Ian is correct about the AD Plugin, it isn't flaw-free, but if you are simply trying to provide Single Sign On access to file servers with a Windows UID and password you have the alternative of using OS X's Kerberos support, which is quite good. AdmitMac is a comparatively expensive solution that I found to be just as buggy as the Apple implementation. So first we'll try the AD Plugin. If it doesn't work, there are some other things that we may be able to do.

So, the first thing that you will want to do is upgrade the machine to 10.3.3. This can be done via software update in the System Preferences (by default you can access system preferences from the Dock).

Next, provide time synchronization services to the Mac OS client from the DC. This is so your Kerberos bind to add a machine account to the network won't fail due to timestamp problems.

Click the clock in the upper left corner of the toolbar and click Open Date & Time ...

On the Date & Time screen put a check in the box for Set Date & Time automatically.

Then enter the fully qualified name of a DC in the box for a time server.

Close the Date & Time box.

Open the finder and browse to /Applications/Utilities and open Directory Access.

If the lock in the lower left corner is in the locked position, click on it and enter the appropriate credentials.

Click Active Directory and click Configure. You should then be able to enter your forest name in the Active Directory Forest box, enter your AD domain in the Active Directory Domain box, and finally the name of the computer account you want to use in the Computer ID box.

Click the Hide Advanced Options box and, unless you will absolutely need to authenticate users from multiple domains, clear the checkbox.

If the machine is a laptop,

You can also choose to allow AD groups administrative rights to the Mac. By default this is set to Domain & Enterprise Admins.

When finished with all your options click the Bind button.

You will be prompted for an account with permissions to add computers to the domain. The default LDAP computer account location is in the CN=Computers area off the root of the default domain NC. You can change this by adding a fully distinguished path to the Container or OU of your choice.

The machine will go through 5 steps and hopefully bind successfully.

Next, go back to the Directory Access application and click the Authentication tab at the top. Under Search click Custom Path and click Add.

A box will pop up and display the Active Directory connector you just added. Click Add, then click Apply.

If you have successfully bound and added the AD connector to your authentication path, then you can log off and attempt to log in using the sAMAccountName of the user.

Troubleshooting

If you have any issues, enable Remote Login in the Sharing section of System Preferences and use another machine to SSH into the Mac. If you are using a Windows box to SSH there is a free application called PuTTY that you can use, just google for it.

After ssh'ing into the box with an admin user account, enter the command:

sudo killall -USR1 DirectoryService

This command puts the lookupd daemon in debug logging mode, then type:

tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug

This tells your shell to read the tail end of the log file and print any new entries to STDOUT.

Now attempt to log in to the machine, and your SSH session will capture what is going on with the AD Plugin. Paste the results of the tail command back here and we'll work from that point.

Good Luck,

Brent
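A small shell helper, added here and not part of Brent's message or the thread, that wraps two things the steps above depend on: the Kerberos clock-skew precondition for the bind (the 300-second limit is the usual default and an assumption here) and a filter for the ADPlug entries in the DirectoryService debug log. The sample log lines it writes are constructed, not real plugin output.

```shell
#!/bin/sh
# Added helper, not part of the thread: checks the Kerberos clock-skew
# precondition before binding and filters the AD plugin's debug log lines.

# Kerberos rejects authenticators whose timestamp is further from the KDC's
# clock than the maximum skew; 300 s is the usual default (assumption).
MAX_SKEW=300

# kerberos_skew_ok LOCAL_EPOCH DC_EPOCH: succeed when the clocks are close
# enough for the bind's Kerberos exchange, fail otherwise.
kerberos_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# adplug_failures LOGFILE: print only ADPlug entries that look like a failed
# bind or login (case-insensitive error/fail/denied).
adplug_failures() {
    grep 'ADPlug' "$1" | grep -iE 'error|fail|denied'
}

# count_adplug_failures LOGFILE: number of such entries, 0 when the log is clean.
count_adplug_failures() {
    adplug_failures "$1" | wc -l | tr -d ' '
}

# demo_log: write a constructed sample log (not real DirectoryService output)
# to a temp file and print its path, so the filters can be tried offline.
demo_log() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '13:40:01 ADPlug: bind to dc1.example.com starting' \
        '13:40:01 lookupd: unrelated entry' \
        '13:40:02 ADPlug: Kerberos error: clock skew too great' \
        '13:40:09 ADPlug: authentication failed for user mcreamer' > "$f"
    echo "$f"
}

# --live: do what the troubleshooting steps describe on a real 10.3 client:
# put DirectoryService into debug logging and follow only the AD plugin's lines.
if [ "$1" = "--live" ]; then
    sudo killall -USR1 DirectoryService
    tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug
fi
```

Run it with no arguments to exercise the filters on the constructed log; pass --live on the Mac itself (as an admin user) to follow the real plugin log as described above.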

On May 7, 2004, at 1:42 PM, Creamer, Mark wrote:

Hi Brent, they’re all 10.3.2. Thanks for your help on this…

<mc>

-----Original Message-----
From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Mac clients & passwords

Which version of OS X?

10.3 or above has an Active Directory client built in that can typically be configured to work with AD; if not, there are options for using Kerberos for single sign on. Post back the specific version, and I can help you get it going whether it be 10.3 or back.

Brent.

P.S. To get the specific version of OS X:

1. log in

2. click the Apple button in the upper left hand corner

3. click "About this Mac"

On May 7, 2004, at 9:07 AM, Creamer, Mark wrote:

They are OSX

<mc>

-----Original Message-----
From: Bruce Clingaman [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 06, 2004 5:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mac clients & passwords

Are the Mac clients OSX or 9 or earlier?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, May 06, 2004 2:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Mac clients & passwords

I have zero experience with Macs, but we now have a few in our design dept. Our domain is Windows 2000, and the Macs are using only TCP/IP to participate on the network, no AppleTalk. The users say they don’t get notified when their AD password expires, and then when it does expire, they have to go find a Windows PC to change it. Is there software I can install on the AD and/or client side to alleviate this problem? Also, is it accurate that passwords are transmitted in clear text from a Mac client to a Windows resource?

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
