

Accessing Windows Active Directory with Mac OS X

Forum Regular (joined Mar 2001, Brookfield, CT, USA) | Feb 26, 2003, 01:48 PM
I've found fragments of information on Apple's site and around the web that Jaguar supports authentication/access (whatever you want to call it) into a Windows Active Directory server WITHOUT the need of a Mac OS X Server present on the network (as was required with OS X versions prior to 10.2). There's a pdf titled, "Integrating Mac OS X With Active Directory" that Apple provides but it was written pre-10.2, and thus does not have details on how to do this.

What I want to do is simple. I have:

A single Mac OS X computer on a Windows network with an Active Directory server (this is the domain controller that the Windows 2000 clients login to on our network).

I want to be able to print to our network printers that are shares on the AD server.

Can this be done?

I've opened the Directory Access utility on OS X and didn't see anything appear in terms of servers, etc.
     
Mac Elite (joined Nov 2001, Trafalmadore) | Feb 26, 2003, 02:59 PM
Yes, it can be done. I am in the process of doing this now and am just getting started. See macwindows.com for some more information from users already doing it. There are some limitations and I expect it will only get better. Now that I have all of our PCs running XP, the next step is to await native OS X Quark and ditch OS 9 and integrate with AD.

You don't need AD to print to a network printer with OS X.
     
scip (op), Forum Regular (joined Mar 2001, Brookfield, CT, USA) | Feb 26, 2003, 05:27 PM
Originally posted by SMacTech:
> Yes, it can be done. I am in the process of doing this now and am just getting started. See macwindows.com for some more information from users already doing it. There are some limitations and I expect it will only get better. Now that I have all of our PCs running XP, the next step is to await native OS X Quark and ditch OS 9 and integrate with AD.
>
> You don't need AD to print to a network printer with OS X.

The macwindows.com site was one of the first places I went in search of information on getting OS X to see an AD server. I know that I can print to a network printer without having to go through AD, but we are testing a Linksys wireless print server with AppleTalk off. I can see the print server in Print Center, but can't get it to print.

Additionally, I wanted to be able to auth into the AD server so that I know how to do it and to see how well it works.

Anyone else have any references that explain how to make OS X see/connect to an AD server and utilize its services?

Steve
     
Clinically Insane (joined Mar 2001, Location: yes) | Feb 26, 2003, 06:22 PM
I think you can set up an LDAP server to authenticate against ADS.

Does your ADS network allow VPN connections?
     
scip (op), Forum Regular (joined Mar 2001, Brookfield, CT, USA) | Feb 26, 2003, 06:28 PM
Originally posted by besson3c:
> I think you can set up an LDAP server to authenticate against ADS.
>
> Does your ADS network allow VPN connections?

Yes, according to what I can glean from the outdated Apple PDF about Mac OS X and Active Directory, it appears that LDAP is not enabled by default on an AD server. If this is correct, then we will look into getting LDAP running on our AD server.

Once we have LDAP running, how exactly do you login to the AD server? Through the Connect To Server... command in the Finder? And once you successfully auth in, does that allow you to see the network devices made available by the AD Server? (i.e., printers, shares, etc.)

What does VPN have to do with getting it to work (is VPN required)? We don't have a VPN server, but I'm not remote; I'm connected to the same subnet on the LAN that the AD server resides on.
     
Addicted to MacNN (joined May 2002, Beautiful Downtown Portland) | Feb 26, 2003, 06:34 PM
As I understand it you can't have OS X workstations directly authenticate through AD. It must go through OS X Server (or perhaps some other *nix LDAP server).

OS X Server can use LDAP to authenticate against AD and then pass permissions on to the OS X workstation through NetInfo.

At least, that's how I understood it when I investigated it.
"There he goes. One of God's own prototypes. Some kind of high powered mutant never even considered for mass production. Too weird to live, and too rare to die." -- Hunter S. Thompson
     
Addicted to MacNN (joined May 2002, Beautiful Downtown Portland) | Feb 26, 2003, 06:38 PM
Crossed posts with your last one.....

It goes back to NetInfo. NetInfo is the tool your Mac uses to determine permissions for everything. It's Apple's own little addition to the Unix underpinnings.

You must configure NetInfo to query an AD server using LDAP if you want to authenticate through AD.

As I understand it, OS X Server is necessary in the mix. Something to do with a limitation of the NetInfo implementation on workstation X.

NetInfo is the key to it all. I may be wrong about needing OS X Server in the middle of it, but I'm positive that NetInfo is where you'll need to configure the LDAP exchange.
     
Clinically Insane (joined Mar 2001, Location: yes) | Feb 26, 2003, 06:40 PM
Thunderousfunker:

I don't see why you can't do this in client; in fact I'm pretty sure you can (hence the Directory Access application). Even if you couldn't, you could easily compile LDAP... OpenLDAP is open source.

scip:

I think the login panel would authenticate against ADS, and grant you access to your local account on your computer. I'm not sure what home directory would be used if a local account wasn't available on your machine and you didn't have a roaming profiles setup...

Individual applications can also query against the ADS/LDAP directories.

As you may or may not know, you can easily mount PC shares on ADS networks, and mount Mac volumes from your PC as well.
     
scip (op), Forum Regular (joined Mar 2001, Brookfield, CT, USA) | Feb 27, 2003, 06:56 AM
Originally posted by thunderous_funker:
> As I understand it you can't have OS X workstations directly authenticate through AD. It must go through OS X Server (or perhaps some other *nix LDAP server).
>
> OS X Server can use LDAP to authenticate against AD and then pass permissions on to the OS X workstation through NetInfo.
>
> At least, that's how I understood it when I investigated it.

Prior to Jaguar (10.2) you did need an OS X Server for AD to work.

This is a quote taken from http://macwindows.com/jaguar.html

> Each Mac OS X 10.2 user can access Microsoft's Active Directory without the need for Mac OS X Server on the network, as was previously required. Apple says that "Your network administrator can use the same password authentication system that Windows people use, and can store your home directory on a remote Windows server, if that's how your network is set up." Jaguar includes a new application called Directory Access in the Utilities folder for configuration.
>
> We asked Apple's Bill Evans to elaborate a bit, and he offered this:
>
> Mac OS X v10.2 is based on a technology we call Open Directory that manages all directory related services. The primary industry standard for directory service protocols is LDAP and Open Directory provides full support for LDAP. Our Open Directory technology and the Directory Access application also give Active Directory administrators the tools they need to integrate Macs into Windows networks. With these tools, a user can type their username and password in to the login window and have that be validated by an Active Directory server.

As it would appear from the first sentence in the first paragraph (in the above quote), a Mac OS X Server is no longer needed. Trouble is, all the documentation that I can find on Apple's site has not been updated to reflect this.
     
Mac Elite (joined Sep 2001, Chico, CA and Carlsbad, CA) | Oct 31, 2003, 12:18 PM
Now that 10.3 is out, has anyone played further with authenticating OS X clients against Active Directory?

Directory Access now has an Active Directory entry, so I'm wondering how OS X integration is faring these days. Our network admins recently upgraded to Active Directory for Windows Server 2003, and this supposedly includes the right fields so that Mac OS X boxes can authenticate without too much modification.

Any progress?
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
Clinically Insane (joined Mar 2001, Location: yes) | Oct 31, 2003, 12:26 PM
Originally posted by [APi]TheMan:
> Now that 10.3 is out, has anyone played further with authenticating OS X clients against Active Directory?
>
> Directory Access now has an Active Directory entry, so I'm wondering how OS X integration is faring these days. Our network admins recently upgraded to Active Directory for Windows Server 2003, and this supposedly includes the right fields so that Mac OS X boxes can authenticate without too much modification.
>
> Any progress?

The way I understand things, in Jaguar clients can only use ADS to verify that the account exists, but they can't authenticate against ADS like Windows machines do.

In Panther, clients can actually authenticate against ADS, and have ad-hoc accounts created based on being accepted into ADS. This is great news, as a simple query is so much less overhead than patched together alternatives.
     
Mac Elite (joined Sep 2001, Chico, CA and Carlsbad, CA) | Oct 31, 2003, 01:19 PM
Originally posted by besson3c:
> In Panther, clients can actually authenticate against ADS, and have ad-hoc accounts created based on being accepted into ADS. This is great news, as a simple query is so much less overhead than patched together alternatives.

This IS great news. Maybe if I knew more about Active Directory.

     
Dedicated MacNNer (joined Jun 2001, Paris, France) | Nov 1, 2003, 03:58 AM
Also having problems getting this to work. I'm not a Windoze techie so I gave it to one of my guys who is. (Thing is he knows nothing about Macs).

We have got it working with a product called ADmitMac, which is by Thursby (the same guys who wrote DAVE), www.thursby.com.

One thing though, it is sooooo slow. Hoping to see some more info here on how to do this properly.
iPod Photo 60GB + 1Gb iPod Shuffle + iPod/3G/15GB + iPod Mini (Silver)
24" iMac 2.8Ghz/2GB/SuperDrive
Mac mini 1.66Ghz Intel Core Duo/1GB/SuperDrive + iPod Nano (Black)
     
Clinically Insane (joined Mar 2001, Location: yes) | Nov 1, 2003, 11:48 AM
Originally posted by Jordan:
> Also having problems getting this to work. I'm not a Windoze techie so I gave it to one of my guys who is. (Thing is he knows nothing about Macs).
>
> We have got it working with a product called ADmitMac, which is by Thursby (the same guys who wrote DAVE), www.thursby.com.
>
> One thing though, it is sooooo slow. Hoping to see some more info here on how to do this properly.

Are you aware that the setup is done through the Directory Access app?
     
Dedicated MacNNer (joined Jun 2001, Paris, France) | Nov 1, 2003, 12:05 PM
Originally posted by besson3c:
> Are you aware that the setup is done through the Directory Access app?

Yeah! But it is still very slow.

Also, there are a number of annoying messages that come up when I'm not connected to the network.
     
Mac Elite (joined Sep 2001, Chico, CA and Carlsbad, CA) | Nov 12, 2003, 01:31 AM
Ah-hah. I just got authentication working from a 10.2 box to our campus' Active Directory server. What I ended up having to do was call a meeting with some of the PC administrators and put our heads together. They gave me the information I needed and within 5 minutes I had my box authenticating against the Active Directory server with a test account we set up.

One question I have, though, is how do we give users administrator privileges? My first thought was to add that user to the admin group. No go. I next thought to add that user to /etc/sudoers, and while this works for sudo in the command line, the Network user cannot authenticate in any GUI apps where administrator privileges are needed.

Anyone know where/how these privileges are handled?

     
Fresh-Faced Recruit (joined Sep 2004, Sydney, AUS) | Sep 30, 2004, 12:25 AM
Originally posted by [APi]TheMan:
> Ah-hah. I just got authentication working from a 10.2 box to our campus' Active Directory server. What I ended up having to do was call a meeting with some of the PC administrators and put our heads together. They gave me the information I needed and within 5 minutes I had my box authenticating against the Active Directory server with a test account we set up...

Sorry, but could you please explain further how you made that work (authenticating a Mac OS X client to a Windows AD server without the use of a Mac OS X server)? We here are trying to do the same thing as above. So if you could provide some sort of guide on how you set up your client and server, it would be greatly appreciated.

Cheers.
     
Junior Member (joined Aug 2001, Germany) | Oct 1, 2004, 06:52 AM
Here is how I did it (integrated 45 Macs into our AD):

- install the Mac as desired
- enter the IP address of the ADS server into the DNS field in Network (had to do it, otherwise it would not work)
- open up "Directory Access"
- check "Active Directory" and double-click it
- enter your domain and forest information at the top
- expand the window and check the first option if you are not permanently connected to the network; your last logon credentials are then cached
- click "Connect" (don't know what it's called in the English Mac OS and am too lazy to switch languages :-)
- enter a Windows admin account name and password
- you should then be connected to AD
- verify by opening a Terminal window and running "dsconfigad -show"
- enter the AD into the tabs for "Contacts" and "Identification" (with the "add custom path" command)

With dsconfigad you can also set some advanced options, such as mapping your Mac OS X home directory to the AD-specified HomeDir.

I basically did what's on the Macwindows site. If you have an OS X Server, you can also add that to the search path and the LDAP tab and can then manage your prefs and other nice things...

Hope this helps....

Bye, Frido.
     
Professional Poster (joined Oct 2001, London) | Oct 1, 2004, 09:25 AM
You know it makes sense. ☼ ☼ ☼ Growl.
     
Fresh-Faced Recruit (joined Sep 2005) | Sep 11, 2005, 08:25 PM
Hi all,
I'm bringing this thread back from the archives because I've got a problem setting up Directory Access on my Tiger machine. I've followed all the steps Frido:Mac laid out, but two things happen that don't allow me to complete configuration. One is that when I go to configure Active Directory, the "forest" option box is grayed out with the word "Automatic", so there's no way to change that option. I then enter my domain name and computer name, then I click on the Bind button. There I enter credentials with rights to join objects to AD and click OK, but then I get the message: "Invalid Domain. An invalid Domain and Forest combination was specified. You should enter a fully qualified DNS name for the domain and forest (e.g., ads.company.com)."

I've created a computer account in AD, I set the preferred server to the DC where AD resides, I set the DNS on the Mac to the IP of the DC where AD resides, and I still get this error.

Can somebody tell me if I am doing something wrong, or if there is some step I am missing on either the Windows server or the Mac client? Thanks in advance for helping.

DV
     
Junior Member (joined Aug 2001, Germany) | Sep 12, 2005, 12:34 AM
To make it work, I had to enter the ADS server as DNS in the Network prefs pane.... otherwise I got the same message you did.

Bye, Frido.
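A small pre-bind sanity check, added here as an example and not taken from any post in the thread, covering the two pitfalls that came up: Frido's step of pointing the Mac's DNS at the AD server, and the "Invalid Domain" error DV hit when the domain and forest were not fully qualified DNS names. It assumes POSIX sh with sed, awk and grep; the "key = value" listing it parses is only modelled on the kind of output dsconfigad -show gives, and the domain ads.example.com, the account macmini$ and the address 10.0.0.1 are constructed placeholders.

```shell
#!/bin/sh
# Added pre-bind sanity check (not from the thread). Assumes POSIX sh plus
# sed, awk and grep; the listing format and all values below are constructed.

# is_fqdn NAME: 0 if NAME is a fully qualified DNS name (at least one dot,
# labels of letters, digits and inner hyphens), else 1. Directory Access
# rejects a NetBIOS-style short name such as "ADS" with "Invalid Domain".
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# field KEY FILE: print the value after "KEY = " from a "key = value"
# listing in the style of dsconfigad -show (first match only).
field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# check_bind FILE: 0 if domain and forest are FQDNs and the computer
# account carries the trailing "$" that AD machine accounts use.
check_bind() {
    dom=$(field "Active Directory Domain" "$1")
    forest=$(field "Active Directory Forest" "$1")
    acct=$(field "Computer Account" "$1")
    is_fqdn "$dom" || { echo "domain '$dom' is not fully qualified"; return 1; }
    is_fqdn "$forest" || { echo "forest '$forest' is not fully qualified"; return 1; }
    case "$acct" in
        *\$) ;;
        *) echo "computer account '$acct' lacks the trailing \$"; return 1 ;;
    esac
    echo "bind looks sane: $acct in $dom (forest $forest)"
}

# dns_points_at_dc RESOLV_FILE DC_IP: 0 if DC_IP is listed as a nameserver.
# The thread's fix for "Invalid Domain" was exactly this: the Mac must use
# a DNS server that knows the AD domain, normally the DC itself.
dns_points_at_dc() {
    awk -v ip="$2" '$1 == "nameserver" && $2 == ip { found = 1 }
                    END { exit found ? 0 : 1 }' "$1"
}

# Constructed samples (not real output): a healthy listing, one with the
# short-name mistake, and a resolv.conf-style file naming the DC
# (10.0.0.1 is a placeholder address) as the first nameserver.
GOOD_BIND=$(mktemp); BAD_BIND=$(mktemp); RESOLV=$(mktemp)
cat >"$GOOD_BIND" <<'EOF'
Active Directory Forest          = ads.example.com
Active Directory Domain          = ads.example.com
Computer Account                 = macmini$
EOF
cat >"$BAD_BIND" <<'EOF'
Active Directory Forest          = ADS
Active Directory Domain          = ADS
Computer Account                 = macmini$
EOF
printf 'nameserver 10.0.0.1\nnameserver 10.0.0.53\n' >"$RESOLV"

check_bind "$GOOD_BIND"
check_bind "$BAD_BIND" || echo "(expected: replace the short name with an FQDN)"
dns_points_at_dc "$RESOLV" 10.0.0.1 && echo "DNS points at the DC"
```

On a real Mac the listing would come from `dsconfigad -show` and the resolver file from the DNS setting made in Network preferences; here both are the constructed samples above.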
     
Fresh-Faced Recruit (joined Jan 2006) | Jan 16, 2006, 12:21 PM
Hey all, hope people can help me with this. I'm trying to set up my mini to access my Active Directory through Tiger to Windows Small Business Server 2003, and I'm able to log in and see all the Active Directory servers through Open Directory. Kerberos is authenticated and renewing, and I'm logged in as an Active Directory user. What I can't do is access my file shares on my server. When I go into Network, my domain is there, and inside the domain folder I can see all my computers in the directory, as aliases. When I try to click "Connect" for the alias, I get "The alias "server" could not be opened, because the original item could not be found." When I "get info" for my server, I see it points to "nfs://automount%20-nsl%20%5B147]" Weird...

When I try to use Connect to Server, address "smb://server" I get the error "Could not connect to the server because the name or password is not correct".

So I know I'm authenticating with the active directory OK, since I can log on as an active directory user, but I can't access my shares. Any ideas? Thanks.

Ed
     
   
All contents of these forums © 1995-2011 MacNN. All rights reserved.