Last modified at 5/12/2015 9:46 AM by Kevin Burney Windows System Admin

Verify Dependencies

Confirming Date, Time, and Time Zone
Active Directory and Kerberos tolerate at most plus or minus 5 minutes of clock skew between the Domain Controller and a client.
If the time variation exceeds five minutes, the client will not be able to authenticate or bind.
The following commands show the client computer's date, time, and time zone, and set the time zone if it is incorrect (changing the time zone requires root privileges):
  • date
  • sudo systemsetup -settimezone America/Los_Angeles

Setting & Verifying Client Names

Because the LDAP traffic will be signed, the name of the Mac client has to match the name provided to AD by the Active Directory plugin. The Mac client’s name is configured in three separate places: ComputerName, HostName, and LocalHostName.
The following commands set all three client names (replace <computerid> with the computer's name):
  • scutil --set ComputerName <computerid>
  • scutil --set HostName <computerid>
  • scutil --set LocalHostName <computerid>

The following commands display the three names so you can confirm they match:
  • scutil --get ComputerName
  • scutil --get HostName
  • scutil --get LocalHostName
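The script below is added here as an example and is not part of the original page. It checks that the three names agree before you bind, which is the condition the signed LDAP traffic depends on. check_client_names and check_live_client_names are hypothetical helpers written for this example: the first takes the three names as arguments so it can be exercised anywhere, the second reads the live values with scutil on the Mac. It assumes that HostName may be fully qualified (so only its first label is compared), that the comparison is case-insensitive (host names are), and that LocalHostName is limited to letters, digits and hyphens.

```shell
#!/bin/bash
# Added example, not from the original page. Verifies that ComputerName,
# HostName and LocalHostName agree before binding the Mac to AD.

# check_client_names COMPUTERNAME HOSTNAME LOCALHOSTNAME
# Returns 0 when the three names agree, 1 otherwise, printing each
# problem to stderr. Hypothetical helper written for this example.
check_client_names() {
    ccn_computer="$1"; ccn_host="$2"; ccn_local="$3"
    # HostName may be an FQDN such as mymac.campus.berkeley.edu; compare
    # only its first label (assumption for this example).
    ccn_host_short="${ccn_host%%.*}"
    ccn_cn_lc=$(printf '%s' "$ccn_computer" | tr '[:upper:]' '[:lower:]')
    ccn_hs_lc=$(printf '%s' "$ccn_host_short" | tr '[:upper:]' '[:lower:]')
    ccn_lh_lc=$(printf '%s' "$ccn_local" | tr '[:upper:]' '[:lower:]')
    ccn_status=0
    if [ "$ccn_cn_lc" != "$ccn_hs_lc" ]; then
        echo "MISMATCH: ComputerName '$ccn_computer' vs HostName '$ccn_host'" >&2
        ccn_status=1
    fi
    if [ "$ccn_cn_lc" != "$ccn_lh_lc" ]; then
        echo "MISMATCH: ComputerName '$ccn_computer' vs LocalHostName '$ccn_local'" >&2
        ccn_status=1
    fi
    # LocalHostName is a Bonjour name: letters, digits and hyphens only.
    case "$ccn_local" in
        *[!A-Za-z0-9-]*)
            echo "INVALID: LocalHostName '$ccn_local' may only contain letters, digits and hyphens" >&2
            ccn_status=1 ;;
    esac
    return $ccn_status
}

# Read the live values with scutil (macOS only) and run the check.
check_live_client_names() {
    check_client_names "$(scutil --get ComputerName)" \
                       "$(scutil --get HostName)" \
                       "$(scutil --get LocalHostName)"
}
```

Run check_live_client_names on the Mac after the three scutil --set commands; a non-zero exit status means the names still differ and the bind should not be attempted yet.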

Binding the client to AD and configuring the Active Directory plugin:

Commands to Bind Mac Client to AD

Run a command like the one below, replacing the quoted placeholders with the appropriate values:
dsconfigad -force -add campus.berkeley.edu -ou "Full OU path to computer object,DC=campus,DC=berkeley,DC=edu" -username "UserAccount with access to add to OU" -computer "Computer to Add" -packetencrypt ssl -packetsign required -password "Password to account that has rights to add computer" -localuser "Local Mac User Account" -localpassword "Mac Password"

Example

dsconfigad -force -add campus.berkeley.edu -ou "OU=Test,OU=SomeOU,DC=campus,DC=berkeley,DC=edu" -username pvt-AddMac -computer MyMac -packetencrypt ssl -packetsign required -password AddMac2Domain -localuser root -localpassword letmeIN!!!
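The wrapper below is an added example, not code from the original page or from Apple. It builds the -ou distinguished name from the domain and a top-down OU path, which is where bind commands most often go wrong (LDAP lists the leaf OU first, so the page's "OU=Test,OU=SomeOU,..." means Test sits inside SomeOU), and then runs dsconfigad under sudo. domain_to_dc, build_ou_dn and bind_mac_to_ad are hypothetical helpers written for this example. It assumes that dsconfigad prompts for the join account's password when -password is omitted, which keeps that password out of shell history and process listings, and that running under sudo makes -localuser/-localpassword unnecessary.

```shell
#!/bin/bash
# Added example, not from the original page: assemble and run the AD bind.

# domain_to_dc campus.berkeley.edu  ->  DC=campus,DC=berkeley,DC=edu
domain_to_dc() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# build_ou_dn "SomeOU/Test" campus.berkeley.edu
#   -> OU=Test,OU=SomeOU,DC=campus,DC=berkeley,DC=edu
# The path is written parent-first (as in the AD console tree) and reversed
# here, because a distinguished name lists the leaf first.
build_ou_dn() {
    bod_ou_path="$1"; bod_domain="$2"
    bod_ou_part=$(printf '%s' "$bod_ou_path" | awk -F/ '{
        for (i = NF; i >= 1; i--) printf "OU=%s,", $i
    }')
    printf '%s%s' "$bod_ou_part" "$(domain_to_dc "$bod_domain")"
}

# bind_mac_to_ad DOMAIN "Parent/Child" JOIN_USER COMPUTER_NAME  (macOS only)
# Assumption: with -password omitted, dsconfigad prompts for the join
# account's password, so it never appears on the command line.
bind_mac_to_ad() {
    bma_domain="$1"; bma_ou_path="$2"; bma_user="$3"; bma_computer="$4"
    bma_ou_dn=$(build_ou_dn "$bma_ou_path" "$bma_domain")
    echo "Binding $bma_computer to $bma_domain in $bma_ou_dn as $bma_user"
    sudo dsconfigad -force -add "$bma_domain" -ou "$bma_ou_dn" \
        -username "$bma_user" -computer "$bma_computer" \
        -packetencrypt ssl -packetsign required
}
```

A call matching the page's example would be bind_mac_to_ad campus.berkeley.edu "SomeOU/Test" pvt-AddMac MyMac; OU names containing commas would need LDAP escaping, which this helper does not perform.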

Once the bind process is complete, you will have to verify that the proper search paths were configured.
Without these search paths the Mac client will not be able to locate objects in Active Directory.

Creating & Testing Search Paths

In 10.7 and later the search paths should be automatically created as part of the bind process.

Test Search Paths

When the appropriate search paths have been created you can verify that the Mac client can locate Active Directory user objects using the “dscl” or “id” command.
  • dscl /Search -read /Users/<AD Username>
  • id <AD Username>

Test Authentication

If the Mac client is able to successfully search Active Directory, the next step is to test authentication. Authentication can be tested using the "dscl" or "su" commands. Enter either of the following commands and the account’s password when prompted:
  • dscl /Search -authonly <AD Username>
  • su <AD Username>

Configuring Login Window for AD

On Mac clients that are bound to Active Directory with the login window configured for “List of users”, the "Other..." user option may not appear in the list of users for up to 30 seconds.
Because a user cannot log onto a Mac client with the login window configured for “List of Users” until the "Other..." user option appears, we recommend configuring the login window for “Name and password.”

Note: With the login window configured for “Name and password” the client will sometimes display a red “gumball” indicator with a message that says “Network accounts are unavailable” or a yellow “gumball” indicator with a message that says “Some network accounts are not available” for up to 30 seconds.

If the login window is configured to allow Automatic login, a user may not have the opportunity to change to their AD user.
We recommend that the login window is set to disable "Automatic login".

The following steps will configure a Mac client login window for Name and Password & disable Automatic login:

    GUI
  1. Open System Preferences and choose: Users & Groups
  2. Click the lock icon in the lower left corner and enter your administrator account password.
  3. Click the Login Options button in the lower left.
  4. In the "Display login window as:" section, click the "Name and password" option.
  5. In the "Automatic login:" section, select "Off" from the drop-down menu.
  6. Close System Preferences.
  7. Log out to verify the login window is configured correctly.
    CLI
  1. Make sure System Preferences is not open.
  2. Open Terminal (in /Applications/Utilities).
  3. Optionally, to see the current Display login window setting, execute this command:
    • sudo defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
    Note:
    - SHOWFULLNAME = 0 (FALSE) indicates "List of users"
    - SHOWFULLNAME = 1 (TRUE) indicates "Name and password"
  4. To use the "Name and password" setting, execute this command:
    • sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
  5. Optionally, to see the current Automatic login setting, execute this command:
    • sudo defaults read /Library/Preferences/com.apple.loginwindow
    Note:
    - autoLoginUser = " "; indicates Automatic login: Off
    - if there is no entry for autoLoginUser; indicates Automatic login: Off
    - autoLoginUser = username; indicates Automatic login: Enabled
  6. To disable the "Automatic login" setting, execute this command:
    • sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser " "
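The script below is an added example and not part of the original page. It reads the two loginwindow keys from the output of sudo defaults read /Library/Preferences/com.apple.loginwindow, reports the effective settings using the interpretation given in the notes above (SHOWFULLNAME 0 or absent means "List of users", 1 means "Name and password"; autoLoginUser absent or blank means Automatic login is off), and can apply the recommended values. plist_value, loginwindow_display, loginwindow_autologin, apply_recommended_loginwindow and the two constructed samples are hypothetical helpers written for this example; the samples imitate the dictionary format defaults(1) prints.

```shell
#!/bin/bash
# Added example, not from the original page: inspect and set the login
# window preferences that matter for AD logins.

# plist_value KEY TEXT: extract one value from defaults(1) dictionary output,
#   SHOWFULLNAME = 1;     -> 1
#   autoLoginUser = " ";  -> a single space (surrounding quotes stripped)
plist_value() {
    pv_key="$1"; pv_text="$2"
    printf '%s\n' "$pv_text" \
        | sed -n "s/^ *$pv_key *= *\\(.*\\);.*/\\1/p" \
        | sed 's/^"//; s/"$//'
}

# "Name and password" when SHOWFULLNAME is 1, otherwise "List of users"
# (0 or no key at all, which is the macOS default).
loginwindow_display() {
    case "$(plist_value SHOWFULLNAME "$1")" in
        1) echo "Name and password" ;;
        *) echo "List of users" ;;
    esac
}

# "Off" when autoLoginUser is missing or blank, otherwise the account name.
loginwindow_autologin() {
    la_user=$(plist_value autoLoginUser "$1" | sed 's/^ *//; s/ *$//')
    if [ -z "$la_user" ]; then
        echo "Off"
    else
        echo "Enabled: $la_user"
    fi
}

# Report the live settings (macOS only; needs an administrator account).
report_live_loginwindow() {
    rl_text=$(sudo defaults read /Library/Preferences/com.apple.loginwindow)
    echo "Display login window as: $(loginwindow_display "$rl_text")"
    echo "Automatic login:         $(loginwindow_autologin "$rl_text")"
}

# Apply the two commands recommended above (macOS only).
apply_recommended_loginwindow() {
    sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool TRUE
    sudo defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser " "
}

# Constructed samples of defaults(1) output: a client still on the default
# list view with automatic login for a local account, and one configured as
# recommended.
SAMPLE_BEFORE='{
    SHOWFULLNAME = 0;
    autoLoginUser = localadmin;
}'
SAMPLE_AFTER='{
    SHOWFULLNAME = 1;
    autoLoginUser = " ";
}'

echo "before: display=$(loginwindow_display "$SAMPLE_BEFORE"); autologin=$(loginwindow_autologin "$SAMPLE_BEFORE")"
echo "after:  display=$(loginwindow_display "$SAMPLE_AFTER"); autologin=$(loginwindow_autologin "$SAMPLE_AFTER")"
```

On a real client, run report_live_loginwindow before and after apply_recommended_loginwindow; a result of anything other than "Name and password" and "Off" means the login window is still in a state where AD users may be unable to log in.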