Integrate your Mac with CERN infrastructure

Purpose

This configuration allows you to use your NICE credentials on a Macintosh.
You will then have the choice between two configurations for where your Mac home directory (profile) is stored.

Two steps are required:

  1. Changing the settings of your Active Directory (AD) account.
  2. Changing the configuration of your Mac.

Limitations

  • This configuration does not migrate your existing local data into your DFS home directory.
  • No local account on your Mac may have the same UID, GID or account name as the AD account you want to use.
  • Using both a Windows and a Mac profile on the same DFS home makes some hidden Mac files visible on Windows and can generate synchronisation warnings.

Prerequisites

The described configuration is supported for Mac OS X 10.8.3 or later. It might work with 10.7.5, but issues found on versions older than 10.8.3 will not be debugged.

Preparations

Make sure there is no local account on the Mac with the same UID, GID or login name as the AD account you want to use; if there is one, change the conflicting value before binding.

Make sure you are registered as 'Responsible' or 'Main User' in the network database for the Mac in question.

Go to http://cern.ch/account -> Services -> Mac Desktops and enable "DFS Home folder for Mac OS".
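The UID/GID/name check from the first preparation step, as a script. This is an added example and not part of the CERN page: it compares the AD account you intend to use against the local accounts reported by dscl and refuses to let you continue while a collision exists. The AD account's name, UID and GID are inputs you supply (the sample values jdoe/1001/20, the local account names and the listings below are constructed for the demo; on a real Mac the listings come from `dscl . -list /Users UniqueID` and `dscl . -list /Users PrimaryGroupID`).

```shell
#!/bin/sh
# Added example, not from the CERN page: check, before binding, that no local
# account on this Mac collides with the AD account you intend to use.
# The constructed sample listings mimic the output of
#   dscl . -list /Users UniqueID         ->  "<name> <uid>" per line
#   dscl . -list /Users PrimaryGroupID   ->  "<name> <gid>" per line

# find_conflicts NAME UID GID UID_LISTING GID_LISTING
# Prints one line per collision; returns 1 if any was found, 0 otherwise.
find_conflicts() {
  ad_name=$1 ad_uid=$2 ad_gid=$3 rc=0
  # account name and UID collisions
  while read -r name uid; do
    [ -n "$name" ] || continue
    if [ "$name" = "$ad_name" ]; then
      echo "CONFLICT: local account '$name' has the same name as the AD account"; rc=1
    fi
    if [ "$uid" = "$ad_uid" ]; then
      echo "CONFLICT: local account '$name' already uses UID $uid"; rc=1
    fi
  done <<EOF
$4
EOF
  # primary GID collisions
  while read -r name gid; do
    [ -n "$name" ] || continue
    if [ "$gid" = "$ad_gid" ]; then
      echo "CONFLICT: local account '$name' already uses primary GID $gid"; rc=1
    fi
  done <<EOF
$5
EOF
  return "$rc"
}

# check_live NAME UID GID: the same check against this Mac's local directory.
check_live() {
  find_conflicts "$1" "$2" "$3" \
    "$(dscl . -list /Users UniqueID)" \
    "$(dscl . -list /Users PrimaryGroupID)"
}

# Constructed sample: a Mac with a local user "jdoe", a "localadmin" and the
# usual system accounts (values made up for the demo).
SAMPLE_UIDS='jdoe 501
localadmin 502
root 0
nobody -2'
SAMPLE_GIDS='jdoe 20
localadmin 20
root 0
nobody -2'

if [ "$#" -eq 3 ]; then
  check_live "$@" && echo "no conflicts: safe to bind"
else
  # Demo: the AD account "jdoe" with an assumed UID 1001 and GID 20 collides
  # on the name and on the primary GID, so the script refuses.
  find_conflicts jdoe 1001 20 "$SAMPLE_UIDS" "$SAMPLE_GIDS" || echo "resolve the conflicts above before binding"
fi
```

Run it as `sh check.sh <ad-account> <uid> <gid>` on the Mac; rename the local account or change its UID/GID until it prints "no conflicts".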

Joining the Active Directory Domain

To bind the computer with Active Directory:

  • open "System Preferences / Users & Groups"
  • click "Login Options"
  • unlock the "Users & Groups" pane by clicking the lock icon
  • click the "Join..." button next to "Network Account Server:"

In the sheet that drops down, enter the domain controller name "cerndc.cern.ch". The sheet then expands and asks for the following information:

  • Client Computer ID: here you should enter the name under which the Mac is registered in the network database. This might be different from the name you gave to your Mac in the "sharing" preference pane!
  • AD Admin User: this is your CERN (NICE) account name, which must be different from any local account used on your Mac.
  • AD Admin Password: this is your CERN (NICE) password, which might be different from the password of your local Mac account.

When done click the "OK" button and wait until the binding is finished.

The "Users & Groups" window should now look like this:

A new line has appeared "Allow network users to log in at login window" and the Network Account Server "CERN" with an "Edit..." button.

Clicking on "Edit..." brings up the following window:

Click on "Open Directory Utility...".

Click the lock icon to be able to make changes. From the list of services select "Active Directory". This brings up a new window:

----------------------------------------------------------------------------------------------------------------

You now have two possibilities:

a.  Keep your home directory as a local folder on your Mac

  • + SSO

b. Have your Mac home directory stored directly on DFS (not appropriate for portable computers)

  • + SSO
  • + Backup of the files in your home directory
  • - With this configuration you should not log in simultaneously to several Macs, as several apps cannot handle this.

We recommend option a: it is the only one suitable for portable computers and avoids the simultaneous-login and quota problems of option b.

Click on the triangle in front of  "Show Advanced Options".

a.  Keep your home directory as a local folder on your Mac

Leave the checkbox "Force local home directory on startup disk" checked.
Make sure "Use UNC path from Active Directory to derive network home location" is not checked.
For a portable it is essential to also check "Create mobile account at login"; otherwise you will not be able to log in without a network connection.

b. Have your Mac home directory stored directly on DFS (not appropriate for portable computers)

In the "User Experience" tab, make sure that the first two items, "Create mobile account at login" and "Force local home directory on startup disk", are NOT selected.

Some apps store a lot of data in ~/Library and cause problems once you run out of DFS quota:

  • Adobe (~/Library/Application Support/Adobe)
  • Browsers (~/Library/Caches)
  • Mail (~/Library/Mail, essentially a copy of all your mailboxes)
  • Mobile device backups (~/Library/Application Support/MobileSync/Backup/)
  • Parallels (~/Library/Parallels/Downloads/, used for downloading updates and apparently never cleaned)
  • Xcode (~/Library/Developer/Shared/Documentation/, an odd place for shared documentation)

-------------------------------------------------------------------------------------------------------------

If you also want to use AFS (this configuration does not work under OS X 10.7; it requires at least 10.8): go to the "Mappings" tab, activate the first two items ("Map UID to attribute" and "Map user GID to attribute") and fill in the text boxes as shown in the screenshot.

Type in the attribute names exactly as shown, as strings, not the numeric values these parameters resolve to. Pay attention to the spelling: the case of the letters is important. Do NOT activate the item "Map group GID to attribute:".

To finish click the "OK" button at the bottom of the "Directory Utility" window and quit "Directory Utility".
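The same binding and Directory Utility settings can be applied, or audited, from a Terminal with Apple's dsconfigad(8). The script below is an added example, not part of the CERN page, whose procedure is the GUI one above. COMPUTER_ID, AD_USER, UID_ATTR, GID_ATTR and LOCAL_ADMIN are names chosen here and must be filled in by you (the attribute names for the Mappings tab are the ones in the page's screenshot, which is not reproduced); the `-useuncpath enable -protocol smb` pair for option b is an assumption about how a DFS home is reached, and the unbind function is the command-line analogue of the warning at the end of this page (unbind with local admin rights, not with the AD-authorised account).

```shell
#!/bin/sh
# Added example, not from the CERN page: dsconfigad(8) equivalents of the
# Directory Utility steps.  Run as root.  DRY_RUN=1 prints the commands
# instead of executing them, which is handy for review.
DOMAIN=cerndc.cern.ch            # domain controller name from the page
COMPUTER_ID=${COMPUTER_ID:-}     # the Mac's name in the CERN network database
AD_USER=${AD_USER:-}             # your NICE account (must not be a local account name)

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Join the domain.  -password is deliberately omitted: dsconfigad prompts for
# it, so the NICE password never lands in the shell history or process list.
bind() {
  [ -n "$COMPUTER_ID" ] && [ -n "$AD_USER" ] || { echo "set COMPUTER_ID and AD_USER" >&2; return 1; }
  run dsconfigad -add "$DOMAIN" -computer "$COMPUTER_ID" -username "$AD_USER"
}

# Option a: "Force local home directory on startup disk" on, "Use UNC path ..."
# off, "Create mobile account at login" on (a portable must log in offline).
home_local() {
  run dsconfigad -localhome enable -useuncpath disable -mobile enable
}

# Option b: the two "User Experience" items off; the home comes from the AD
# UNC path over SMB (assumed: that is how DFS is reached).
home_on_dfs() {
  run dsconfigad -localhome disable -mobile disable -useuncpath enable -protocol smb
}

# Mappings tab for AFS: UID and user GID mapped to the attribute names from
# the page's screenshot (case-sensitive strings); group GID mapping stays off.
map_afs_ids() {
  [ -n "${UID_ATTR:-}" ] && [ -n "${GID_ATTR:-}" ] || { echo "set UID_ATTR and GID_ATTR to the attribute names shown on the page" >&2; return 1; }
  run dsconfigad -uid "$UID_ATTR" -gid "$GID_ATTR" -noggid
}

# Show the binding and the options actually in force; compare with the above.
show() { run dsconfigad -show; }

# Unbind with a local admin account: it cannot delete the computer object in
# AD (so the entry survives), and -force removes the local binding anyway.
# dsconfigad prompts for the password because none is given on the command line.
unbind_locally() {
  [ -n "${LOCAL_ADMIN:-}" ] || { echo "set LOCAL_ADMIN to a local admin account name" >&2; return 1; }
  run dsconfigad -remove -force -username "$LOCAL_ADMIN"
}

case "${1:-}" in
  bind)   bind ;;
  local)  home_local ;;
  dfs)    home_on_dfs ;;
  afs)    map_afs_ids ;;
  show)   show ;;
  unbind) unbind_locally ;;
  *)      echo "usage: $0 bind|local|dfs|afs|show|unbind" ;;
esac
```

Typical use: `COMPUTER_ID=<landb name> AD_USER=<nice account> sudo -E sh ad.sh bind`, then `sudo sh ad.sh local` (or `dfs`), and `sudo sh ad.sh show` to confirm that the options match the choice you made; `dsconfigad -show` is also the quickest way to audit a Mac someone else configured.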

Important: Selecting Accounts Allowed to Log in

By default every CERN account can now log in to your Mac. This is not desirable: left unrestricted, any CERN account holder can log in interactively and, with option a, obtain a cached mobile account and a local home directory on your disk. Click the 'Options' button in the 'Allow network users to log in at login window' line to select which accounts are allowed to log in.

Click on the '+' icon to add users that can login to your Mac.

You can select individual accounts (Network Users) or mailing lists (egroups, Network Groups).

To add a user account, select "Network Users" in the left part of the window. You can type a filter string in the text field to filter on the account name or the user name.

Known issues at the time of writing:

  • Fetching all account information from AD takes quite long.
  • The interface does not indicate that it is still fetching account information.
  • Applying the filter string takes quite long.
  • The interface does not indicate in any way that it is still applying the filter string.
  • There is no way to distinguish the different accounts a user has, since only the user name is displayed, not the account name. To select the correct account of a person with multiple accounts, specify the account name as the filter string.

Once you have identified the user, select it from the list and click the 'Select' button.

To allow all members of a mailing list to log in to your Mac, select "Network Groups" in the left part of the window and either use a filter string or scroll through the list to find the desired list:

Again select the list in question and click the 'Select' button.

Once you are done adding users to the access list click the 'Done' button.

Your "Users & Groups" preference pane should now look like this:

Notice the '-' in front of "Allow network users to log in at login window". If you see a tick mark instead of the '-', the list is not restricted and every CERN account can still log in to your Mac.

Log in Using your AD Account

Go to the "Fast user switching" menu, select "Login Window..." and wait for the message "Network accounts are unavailable" to disappear, then enter your CERN credentials (under Mac OS 10.7 use firstname.lastname, under 10.8 use the account name). If you have selected "Display login window as: List of users" (not recommended), wait until the "Other..." icon is displayed, select it and type in your CERN credentials.

If asked to create a mobile account, click "Create Now".

Once logged in with your NICE account, open the Users & Groups pane in System Preferences.

Unlock the pane (with your local Mac admin account), select your NICE account in the list and check "Allow user to administer this computer".

Click "OK". After a restart your NICE account has administrator privileges on your Mac. This grants admin rights to that one account only; other network accounts allowed to log in remain standard users.

Additional steps if you chose to have your home directory synchronised with your CERN home directory on DFS.

Open the Users & Groups pane in System Preferences, unlock the pane and select your NICE account in the list.

Click the "Settings" button next to "Mobile account".

Set sync to "Automatically", check "Show status in menu bar", select all folders except Library and click "OK".

If your Mac was already FileVault encrypted, an additional step is needed to allow your NICE account to unlock the drive; until it is done, only the accounts already enabled for FileVault can boot the Mac.

Open System Preferences, choose Security & Privacy and open the FileVault tab.

Unlock the tab and click the "Enable Users..." button.
Then click "Enable User" next to the account concerned, type in your NICE password and click "OK" and "Done".
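The three account controls above (the login allow-list, the admin checkbox, the FileVault user) can also be set and, more usefully, verified from a Terminal. The script below is an added example and not part of the CERN page: it uses Apple's dseditgroup(8), dscl(1) and fdesetup(8), and assumes that the "Allow network users to log in at login window" list is the local group com.apple.access_loginwindow (the page only shows the dialog). The account name jdoe, the e-group name and the two sample listings are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the CERN page: command-line counterparts of the
# post-binding steps (login allow-list, admin rights, FileVault) with checks.
# Run as root.  DRY_RUN=1 prints the commands instead of running them.
# Assumption: the allow-list behind the "Options" dialog is this local group.
ACL_GROUP=com.apple.access_loginwindow

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# While the allow-list group is absent every CERN account can log in
# (the tick mark rather than the '-' in the preference pane).
ensure_allowlist() {
  dscl . -read "/Groups/$ACL_GROUP" >/dev/null 2>&1 || run dseditgroup -o create "$ACL_GROUP"
}
allow_user()  { ensure_allowlist; run dseditgroup -o edit -a "$1" -t user  "$ACL_GROUP"; }  # "Network Users"
allow_group() { ensure_allowlist; run dseditgroup -o edit -a "$1" -t group "$ACL_GROUP"; }  # "Network Groups" (e-groups)

# allowlist_status LISTING: interpret `dscl . -read /Groups/com.apple.access_loginwindow`.
# An empty listing (group absent) means unrestricted; returns 1 in that case.
allowlist_status() {
  if [ -z "$1" ]; then echo "unrestricted: every CERN account can log in"; return 1; fi
  users=$(printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p')
  nested=$(printf '%s\n' "$1" | sed -n 's/^NestedGroups: *//p')
  echo "restricted: users=[${users:-none}] nested-groups=[${nested:-none}]"
}

# Admin rights for one account only (same as "Allow user to administer this
# computer"); other network users on the allow-list stay unprivileged.
make_admin() { run dseditgroup -o edit -a "$1" -t user admin; }
is_admin()   { dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1; }

# FileVault: add the account as an enabled user.  fdesetup prompts for the
# password of an already enabled user and for the NICE password.
enable_fv_unlock() { run fdesetup add -usertoadd "$1"; }
# fv_enabled_for ACCOUNT LISTING: parse `fdesetup list` ("name,GUID" per line).
fv_enabled_for() {
  printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Constructed samples (GUIDs made up) of what the two reads return after
# "jdoe" and one e-group were allowed to log in, and after "localadmin" and
# "jdoe" were enabled for FileVault.
SAMPLE_ACL='AppleMetaNodeLocation: /Local/Default
GeneratedUID: 0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9
GroupMembership: jdoe
NestedGroups: ABCDEF01-2345-6789-ABCD-EF0123456789
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups'
SAMPLE_FV='localadmin,11111111-2222-3333-4444-555555555555
jdoe,66666666-7777-8888-9999-AAAAAAAAAAAA'

case "${1:-}" in
  allow-user)  allow_user "$2" ;;
  allow-group) allow_group "$2" ;;
  admin)       make_admin "$2" ;;
  filevault)   enable_fv_unlock "$2" ;;
  check)       allowlist_status "$(dscl . -read "/Groups/$ACL_GROUP" 2>/dev/null)"
               is_admin "$2" && echo "$2 is a local admin"
               fv_enabled_for "$2" "$(fdesetup list)" && echo "$2 can unlock the disk" ;;
  *)           allowlist_status "$SAMPLE_ACL"
               fv_enabled_for jdoe "$SAMPLE_FV" && echo "sample: jdoe is FileVault-enabled" ;;
esac
```

`sudo sh post.sh check <nice-account>` is the useful part: it tells you in one go whether the login list is actually restricted, whether the account is an admin, and whether it can unlock the disk, which is what you want to confirm after the GUI steps and again before lending the Mac to anyone.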

Warning if you unbind your Mac from AD

Unbinding your Mac from AD with the AD-authorised account deletes your Mac's computer entry in AD. Until the next sync between the network database (landb) and AD (once every 24 hours for computers without changes in landb, every 10 minutes for computers with changes) you will not be able to bind again. You can avoid this by performing the unbinding with a local admin account instead of the AD-authorised account: that account lacks the permission to delete the host entry in AD, so the entry survives, while the local unbinding still succeeds.