"Seamless" Integration of Mac OS X w/ Active Directory

eexlebots asks: "I work for a small college which has a few Mac OS X 10.2 machines and a fairly standard Active Directory setup. Actual deployment of these clients rides on getting them to authenticate at login to our Active Directory server. Apple has stated that this is possible (easy! seamless!) with Jaguar without the use of an additional Mac OS X server, but I have found the case to be quite different. It is possible, but not without a good deal of nightmarish configuration issues. Documentation? HA! No sign of it anywhere on Apple's site. I'm not alone: at macwindows.com I found a good many people who think that Apple's claims of seamless Windows Network integration to be a bad joke and nothing more. I was wondering who else out there is having this problem, and what they have done to solve it."

  1. Title != message by Anonymous Coward · · Score: 4, Informative

    Active desktop and Active directory are *slightly* different...

  2. Well it's not that hard to fix. by miffo.swe · · Score: 4, Informative

    Get rid of that stupid AD and install a real catalogue system like LDAP or NDS. Active Directory is made for Windows and nothing but Windows. Making anything else work with it is very hard and not worth it. What on earth do you need from AD that cannot be solved otherwise? If it's just a matter of a few machines there shouldn't be any significant gain in ease of admin in AD. If there are plenty then you should install a Mac server. Microsoft does not and will never play nice with anything else but Microsoft.

    1. Re:Well it's not that hard to fix. by Telastyn · · Score: 5, Insightful

      because if you use LDAP or NDS you end up with the same nightmarish configuration issues, except now the issues are with the Windows machines, which are probably 90% of his clientele.

      (this of course assumes it's impossible to just get rid of the Windows machines and they actually need centralized authentication in the first place...)

  3. Using AD for authentication by gruntvald · · Score: 4, Funny

    Step 1: plug into the network

    Step 2: login using AD credentials

    Step 3: There's no step 3! There's no step 3!

    1. Re:Using AD for authentication by Bob+McCown · · Score: 5, Funny
      Step 3: There's no step 3! There's no step 3!

      er, profit????

    2. Re:Using AD for authentication by Kunta+Kinte · · Score: 4, Informative
      It's easy if you do it the other way around.

      that is, create the NT user whenever you add a new LDAP user.

      Have an OpenLDAP replica running on your Win2k box. Include a Perl trigger that parses ldapadds and creates a local Win2k user whenever a new LDAP user gets added.

      Perl can be used to synchronize the passwords as well, so you don't need Winbind.

      Check out http://acctsync.sf.net/ for more info.

      --
      Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
  4. Why not Samba? by bdowne01 · · Score: 5, Interesting

    I'm stating this at a very high-level perspective, but I know Samba is an actual component of OS X Server, and it is known to compile and install on OS X perfectly.

    So why not use Samba for integration to Active Directory? I'm not perfectly clear on the details of doing so, but I'm pretty sure you can use Kerberos to hook up to an AD domain, and go from there.

    Any reason not to try? After all, Unix folk are generally pretty adamant about not reinventing the wheel :)

    --
    -brain
    1. Re:Why not Samba? by Twirlip+of+the+Mists · · Score: 5, Informative

      Any reason not to try?

      Yes. It's unnecessary. Active Directory can expose an LDAP interface, and Mac OS X is an LDAP client. The only tricky part is synchronizing the schemas, and Apple's documentation describes how to do that. On paper, it looks really simple. Since I don't have any Windows servers, I can't say whether it's simple in practice or not. The submitter evidently thinks it isn't.

      --

      I write in my journal
  5. From O'Reilly Press by wayn3 · · Score: 5, Informative

    Have you tried this?

  6. It relies on LDAP by fordgj · · Score: 5, Informative
    10.2 uses a new architecture called Open Directory which is released as open source (yes, the apple license, of course). Open Directory is what allows 10.2 to work with Active Directory. How does it do this? LDAP.

    Most likely, the configuration issues are with configuring the AD with the proper schema. When the AD is properly set up, then all you have to do is go into the Open Directory Assistant and create an LDAP service that is configured to use the Active Directory preset. Yes, it's a preset and so there is little or no configuration on the OS X side. Once the LDAP service is created, then you select it as an authentication service (in the same utility) and you are done.

  7. Re:Ummm...did you try Google? by Magycian · · Score: 5, Informative

    Ummm That link is for 10.1. VERY different animal.
    I can't seem to find a similar doc on Jaguar. Maybe because Apple has not released it yet?

  8. LDAP support != AD integration by zerofoo · · Score: 4, Informative

    Just because OS X supports LDAP for authentication does not mean there will be seamless integration with Active Directory.

    Active Directory (at least the MS implementation) is like a network-level "registry". It holds everything from integrated DNS records, to DHCP server authorization, users, permissions, replication controls and information....you get the idea.

    To participate in most of this, you need to have client side stuff that can take advantage of all of this. OK, you get Samba authentication without needing LDAP support on OS X, but who cares...that isn't enough for "seamless" integration.

    Can you add users to OS X and have them appear in Active directory?....I don't think so.

    Can you get your DHCP server (on OS X) to authenticate itself in Active Directory?...probably not.

    Can you get user lists and permissions to replicate into OS X's user list? Maybe...but i'm still not sure about that.

    Lastly...can you get a user to log into OS X and have OS X process login scripts replicated to domain controllers? Doubtful...most of the windows login scripts don't apply to the Unix world.

    I may be wrong on this stuff. My experience with OS X has been a handful of workstations connecting to a Windows file server via Samba. It seems that the platforms are too far apart to get this "seamless" integration.

    It appears the best you can do is simple user authentication....it might be worth it if the OS X server can get its user list from the Active Directory machines. Does anyone know if this is possible? I'd love it if a Linux distribution could do that so I don't have to maintain two sets of user lists.

    -ted

    1. Re:LDAP support != AD integration by plsuh · · Score: 5, Insightful

      This list consists of items that are irrelevant or unnecessary:

      Can you add users to OS X and have them appear in Active directory?

      The point of a central directory service is that you create the user records in one place (using the native tools) and all systems can authenticate against them. Adding users to your Mac OS X machine doesn't make sense under centralized directory services. With the correct administrative user login, it is possible for Workgroup Manager to edit user records in an LDAP server using LDAP v3 mechanisms.

      Can you get your DHCP server (on OS X) to authenticate itself in Active Directory?

      DHCP does not by nature authenticate. DHCP servers can send out additional vendor-specific DHCP packets -- Apple's implementation does this to tell Mac OS X clients where to look for directory services -- but they do not authenticate directly to DHCP. These additional records are ignored by systems that don't understand them. Look into the Mac OS X Server documentation and the /Applications/Utilities/Directory Access application to see the options.

      Can you get user lists and permissions to replicate into OS X's user list?

      The point of central directory services is to NOT have everything replicate into client systems! :-O When a Mac OS X system that utilizes LDAP directory services needs group information, it asks the LDAP server, not its own local NetInfo database or BSD-style config files.

      Lastly...can you get a user to log into OS X and have OS X process login scripts replicated to domain controllers? Doubtful...most of the windows login scripts don't apply to the Unix world.

      You've answered your own question here -- the Windows-based login scripts do not make sense and would not run under Mac OS X. Mac OS X has its own ways of setting up scripts to be run on boot and on login, as well as automatically mounting share points.

      Scripts can be run from the /etc/rc scripts or from the /Library/StartupItems folder. On login, there are a variety of options detailed in Apple's docs.

  9. Re:Well it's not that hard to fix. NDS != Evil. by Zeio · · Score: 5, Informative

    I beg to differ about NDS on Windows ever being a problem.

    I have no great love for Windows. Novell, I happen to like very much but it is cost prohibitive. But is NDS worth the money? Yes. Also, GroupWise is capable of driving Outlook properly, even better than my beloved OpenMail [RIP, now Samsung Contact - yeach, thanks Carly] was.

    My experience since Novell 4.x (I've used it back in the bindery days as well) and NDS has been flawless. It supports DOS, WinALL, and anything else. It has native file sharing so it can appear as a Winderz box. The server is ugly as sin at the console, but it runs more reliably than one would ever imagine; I had several servers stay up for more than a year. The Novell client integration with Windows NT based operating systems is superior, supporting advanced network trashcans, robust undelete for idiots, and does interesting things like server side searches (as in, if you are looking for the word "cat" on a network file system, the server does the searching 'for you').

    Also, NDS is much more scalable than ADS. It has the proper notion of root, it is possible to merge trunks together, and if you've ever used ConsoleOne, you'll see more granularity on this directory and its objects than was ever dreamed possible, cleanly integrated and rather fast.

    Is Novell run by intelligent business people? No. Are the products of incredible quality? Yes. Novell's image has been so heinously stained, with angry red color schemes, idiotic pictures of polyester clad fools running around on my console dancing or holding up red N's.

    Novell needs to do only this: Change colors to blue or something, and rip out that licensing shit and start offering to replace ADS/Exchange with NDS/GroupWise for $100 bucks. All it costs them is a CD. It would cost Microsoft a lot of pain.

    If you haven't given Novell a shot, please do. You'll realize that the free stuff right now is primitive compared to NDS. Any other comments on good directory service implementations are welcome.

    I just set up a Novell 6 server the other day to stay sharp with that stuff. Besides the fools in the marketing department over there, I was impressed with it. I would take a job working with Novell and Unix, but if someone wanted me to deal with Windows ADS or NT4 DS again, and not be open to Samba, I would probably not take the job or demand a premium.

    --
    Legalize the constitution. Think for yourself question authority.
  10. Get a server. by megaduck · · Score: 5, Informative

    It sounds like your real problem is getting AD to play nice with LDAP clients. The reason that Microsoft clients integrate "seamlessly" with AD is that they use some funky proprietary directory protocol, whereas everything else (Linux, Mac, etc.) speaks straight LDAP. I've found that 10.2 has pretty darn good LDAP integration, but getting it to work with Microsoft takes some accommodation on the AD side.

    Remember that Macs use open protocols and tools for their Windows integration. Samba is used for the SMB stuff and LDAP for directories. Any time you're using proprietary MS protocols, you're going to run into problems. You'll run into the same situation with Linux, Novell, or anything non-MS. If your mandate is to make the Macs behave exactly like Windows, then they're setting you up for failure.

    That being said, you can really help yourself out by getting a 10.2 server to act as a bridge. Apple's OpenLDAP is still fairly young, but it really simplifies AD integration. With your modest requirements, you could probably use an old iMac. The server software for 10.2 Server is pretty cheap with educational discounts ($250 for 10 clients, $500 for unlimited), and it doesn't require much of a box. I'm using an iMac server to get a 20 station lab on AD and it works pretty well. You get some really cool deployment and workstation management tools, too. ;)

    I hear you about the documentation, though. I don't mind so much, because I like tinkering with things and Apple's stuff is fairly intuitive. However, when you're just starting out, Apple's "Why would you need a manual?" attitude gets pretty annoying.

    --
    This .sig for rent.
  11. Re:Well it's not that hard to fix. OS X/NDS here by Havokmon · · Score: 4, Interesting
    because if you use LDAP or NDS you end up with the same nightmarish configuration issues, except now the issues are with the Windows machines, which are probably 90% of his clientele.

    Ehrm. Not only do I have Windows machines, I have an OS X box, and my workstation is Linux.

    Now, the windows boxes DO have random crashes regarding the TCP/IP stacks (Exception 0E), but that has nothing to do with Netware/NDS.

    Stop spreading FUD, I've run NDS for 5 years, and logging into the server is not an issue. Sure, there can be other issues (client-side caching of shared documents - umm turn it off), but nothing that is specific to NDS.

    Plus, with NDS, you don't even need Netware. (Oh, and it's also LDAP v3, so we've used it for web app auths also)

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  12. AD is a Rube Goldberg hack of LDAP by itwerx · · Score: 4, Informative

    If you ever look at the properties in a typical user's account in AD vs LDAP you will get the screaming heebeejeebies!!!
    LDAP user = a paragraph or two of logically arranged and named fields.
    AD user = a page and a half of garble!
    There's a reason MS has an AD "connector for LDAP" product (for a small fee).
    AD might technically have the same modes of communication as LDAP but that's like saying just because I can use the same phone to call my Aunt and that friendly guy in Nigeria that they can and should talk to each other. (Okay, bad analogy, but I thought it was funny. :)
    So, to summarise for anyone who hasn't had the pleasure of attempting to integrate AD and LDAP, they ain't even close to compatible Jack!!

  13. It Doesn't Work, Yet. I've Tried. by Spencerian · · Score: 5, Interesting

    Apple, in its attempts to get into more enterprise accounts, has not learned that system administrators require documentation ad nauseum. They wrote their documentation for AD in the old 10.1 Server AD/LDAP PDF and in their System Administrators guide for 10.2 Server much too simply.

    Recently I worked with Apple to receive an Xserve for two tests--getting a Macintosh to authenticate by AD (which is an LDAP superset) from login, and to provide authentication on file shares from AD using the Connect to Server command, where the shares would be provided by the Xserve.

    I had no success in getting anything to work with 10.1 Server. After getting 10.2 Server from Apple, we had luck in getting authentication for file shares working. Part of the problem involved how LDAPv3 (the main component in Apple's Open Directory) relates to the AD schema. I'm not an AD expert, but Apple has got a "not-invented-here" mindset here; the LDAP components don't match up with what sysadmins expect. I was unable to get the login authentication component working at all.

    As a result, I couldn't recommend an Xserve for my customers, and stuck in Services For Macintosh, a component in Windows 2000 Server that provides the same authentications to file shares by AD without the Xserve acting as a middleman for file sharing. It's got its own issues, but at least it worked as advertised; it took us only 5 minutes to set this up on a working W2K server.

    Apple MUST have the documentation and software working and tested before making claims. This is a completely unacceptable way to sell their wares, and is worsening an already bad reputation for many in IT.

    Just so you know, Macintosh system integration is my business, so I feel quite justified in flaming Apple for such a bad implementation. It's not really their technology, but how they sold this currently snake-oil concept to Mac professionals.

    --
    Vos teneo officium eram periculosus ut vos recipero is.
  14. A little more to the story by lkaos · · Score: 5, Informative

    Having worked on Active Directory interoperability in Linux along with giving a presentation at the recent CIFS conference on the topic, I can speak to this issue with a certain degree of confidence.

    My understanding of the OS X client is that it doesn't contain true Active Directory client support. Instead, it relies on the fact that most AD installations are in mixed-mode where they still accept old client logins. In fact, only the bleeding edge versions of Samba actually support true Active Directory client login as it requires some pretty obscure protocols that only recently have been understood (LDAP over UDP and other various nonsense).

    Chances are, your network is in native-mode. That would kill your chances of using the native OS X CIFS clients (although Samba should allow you to access network resources if you use a beta 3.0 version).

    --
    int func(int a);
    func((b += 3, b));
  15. modified == *extended* by netsrek · · Score: 5, Informative

    Apple haven't broken LDAP by modifying it. They are using OpenLDAP, which is published under an open source licence.

    All they have done is provide a bridge and NetInfo schema such that current NetInfo account information can be published via LDAP directly from the NetInfo database. They're not the bad guys here.

    --

    i don't read slashdot anymore.
  16. How to do it with OS X 10.2 by Anonymous Coward · · Score: 5, Informative

    You will need 10.2.

    Browse to /Applications/Utilities and open Directory Access. Then:

    Step 1: Select LDAPv3 and click Configure.

    Step 2: Drop down the "show options" button, hit "new", and type a friendly name for your AD server. Slap in its name or IP.

    Step 3: Select Active Directory from the LDAP Mappings. Use SSL if you want, fart around with the other options if you need to, and OK everything.

    Step 4: Go back to Directory Access, select Custom Path from the Search drop-down, hit "add", and select "/LDAPv3/Your Friendly name".

    Slap back wallop, you should now be authenticating with an AD server, seamlessly it is. Works good for me. I don't like AD, but I really don't care; it authenticates me, that's all I need. Keeps management happy too, they love spending that money!

    T
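What the "Active Directory" preset in Directory Access (the steps in comment 16, and the schema-mapping point raised in the replies to comments 4 and 6) has to do for one user record, shown as an added Python example. This is not code from the thread, from Apple or from Microsoft. It parses a constructed LDIF record for one AD user and produces the attributes a Mac OS X user record needs. AD has no uidNumber/gidNumber, so the numeric IDs are derived from the RID at the end of objectSid, the way Samba's idmap_rid does; the 10000 offset, the /Users home-directory convention, the tcsh default shell and the login-name check are this example's assumptions, not anything the preset is documented to do. The sample record, domain and SID are made up.

```python
"""Map one Active Directory user (as LDIF) onto a Mac OS X user record.

Added example, not from the thread or from Apple/Microsoft. The ID
derivation and naming conventions below are assumptions for illustration.
"""
import base64
import re
import struct

UID_BASE = 10000              # assumption: keeps derived IDs clear of local NetInfo accounts
DEFAULT_SHELL = "/bin/tcsh"   # assumption: the 10.2-era default login shell
# Only allow names that are safe as a record name and as a path component.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")


def build_sid(authority, subauths):
    """Encode a SID in the binary layout AD stores in objectSid.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then little-endian uint32 sub-authorities.
    Used here only to construct the sample record."""
    return (struct.pack("<BB", 1, len(subauths))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


# Constructed sample: the domain, user and SID values are made up.
SAMPLE_SID = build_sid(5, [21, 1000000, 2000000, 3000000, 1105])
SAMPLE_LDIF = (
    "dn: CN=Jane Doe,CN=Users,DC=college,DC=example\n"
    "objectClass: user\n"
    "cn: Jane Doe\n"
    "sAMAccountName: jdoe\n"
    "displayName: Jane Doe\n"
    "objectSid:: " + base64.b64encode(SAMPLE_SID).decode("ascii") + "\n"
    "primaryGroupID: 513\n"
    "memberOf: CN=Students,CN=Users,\n"
    " DC=college,DC=example\n"          # LDIF folded continuation line
)


def parse_ldif_record(text):
    """Parse one LDIF record into {attribute: [values]}.

    Handles folded lines (leading space) and 'attr:: base64' values,
    which come back as bytes; plain values come back as str."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    record = {}
    for line in lines:
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        record.setdefault(attr, []).append(value)
    return record


def sid_to_string(blob):
    """Decode binary objectSid into the familiar S-1-5-21-...-RID form."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def ad_user_to_osx_record(record):
    """Produce the Open Directory user attributes from an AD user entry."""
    name = record["sAMAccountName"][0]
    if not NAME_RE.match(name):
        # The name becomes a home path and a lookup key; never trust the
        # directory to have sanitised it.
        raise ValueError("refusing to map unsafe login name %r" % name)
    sid = sid_to_string(record["objectSid"][0])
    rid = int(sid.rsplit("-", 1)[1])
    return {
        "RecordName": name,
        "RealName": record.get("displayName", [name])[0],
        "UniqueID": UID_BASE + rid,                              # assumption: RID-based
        "PrimaryGroupID": UID_BASE + int(record["primaryGroupID"][0]),
        "NFSHomeDirectory": "/Users/" + name,                    # assumption
        "UserShell": DEFAULT_SHELL,
        "GeneratedUID": sid,
    }


if __name__ == "__main__":
    for key, value in ad_user_to_osx_record(parse_ldif_record(SAMPLE_LDIF)).items():
        print("%-18s %s" % (key, value))
```

Running it prints the mapped record for the sample user. The login-name check is the part worth keeping if you script anything like this for real: the record name ends up in a filesystem path and in local lookups, and a directory you do not administer should not be able to hand a client a name containing path separators.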

  17. AD documentation for 10.2 by daveschroeder · · Score: 5, Informative

    The Active Directory documentation for Jaguar Server is now integrated into the Mac OS X Server 10.2 Admin Guide; from http://www.apple.com/server/resources.html:

    Active Directory for Mac OS X Server v10.1: Learn how to integrate Mac OS X Server v10.1 with Microsoft Active Directory. (v10.2 customer, refer to the Administrators Guide for Active Directory integration documentation.)

    The Mac OS X Server 10.2 Admin Guide is available from:

    http://docs.info.apple.com/article.html?artnum=122015

    Particularly, see:

    Chapter 2: Directory Services (p.65)
    Using an Active Directory server (p.104)