Slashdot Mirror


"Seamless" Integration of Mac OS X w/ Active Directory

eexlebots asks: "I work for a small college which has a few Mac OS X 10.2 machines and a fairly standard Active Directory setup. Actual deployment of these clients rides on getting them to authenticate at login to our Active Directory server. Apple has stated that this is possible (easy! seamless!) with Jaguar without the use of an additional Mac OS X server, but I have found the case to be quite different. It is possible, but not without a good deal of nightmarish configuration issues. Documentation? HA! No sign of it anywhere on Apple's site. I'm not alone: at macwindows.com I found a good many people who think that Apple's claims of seamless Windows Network integration to be a bad joke and nothing more. I was wondering who else out there is having this problem, and what they have done to solve it."

44 of 300 comments

  1. Title != message by Anonymous Coward · · Score: 4, Informative

    Active desktop and Active directory are *slightly* different...

  2. Well it's not that hard to fix. by miffo.swe · · Score: 4, Informative

    Get rid of that stupid AD and install a real catalogue system like LDAP or NDS. Active Directory is made for Windows and nothing but windows. Making anything else to work with it is very hard and not worth it. What on earth do you need from AD that cannot be solved otherwise? If it's just a matter of a few machines there shouldn't be any significant gain in ease of admin in AD. If there are plenty then you should install a MAC server. Microsoft does not and will never play nice with anything else but Microsoft.

    --
    HTTP/1.1 400
    1. Re:Well it's not that hard to fix. by Anonymous Coward · · Score: 1, Informative

      Use LDAP? Uh... Active Directory is an x.500 based directory that uses.... LDAP!!

      NDS is also an x.500 based directory.

    2. Re:Well it's not that hard to fix. by UnrefinedLayman · · Score: 3, Informative
      What on earth do you need from AD that cannot be solved otherwise?
      Group Policy. If there's one thing that is important to an organization with many computers that require support, it's group policy.

      Beyond that, there are a large number of reasons. If you've never used Active Directory, then you don't understand the integration it offers that you can't find elsewhere easily.
  3. From O'Reilly Press by wayn3 · · Score: 5, Informative

    Have you tried this?

  4. It relies on LDAP by fordgj · · Score: 5, Informative
    10.2 uses a new architecture called Open Directory which is released as open source (yes, the apple license, of course). Open Directory is what allows 10.2 to work with Active Directory. How does it do this? LDAP.

    Most likely, the configuration issues are with configuring the AD with the proper schema. When the AD is properly set up, then all you have to do is go into the Open Directory Assistant and create an LDAP service that is configured to use the Active Directory preset. Yes, it's a preset and so there is little or no configuration on the OS X side. Once the LDAP service is created, then you select it as an authentication service (in the same utility) and you are done.

  5. Ummm...did you try Google? by krove · · Score: 3, Informative

    Apparently not. By entering "Active Directory under OS X" the very first entry is a PDF by Apple with instructions on page 35 on how to set up clients to authenticate to the active directory domain controller.

    Here is the link for the uninitiated:
    MacOSXwithActiveDirectory.pdf

    1. Re:Ummm...did you try Google? by Magycian · · Score: 5, Informative

      Ummm That link is for 10.1. VERY different animal.
      I can't seem to find a similar doc on Jaguar. Maybe because Apple has not released it yet?

    2. Re:Ummm...did you try Google? by krove · · Score: 1, Informative

      1. Open /Applications/Utilities/Directory Access
      2. Configure LDAPv3
      3. Click New
      4. Enter in info, making sure you select server type as Active Directory
      5. Click on Authentication Tab, switch search to "Custom Path"
      6. Click Add, and choose the new LDAP configuration you just made for your AD server
      7. Test it out.

      I must warn that I have never done this before (only glanced at the instructions). The instructions for 10.2 cannot be all that different from 10.1, so...

  6. RTFM by Anonymous Coward · · Score: 0, Informative
  7. APPLE document: Integrating Mac OS X with AD by scarpa · · Score: 2, Informative

    You know, slashdot really isn't as good of a search engine as Google.

    1) Go to google.com
    2) search for "active directory mac os x"
    3) click the third result.
    4) prof- nah.

    Or you can click this link:
    Integrating Mac OS X with Active Directory

  8. Re:Active Directory is different than Active Deskt by HaiLHaiL · · Score: 2, Informative

    Who said anything about Active Desktop?

    --


    reech bee-yond ur clip-0n
  9. Do your homework before asking /. by Aniquel · · Score: 2, Informative

    A quick google returns this as the first reference: MacOSXwithActiveDirectory.pdf.

  10. Didn't look very hard did you? by MoneyT · · Score: 2, Informative

    A quick search for Active Directory on the Apple website turns up these results:

    this

    this and the PDF linked to on that page can be found here

    There are also links on Apple's site to third party sites which deal specifically with Mac - PC network integration.

    --
    T Money
    World Domination with a plastic spoon since 1984
  11. LDAP support != AD integration by zerofoo · · Score: 4, Informative

    Just because OS X supports LDAP for authentication does not mean there will be seamless integration with Active Directory.

    Active Directory (at least the MS implementation) is like a network-level "registry". It holds everything from integrated DNS records, to DHCP server authorization, users, permissions, replication controls and information....you get the idea.

    To participate in most of this, you need to have client side stuff that can take advantage of all of this. OK, you get samba authentication without needing LDAP support on OS X, but who cares...that isn't enough for "seamless" integration.

    Can you add users to OS X and have them appear in Active directory?....I don't think so.

    Can you get your DHCP server (on OS X) to authenticate itself in Active Directory?...probably not.

    Can you get user lists and permissions to replicate into OS X's user list? Maybe...but i'm still not sure about that.

    Lastly...can you get a user to log into OS X and have OS X process login scripts replicated to domain controllers? Doubtful...most of the windows login scripts don't apply to the Unix world.

    I may be wrong on this stuff. My experience with OS X has been a handful of workstations connecting to a windows file server via samba. It seems that the platforms are too far apart to get this "seamless" integration.

    It appears the best you can do is simple user authentication....it might be worth it if the OS X server can get its user list from the Active Directory machines. Does anyone know if this is possible? I'd love it if a Linux distribution could do that so I don't have to maintain two sets of user lists.

    -ted

  12. AD and Unix integration by Anonymous Coward · · Score: 2, Informative

    A disclaimer first: I haven't tried to do this on MacOS X, but just did the same for Linux; you can do it on any unix that supports PAM for authentication.

    It is certainly possible, however I wouldn't call this integration a "seamless" one (I didn't use samba for that).

    You can extend AD schema to support unix by using AD4Unix package.
    After that you need to install nss_ldap and pam_ldap. A good starting point on how to configure these two can be found at Security Focus. You may want to use Kerberos for authentication, as pam_ldap transmits username and password over the network (although with SSL support this data will be encrypted).

    Hope this helps,
    AC

    1. Re:AD and Unix integration by Undertaker43017 · · Score: 2, Informative

      Another alternative to AD4Unix (if you don't mind giving MS a little extra money ;) is to purchase Microsoft's Services for Unix (~$120), which gives you the AD schema extensions and adds the support into the AD user admin screens. AD4Unix is a great product, but I got a little nervous about modifying the AD schema and having some future SP come along and blow it away. At least this way, hopefully, future SPs will see SFU installed and leave it alone. ;) Plus you get some neat extras like an NFS server for W2K and an NIS server (which you won't need, if you integrate with AD).

  13. Re:Using AD for authentication by tulare · · Score: 3, Informative

    Actually, we have AD running, along with a bunch of OS X clients. We even had an Apple engineer here last week, and he couldn't figure out how to get the auth to handle such things as creating user dirs. It's a large, ugly mess.

    --
    political_news.c: warning: comparison is always true due to limited range of data type
  14. Re:Why not Samba? by Twirlip+of+the+Mists · · Score: 5, Informative

    Any reason not to try?

    Yes. It's unnecessary. Active Directory can expose an LDAP interface, and Mac OS X is an LDAP client. The only tricky part is synchronizing the schemas, and Apple's documentation describes how to do that. On paper, it looks really simple. Since I don't have any Windows servers, I can't say whether it's simple in practice or not. The submitter evidently thinks it isn't.

    --

    I write in my journal
  15. Re:MacOS X and linux by Undertaker43017 · · Score: 2, Informative

    This is actually quite easy, all of my Solaris and Linux machines authenticate to AD, just fine. Never tried with OS X, but it sounds like it might be a bit easier, since Apple has a somewhat vested interest in making it work. I use the pam_ldap and nss_ldap modules from padl.com. Follow the newsgroup thread here: http://www.netsys.com/nssldap/2002/02/msg00031.html and the "cookbook" here: http://jaxen.ratisle.net/~jj/nss_ldap-AD_Integration_how-to.html

  16. Mac OS X in Labs by rigmort · · Score: 2, Informative
    Check out macosxlabs.org. They've got TONS of good info. I'm facing a deployment of OS X this spring and I'm not looking forward to it. Also, read Apple's white paper entitled "Mac OS X with Active Directory" in PDF format at:

    http://a1584.g.akamai.net/7/1584/51/7f99c60f0c08bf/www.apple.com/macosx/server/pdf/MacOSXwithActiveDirectory.pdf

  17. Google knows all by Twirlip+of+the+Mists · · Score: 3, Informative

    Go to Google. Type "apple.com active.directory" in the search box, and mind the periods. The very first result is a PDF from Apple's site entitled "Integrating Mac OS X With Active Directory." (Just to be clear, that link is directly to the PDF, so don't click unless you're ready to download.) In it you can find step-by-step instructions for setting up both the clients (simple) and the server (complex, but only has to be done once).

    Since you said in your submission, "Documentation? HA! No sign of it anywhere on Apple's site," it seems clear that you haven't read this document yet. Give it a try. As I wrote elsewhere, I don't have any Windows servers, but from reading the instructions, it looks like it will be very easy for you to set this up just the way you want it.

    --

    I write in my journal
  18. Re:The answers you'll get from Slashdot.. by Otter · · Score: 2, Informative
    Hardly. Only half the answers are "Well it sucks and you should use LDAP/Samba/NDS/Gentoo." The rest are "I did a Google search and found something, you moron." What, he wants to hear from someone who has actually done this? I hardly think that's necessary once a Google hit has been found.

    Too bad about that "Flamebait" mod.......

  19. Your Samba configuration is wrong by MrResistor · · Score: 3, Informative

    It's in the Samba configuration. It's something like "OS Level" and it will be set to some number, like maybe 50.

    This number is how MS machines determine who is the Primary Domain Controller, basically the one with the highest OS level gets it, unless things are specifically configured otherwise. IIRC, Windows NT 4 has an OS level in the low 30s. Newer versions of Windows have higher OS levels, and server versions have higher levels than workstation or desktop versions.

    So, all you have to do is use SWAT, or otherwise edit smb.conf, and set your OS level to some low number, like 1.

    This site is a good introduction with lots of useful tips. If you really need to know Samba, though, I highly recommend this book.

    --
    Under capitalism man exploits man. Under communism it's the other way around.
  20. It works for me here by nikkinatlanta · · Score: 2, Informative

    I'm an IT admin, and we have Win2k running AD on our server, and we have 10+ Mac clients running OS 10.2. The key is, make sure the user accounts and the user alias on the domain controller are the same..meaning, if your user account is named joe smith, make sure the alias is the same. Hope that helps.

    --
    ~~~ Nicole
  21. Non-local subnets: logon yes, browse no. by decapentaplegic · · Score: 2, Informative

    Based on Apple's adverts of "seamless" we told people they'd be able to browse my organization's full list of local windows servers from MacOsX10.2's [Connect to Server] command. As stated in the linked article, it quickly became clear that browsing using active directory only works for servers on the local subnet. Fortunately, if you already know the name or address of the machine you're trying to connect to, you can log on directly by entering: . So far, this has worked just fine on non-local subnets.

    So for my org, it's a mixed review. It's a long way from "seamless", but it's a LOT better connectivity than MacOS has ever had before. If Apple had advertised what they actually delivered ("Now you can log onto a windows server"), we'd be thrilled.

  22. Re:Well it's not that hard to fix. NDS != Evil. by Zeio · · Score: 5, Informative

    I beg to differ about NDS on Windows ever being a problem.

    I have no great love for Windows. Novell, I happen to like very much but it is cost prohibitive. But is NDS worth the money? Yes. Also, GroupWise is capable of driving Outlook properly, even better than my beloved OpenMail [RIP, now Samsung Contact - yeach, thanks Carly] was.

    My experience since Novell 4.x (I've used it back in the bindery days as well) and NDS has been flawless. It supports DOS, WinALL, and anything else. It has native file sharing so it can appear as a Winderz box. The server is ugly as sin at the console, but it runs more reliably than one would ever imagine, I had several servers stay up for more than a year. The Novell client integration with Windows NT based operating systems is superior, supporting advanced network trashcans, robust undelete for idiots, and does interesting things like server side searches (as in, if you are looking for the word "cat" on a network file system, the server does the searching 'for you.')

    Also, NDS is much more scalable than ADS. It has the proper notion of root, it is possible to merge trunks together, if you've ever used ConsoleOne, you'll see more granularity on this directory and its objects than was ever dreamed possible, cleanly integrated and rather fast.

    Is Novell run by intelligent business people? No. Are the products of incredible quality? Yes. Novell's image has been so heinously stained, with angry red color schemes, idiotic pictures of polyester clad fools running around on my console dancing or holding up red N's.

    Novell needs to do only this: Change colors to blue or something, and rip out that licensing shit and start offering to replace ADS/Exchange with NDS/GroupWise for $100 bucks. All it costs them is a CD. It would cost Microsoft a lot of pain.

    If you haven't given Novell a shot, please do. You'll realize that the free stuff right now is primitive compared to NDS. Any other comments on good directory service implementations are welcome.

    I just setup a Novell 6 server the other day to stay sharp with that stuff. Besides the fools in the marketing department over there, I was impressed with it. I would take a job working with Novell and Unix, but if someone wanted me to deal with Windows ADS or NT4 DS again, and not be open to Samba, I would probably not take the job or demand a premium.

    --
    Legalize the constitution. Think for yourself question authority.
  23. Do your homework before posting by mithras+the+prophet · · Score: 2, Informative

    Had you actually *read* the document you linked to, rather than googling for forty seconds and then patting yourself on the back, you might have found that this is the sole reference to Active Directory:

    LDAPv3
    This is a newer version of LDAP, which Mac OS X fully supports (read-write). This is the same version of LDAP used by Microsoft's Active Directory and Novell's NDS.
    The poster's problems are a very real issue and are well-deserving of a public question on Slashdot.
    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
  24. Get a server. by megaduck · · Score: 5, Informative

    It sounds like your real problem is getting AD to play nice with LDAP clients. The reason that Microsoft clients integrate "seamlessly" with AD is that they use some funky proprietary directory protocol, whereas everything else (Linux, Mac, etc.) speaks straight LDAP. I've found that 10.2 has pretty darn good LDAP integration, but getting it to work with Microsoft takes some accommodation on the AD side.

    Remember that Macs use open protocols and tools for their Windows integration. Samba is used for the SMB stuff and LDAP for directories. Any time you're using proprietary MS protocols, you're going to run into problems. You'll run into the same situation with Linux, Novell, or anything non-MS. If your mandate is to make the Macs behave exactly like Windows, then they're setting you up for failure.

    That being said, you can really help yourself out by getting a 10.2 server to act as a bridge. Apple's OpenLDAP is still fairly young, but it really simplifies AD integration. With your modest requirements, you could probably use an old iMac. The server software for 10.2 server is pretty cheap with educational discounts ($250 for 10 clients, $500 for unlimited), and it doesn't require much of a box. I'm using an iMac server to get a 20 station lab on AD and it works pretty well. You get some really cool deployment and workstation management tools, too. ;)

    I hear you about the documentation, though. I don't mind so much, because I like tinkering with things and Apple's stuff is fairly intuitive. However, when you're just starting out, Apple's "Why would you need a manual?" attitude gets pretty annoying.

    --
    This .sig for rent.
  25. Re:From O'Reilly Press by djdavetrouble · · Score: 2, Informative

    I read that sample chapter. It seems useless in relation to the topic. They list appletalk and netinfo as the legacy services, and then proceed to go into great detail on how to set up netinfo, not discussing any of the others at all... Why would we want to use the legacy directory service?

    --
    music lover since 1969
  26. AD is a Rube Goldberg hack of LDAP by itwerx · · Score: 4, Informative

    If you ever look at the properties in a typical user's account in AD vs LDAP you will get the screaming heebeejeebies!!!
    LDAP user = a paragraph or two of logically arranged and named fields.
    AD user = a page and a half of garble!
    There's a reason MS has an AD "connector for LDAP" product (for a small fee).
    AD might technically have the same modes of communication as LDAP but that's like saying just because I can use the same phone to call my Aunt and that friendly guy in Nigeria that they can and should talk to each other. (Okay, bad analogy, but I thought it was funny. :)
    So, to summarise for anyone who hasn't had the pleasure of attempting to integrate AD and LDAP, they ain't even close to compatible Jack!!

  27. Re:Using AD for authentication by Kunta+Kinte · · Score: 4, Informative
    It's easy if you do it the other way around.

    that is, create the NT user whenever you add a new LDAP user.

    Have an OpenLDAP replica running on your Win2k box. Include a Perl trigger, that parses ldapadds and creates a local Win2k user whenever a new LDAP user gets added.

    Perl can be used to synchronize the passwords as well, so you don't need Winbind.

    Check out http://acctsync.sf.net/ for more info.

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  28. Have Win2k authenticate against LDAP instead by Kunta+Kinte · · Score: 3, Informative
    http://pgina.cs.plu.edu/

    Will do that. In the end, I think the benefits of a few less win2k servers to maintain/buy is worth the client install.

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  29. What we found... by Null_Packet · · Score: 3, Informative

    I work for a company that looked into it recently. We bought an XServe, read the docs, and when I tried to assemble it in a test environment (Fresh AD infrastructure, own address space, etc) I ran into problem after problem. Finally when all the people at the Apple Support Forums (http://discussions.info.apple.com/) we got an error. So I called apple support. Would they help? They said no. Would Apple Pro support help? They said no. They said "We can get you in touch with Apple Consulting Services to help you get it working."

    WTF? I have to buy consulting? They won't even *help* you through it over the phone, they direct you to the discussion forums. Basically my point is that Apple won't even support vanilla test-only installs, let alone ones in production.

    The way it basically works is that Apple's own LDAP flavor (OpenDirectory) only works with Apple clients. *But* you can make some additions to the Win2k/AD Schema (not that scary) and make it so Apple's OpenDirectory can read attributes (users and shares) from AD, letting AD users login locally to a mac. Great stuff, yet to see it work.

    The documentation sends you all over the whitepaper, looking for info on how to do this and that, and leaves out crucial steps (enabling LDAPv2 in AD, for example, as well as enabling LDAPv2 write access).

    I'm no apple basher, but at the very least they should stop saying it's easy.

  30. A little more to the story by lkaos · · Score: 5, Informative

    Having worked on Active Directory interoperability in Linux along with giving a presentation at the recent CIFS conference on the topic, I can speak to this issue with a certain degree of confidence.

    My understanding of the OS X client is that it doesn't contain true Active Directory client support. Instead, it relies on the fact that most AD installations are in mixed-mode where they still accept old client logins. In fact, only the bleeding edge versions of Samba actually support true Active Directory client login as it requires some pretty obscure protocols that only recently have been understood (LDAP over UDP and other various nonsense).

    Chances are, your network is in native-mode. That would kill your chances of using the native OS X CIFS clients (although Samba should allow you to access network resources if you use a beta 3.0 version).

    --
    int func(int a);
    func((b += 3, b));
  31. modified == *extended* by netsrek · · Score: 5, Informative

    Apple haven't broken LDAP by modifying it. They are using OpenLDAP, which is published under an open source licence.

    All they have done is provide a bridge and NetInfo schema such that current NetInfo account information can be published via LDAP directly from the NetInfo database. They're not the bad guys here.

    --

    i don't read slashdot anymore.
  32. How to do it with OS X 10.2 by Anonymous Coward · · Score: 5, Informative

    You will need 10.2.

    Browse to /Applications/Utilities, select Directory access. Select LDAPv3, click Configure, drop down the show options button, hit 'new', type a friendly name for your AD server, slap in its name or IP, Select Active Directory from the LDAP Mappings, use SSL if you want, fart around with the other options if you need to, OK everything, go back to Directory Access, Select Custom Path from the Search Drop Down, hit 'add', select '/LDAPv3/Your Friendly name'.

    Slap back wallop, you should now be authenticating with an AD server, seamlessly it is. Works Good for me, I don't like AD, but I really don't care, it authenticates me, that's all I need, keeps management happy too, they love spending that money!!!.

    T

  33. Re:It Doesn't Work, Yet. I've Tried. by nystul555 · · Score: 2, Informative

    I'd just like to back up everything that you are saying. I have been working with one of my clients to get OSX-AD integration set up for several months now, with no luck. First we started with 10.1, and we have now moved on to Jaguar. Although I am not an Apple expert, we are working with the top Apple support company in our city, which frighteningly is also the only one that is supporting OS X in large environments yet (this is in a city of 3 million). We have also had two engineers from Apple come and assist us, and we've had no luck. My client was supposed to be a showcase for Apple, to show how great it integrates with Windows and how it can be used by large corporations and institutions, so Apple definitely has an interest in making this work. But still, no luck. As a matter of fact, the IT department at my client sent me an email earlier today saying that they would like to end the project, since it is going nowhere. It is a great disappointment to me, since I would really love to make this work, but I can't blame them at all. It seems like the big problem is that no one really has any idea how to set this up correctly. We've spoken with places where they have been able to make it work, but either they haven't actually made all of it work like it should, or they have it set up in a convoluted manner that we can't emulate on a large scale. Apple's engineers have been little help. Although they know a lot about Macs in general, it seems like they really don't know what they are talking about when it comes to LDAP and the AD integration. I really get the feeling that they just think that it SHOULD work, with minimal effort, and when it doesn't they just fall apart. I am considered to be an LDAP and NDS expert, so I have a good knowledge of how this should work, but unfortunately it just doesn't. It's been a huge disappointment.
    The worst part is, I had several other clients that were ready to implement this, but I have had to inform them that our pilot testing isn't working, so we won't be implementing it any time soon. I guess I'll just hope that they get it worked out eventually, and maybe try it again later.

  34. AD documentation for 10.2 by daveschroeder · · Score: 5, Informative

    The Active Directory documentation for Jaguar Server is now integrated into the Mac OS X Server 10.2 Admin Guide; from http://www.apple.com/server/resources.html:

    Active Directory for Mac OS X Server v10.1: Learn how to integrate Mac OS X Server v10.1 with Microsoft Active Directory. (v10.2 customer, refer to the Administrators Guide for Active Directory integration documentation.)

    The Mac OS X Server 10.2 Admin Guide is available from:

    http://docs.info.apple.com/article.html?artnum=122015

    Particularly, see:

    Chapter 2: Directory Services (p.65)
    Using an Active Directory server (p.104)

  35. Re:Well it's not that hard to fix. NDS != Evil. by sniggly · · Score: 3, Informative

    As a side note check out mod_auth_mysql - http://www.diegonet.com/support/mod_auth_mysql.shtml
    to do user auth against mysql as an apache module, works like above.

    There's also http://www.giuseppetanzilli.it/mod_auth_pgsql/

    Novell is paying attention to the good stuff :)

    --
    Of those to whom much is given, much is required.
  36. How we've done it by halmstrz · · Score: 2, Informative

    Our method involves authenticating to AD via LDAPv3, and automounting a volume over SMB. We've just put this doc together over the last few hours, but will try and work more on it in the next few days. It can be found here at the bottom.

  37. I hate stupid people... by Anonymous Coward · · Score: 1, Informative
    ...do this search on Google.com:

    OS X active directory how to

    The first thing to show up is an Apple PDF on how to do it.

    Stop wasting everyone's time and making yourself look really stupid.

  38. It works but Directory Access must be right by Current+Point · · Score: 2, Informative

    I just recently set up our Mac OS 10.2 server utilizing our Active Directory server. Here are some tips that may help.

    1) Do not test with OS X Server. I used the Java LDAP browser, available at http://www.iit.edu/~gawojar/ldap/ to check for a proper connection. Once I got this to work where I could see the LDAP user data, I plugged those same settings (User/Password, search base, IP, etc) into Directory Access for OS X Server. OS X Server does not give as much diagnostic feedback when testing as the LDAP browser does.

    2) Do not add a cn=Users to the search base. Yes it may be necessary, but OS X Server will do this for you. By adding it, you will have 2 cn=Users which breaks it. The search base should look something like dc=mydept,dc=mycompany,dc=com.

    3) In Directory Access use the Active Directory template (not From Server, or Custom). In most cases this will work without any mappings making it a simple Directory Access setup.

    Hope this helps
    Rik
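As an added example (not from this thread, nor from Apple's software), here is a small Python check for tip 2 above. It assumes, as that tip states, that the Directory Access client prepends the cn=Users container itself, and flags a search base that already names a container; the DN splitting follows RFC 4514 escaping so a value like cn=Smith\, John is not split in two.

```python
# Added example (not from the thread): sanity-check the search base you are
# about to type into Directory Access. The tip above says OS X Server prepends
# cn=Users itself, so a base that already carries a container gets it twice
# and the lookups break. Domain-component-only bases pass; anything else fails.


def split_rdns(dn):
    """Split a DN on unescaped commas into [(attribute, value), ...].

    Escaped separators such as 'cn=Smith\\, John' stay inside one value.
    Attribute types are lower-cased; values keep their case.
    """
    pieces, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    pieces.append("".join(current))

    rdns = []
    for piece in pieces:
        if "=" not in piece:
            raise ValueError("RDN without '=': %r" % piece)
        attr, value = piece.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def domain_to_base(domain):
    """Build the domain-only base for an AD domain name, e.g.
    'mydept.mycompany.com' -> 'dc=mydept,dc=mycompany,dc=com'."""
    labels = [label for label in domain.lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=%s" % label for label in labels)


def effective_base(base):
    """What actually gets searched once the client prepends the Users
    container (assumed from the tip above; the real prefixing is Apple's)."""
    return "cn=Users," + base


def check_search_base(base):
    """Return (ok, message) for a base typed into Directory Access.

    ok is False when the base has anything but dc= components, since the
    prepended cn=Users would then sit on top of a container you already
    named, which is the '2 cn=Users' failure described above.
    """
    try:
        rdns = split_rdns(base)
    except ValueError as exc:
        return False, "malformed DN: %s" % exc
    non_dc = ["%s=%s" % (attr, value) for attr, value in rdns if attr != "dc"]
    if non_dc:
        return False, ("drop %s from the base; the client would search %s"
                       % (", ".join(non_dc), effective_base(base)))
    return True, "ok: the client will search %s" % effective_base(base)


if __name__ == "__main__":
    # Constructed sample bases: the second repeats the tip's mistake.
    for candidate in (domain_to_base("mydept.mycompany.com"),
                      "CN=Users,dc=mydept,dc=mycompany,dc=com"):
        print(candidate, "->", check_search_base(candidate))
```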

  39. Re:Actually, it's not that bad for MS. by stungod · · Score: 3, Informative

    Unless you have Enterprise Licensing that is. As soon as you install Office for Mac, you have to pay them for an OS license as well. Check the fine print.

    The deal is that you're licensing a certain number of "workstations" so as soon as you install Office you've got another workstation added to your network and have a certain minimum configuration you have to buy. Usually it's a copy of Windows (XP now), a copy of Office (whatever flavor you standardize on), and maybe some other standard thing like Project.

    So just to add Office to a Mac under MS's licensing scheme it'll cost you maybe $800. YMMV but not by a whole lot.

    If you think that's fun, check out setting up a Citrix MetaFrame network. MS's weird-ass Terminal Services licensing scheme almost guarantees you'll be out of compliance unless you just write them an enormous check up-front. It's the most screwed up scheme I've ever seen.