Solved

Mac OS X 10.7.5 and Active Directory

Posted on 2013-06-03
Last Modified: 2013-06-23
We are a Windows environment and are trying to integrate Macs into our network environment. I have followed some instructions from this site, but nothing I do seems to work. We keep getting "Network accounts unavailable" and are not able to log in with network credentials if there is no local account on the MacBook. I have tried to unbind and bind again, and checked all the advanced network settings as recommended in some of the posts. We do have a Mac server and we have that listed in the Directory Utility as well as the Windows network. I have added a preferred DNS server and allowed administration by domain admins, etc. under Directory Utility.

We do have a Mac server - do I need to add something to this server in order to get this to work? I have not set up a Mac server at all and know nothing about it, so any help would be greatly appreciated.
Question by:manch03
7 Comments
 
LVL 28

Expert Comment

by:jhyiesla
ID: 39218699
I don't have a Mac server in my environment so I'm not sure if that's causing an issue or not. However, mostly I do what you've done. I go into the Directory Utility from the Users and Groups system preferences window, and in the Active Directory settings I put in my domain and forest (we have only one) and I choose to bind. The only setting that I change is the one to create the mobile login account. This is handy as it will allow your users to get into the Mac even if it's not on the network.

Do make sure that in the Administrative tab you have the Allow Authentication from any domain in the forest checked.

Also make sure that you do NOT have local Mac users with the same user ID as Domain ones as OS X will default to local users first if you don't specify your domain name in front of the user ID.

Something else you might try is in the Login Options of the Users and Groups preference screen: check "Display login window as: Name and Password". This shouldn't be necessary if the Mac is properly bound to AD, but still give it a shot and have your users try this as their username: DomainName\UserName. If they get on OK, this would confirm binding to AD successfully. If not, then either AD isn't doing something it should or the Mac server, if it's running OD, could be messing something up and I really don't have any working knowledge of that.

Check in ADUC to see that the Mac is there.  And if you unbind and then rebind, check in ADUC first to make sure that the Mac does get completely removed.  You can also use third party binders, but typically I haven't needed to use these since 10.7.x.
0
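The warning in the comment above about local accounts being matched before domain accounts can be checked across a whole user list. This is an added example, not part of the original thread: the account lists are constructed sample data, `EXAMPLE` is a placeholder domain name, and comparing names case-insensitively is an assumption.

```shell
#!/bin/sh
# Report local short names that would shadow a domain account at login.
# Constructed sample data. On a bound Mac the real listings would come from:
#   dscl . -list /Users                                        (local node)
#   dscl "/Active Directory/EXAMPLE/All Domains" -list /Users  (AD node)
SAMPLE_LOCAL='_www
root
daemon
nobody
admin
jsmith
MBrown'
SAMPLE_AD='jsmith
mbrown
akhan
Administrator'

# Lowercase, drop blank lines and built-in system accounts, sort unique.
normalize() {
    printf '%s\n' "$1" |
        tr '[:upper:]' '[:lower:]' |
        grep -v -e '^_' -e '^$' -e '^root$' -e '^daemon$' -e '^nobody$' |
        LC_ALL=C sort -u
}

# Print every name present in both listings, one per line.
find_shadowed() {
    local_tmp=$(mktemp)
    ad_tmp=$(mktemp)
    normalize "$1" > "$local_tmp"
    normalize "$2" > "$ad_tmp"
    LC_ALL=C comm -12 "$local_tmp" "$ad_tmp"
    rm -f "$local_tmp" "$ad_tmp"
}

# Each name printed is a local account that wins over the domain account
# unless the user types DomainName\UserName at the login window.
find_shadowed "$SAMPLE_LOCAL" "$SAMPLE_AD"
```
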
 
LVL 28

Expert Comment

by:jhyiesla
ID: 39218702
Forgot to also say, once a domain user gets successfully logged into the Mac, check in Users and Groups to see if they are showing successfully - they probably are, but it's a place to check.

Depending on the speed of your network, I've seen it take up to 30 seconds for the network to become available.
0
 
LVL 38

Accepted Solution

by:
Aaron Tomosky earned 300 total points
ID: 39219087
Don't join using the built-in stuff. Don't have any local users the same as AD users. Download and install the free Centrify client, use that to join.

After you log in once with a domain user it will cache the hash of their password, allowing you to log in offline.
0

Author Comment

by:manch03
ID: 39229997
The Macs are not showing up in the AD even though it says they are bound to the AD. It is only the Lion operating system that we are having this issue with. The older Macs do not have a problem showing up in the AD. We did download the Centrify client and it seems to work well, but they are still not showing up in the AD.
0
 
LVL 28

Assisted Solution

by:jhyiesla
jhyiesla earned 200 total points
ID: 39230023
If OS X is saying that the binding is good - green light - then you should be able to see them in AD.  Is it possible that they are getting put into an OU or folder where you don't expect them to be placed?
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 39230032
Also, make sure you know the computer name of the Mac. I just checked mine and the computer name showing in the Sharing System Preferences is what I see in AD.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39230041
For Centrify you first unbind in OS X and clear out the computer from AD if it exists. Install Centrify, then use Centrify to join. OS X does not give a green light; it's all through Centrify.
0
