How to…Integrate Mac OS X With Active Directory
Apple computers occupy a relatively small but fairly secure place in the corporate and educational IT demographics. Network administrators—especially those working in educational or multimedia environments—are likely to find themselves supporting mixed Windows Active Directory/Mac OS X infrastructures. Often, for these network engineers, a question arises: How can I get Mac OS X and Microsoft Windows to play well together?
The best way to clarify this process is through a nuts-and-bolts approach: explaining, in simple terms, how to configure Mac OS X client computers to seamlessly interoperate in Windows 2000 or Windows Server 2003 Active Directory domains. And, no, I won’t use Microsoft add-on tools such as Services for Macintosh, which allows a Windows administrator to mount pseudo-Mac-native file volumes. Instead, I will explore the ability of Macintosh computers to have honest-to-goodness Active Directory computer accounts, and how Macintosh users can log on to Active Directory domains using the same Kerberos V5 authentication protocol that Windows users employ.
Before getting down to the business of configuring Active Directory binding on our Mac OS X client computers, make sure that one of the latest versions of Mac OS X is running—such as 10.3, aka Panther, for our examples here. It just so happens that the 10.3.8 OS update made some much-needed fixes to the Active Directory plug-in. Believe me, working in a mixed Mac-Windows environment myself, our team struggled mightily with AD binding prior to Apple’s release of the update. You will not regret taking the time to patch your software. At press time, the latest revision to the Panther operating system is version 10.3.9.
To perform a software update in Panther, open the Apple menu and select Software Update. Once your OS is fully patched, you can move on.
Active Directory binding in Panther is configured by using the Directory Access utility: This program can be found by choosing Go, then Utilities from the menu bar, and then clicking Directory Access in the Finder window. Figure 1 shows the Services panel of the Directory Access utility.
If the Directory Access utility is locked—which is indicated by a closed lock icon in the lower-left corner of the Directory Access dialog box—click the lock and authenticate with administrative credentials. Once you have authenticated, you will have read and write access to all of the listed plug-ins in the Directory Access utility.
Our first stop is the Active Directory plug-in. Ensure that the Enable box is checked, and double-click the Active Directory item to open it. When the Active Directory binding options panel appears, click Show Advanced Options. (See Figure 2.)
Enter the Domain Name System (DNS) names of your organization’s AD forest and AD domain in their respective fields, in the Directory Access dialog box. Next, type the host name of the Mac computer in the Computer ID text box. This hostname will correspond to the Active Directory computer account name of the Macintosh workstation.
If you want the Mac user to be able to use his or her Active Directory domain credentials to log on to the Macintosh computer even when the computer is not physically connected to the domain (for instance, if the user is issued a laptop and takes it home each evening), then you should select the “Cache Last User Logon for Offline Operation” option.
Select Authenticate in Multiple Domains if your network encompasses more than one AD domain and you want the user to take advantage of Active Directory transitive trust relationships. Select Prefer This Domain Server and type the hostname or fully qualified domain name (FQDN) of the most convenient domain controller (DC) for the user in question. This will be the first AD domain controller that the Mac OS X client computer contacts during each domain logon.
Finally, select Allow Administration By and type the names of the groups that you want to grant administrative access on the local Macintosh workstation. Note that you can specify only Active Directory group accounts here, not individual user accounts. Furthermore, you must use the standard Windows domain\group notation, and the groups must be separated by a comma with no spaces. If you have custom access needs, then you must use Active Directory Users and Computers on a Windows 2000 or Windows Server 2003 domain controller to create the universal, global or domain local administrative groups and assign them in the Directory Access plug-in on each Mac OS X workstation.
For instance, if I managed a Windows Server 2003 domain named CORP and I wanted my Domain Admins group, Enterprise Admins group and a custom global group named Accountants to have full local administrative rights on a Mac OS X workstation named PANTHER101, then I would type the following string in the Allow administration by text box in the Directory Access plug-in:
CORP\Domain Admins,CORP\Enterprise Admins,
To create the actual computer account binding in Active Directory, click Bind. What happens next is actually sort of random. In my experience with binding Panther clients to Active Directory, sometimes I am prompted to first authenticate as a local administrator. If this is the case, submit a username and a password of an administrative account on the local workstation. Regardless, at some point during the AD binding process you will be prompted to authenticate as an Active Directory domain administrator: To do this, simply submit the credentials of an AD account that belongs to the target domain’s Domain Admins group and after a few moments, the binding should complete successfully. (Proof of this will occur when the Bind button reads Unbind.) You can now close the Active Directory binding panel and return to the main Directory Access utility.
LDAP Search Paths
At this point, the Active Directory computer account has been created for the Mac workstation and Panther has been bound to the Active Directory. However, the Active Directory must be added to the Lightweight Directory Access Protocol (LDAP) search paths in the Directory Access utility in order to facilitate Panther’s ability to resolve AD resources. To accomplish this next task, navigate to the Authentication pane in Directory Access, open the Search pop-up menu, and select Custom. Next, click Add and then add the appropriate entry for your Active Directory domain. (See Figure 3.)
Note that in Figure 3, the path /NetInfo/root is listed first, the path /ActiveDirectory/ensworth.lan (which is the name of the AD domain in my work environment) is listed second, and the path /LDAPv3/ehsmacserv is listed third. You should know that the order in which your LDAP entries are listed is the order in which the local computer will execute LDAP search queries. Therefore, using Figure 3 as an example, the Mac will attempt to resolve LDAP queries by first consulting its own local NetInfo database, then querying an AD domain controller and, finally, by querying our Mac OS X Server computer named ehsmacserv.
To complete the LDAP search path configuration, navigate to the Contacts pane and perform the same steps you completed on the Authentication pane. Once you have completed your configuration, close the Directory Access dialog box and restart the computer. Congratulations: You have successfully configured Active Directory support under Mac OS X Panther.
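Two of the settings above are easy to get subtly wrong: the Allow Administration By string (domain\group entries, comma-separated, no spaces) and the search-path order (local NetInfo node first, then the AD domain node). The following pre-flight check is an added example written for this article, not code from Apple or the Directory Access utility; the CORP groups and the ensworth.lan search path are the article's own sample values, reused here as constructed input.

```python
import re

# Constructed sample values taken from the article: a domain named CORP with
# three administrative groups, and the AD domain shown in Figure 3.
AD_DOMAIN = "ensworth.lan"
ADMIN_GROUPS = [("CORP", "Domain Admins"),
                ("CORP", "Enterprise Admins"),
                ("CORP", "Accountants")]

# One entry in DOMAIN\Group notation; the group name may contain spaces
# ("Domain Admins") but never a comma or a second backslash.
GROUP_RE = re.compile(r"^([A-Za-z0-9._-]+)\\([^\\,]+)$")


def build_admin_string(groups):
    """Build the Allow Administration By value from (domain, group) pairs:
    entries joined by commas with no spaces, as the plug-in expects."""
    return ",".join(f"{domain}\\{group}" for domain, group in groups)


def parse_admin_string(value):
    """Validate an Allow Administration By string and return its
    (domain, group) pairs. Raises ValueError for whitespace around a comma,
    an entry without the DOMAIN\\ prefix, or an empty entry left by a stray
    trailing comma."""
    entries = []
    for raw in value.split(","):
        if raw != raw.strip():
            raise ValueError(f"whitespace around comma in entry {raw!r}")
        match = GROUP_RE.match(raw)
        if not match:
            raise ValueError(f"entry {raw!r} is not in DOMAIN\\Group notation")
        entries.append((match.group(1), match.group(2)))
    return entries


def check_search_path(nodes, ad_domain):
    """Check a custom search path like the one in Figure 3. Returns a list of
    problems (empty when the order matches the article): the local NetInfo
    node must be queried first and the AD domain node must be present."""
    problems = []
    if not nodes or nodes[0] != "/NetInfo/root":
        problems.append("/NetInfo/root should be first so local accounts "
                        "resolve before any network lookup")
    ad_node = f"/ActiveDirectory/{ad_domain}"
    if ad_node not in nodes:
        problems.append(f"{ad_node} is missing: AD users and groups will "
                        "not resolve on this workstation")
    return problems
```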
At this point, you should be able to submit an Active Directory username and password at the Mac OS X login window and authenticate both to your organization’s domain, as well as to the local Macintosh workstation. Assuming