The configuration is experimental, use it at your own risk.
The configuration should NOT be used on portable Macs.
This configuration allows you to use your DFS homedirectory as your homedirectory on a Macintosh.
This has the following advantages:
- Your data will be backed up automatically.
- You have your data directly available on your Mac and on Windows.
Two steps are required:
- Changing the settings of your Active Directory (AD) account.
- Changing the configuration of your Mac.
- This configuration is not suitable for portable Macs.
- This configuration does not migrate your current local data into your DFS homedirectory.
- No local account on your Mac can have the same UID, GID or account-name as the AD account you want to use.
- You should not log in simultaneously to several Macs using this configuration (there are several Apps that can not handle this).
- Some apps store a lot of data in ~/Library, and can create lots of problems when you run out of quota:
- Adobe (~/Library/Application Support/Adobe)
- Browsers (~/Library/Caches)
- Mail (~/Library/Mail, essentialy a copy of all your mailboxes)
- Mobile device backups (~/Library/Application Support/MobileSync/Backup/)
- Parallels (~/Library/Parallels/Downloads/ for downloading updates, never cleaned?)
- Xcode (~/Library/Developer/Shared/Documentation/, strange place to share documentation)
The described configuration is supported for Mac OS >= 10.8.3. It might work with Mac OS 10.7.5, but we will not debug any issues that are discovered with MacOS < 10.8.3
Make sure there is no local account on the Mac with the same UID, GID or login-name as the AD account you want to use. Change the parameter in question if needed.
Make sure you are registered as 'Responsible' or 'Main User' in the network database for the Mac in question.
Go to "http://cern.ch/account -> Services -> Mac Desktops" and select enable the "DFS Home folder for Mac OS"
Joining the Active Directory Domain
To bind the computer with Active Directory:
- open "System Preferences/Users & Groups"
- click on "Login Options"
- unlock the "Users & Groups" pane by clicking on the lock icon
- click on "Network Account Server:" button "Join..."
In the new popdown window, enter the domain controller name "cerndc.cern.ch":
This should expand the window:
This allows you to enter the following information:
- Client Computer ID: here you should enter the name under which the Mac is registered in the network database. This might be different from the name you gave to your Mac in the "sharing" preference pane!
- AD Admin User: this is your CERN (NICE) account name, which must be different from any local account used on your Mac.
- AD Admin Password: this is your CERN (NICE) password, which might be different from the password of your local Mac account.
When done click the "OK" button and wait until the binding is finished.
The "Users & Groups" window should now look like this:
A new line appears "Allow network users to log in at login window" and the Network Account Server "CERN" with an "Edit..." button.
Clicking on "Edit..."brings up the following window:
Click on "Open Directory Utility...".
Click the lock icon to be able to make changes. From the list of services select "Active Directory". This brings up a new window:
Click on the triangle in front of "Show Advanced Options".
In the "User Experience" tab, make sure that the first two items ("Create moble account at login" and "Force local home directory on starup disk" are NOT selected!
If you also want to use afs (this configuration does not work under OS X 10.7, it requires at least 10.8): go to the "Mappings" tab, activate the first two items, fill in the text boxes as shown below:
Type in the strings shown, and not the numeric values these parameters have. Pay attention to the spelling, the case of the letters is important. Do NOT activate the item "Map group GID to attribute:".
To finish click the "OK" button at the bottom of the "Directory Utility" window and quit "Directory Utility".
Important: Selecting Accounts Allowed to Login
Per default every CERN account can now login to your Mac. This is not desirable. Click on the 'Options' button in the 'Allow network users to log in at login window' line to select which accounts are allowed to login.
Click on the '+' icon to add users that can login to your Mac.
You can select individual accounts (Network Users) or mailing lists (egroups, Network Groups).
To add a user account, select "Network Users" in th eleft part of the window. You can put a filter string in the text field filter on the account name or the user name.
- Fetching all account info from AD takes quite long
- The interface does not indicate that it is still fetching account information
- Applying the filter string takes quite long
- The interface does not indicate in any way that is still applying the filter string
- There is no way to distinguish the different accounts a user has, since only the user name is displayed, but not the account name To select the correct account from people with multiple accounts you should specify the account name as filter string.
Once you have identified the user, select it from the list and click the 'Select' button.
To allow all people from a mailing list to login to your Mac select "Network Groups" from the left part of the window, and either use a filter string or scroll through the list to select the desired list:
Again select the list in question and click the 'Select' button.
Once you are done adding users to the access list click the 'Done' button.
Your "Users & Groups" preference pane should now look like this:
Notice the '-' in front of the "Allow network users to log in at login window". If you have a tick mark instaed of the '-', you still allow all CERN account users to login to your Mac.
Login Using your AD Account
Go to the 'Fast user switching" menu, select the "Login Window..." and wait for the message "Network accounts are unavailable" to disappear, enter your "CERN" credentials (under Mac OS 10.7 use firstname.lastname, under 10.8 use the account name). If you have selected "Display login window as: 'List of Users'" (which is not recommened!), you will have to wait that the "Other..." icon is displayed, select that "Other..." and type in your CERN credentials.
Unbinding your Mac from AD will destroy the entry of your Mac in AD, and until the next sync between the network database and AD (done once every 24 hours for computers that have no change in landb, and every 10 minutes for computers with changes in landb) you will not be able to bind again to AD. You can avoid this by using a local admin account for the unbinding instead of the AD authorised account. That way you do not have the permissions to destroy the host entry in AD, but the local unbinding still succeeds.