my management :)
-
Passwd Change
2005-01-18 11:38:37 NetSyphon
Yeah, let's not forget that if you have password expiration, you will have to expire and reset your password on a Windows machine in order to log into the Mac if your password expires. Extremely annoying. What's weird is that my Gentoo box will prompt me! So there is something (open source) missing from Samba or Kerberos.
-
Active Directory Plugin required fields?
2004-10-22 07:44:26 kmcarthu@bates.edu
Has anyone found a definitive list of which fields the Active Directory Plugin is requiring to have populated in Active Directory? We appear to be having problems relating to missing data in AD, but cannot find what the Plugin is looking for. Our implementation of AD is minimal for operation.
-
It works great ... but I found a bug.
2004-08-19 06:34:56 sjones3
We (Vet School/UPENN) have figured out the little nuances of getting machines bound and multiple smb shares to mount since 10.3.4 rolled out. We wish Apple would provide more of a step-by-step to configure this for its user base as we spent a lot of time figuring it out.
For those who can't get it to work, make sure you add the custom paths in the active directory plugin under authentication and contacts once you have bound the machine. To get additional smb shares to mount, add your domain to the realms 'out of the box' kerberos settings:
/System/Library/Core Services/Kerberos
After that, we just made a run only applescript application to add additional smb shares by adding it to the startup items per account.
Works like a champ, unless your users' login is under four characters. It seems that three character logins (I haven't tested two or one) create an unusual circumstance where somehow the AD plugin doesn't jive with the GlobalCatalog. The end result? Your user will not be able to empty their trash from the GUI. (It's not locked files, immutable flags, or improper permissions either.) No joke. While you can simply add a character to the user's login name to fix this, it is still a little bizarre.
The user can open a terminal and rm any files in the .Trash folder, just not through the Finder. This affects 10.3.4 and 10.3.5 and has been reported to Apple by yours truly, but so far there has been no acknowledgement from Cupertino.
I'm curious if anyone else has run across this.
-
AD login
2004-07-26 03:39:40 gavin_counahan
So has anyone actually got this working? Binding doesn't seem to cause any problems, but then what?
-
AD login
2004-01-13 18:29:46 anonymous2
I have got my powerbook + panther to bind to my w2k domain at work, but I can't/don't know how to log in with my domain account.
Any ideas?
email tim_hollingsworth(nospam)@lasata.com.au
-
Great article - watch DNS reverse lookups!
2004-01-06 07:59:53 csoto
We finally figured out some issues related to binding our Panther Macs. Works great now (haven't tested single-sign on for shares yet, though). However, a few systems wouldn't bind, despite performing the exact same steps as other systems. It turns out this was because those systems had a DNS "cname" (alias) that differs from its "true" hostname. Well, we just used that name instead (created it in Active Directory Users and Computers) when binding. Works fine.
Another issue we're having is that with our HUGE AD (million+ users), we're not able to use the "allow administration by" feature. It simply does not notice that particular users are in that group. The directory utilities (e.g. lookupd) don't report the proper group associations. I hope this gets fixed, because that is a HUGE benefit to using a directory service (no need to configure "admins" on every single box).
Charles
-
It doesn't work.
2004-01-02 17:21:51 anonymous2
I can't seem to get authentication to SMB services working AT ALL with these instructions, let alone without re-authenticating. It doesn't recognize any AD users, just local ones.
-
Binding works; pass-thru authentication doesn't
2003-12-16 13:48:57 anonymous2
I have had the same issue come up every time I work with AD and Panther: I can get the computer to bind; I can get users to authenticate; I can't access share points on domain controllers (using SMB or AFP) without reauthenticating. Has anybody had this issue and been able to resolve it?
Email: admin@moreyevans.com
Bob