We just made major updates to the procedure and the documentation, so please be careful.
The configuration is not suitable for portable Macs. When the CERN network is not reachable it is not possible to log in to any CERN account.
This configuration allows you to use your CERN account on a Macintosh.
This has the following advantages:
- Automatically get a kerberos token at login.
- You don't have to worry about manyually setting the UID and GID of your account.
- You don't have to synchronize your password manually.
The needed configuration steps are outlined below.
- This configuration is not suitable for portable Macs.
- This configuration does not migrate your current local data into your DFS homedirectory.
- No local account on your Mac can have the same UID, GID or account-name as the AD account you want to use.
- This configuration gives you a local homedirectory on each Mac it is applied to, it does NOT use your AFS or DFS directory as your homedirectory.
The described configuration is supported for OS X>= 10.11.3. We will not debug any issues that are discovered with older versions of OS X.
Make sure there is no local account on the Mac with the same UID, GID or login-name as the AD account you want to use. Change the parameter in question if needed.
Make sure you are registered as 'Responsible' or 'Main User' in the network database for the Mac in question.
Joining the Active Directory Domain
To bind the computer with Active Directory:
- Download the configuration profile https://information-technology.web.cern.ch/sites/information-technology.web.cern.ch/files/settingsForADwithLocalHomeDir.cfg, rename it to "settingsForADwithLocalHomeDir.mobileconfig" and open it.
- This will open Profile manager, which gives you the options to show or display the profile.
- It is always a good idea to have a look at a profile before installing it, make sure the profile is properly signed and the contents is as expected!
- Clicking install will open a dialog asking for the credentials of a CERN account that is registered as 'Responsible' or 'Main User' for the device in CERNs network database:
- You will get a second dialog box asking for the credentials of a local Mac account that has admin privileges:
The "Users & Groups / Login " window should now look like this:
To get a longer ticket lifetime and make the tickets renewable you should install the krb5.conf file from linux and put it into /etc. This also allows you to acquire afs tokens directly at login if an FAS client is installed and configured accordingly.
Important: Restrict the Accounts Allowed to Login
Per default every CERN account can now login to your Mac. This is extremely insecure. Click on the 'Options' button in the 'Allow network users to log in at login window' line to select which accounts are allowed to login.
Click on the '+' icon to add users that can login to your Mac.
You can select individual accounts (Network Users) or mailing lists (egroups, Network Groups). Using Network Groups does not work properly under OS X 10.9.
To add a user account, select "Network Users" in the left part of the window. You can put a filter string in the text field filter on the account name or the user name.
- Fetching all account info from AD takes quite long
- The interface does not indicate that it is still fetching account information
- Applying the filter string takes quite long
- The interface does not indicate in any way that is still applying the filter string
- There is no way to distinguish the different accounts a user has, since only the user name is displayed, but not the account name To select the correct account from people with multiple accounts you should specify the account name as filter string.
Once you have identified the user, select it from the list and click the 'Select' button.
To allow all people from a mailing list to login to your Mac select "Network Groups" from the left part of the window, and either use a filter string or scroll through the list to select the desired list:
Again select the list in question and click the 'Select' button.
Once you are done adding users to the access list click the 'Done' button.
Your "Users & Groups" preference pane should now look like this:
Notice the '-' in front of the "Allow network users to log in at login window". If you have a tick mark instaed of the '-', you still allow all CERN account users to login to your Mac.
Login Using your AD Account
Go to the 'Fast user switching" menu, select the "Login Window..." and wait for the message "Network accounts are unavailable" to disappear, enter your "CERN" credentials (under Mac OS 10.7 use firstname.lastname, under 10.8 use the account name). If you have selected "Display login window as: 'List of Users'" (which is not recommended!), you will have to wait that the "Other..." icon is displayed, select that "Other..." and type in your CERN credentials.
Unbinding your Mac from AD will destroy the entry of your Mac in AD, and until the next sync between the network database and AD (done once every 24 hours for computers that have no change in landb, and every 10 minutes for computers with changes in landb) you will not be able to bind again to AD. You can avoid this by using a local admin account for the unbinding instead of the AD authorised account. That way you do not have the permissions to destroy the host entry in AD, but the local unbinding still succeeds.
If you have "Screen Sharing" or "Remote Access" enabled, you must make sure that you only allow this for selected users, with the default setting all CERN accounts (even the ones blocked for good reason) would have full access to your Mac.