Integrate your Mac with CERN infrastructure

Purpose

This configuration allows you to use your CERN (NICE) credentials on a Macintosh.
You will then have the choice between two configurations to store your Mac profile.
 
Two steps are required:

  1. Changing the settings of your Active Directory (AD) account.
  2. Changing the configuration of your Mac.

Limitations

  • This configuration neither migrates nor synchronizes your local data to your DFS home directory.
  • No local account on your Mac can have the same UID, GID or account name as the AD account you want to use.
  • You cannot change the CERN password from the Mac; you have to change it via the accounts web site.
  • When you change the CERN password on the accounts web site, you will be asked to change the keychain password on the Mac the next time you log in.
  • When you change the CERN password on the accounts web site, the FileVault password will not be updated.

Prerequisites

The described configuration is supported for Mac OS >= 10.8.3. It might work with Mac OS 10.7.5, but we will not debug any issues discovered with Mac OS < 10.8.3.

Preparations

Make sure there is no local account on the Mac with the same UID, GID or login name as the AD account you want to use. Change the parameter in question if needed.

Make sure you are registered as 'Responsible' or 'Main User' in the network database for the Mac in question.

Go to http://cern.ch/account -> Services -> Mac Desktops and enable the option "DFS Home folder for Mac OS".

Joining the Active Directory Domain

To bind the computer with Active Directory:

  • open "System Preferences/Users & Groups"
  • click on "Login Options"
  • unlock the "Users & Groups" pane by clicking on the lock icon
  • click on the "Join..." button next to "Network Account Server:"

In the new pop-up window, enter the domain controller name "cerndc.cern.ch". This should expand the window and allow you to enter the following information:

  • Client Computer ID: here you should enter the name under which the Mac is registered in the network database. This might be different from the name you gave to your Mac in the "sharing" preference pane!
  • AD Admin User: this is your CERN (NICE) account name, which must be different from any local account used on your Mac.
  • AD Admin Password: this is your CERN (NICE) password, which might be different from the password of your local Mac account.

When done click the "OK" button and wait until the binding is finished.

The "Users & Groups" window should now show a new line "Allow network users to log in at login window" and the Network Account Server "CERN" with an "Edit..." button.

Clicking on "Edit..." brings up a new window.

Click on "Open Directory Utility...".

Click the lock icon to be able to make changes. From the list of services select "Active Directory". This brings up a new window:

Click on the triangle in front of "Show Advanced Options".

Leave the checkbox "Force local home directory on startup disk" checked.
Make sure "Use UNC path from Active Directory to derive network home location" is not checked.
For a portable it is essential to also check the box "Create mobile account at login"; otherwise you will not be able to log in without a network connection.

For some use cases it might be useful to use the UID and GID as registered in Active Directory instead of randomly chosen ones. To achieve this, go to the 'Mappings' tab and apply the following settings:

Type in the strings shown, not the numeric values these parameters have. Pay attention to the spelling; the case of the letters is important. Do NOT activate the item "Map group GID to attribute:".

To finish click the "OK" button at the bottom of the "Directory Utility" window and quit "Directory Utility".

Important: Selecting Accounts Allowed to Log in

By default, every CERN account can now log in to your Mac. This is not desirable. Click on the 'Options' button in the 'Allow network users to log in at login window' line to select which accounts are allowed to log in.

Click on the '+' icon to add users that can log in to your Mac.

You can select individual accounts (Network Users) or mailing lists (egroups, Network Groups).

To add a user account, select "Network Users" in the left part of the window. You can type a filter string in the text field to filter on the account name or the user name.

Current issues:

  • Fetching all account information from AD takes quite long.
  • The interface does not indicate that it is still fetching account information.
  • Applying the filter string takes quite long.
  • The interface does not indicate in any way that it is still applying the filter string.
  • There is no way to distinguish the different accounts a user has, since only the user name is displayed, not the account name. To select the correct account for people with multiple accounts, specify the account name as the filter string.

Once you have identified the user, select it from the list and click the 'Select' button.

To allow all people on a mailing list to log in to your Mac, select "Network Groups" from the left part of the window, and either use a filter string or scroll through the list to select the desired group:

Again select the list in question and click the 'Select' button.

Once you are done adding users to the access list, click the 'Done' button.

Your "Users & Groups" preference pane should now show a '-' in front of "Allow network users to log in at login window". If you have a tick mark instead of the '-', you still allow all CERN account users to log in to your Mac.
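The Advanced Options above (local home, UNC path, mobile account, group GID mapping) and the '-' versus tick mark on the login-window restriction can be verified from a terminal instead of by eye. The bash functions below are an added example, not part of the CERN page: they parse the text report of `dsconfigad -show` and the `dscl` record of the local group com.apple.access_loginwindow, whose field labels and group name are assumed here, and they run against a constructed sample report.

```bash
#!/bin/bash
# Added example, not from the CERN page: audit a bound Mac against the
# Directory Utility settings recommended above, by parsing the text report of
# `dsconfigad -show`. ASSUMPTION: option labels match the report's wording.

# Print the value after "<label> =" in the report, padding trimmed.
ad_setting() {   # $1 = report text, $2 = label
    printf '%s\n' "$1" | awk -F' = ' -v want="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == want { print $2; exit }'
}

# Compare one setting with its expected value; print a finding; 0 = ok.
check_setting() {   # $1 = report text, $2 = label, $3 = expected value
    local value
    value=$(ad_setting "$1" "$2")
    [ "$value" = "$3" ] && { echo "ok   $2 = $value"; return 0; }
    echo "FAIL $2 = ${value:-<missing>} (expected $3)"; return 1
}

# Return 0 only when the Mac is bound and every recommended option holds.
audit_ad_binding() {
    local report="$1" rc=0
    [ -n "$(ad_setting "$report" "Active Directory Domain")" ] ||
        { echo "FAIL not bound to Active Directory"; return 1; }
    check_setting "$report" "Force home to startup disk"     "Enabled"  || rc=1
    check_setting "$report" "Use Windows UNC path for home"  "Disabled" || rc=1
    check_setting "$report" "Create mobile account at login" "Enabled"  || rc=1
    check_setting "$report" "Mapping group GID to attribute" "not set"  || rc=1
    return "$rc"
}

# The '-' vs tick mark on "Allow network users to log in" corresponds to the
# local SACL group com.apple.access_loginwindow (assumed); feed this function
# the output of: dscl . -read /Groups/com.apple.access_loginwindow 2>&1
audit_login_access() {
    case "$1" in ""|*eDSRecordNotFound*)
        echo "FAIL every CERN account may log in to this Mac"; return 1 ;; esac
    echo "ok   login restricted to:$(printf '%s\n' "$1" |
        awk '/^(GroupMembership|NestedGroups):/ { $1 = ""; printf "%s", $0 }')"
}

# Constructed sample report (not captured from a real Mac) with the UNC path
# option wrongly enabled; on the Mac use: audit_ad_binding "$(dsconfigad -show)"
SAMPLE_REPORT='Active Directory Domain          = cern.ch
  Create mobile account at login = Enabled
  Force home to startup disk     = Enabled
  Use Windows UNC path for home  = Enabled
  Mapping group GID to attribute = not set'
audit_ad_binding "$SAMPLE_REPORT" || echo "audit failed with exit status $?"
```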

Log in Using your AD Account

Go to the "Fast user switching" menu, select "Login Window..." and wait for the message "Network accounts are unavailable" to disappear, then enter your CERN credentials (under Mac OS 10.7 use firstname.lastname, under 10.8 use the account name). If you have selected "Display login window as: 'List of Users'" (which is not recommended!), you will have to wait until the "Other..." icon is displayed, select that "Other..." and type in your CERN credentials.

If asked to create a mobile account, click on "Create Now".

Once logged in with your CERN account, open the Users & Groups pane in System Preferences.

Unlock the pane (with your local Mac account), select your CERN account in the list and check "Allow user to administer this computer".

Click on "OK". After restarting, your CERN account will have administrator privileges on your Mac.

Warning if you unbind your Mac from AD

Unbinding your Mac from AD will destroy the entry of your Mac in AD, and until the next sync between the network database and AD (done once every 24 hours for computers that have no change in landb, and every 10 minutes for computers with changes in landb) you will not be able to bind to AD again. You can avoid this by using a local admin account for the unbinding instead of the AD-authorised account. That way you do not have the permissions to destroy the host entry in AD, but the local unbinding still succeeds.
