Campus Active Directory - Joining Mac OS X 10.7 or later to Campus Active Directory
Authorized Users Only: Only authorized users are allowed to join a machine to the campus active directory domain. If you are interested in using the campus active directory for your department or organization, please fill out a request form.
Active Directory and Kerberos will only tolerate a plus or minus of 5 minutes time variation between the Domain Controller and a client.
If the time variation exceeds five minutes, the client will not be able to authenticate or bind.
The following commands will show you the date, time, and time zone of the client computer and set the time zone if it is incorrect.
- sudo systemsetup -settimezone "America/Chicago"
Setting & Verifying Client Names
Because the LDAP traffic will be signed the name of the Mac client has to match the name provided to AD by the Active Directory plugin. The Mac client’s name is configured in three separate places; ComputerName, HostName, and LocalHostName.
The following commands will change all three client names:
- scutil --set ComputerName <computerid>
- scutil --set HostName <computerid>
- scutil --set LocalHostName <computerid>
- scutil --get ComputerName
- scutil --get HostName
- scutil --get LocalHostName
Binding the client to AD and configuring the Active Directory plugin:
Commands to Bind Mac Client to AD
***Note: dsconfigad will fail unless you specify the -ou parameter***
dsconfigad -force -add <domain> -ou <OU> -username <username> -computer <ComputerName> -packetencrypt ssl -packetsign require
example: dsconfigad -force -add AD.WISC.EDU -ou "OU=computers,OU=orgUnits,DC=ad,DC=wisc,DC=edu" -username "bubadger-ou" -computer dept-wk-test -packetencrypt ssl -packetsign require
Enter your local user password then your Active Directory user password after at the prompt
- dsconfigad -mobile enable -mobileconfirm enable -localhome enable -useuncpath disable
- dsconfigad -groups "Domain Admins,Enterprise Admins" -alldomains enable
- dsconfigad -show (displays current AD plugin settings)
Once the bind process is complete you will have to verify that the proper search paths were configured.
Without these search paths the Mac client will not be able to locate objects in Active Directory.
Creating & Testing Search Paths
In 10.7 and later the search paths should be automatically created as part of the bind process.
Test Search Paths
When the appropriate search paths have been created you can verify that the Mac client can locate Active Directory user objects using the “dscl” or “id” command.
- dscl /Search -read /Users/<AD Username>
- id <AD Username>
If the Mac client is able to successfully search the Active Directory the next step is to test authentication. Authentication can be tested using the "dscl" or "su" commands. Enter either of the following commands and the account’s password when prompted:
dscl /Search -authonly <AD Username>
Configuring Login Window for AD
Mac clients that are bound to active directory with login windows that are configured for “List of users” the "Other..." user option may not appear in the list of users for up to 30 seconds.
Because a user cannot log onto a Mac client with the login window configured for “List of Users” until the "Other..." user option appears, we recommend configuring the login window for “Name and password.”
Note: With the login window configured for “Name and password” the client will sometimes display a red “gumball” indicator with a message that says “Network accounts are unavailable” or a yellow “gumball” indicator with a message that says “Some network accounts are not available” for up to 30 seconds.
If the login window is configured to allow Automatic login a user may not have the opportunity to change to their AD user.
In addition, if the login window is configured to allow Automatic login the client stores the username and password which is in violation of Responsible use of University of Wisconsin - Madison Information Technology Resources.
For the reasons listed above we outline configuring the login window to disable "Automatic login" below.
The following steps will configure a Mac client login window for Name and Password & disable Automatic login:
- Open System Preferences and choose: Users & Groups
- Click the lock icon in the lower left corner and enter your administrator account password.
- Click the Login Options button in the lower left.
- In the "Display login window as:" section, click the "Name and password" option.
- In the "Automatic login:" section, select "Off" from the drop-down menu.
- Close System Preferences.
- Log out to verify the login window is configured correctly.
- Make sure System Preferences is not open.
- Open Terminal (in /Applications/Utilities).
- Optionally, to see the current Display login window setting, execute this command:
- sudo defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
- SHOWFULLNAME = 0 (FALSE) indicates "List of users"
- SHOWFULLNAME = 1 (TRUE) indicates "Name and password”
- To use the "Name and password" setting, execute this command:
- sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
- Optionally, to see the current Automatic login setting, execute this command:
- sudo defaults read /Library/Preferences/com.apple.loginwindow
- autoLoginUser = " "; indicates Automatic login: Off
- if there is no entry for autoLoginUser; indicates Automatic login: Off
- autoLoginUser = username; indicates Automatic login: Enabled
- To disable the "Automatic login" setting, execute this command:
- sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser " "