23 Replies Latest reply: Oct 8, 2012 3:40 AM by Mr.Do
Beandip408 Level 1 Level 1 (0 points)

So I have the following:

Lion Server running 10.7.2

Windows Server 2008 R2 (managing DNS, DHCP, AD...)

I want to be able to use my Active Directory usernames/passwords for authentication on client computers. I also want to be able to restrict some features like Users & Groups and be able to host printers on this server.

How do I go about doing that?


Mac Pro, Mac OS X (10.7.2), Server
  • 1. Re: how do i manage my mac clients with active directory on a lion osx server?
    Strontium90 Level 4 Level 4 (3,140 points)

    Bind your Mac systems to AD. That simple act will likely give you 90% of what you are looking for. You do this through System Preferences > Accounts > Login Options (or alternately through Directory Utility or dsconfigad).

    Now this will give you authentication and authorization from the AD domain plus group memberships and single sign on to Kerberos services (file services, Exchange, etc). Binding to AD will not allow you to do group policy. If you are looking to do managed client, then you have a number of options.

    They include AD Schema Mod (only do this if you absolutely must), 3rd party tools like Centrify (as they give you Windows tools to manage Macs), or OS X Server and the use of the "magic triangle."

    The triangle is the binding of Mac workstations to both AD and OS X Server. All authentication and authorization comes from AD and then management comes from OD using native Apple tools. This way you don't annoy anyone in the AD team by asking them to modify the environment.

    This is a wise choice to bind the systems. It makes Macs first class citizens (well, almost).

  • 2. Re: how do i manage my mac clients with active directory on a lion osx server?
    Beandip408 Level 1 Level 1 (0 points)

    Okay, I am wanting to do the magic triangle and have bound the server to AD and have this server as an OD Master. But when I go into Workgroup Manager >> Authenticated to Active Directory/MYDOMAIN/All Domains >> Users >> (select a user) >> Preferences >> (make some change and click Apply Now)

    I get the following error:

    Error while saving record "testuser":

    An invalid attribute type was provided.

    (com.apple.OpenDirectory:4200)

    Is this not because of my schema? And if not, what is wrong in OD?

  • 3. Re: how do i manage my mac clients with active directory on a lion osx server?
    Beandip408 Level 1 Level 1 (0 points)

    Nvm, I got it. I used my AD users and put them in local groups and set permissions on those groups. Thanks everyone for your help.

  • 4. Re: how do i manage my mac clients with active directory on a lion osx server?
    Malik-O Level 1 Level 1 (0 points)

    Hi, hello.

    I am interested in your solution for resolving this error:

    An invalid attribute type was provided.

    (com.apple.OpenDirectory:4200)

    You wrote that you used your AD users, put them in local groups and set permissions on those groups.

    Please can you explain to me step by step what you did in your AD?

    Thanks for replying.

  • 5. Re: how do i manage my mac clients with active directory on a lion osx server?
    Beandip408 Level 1 Level 1 (0 points)

    What version of AD are you using? 2003? 2008?

  • 6. Re: how do i manage my mac clients with active directory on a lion osx server?
    Malik-O Level 1 Level 1 (0 points)

    2008 R2

    Thank you for your fast reply.

  • 7. Re: how do i manage my mac clients with active directory on a lion osx server?
    Beandip408 Level 1 Level 1 (0 points)

    Have you enabled UNIX attributes on your server?

  • 8. Re: how do i manage my mac clients with active directory on a lion osx server?
    Malik-O Level 1 Level 1 (0 points)

    Oh no, what's that? How can I do that?

    And tell me: I have made a magic triangle, and on my Lion server, when I am in the Server Admin application, the Open Directory section takes very, very, very long.

    I want to know whether I need to disable the DNS service on the Lion server, since I have DNS on the 2008 server?

    Hi, please, maybe you have an email address?

    Thanks

  • 9. Re: how do i manage my mac clients with active directory on a lion osx server?
    Beandip408 Level 1 Level 1 (0 points)

    In order to store UNIX attributes in Active Directory, the schema must be extended. To extend the schema, first install Active Directory (add the Active Directory Domain Services role to an installed server, then use the Active Directory Installation Wizard to set up Active Directory) and then add the "Identity Management for UNIX" role service (this can be done in Server Manager).

    If your Windows server is running the DNS, then disable it on your Lion Server.

  • 10. Re: how do i manage my mac clients with active directory on a lion osx server?
    Malik-O Level 1 Level 1 (0 points)

    Thanks for your reply,

    but I don't want to extend the schema; that is why I have made a magic triangle.

    Have you already created a magic triangle without extending the schema?

  • 11. Re: how do i manage my mac clients with active directory on a lion osx server?
    Beandip408 Level 1 Level 1 (0 points)

    Does your domain end in .local?

  • 12. Re: how do i manage my mac clients with active directory on a lion osx server?
    Malik-O Level 1 Level 1 (0 points)

    No, it is in labo; I know it is not good for a domain to end in .local.

  • 13. Re: how do i manage my mac clients with active directory on a lion osx server?
    Beandip408 Level 1 Level 1 (0 points)

    Here's what you need to do to set up a Lion server:

    Setting up a new Lion OS X Server

    1. Change the shared name
      1. apple >> System Preferences >> Sharing
      2. enter a name like: server-mac
    2. Give it a static address
      1. apple >> System Preferences >> Network
    3. Download the Lion OS X Server app from the App Store (not through iTunes)
    4. Download Server Admin Tools for Lion (this can be found via Google)
    5. install both and run apple >> Software Update

    Binding

    1. apple >> System Preferences >> Users & Groups
      1. Unlock the padlock
      2. Click Open Login Options
      3. Click Join
      4. Click Directory Utility
        1. Double click Active Directory
        2. for domain, enter: DOMAIN.LOCAL
        3. Click the triangle next to Show Advanced Options
          1. Click User Experience
            1. Check: Create mobile account at login
              1. Uncheck: Require confirmation
            2. Uncheck: Use UNC path
            3. Check: Default user shell: /bin/bash
          2. Click Administrative
            1. Check: Prefer this domain server: ADserver.domain.local
            2. Check: Allow administration by (leave defaults)
            3. Uncheck: Allow authentication from any domain in the forest
          3. Click OK

    Create Open Directory Master (open Server Admin)

    1. Connect to server-mac.local (or enter the static address)
      1. Highlight the local server and click Settings
      2. Click Services
        1. Check: Open Directory
        2. Click Open Directory under server-mac.local (or static address)
        3. Click General
        4. Under Role, click Change
        5. Select Remain connected and set up as Open Directory Master
        6. Create a user called: Diradmin

    Changing Login Options

    1. apple >> System Preferences >> Users & Groups
    2. Click Login Options
    3. Under: Display login window as, select the Name and password radio button
    4. Check: Allow network users to log in at login window
      1. Select: Options
      2. Select: Only these network users radio button
      3. Click +
      4. Under Network Users:
        1. select those who you want to be able to log into this server

    Adjust the Date and Time

    1. Click the time in the upper right corner
      1. Click Open Date & Time Preferences...
      2. Click the Date & Time tab
      3. Check: Set date and time automatically: ntpserver.domain.local

    Add a Mac Client to the Open Directory

    1. Go to System Preferences >> Users & Groups
      1. Unlock the padlock
      2. Click Login Options
      3. Click Join
        1. Type in the IP address of the Mac server
        2. Press OK
        3. It will tell you "This server provides SSL certificates. Do you want to trust the certificates...". Choose Trust.
        4. "Server does not provide a secure SSL connection. Do you want to continue?" Choose Continue.
      4. Should be done!! Woot!!

    Decide who can get onto the box.

    1. Go to System Preferences >> Users & Groups
      1. Unlock the padlock
      2. Click Login Options / Options / Choose "Only these network users:", then choose the individuals from the Open Directory that you want to allow access to.

    Binding a Client Mac to Active Directory and Open Directory

    1. apple >> System Preferences >> Users & Groups
      1. Unlock the padlock
      2. Click Login Options
      3. Click Join
        1. Enter in the Mac server name or IP address
        2. don't enter any credentials if asked (bind anonymously)
        3. Press OK
      4. Click Join
        1. Double click Active Directory
        2. for domain, enter: DOMAIN.LOCAL
        3. Click the triangle next to Show Advanced Options
          1. Click User Experience
            1. Check: Create mobile account at login
              1. Uncheck: Require confirmation
            2. Uncheck: Use UNC path
            3. Check: Default user shell: /bin/bash
          2. Click Administrative
            1. Check: Prefer this domain server: adserver.domain.local
            2. Check: Allow administration by (leave defaults)
            3. Uncheck: Allow authentication from any domain in the forest
          3. Click OK
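The Directory Utility bind settings from the walkthrough above, expressed with dsconfigad (the command-line route Strontium90 mentioned in reply 1), plus a check that reads them back from `dsconfigad -show`. This is an added example, not from the thread: the join account name is assumed to be passed as an argument, the host names are the thread's placeholders, and the `dsconfigad -show` labels in the constructed sample are reproduced from memory.

```shell
# Added example (not from the thread): the AD bind the walkthrough performs by
# clicking through Directory Utility, done with dsconfigad, plus a read-back
# check. Host names are the thread's placeholders; the join account is assumed.

AD_DOMAIN="DOMAIN.LOCAL"
AD_PREFERRED="adserver.domain.local"
COMPUTER_ID="server-mac"

# Bind this Mac to AD (run as a local admin). The join password is read from
# the terminal so it stays out of shell history. Usage: bind_ad <AD join account>
bind_ad() {
  printf 'AD join password for %s: ' "$1"; stty -echo; read -r pw; stty echo; echo
  dsconfigad -add "$AD_DOMAIN" -computer "$COMPUTER_ID" -username "$1" -password "$pw"
  dsconfigad -mobile enable -mobileconfirm disable -useuncpath disable \
    -shell /bin/bash -preferred "$AD_PREFERRED" -alldomains disable
}

# Extract the value of one "Label = Value" line from `dsconfigad -show` text.
setting_value() {
  printf '%s\n' "$1" | grep -F "$2" | sed 's/.*= *//'
}

# Verify that the settings the walkthrough asks for are actually in effect.
# Usage: check_bind "$(dsconfigad -show)"; returns 0 only if every one matches.
check_bind() {
  rc=0
  for pair in "Create mobile account at login|Enabled" \
              "Require confirmation|Disabled" \
              "Use Windows UNC path for home|Disabled" \
              "Default user Shell|/bin/bash" \
              "Preferred Domain controller|$AD_PREFERRED" \
              "Authentication from any domain|Disabled"; do
    label=${pair%%|*}; want=${pair#*|}
    got=$(setting_value "$1" "$label")
    [ "$got" = "$want" ] || { echo "MISMATCH: $label = '$got' (want '$want')" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample of `dsconfigad -show` output (labels as the tool prints
# them, from memory) so the check can be exercised offline.
SAMPLE_SHOW='  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Use Windows UNC path for home  = Disabled
  Default user Shell             = /bin/bash
  Preferred Domain controller    = adserver.domain.local
  Authentication from any domain = Disabled'

check_bind "$SAMPLE_SHOW" && echo "bind settings match the walkthrough"
```

On a bound machine, `check_bind "$(dsconfigad -show)"` is a quick way to confirm the client really has the mobile-account, UNC-path and single-domain settings before troubleshooting logins.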
  • 14. Re: how do i manage my mac clients with active directory on a lion osx server?
    Malik-O Level 1 Level 1 (0 points)

    Good, thank you for that, but now I am blocked by the error

    An invalid attribute type was provided.

    (com.apple.OpenDirectory:4200)

    Please, step by step, how do I resolve this problem?

    And please, maybe you have written some documentation?
