Smoothly integrate your Mac OS X workstations to Active Directory

Even though Mac OS and Windows may seem like matter and antimatter, they needn't explode when you mix them on your network. Brien Posey shows you how to configure Macintoshes to participate and authenticate using Active Directory.

Cats and dogs. Fire and ice. Oil and water. Mac OS and Windows. Some things just aren’t meant to go together. But as a network administrator in a mixed environment, it’s your job to make your Macintosh and Windows desktops work well together.

Although Windows and Macintoshes are inherently different, you can integrate them in a roundabout manner. With a little bit of work, you can get your Macintosh workstations connected to Active Directory almost as smoothly as your Windows workstations.

Before you jump right in
You can’t make the connection between Mac OS X and Active Directory without first modifying Active Directory’s schema to accommodate Mac OS X. For more information about how to do this, see the Daily Drill Down “Connect your Macintosh workstations to Active Directory.” This Daily Drill Down references objects and classes discussed in my previous Daily Drill Down, so if you haven’t read it, you should do so before proceeding.

Referencing a share point
To make your Macintoshes connect to Active Directory, you must first modify the Mounts class. Enter the SCHMMGMT.MSC command at the Run prompt to open the Schema Management console. Expand the Classes container to reveal the various classes contained beneath it. Right-click on the Mounts class and select the Properties command from the resulting menu. When you see the Mounts class’ properties sheet, click the Change button on the General tab. You’ll then see a list of available classes. Select Mounts from the list and click OK twice to update the class.

Next, you'll need to create a Mounts object that references the home directory share point on your Macintosh. Open ADSI Edit and navigate through the tree structure to the Mounts container. Right-click on the container and select New | Object from the resulting menus. At this point, you’ll see the Create Object dialog box asking you to select a class. Select Mounts from the list and click Next. On the following screen, you must enter the DNS path to the Home directory on the Mac server. You can see an example of this in Figure A. It’s very important that you use a short DNS name rather than an IP address.

Figure A
Enter the short DNS path to the Mac user’s Home directories.

Upon clicking Next, you must choose to either finish the wizard or enter more attributes. Click the More Attributes button to set other attributes for the Mounts object. You’ll then see a screen similar to the one shown in Figure B. You can assign attributes through this screen by selecting a property from the Select A Property To View drop-down list, filling in the Edit Attribute field, and clicking the Set button. You must assign the /Network/Servers Edit Attribute to the vfsdir property.

Figure B
Assign the /Network/Servers attribute to the vfsdir property.

Next, you must assign some values to the vfsopts attribute. The vfsopts attribute is multivalued, so you’re going to be doing this one a little bit differently than you did vfsdir. To set the attributes for vfsopts, select vfsopts from the Select A Property To View drop-down list. When you do, you’ll notice that the Set button changes to an Add button. When you enter an attribute into the Edit Attribute field, just click the Add button and the attribute will be added to the list at the bottom of the window.

Begin the process by adding the Net value to the Edit Attribute field. Next, enter a URL into the Edit Attribute field. This URL must be the long DNS name of the share point that you entered earlier. The actual URL will differ from network to network but will usually look something like this:

For this URL format to work correctly, the URL must point to an AFP share point. You can see an example of the attributes I’ve assigned to the vfsopts attribute by looking at Figure C.

Figure C
You must assign the Net value and a URL to the vfsopts attribute.

For the final step in this part of the process, you must assign the URL attribute to the vfstype property. You can see an example of this in Figure D. Click OK to complete the process.

If at any time you need to define additional share points, repeat all the steps in this section, but substitute the information associated with the Homes directory for information associated with the new share point.

Figure D
Assign the URL attribute to the vfstype property.

Defining user records
Next, you will set up some Macintosh users in Active Directory, and link the user accounts to the various Active Directory attributes that I’ve already shown you how to create in the section above. To begin, create some user accounts for the Macintosh users. But rather than creating the user accounts on the Macintosh server, you’ll create them through the Active Directory Users And Computers console. As you create the new accounts, you don’t initially have to do anything special. Instead, just create the accounts in the normal manner.

When you’ve created the necessary user accounts, open ADSI Edit and navigate to the CN=Users container. If you haven’t already created the ADSI Edit MMC, you can do so by clicking Start | Run, typing mmc in the Run dialog box, and pressing [Enter]. When the blank MMC window opens, select Add/Remove Snap-in from the Console menu. You’ll then see the Add/Remove Snap-in window appear. Click Add. Select ADSI Edit from the Add Standalone Snap-in window and click Add. Close the Standalone Snap-in and the Add/Remove Snap-in windows and you’re ready to go.

You’ll see a list of users appear in the column on the right. Locate one of the user accounts that you’ve just created in the list and then right-click on the user object and select the Properties command from the resulting menu. You’ll then see a properties sheet for the user. Use this properties sheet to assign values to the Macintosh-related attributes since they aren’t accessible through the Active Directory Users And Computers console.

Begin the configuration process by selecting the Home Directory attribute from the Select A Property To View drop-down list. Next, you must insert a URL into the Edit Attribute field. This URL must point to the user’s individual home directory and must address the location relative to the Homes share point. For example, if Beavis’ home directory were \Homes\Beavis, the URL would look something like this:

You can see a completed example of this shown in Figure E.

Figure E
Insert a URL that references the user’s individual home directory.

As you can see, the home directory attribute is loosely based on HTML code. A name between the Less Than and Greater Than signs (<>) designates the start of a value, and the same name with a slash (/) in front of it designates the end of the value. For example, the <path>Beavis</path> portion of the command indicates that Beavis is the value for the path. Although the above command appears to be capitalized strangely in places, the command that you use must be capitalized in the same manner to function properly.

Before closing the user’s properties sheet, you must map the userSharedFolderOther attribute to the user’s individual home directory. The biggest difference between this mapping and the mapping that I explained previously is that this mapping must be in a format that Windows 2000 can understand. To set this mapping, select the userSharedFolderOther attribute from the Select A Property To View drop-down list. Enter the path to the user’s home directory in the Edit Attribute field and click the Add button. The actual path will look something like this:

Setting up the Macintosh server
Once your Active Directory configuration is complete, it’s time to point the Macintosh server to Active Directory. After you've established a connection, you must actually create the home directories that Active Directory is already referencing.

To configure the Macintosh server to access Active Directory, open the Directory Setup application found in /Applications/Utilities. Click on the button with the lock symbol on it and log in as the Administrator. Select LDAPv2 | Configure | New.

Then, you’ll see a window divided into several tabs. By default, the Identity tab is selected. On the Identity tab, fill in the Name field with a descriptive name for the Active Directory server’s purpose. For example, you might set the name to Win2K/Mac LDAP Connection. Next, enter the Windows 2000 server’s DNS name or IP address into the Address field.

Select the Records tab, and then select Users from the Record Type list. You must use the Add Maps button to insert the mappings for Active Directory user information. The exact mapping data that you’ll use varies depending on your own individual network configuration. However, you can look up the correct mapping in ADSI Edit. The correct mapping will look something like this:

Next, you must provide the server with a mapping to Active Directory mounts record. Select the Mounts record from the record type list and edit the value to reflect the location of your Mounts object within Active Directory. The actual record will look something like this:

At this point, you must map user and home directory attributes. Select the Data tab and then work through the various entries in the data type list and map all appropriate entries to the corresponding Active Directory attribute. Below is a list of the required mappings:
  • Map the RecordName to sAMAccountName.
  • Map the RecordName to CN, name, or displayName.
  • Map the RealName to displayName.
  • Map the UniqueID to UniqueID.
  • Map the Password to a blank value.
  • Map the PrimaryGroupID to primaryGroupID.

Setting up the Macintosh workstations
Under normal circumstances, your Macintosh workstations look to a Macintosh server for authentication. So you need to configure the workstations to point to Active Directory instead of the Macintosh server. To do so, repeat all of the steps outlined in the above section, but perform the steps on the workstations rather than on the server.

During the last part of the process in which you’re mapping objects on the Data Type list to Active Directory attributes, there will be a few attributes that you must map in addition to those listed in the section above. These mappings are as follows:
  • Map the NFSHomeDirectory to userSharedFolderOther.
  • Map the HomeDirectory to homeDirectory.
  • Map the VFSType to vfstype.
  • Map the VFSLinkDir to vfslinkdir.
  • Map the VFSOpts to vfsopts.
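The following script is an added example, not code from the article or from Apple or Microsoft. It pulls together two parts of the procedure above: it applies the Data-tab mappings listed for the server and the workstations to a constructed Active Directory user entry to see what user record the Macintosh will assemble, parses the HTML-like homeDirectory value (the <path>Beavis</path> element described earlier, with case-sensitive tags), and checks the Mounts object against the constraints the article states: a DNS host name rather than an IP address, the Net value plus an AFP URL in vfsopts, vfstype set to url and vfsdir set to /Network/Servers. The sample server name, the sample values, the <home_dir><url>…</url> wrapper around the <path> element, the UNC form of userSharedFolderOther, and the reading of "short DNS name" as a hostname without a domain are all assumptions.

```python
"""Validate AD Mounts and user records before the LDAPv2 plug-in reads them (added example)."""
import ipaddress
import re
from typing import Dict, List

# Mac OS X record attribute -> AD attribute(s), as listed in the article
# (server mappings first, then the extra workstation mappings).
USER_MAPPINGS = {
    "RecordName": ["sAMAccountName", "cn", "name", "displayName"],
    "RealName": ["displayName"],
    "UniqueID": ["UniqueID"],
    "Password": [],                  # mapped to a blank value
    "PrimaryGroupID": ["primaryGroupID"],
    "NFSHomeDirectory": ["userSharedFolderOther"],
    "HomeDirectory": ["homeDirectory"],
    "VFSType": ["vfstype"],
    "VFSLinkDir": ["vfslinkdir"],
    "VFSOpts": ["vfsopts"],
}

# Tagged-value syntax from the article: <name>value</name>, names are case-sensitive.
_TAG = re.compile(r"<(\w+)>(.*?)</\1>", re.S)


def parse_tagged(value: str) -> Dict[str, str]:
    """Return {tag: inner text} for every <tag>..</tag> pair, including nested ones."""
    out: Dict[str, str] = {}
    for tag, inner in _TAG.findall(value):
        out[tag] = inner
        out.update(parse_tagged(inner))
    return out


def map_record(ad_entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Assemble the Mac OS X user record from an AD entry using USER_MAPPINGS."""
    return {mac: [v for ad in ads for v in ad_entry.get(ad, [])]
            for mac, ads in USER_MAPPINGS.items()}


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_mount(mount: Dict[str, List[str]]) -> List[str]:
    """Return the problems found in a Mounts object; an empty list means it passes."""
    problems = []
    name = (mount.get("cn") or [""])[0]          # e.g. macserver/Homes (constructed form)
    host = name.split("/", 1)[0]
    if not host or _is_ip(host):
        problems.append("mount name must be a DNS host name, not an IP address")
    elif "." in host:                            # assumption: "short" means no domain suffix
        problems.append("mount name should be the short DNS name, not the FQDN")
    if mount.get("vfsdir") != ["/Network/Servers"]:
        problems.append("vfsdir must be /Network/Servers")
    opts = mount.get("vfsopts", [])
    if "net" not in [o.lower() for o in opts]:
        problems.append("vfsopts is missing the Net value")
    urls = [o for o in opts if "://" in o]
    if not urls:
        problems.append("vfsopts is missing the share-point URL")
    elif not all(u.lower().startswith("afp://") for u in urls):
        problems.append("vfsopts URL must point to an AFP share point")
    if [v.lower() for v in mount.get("vfstype", [])] != ["url"]:
        problems.append("vfstype must be url")
    return problems


def check_user(record: Dict[str, List[str]], share_name: str = "Homes") -> List[str]:
    """Return the problems found in a mapped user record; empty list means it passes."""
    problems = []
    if not record["RecordName"]:
        problems.append("no RecordName (sAMAccountName, cn, name and displayName all missing)")
    if record["Password"]:
        problems.append("Password must map to a blank value")
    for attr in ("UniqueID", "PrimaryGroupID", "NFSHomeDirectory"):
        if not record[attr]:
            problems.append(f"{attr} is missing")
    if not record["HomeDirectory"]:
        problems.append("HomeDirectory is missing")
        return problems
    path = parse_tagged(record["HomeDirectory"][0]).get("path")
    if not path:
        problems.append("HomeDirectory has no <path>...</path> element (tags are case-sensitive)")
    elif path.startswith("/") or share_name.lower() in path.lower().split("/"):
        problems.append("HomeDirectory <path> must be relative to the Homes share point")
    return problems


if __name__ == "__main__":
    # Constructed sample objects; the server name and user are invented for illustration.
    mount = {"cn": ["macserver/Homes"], "vfsdir": ["/Network/Servers"],
             "vfsopts": ["Net", "afp://macserver.example.com/Homes"], "vfstype": ["url"]}
    user = {"sAMAccountName": ["beavis"], "displayName": ["Beavis"], "UniqueID": ["1001"],
            "primaryGroupID": ["20"], "userSharedFolderOther": ["\\\\macserver\\Homes\\Beavis"],
            "homeDirectory": ["<home_dir><url>afp://macserver.example.com/Homes</url>"
                              "<path>Beavis</path></home_dir>"]}
    print("mount:", check_mount(mount) or "ok")
    print("user:", check_user(map_record(user)) or "ok")
```

Run it against records pulled from ADSI Edit (one value per list entry) before rebooting a client: a mount that points at an IP address, an smb:// URL, or a <Path> tag with the wrong case is reported here rather than discovered as a failed login.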

Creating the home directories
The final step of the process involves creating the actual home directories for the users. Log in to the Macintosh server with Administrative privileges and create a Homes directory in the location of your choice. Next, open the Server Admin tool and use the Sharing component to make the Homes directory a share point. Select the General tab and click the Sharing button. Then, select the Set Sharing Attributes option, select the Homes directory, and click the Choose button.

You’ll then see a sharing window. In the General pane, click Share This Item And Its Contents. Doing so will create an AFP share point. Be sure that the Homes folder’s owner has full privileges to the directory and that everyone has Read privileges to the Homes directory.

At this point, use the Server Admin Apple component to enable AFP guest access. Select the File And Print tab and click Apple. Select the Configure Apple Service option, select the Access tab, click Allow Guest Access, and then click the Save button.

Once you’ve created the Homes directory, you must create an individual directory beneath Homes for each user that you’ve set up in the Active Directory database. To do so, select Server Admin’s General tab and click on Users And Groups. Select Home Directory Defaults, click Local, and then select Homes from the share point menu. Click Save to save your changes.

Next, you must determine which users you need to create home directories for. You can do so by clicking on Users And Groups and then selecting the Find Users And Groups option. When the Find window appears, select the Selected Directories option from the pop-up menu. Select the LDAP Server option and click Done.

You should see a list of users with Active Directory accounts. You may double-click on a user to view the user’s individual properties. When you double-click on a user, the user’s properties sheet will appear. Select the properties sheet’s Advanced tab and verify that the user’s User ID, Primary Group ID, and home directory information are accurate.

Next, select all users for which you need to create home directories. Click the Export button, specify a path and filename in the space provided, and click Save. This will export the user information to a file. Click Users And Groups and then click the Import button. You must then import the file you just created. The import process will automatically create the necessary home directories for the individual users and set the appropriate permissions. This is why it's important to make sure that everyone has Read access to the Homes folder. If the users didn’t have Read access, this step wouldn’t work correctly.
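The import step above depends on the Homes share point carrying the permissions set earlier (owner with full privileges, everyone with Read). The following POSIX shell functions are an added example, not part of the article or of Server Admin: one verifies those permissions on a Homes directory from the mode bits that ls -ld reports, the other verifies that each named user ended up with a directory beneath it after the import. The directory layout and user names in the demo are constructed.

```sh
#!/bin/sh
# Added example: verify the Homes share point permissions the article requires
# (owner rwx, everyone at least r) and the per-user directories the import creates.

# check_homes_perms DIR: return 0 if DIR grants the owner rwx and everyone read, else 1.
check_homes_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    mode=$(ls -ld "$dir" | cut -c1-10)       # e.g. drwxr-xr-x
    owner=$(echo "$mode" | cut -c2-4)
    other_r=$(echo "$mode" | cut -c8)
    if [ "$owner" != "rwx" ]; then
        echo "$dir: owner lacks full privileges ($mode)" >&2
        return 1
    fi
    if [ "$other_r" != "r" ]; then
        echo "$dir: everyone lacks Read privileges ($mode); the import will not work" >&2
        return 1
    fi
    return 0
}

# check_user_homes DIR USER...: return 0 if every user has a directory under DIR,
# else list the missing ones on stderr and return 1.
check_user_homes() {
    dir=$1
    shift
    missing=0
    for user in "$@"; do
        if [ ! -d "$dir/$user" ]; then
            echo "missing home directory: $dir/$user" >&2
            missing=1
        fi
    done
    return $missing
}

# Demo on a constructed tree: run with --demo to exercise both checks.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Homes/Beavis"
    chmod 755 "$tmp/Homes"
    check_homes_perms "$tmp/Homes" && echo "Homes permissions ok"
    check_user_homes "$tmp/Homes" Beavis Butthead || echo "some home directories are missing"
    rm -rf "$tmp"
fi
```

Point the checks at the real Homes share point after the import: a non-zero exit from the first function explains a failed import, and a non-zero exit from the second tells you which exported users did not get a directory.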

A side effect to using the export/import method to create home directories is that the process also creates accounts for the users on the Macintosh server. So you’ll have to delete these accounts. All user accounts (other than built-in accounts) should reside in Active Directory. The proper way to delete the duplicate user accounts is to click Users And Groups, and select the Show Users And Groups List option. Select the local NetInfo domain, select Active Directory Users, and then click the Delete button.

Authenticating through Active Directory
At this point, all of the server-side configurations are complete. You'll then need to test the Macintosh/Active Directory authentication. Begin by clicking the Login Window tab in the Macintosh client’s Login pane of System Preferences. Verify that the Automatically Login option is not enabled. Next, select either the Name And Password Entry Field option or the List Of Users With Accounts On This Computer option.

If you decide to use the List Of Users With Accounts On This Computer option, make sure that the Show Other Users In List For Network Users check box is selected. Then, reboot your Macintosh client and attempt to log in to the network.

If after successfully logging in, you’d like to test the home directory mappings, you can do so by either choosing the Home option from the Go menu or by clicking Home in a Finder window. If you’d like to view the complete path to the home directory, simply hold down the Command key and click the title bar.
