Samba

Integrating Tiger into an Active Directory

If your company is primarily Windows-based, it probably has or is moving to Microsoft's Active Directory. Active Directory (AD) is Microsoft's enterprise directory service. It provides centralized resource and user management for tens, hundreds, or thousands of users.

Tiger also supports directory services, such as NetInfo and LDAP, and can even integrate into an AD-based network without resorting to installing special software or compromising the way you use your computer. These features are part of the Apple Open Directory architecture. Open Directory allows Mac OS X computers to interact with directory servers, local files, and network resources to create distributed administration systems that can be used in a wide variety of settings.

A properly configured client is subject to the same login/password policies as a Windows client. Mac users can also have their home directory stored on a Windows server and accessed from anywhere on the AD network. Authenticated AD administrators will even have administrative access on Tiger.

New to Tiger are mobile AD users. When active, this feature caches the login credentials for users authenticating from the Active Directory and creates a local login for them. If the AD goes down or the machine is not communicating with the AD (such as the case of a laptop that moves around), users will still be able to log in to their accounts.

Configuring AD Support

To set up the connection, open the Directory Access utility (path: /Applications/Utilities/Directory Access). To use an AD server, you need the following information:

• The AD domain that you are joining

• The computer ID that has been assigned to your system

• A username and password with the proper permission to bind a machine to the AD

• The organizational unit (OU) that the computer you're binding will belong to

Collect this information from your Windows administrator before continuing.

Authenticate by clicking the lock button in the lower-left corner of the window. Highlight the Active Directory plug-in (make sure that it's checked) and then click Configure.

A dialog appears, and Directory Access prompts you for information about your AD server. Click the Show Advanced Options disclosure push button to display all the setting options, as shown in Figure 27.7.

The first two pieces of information your AD domain and computer ID are required. The forest is identified automatically. The additional settings are optional but greatly affect how your machine operates within the Active Directory. Use the button bar at the bottom of the window to fine-tune your setup within the areas of User Experience, Mappings, and Administrative.

User Experience Options

The first setting group, User Experience, controls how the system will integrate Active Directory accounts into the Macintosh experience. Choose between the following settings based on how you want your system to handle home directories and the command-line interface (CLI) shell.

• Create Mobile Account at Login When selected, Tiger will automatically create a local account for a user that authenticates via the AD. This allows the user to log in even if the AD cannot be reached such as in the case of a mobile laptop or a flaky server setup. Use the Require Confirmation check box to prompt for each account before creating it.

• Force Local Home Directory on Startup Disk Available if mobile accounts are not active. This feature will use a local folder in /Users for those logged in by way of the AD. The user will also have his network home directory automatically mounted, but it will not be used for system files (like ~/Library).

• Use UNC Path from Active Directory to Derive Network Home Location When selected, this option will use the standard AD universal naming convention path for the home directory. Choose the protocol the server will use to present the network home directory share. SMB is should be used unless the server has additional software installed to support Apple File Protocol (AFP).

• Default User Shell The shell that the system will default to when the user accesses the CLI via Terminal or through SSH login. A user can ultimately invoke any available shell, so this is really just a default setting.

Mapping Options

By default, Tiger automatically generates a UID/GID value for users that are logged in from the AD. Because these values don't necessarily correspond to what you might want, you can use the Mapping button to map user and group IDs to specific attributes within the active directory. Systems with Microsoft Services for Unix, for example, can use the SFU UID attribute to map directly to a Mac OS X UID.

This doesn't work out of the box, however. The AD schema must be updated to include the attributes that you will be mapping to. Assuming that your AD has these attributes in place, select the check box in front of the attribute you want to map and then enter the appropriate AD attribute.

Administrative Options

The final settings pane, Administrative, is used to control the default domain server and assign valid AD administrative groups.

• Prefer This Domain Server If a preferred domain server is listed, Tiger attempts to use it by default. Otherwise, the AD is consulted and a nearby domain controller located.

• Allow Administration By Choose the groups in the AD that are considered administrators by Tiger; Domain Admins and Enterprise Admins are the defaults.

• Allow Authentication from Any Domain in the Forest If selected, users throughout the AD forest can log in. If unchecked, you will authenticate against the domain you've specified in the main directory access settings.

Binding/Unbinding with the Domain

After your options have been set, click the Bind button. Tiger prompts for a username, password, and search path to identify your computer OU in the Active Directory, as shown in Figure 27.8. This is an AD username and password with the appropriate permissions to add a machine to a domain; it is not your local Tiger admin account.

Choose how you will be using the binding by selecting Use for Authentication and/or Use for Contacts. Using the AD for authentication will allow AD users to log in to the Tiger system and potentially administrate it (refer to the previous section, "Administrative Options"). The Use for Contacts setting allows applications such as Address Book to query the AD for contact information. Finally, click OK to begin the binding process.

Tiger takes a few moments to complete the steps in connecting to the Active Directory. If any errors occur along the way, you will be given specific information to help correct the problem.

After the binding has been completed (and assuming that it was set up for authentication), users should be able to log in via the AD by clicking the Other user icon at the Tiger login screen and supplying the standard AD domain credentials instead of local login information.

To unbind from a domain, click the Unbind button within the Active Directory plug-in setup screen. You will be prompted for a username and password. Again, this is AD authentication information not a local Tiger account. The supplied username and password must have permission to remove the computer from the AD. If you do not have permission or the unbind fails, click the Force Unbind button to forcibly disconnect from the AD.