Use your CERN account for Authentication (obsolete, unsupported)

Under Construction!

We just made major updates to the procedure and the documentation, so please be careful.


The configuration is not suitable for portable Macs.  When the CERN network is not reachable it is not possible to log in to any CERN account.


This configuration allows you to use your CERN account on a Macintosh.

This has the following advantages:

  • Automatically get a kerberos token at login.
  • You don't have to worry about manyually setting the UID and GID of your account.
  • You don't have to synchronize your password manually.

The needed configuration steps are outlined below.


  • This configuration is not suitable for portable Macs.
  • This configuration does not migrate your current local data into your DFS homedirectory.
  • No local account on your Mac can have the  same UID, GID or account-name as the AD account you want to use.
  • This configuration gives you a local homedirectory on each Mac it is applied to, it does NOT use your AFS or DFS directory as your homedirectory.
  • It is not possible (and should not be tried) to change the CERN account from the Mac.
  • After a change of the CERN account password the user needs to update the password of Mac keychain. A popup will remind him.
  • The password used to decrypt a Filevault encrypted boot partition is NOT updated when the CERN account password is changed. A manual intervention is required to update the Filevault password.


The described configuration is supported for OS X>= 10.11.3. We will not debug any issues that are discovered with older versions of OS X.


Make sure there is no local account on the Mac with the same UID, GID or login-name as the AD account you want to use. Change the parameter in question if needed.

Make sure you are registered as 'Responsible' or 'Main User' in the network database for the Mac in question.

Joining the Active Directory Domain

To bind the computer with Active Directory:

  • Clicking install will open a dialog asking for the credentials of a CERN account that is registered as 'Responsible' or 'Main User' for the device in CERNs network database:

  • You will get a second dialog box asking for the credentials of a local Mac account that has admin privileges:


The "Users & Groups / Login " window should now look like this:


To get a longer ticket lifetime and make the tickets renewable you should install the krb5.conf file from linux and put it into /etc. This also allows you to acquire afs tokens directly at login if an FAS client is installed and configured accordingly.

Important: Restrict the Accounts Allowed to Login

Per default every CERN account can now login to your Mac. This is extremely insecure. Click on the 'Options' button in the 'Allow network users to log in at login window' line to select which accounts are allowed to login.

Click on the '+' icon to add users that can login to your Mac.

You can select individual accounts (Network Users) or mailing lists (egroups, Network Groups). Using Network Groups does not work properly under OS X 10.9.

To add a user account, select "Network Users" in the left part of the window. You can put a filter string in the text field filter on the account name or the user name.

Actual issues:

  • Fetching all account info from AD takes quite long
  • The interface does not indicate that it is still fetching account information
  • Applying the filter string takes quite long
  • The interface does not indicate in any way that is still applying the filter string
  • There is no way to distinguish the different accounts a user has, since only the user name is displayed, but not the account name frown To select the correct account from people with multiple accounts you should specify the account name as filter string.

Once you have identified the user, select it from the list and click the 'Select' button.


To allow all people from a mailing list to login to your Mac select "Network Groups" from the left part of the window, and either use a filter string or scroll through the list to select the desired list:


Again select the list in question and click the 'Select' button.

Once you are done adding users to the access list click the 'Done' button.

Your "Users & Groups" preference pane should now look like this:


Notice the '-' in front of the "Allow network users to log in at login window". If you have a tick mark instaed of the '-', you still allow all CERN account users to login to your Mac.

Login Using your AD Account

Go to the 'Fast user switching" menu, select the "Login Window..." and wait for the message "Network accounts are unavailable" to disappear, enter your "CERN" credentials (under Mac OS 10.7 use firstname.lastname, under 10.8 use the account name). If you have selected "Display login window as: 'List of Users'" (which is not recommended!), you will have to wait that the "Other..." icon is displayed, select that "Other..." and type in your  CERN credentials.

Warning, importantWarning 1:

Unbinding your Mac from AD will destroy the entry of your Mac in AD, and until the next sync between the network database and AD (done once every 24 hours for computers that have no change in landb, and every 10 minutes for computers with changes in landb) you will not be able to bind again to AD. You can avoid this by using a local admin account for the unbinding instead of the AD authorised account. That way you do not have the permissions to destroy the host entry in AD, but the local unbinding still succeeds.

Warning, importantWarning 2:

If you have "Screen Sharing" or "Remote Access" enabled, you must make sure that you only allow this for selected users, with the default setting all CERN accounts (even the ones blocked for good reason) would have full access to your Mac.