Sonder: Unknown Woes Mac OS
  • Resolving the problems with building PCL 1.6 on OS X is on going. When building the desktop variant, PCL is included but not explicitly required. Therefore the easiest method to get around the PCL build problems is to remove it from the workspace: $ rm -rf src/pclmsgs $ rm -rf src/pcl $ rm -rf src/pclros; cameracalibrationparsers build problems.
  • Mac OS X - Problems With MIDI Devices After an Update This guide walks through deleting MIDI drivers on a Mac. This may be necessary if issues appear only after updating your operating system or may be useful to determine if a driver was installed correctly or not.
  1. Sonder: Unknown Woes Mac Os Download
  2. Sonder: Unknown Woes Mac Os X

The excitement of installing a new version of macOS, especially if its a High Sierra 10.13, is only tempered by the possibility of it not working properly or not being compatible with the apps you use most.

Troubleshooting Certificates in Safari for Mac OS X. This article helps you troubleshoot various certificate related problems in Safari on Mac OS X. Whenever troubleshooting a certificate related problem, the first step is to check that your certificates are. While most new versions of macOS are relatively problem-free, it’s not unknown for users to have issues – particularly with a beta or.0 release. Thankfully most are easy to resolve. Here’s how to fix the most common High Sierra issues. High Sierra installer won’t download.

Before you begin upgrade to macOS make a bootable backup

If you haven’t started the process of upgrading yet, check if the Mac is compatible with macOS High Sierra and make a bootable backup.

Do it now, before you do anything else. If things go disastrously wrong at least you’ll be able to boot from macOS’ Recovery partition and migrate all your data back to your Mac. You can use any backup tool you like – Apple obviously favours Time Machine, but you don’t have to use it. You can use, for example, Get Backup Pro, which comes with your Setapp subscription. Don’t have a Setapp subscription? Click here to sign up.

Common macOS High Sierra problems

While most new versions of macOS are relatively problem-free, it’s not unknown for users to have issues – particularly with a beta or .0 release. Thankfully most are easy to resolve. Here’s how to fix the most common High Sierra issues.

High Sierra installer won’t download

If you’re trying to download the macOS High Sierra installer, you’ll need to have signed up to App Store. If you’ve done that, and managed to start the downloading process only for it to fail, force quit the App Store app.

  1. Press Cmd-Alt-Esc or go to the Apple menu and choose Force Quit.
  2. Select the App Store app and confirm you want to force quit.
  3. Re-launch the App Store and try downloading again.

macOS High Sierra won’t install

If the download completes successfully but the installation doesn’t finish, force quit the installer using the same procedure as above.

  1. Restart your Mac
  2. Launch the App Store app and go to the Purchases tab.
  3. Find macOS High Sierra and click Install.

If that doesn’t work, try deleting the downloaded installer (it’s in your Applications folder) using CleanMyMac and download it again.

If you have a copy of macOS Server in your applications folder, that may be the root of the problem. Delete it and try again.

Getting the rainbow wheel every few seconds after upgrade

Check console.app and if you’re getting errors from sandboxd and hidd (IOKit), your problem is a third party software. It’s probably because it wasn’t supported by the new APFS file system. It tries to repeatedly update causing your Mac laptop to be stuck in an endless loop. To fix this issue, just find and remove this app and everything will be fine.

What if macOS High Sierra stops responding?

If your Mac hangs and you can’t do anything at all, wait up to half an hour to see if that helps. If not, force your Mac to restart by holding down the power button and waiting for it to shutdown and then start again.

Fix macOS problems

A top-notch selection of tools for fixing High Sierra issues. Try what works for you the best, free of charge.

macOS 10.13 High Sierra keeps logging out

In case you’re getting tired of you new OS kicking you out of your account on random occasions, there’s a chance it’s pretty easy to turn it off. For instance, there is a setting in your Security & Privacy menu that is responsible for that.

  • Go to Security & Privacy > Advanced and find the box saying “Log out after… minutes of inactivity.”
  • Uncheck it.

You can go even further and turn off the need to enter your password every time you open your Mac or turn it on. In the same Security menu find General settings and uncheck another box, the one saying “Require password after sleep or screen saver begins.” As you can tell, though, that it not the most secure option, especially if it’s your work computer or if you can expect other people getting a hold of it.

If the problem occurs when you’re using Chrome browser, disable the hardware acceleration feature: look for Advanced menu in its settings and turn off hardware acceleration.

How to fix USB devices not recognized on High Sierra

It’s not a nice thing to find out after getting a brand new system, but some Macs have been struggling with USB devices after the upgrade. If your Mac is one of them and refuses to see or read USB drives, external drives, and so on, try resetting SMC.

We’ve explained earlier in the article how to do it, but here’s brief instruction. For all laptop Macs like MacBook, MacBook Pro, and Air, simply turn it off and then on again, while holding Shift + Control + Option and the Power button for 10 seconds.

For iMac, Mac mini, Mac Pro, and Xserve, You start my turning off your Mac and then unplug the power cord. Chill for about 15 seconds. Look out of the window or something. Plug the cord back in, wait a couple of seconds and turn your Mac on.

If the problem remains, you can try to reinstall High Sierra or consult with customer support at Apple. Sugar smash gratis.

Security issues in High Sierra: Password Stealing

The only known and relatively famous security issue with the latest macOS is the password stealing code created by security researcher Patrick Wardle. Long story short, he showed that if he wanted to (and you allowed him by installing his malicious code on your Mac), he could extract your passwords from Keychain without having your master password for the system.

If you look into it, it all boils down to “Don’t get into white vans with strangers and don’t install suspicious software from shady developers on your Mac.” Basic safety precautions. Make sure you visit the developer’s website, make sure you install signed apps from trusted sources. That’s about it.

To check your safety settings, go to System Preferences > Security & Privacy > General and see if ‘App Store and Identified’ developers is selected.

Meanwhile, Apple is reportedly working hard on patching up the breach.

How to fix Mac running slow on macOS High Sierra

In case you’ve just upgraded to the new macOS and your Mac runs slower than it used to, worry not. It’s common and it’s not exactly an issue. The thing is that your Mac is reindexing a bunch of files while running a new system and it slows down its productivity and performance.

For 12-24 hours your Mac could experience these trouble and they are still within the range of normal behavior. If your Mac is running slow a few days after the upgrade, try some Mac-optimizing utilities to fix it. For instance, there is an app called CleanMyMac that can remove system junk and speed up your Mac. It’s a Mac cleaner with a set of handy utilities, some of which might come in handy.

For instance, one of the reasons for your Mac slowing down could be that some apps hog too much RAM. To see if this is the problem, try opening Activity Monitor and see which apps take to much processing power. If some of them seem to be exceedingly greedy and you’re pretty sure that’s not how it’s supposed to be, you can reset them.

To fix RAM-consuming apps, use the special module in the CleanMyMac app that we mentioned earlier, Uninstaller. Simply open CleanMyMac, go to Uninstaller, find the app in question and click Reset. The app will then lose its preferences and stored info and roll back to default settings. It’s basically like reinstalling it but without the hassle.

If your Mac goes all the way and becomes completely unresponsive or even needs rebooting, follow the instruction in our guide on how to speed up a slow Mac after installing macOS.

Fix problems with apps compability

With every macOS upgrade there are older versions of apps that are no longer supported by their developers. One casualty of High Sierra is Microsoft Office 2011 for Mac. Microsoft has said that it will not offer support for it running on new macOS and it’s likely you’ll have problems with it. The only solution is to upgrade to Office 2016.

For other apps, upgrade them and check the developer’s website for details of High Sierra support. Even if an app doesn’t work with the new version of the new OS, it’s possible its developer is still working on support and it will work by the time macOS ships.

If you want to delete an app – perhaps because you’ve replaced it with a newer version – use CleanMyMac Uninstaller to make sure you delete all the files associated with the app.

Display issues on High Sierra

A few things can go wrong with your Mac’s display after the upgrade, so let’s see what can be done when they occur. You might experience troubles waking your Mac from sleep, when the display just never comes live or it does, but minutes after you’ve jammed every key on the keyboard.

Then you might also experience flickering of certain images while browsing the web. The last issue is a grey screen or a blue screen that signal something going pretty wrong with the whole Mac-to-display connection.

What you need to do to fix it is resetting your NVRAM. It’s that kind of memory that unlike regular RAM is non-volitile which means it keeps info when your Mac is turned off. That’s why simply turning it off and on again won’t help. Anyway, it’s a quick fix.

  1. Turn your Mac off and when you turn it back on, hold Command+Option+P+R while it’s booting. You will either see your screen blink twice or hear a two chimes.
  2. After that you need to have your System Management Controller reset also.
  3. Turn your Mac off again and press and hold Shift + Control + Option and the Power button for 10-15 seconds.

That should do it.

Fix Wi-Fi problems

One of the issues that has been reported the macOS High Sierra is with wifi signals. To analyse your wifi network after installation, use WiFi Explorer or NetSpot, both available in Setapp. Both these tools map the wifi networks within range of your Mac and identify areas where signals are either strong or weak. By using one of these apps, you should be able to tell if your Mac is having wifi problems.

If you can’t identify a problem and can’t connect to a network, try switching wifi off in the Finder menu bar, waiting 30 seconds and switching it back on again.

Bluetooth issues on macOS 10.13

Not much has been reported about Bluetooth issues on macOS High Sierra at the moment. However, there’s always one infallible piece of advice to give: re-pair your device. Find the Bluetooth icon in the upper right corner and open its preferences. If you can’t see it there, go to System Preferences and find Bluetooth menu.

Hover on the device in question and click the X-mark next to it. This not just disconnects the device, but removes it entirely from the list until you pair it back. To restore the device, set it into the painting mode and when it shows up in the list below, click “Pair.”

macOS High Sierra battery problems

Mac

Ramping up performance and adding new features while avoiding putting more strain on a battery is tough. So don’t be surprised if your Mac’s battery (if it’s a laptop) doesn’t last as long after upgrading. Use iStat Menus, available in Setapp, to monitor battery life – as well as CPU usage, fan speeds, temperatures and a host of other data. That way you’ll be able to tell if your battery really is performing less well after upgrading.

Your Mac use more power when it’s processor is under stress – partly because it generates heat which needs fans to cool it. So quit any apps that are hogging processor cycles if you’re not using them. You should also update apps to their most recent versions, and could turn down your screen’s brightness and move somewhere cooler if you’re sitting somewhere that’s particularly hot.

If your Mac’s battery hasn’t been its best self since the upgrade, try checking where the problem is. Open Activity Monitor > Energy and see which apps take up the most. Browsers and rendering software is expected to be energy-heavy, so that’s normal.

But if you’re seeing some minor applications you rarely use taking up a chunk, consider uninstalling them. You can use the specially-made CleanMyMac's Uninstaller for the job, because just dragging an app to the trash doesn’t uninstall it fully.

No Mail notifications in macOS High Sierra

In case you either see mail notification for less then a second or don’t see it at all, there might be a problem with settings. Try checking if you have the notifications turned on in System Preferences > Notifications. Does you alert style say “Banner”? If it does but the problem remains, change the alert style from 'Banner' to 'Alert' or 'None'. After that you can switch it to 'Banner' again and from now on it should work fine.

APFS compatibility issue with games and Unity engine

This part is for gamers only. If any of these names ring a bell for you, don’t rush to upgrade: 'Cities: Skylines', 'Civilization V', 'Team Fortress 2,' 'Half-Life 2,' and 'Counter-Strike: Global Offensive.'

Developers of these games and of the Unity engine, joined by threads on Reddit and Steam, have all voiced concerns about the APFS system and its compatibility with the main game engine and graphic controls. So, before you upgrade, hit Reddit or Google and find out if these troubles have been resolved.

If all else fails

If a force restart doesn’t work and you can’t get your Mac to run the new OS at all, the next step is to try repairing the disk on which it’s installed.

  1. Restart your Mac while holding downs cmd+R to boot in recovery mode.
  2. When it’s booted, choose Disk Utilities from the macOS Utilities menu.
  3. Click Repair Disk to to fix any problems on the disk.
  4. When it’s done, restart your Mac normally.

If that doesn’t work, you’ll need to reinstall macOS.

  1. Plug in the hard drive on which you made the bootable backup and select it as your Mac’s Startup Disk in System Preferences.
  2. Re-boot while holding down cmd+R.
  3. When the macOS Utilities menu appears, choose Disk Utilities and use it to erase you Mac’s main drive.

When it’s done, choose Reinstall macOS and select your Mac’s main drive as the destination. Wait for High Sierra to install and restart. When you see the Setup Assistant, choose the option to migrate data from another disk and choose the external disk as the source.

These might also interest you:

Setapp uses cookies to personalize your experience on our website. By continuing to use this site, you agree to our cookie policy.

Home > Articles > Apple > Operating Systems

  1. Configuring Mac OS X to Log In Using Active Directory
Page 1 of 5Next >
In this chapter, you will learn how to configure Mac OS X to log in using Active Directory, troubleshoot binding issues, and troubleshoot login issues.
This chapter is from the book
Apple Training Series: Mac OS X Directory Services v10.6: A Guide to Configuring Directory Services on Mac OS X and Mac OS X Server v10.6 Snow Leopard

This chapter is from the book

This chapter is from the book

Apple Training Series: Mac OS X Directory Services v10.6: A Guide to Configuring Directory Services on Mac OS X and Mac OS X Server v10.6 Snow Leopard

Active Directory is Microsoft’s directory services solution that provides LDAP and Kerberos services for identification and authentication. Many organizations with Windows computers use Active Directory because it provides these features:

  • Security and policy management for Windows computers
  • Tight integration with popular application servers such as Microsoft Exchange and Microsoft SQL Server
  • High availability, with the ability to place multiple replica servers across geographic locations in a multimaster configuration

It is easy to integrate Mac OS X into an Active Directory environment. Although Mac OS X computers can access directory information provided by Active Directory via the LDAPv3 connector, you should use the Active Directory connector, which provides the following capabilities:

  • Creating a computer account for secure communication with Active Directory services
  • Configuring mappings of Open Directory objects and attributes to Active Directory objects and attributes
  • Setting up the Kerberos environment for seamless integration with Active Directory
  • Enabling SMB packet signing and packet encryption
  • Support of Active Directory password policies
  • Support of Active Directory sites, which directs Windows and Mac OS X client computers to the most appropriate services based on their IP network
  • Caching information from Active Directory services so that Mac OS X computers can use the information even if they are not connected to the network

In this chapter you will learn how to use System Preferences, Directory Utility, and the command line to bind to Active Directory, and to modify the default settings for the Active Directory connector to enable login and access to a network home folder. You will learn how to overcome problems with your initial bind to Active Directory, and you will learn troubleshooting techniques for login problems with an Active Directory user account.

Mac OS X v10.6 brings numerous improvements to the Active Directory connector, from better caching to improved support for Windows Server 2008 domains.

Configuring Mac OS X to Log In Using Active Directory

You can use the Accounts pane of System Preferences, Directory Utility, or dsconfigad to bind a Mac OS X client computer to an Active Directory domain. dsconfigad allows you to configure some features that Directory Utility does not expose, but if you use dsconfigad you need to take some additional steps (such as enabling the Active Directory connector and adding the Active Directory node to your search paths). Before you bind, however, you need to know a few things about your Active Directory service.

Understanding Active Directory Terms

When you bind to Active Directory, you need to know the domain name and you must have the credentials of a user who has authorization to join computers to Active Directory.

A domain is the building block of Active Directory; it is a collection of directory objects such as users, groups, and computers. An Active Directory domain requires a domain controller, which can be a computer running any version of Windows Server 2000 through Windows Server 2008. A domain is identified by its DNS namespace; for example, the server windows-server.pretendco.com may be a domain controller for the domain pretendco.com. Active Directory relies on DNS records generated by a DNS service that is tightly integrated with Active Directory, so you should configure Mac OS X to use the DNS service associated with the Active Directory domain before attempting to bind.

A tree is one or more domains in a contiguous name space. A forest is a set of domain trees that have a common schema and global catalog, which is used to describe a best-effort collection of all the resources in a domain. The global catalog is commonly used for email address lookups.

Like standard Windows clients, Mac OS X binds to only one Active Directory domain at a time.

Understanding the Active Directory Computer Object

When you bind a Mac OS X client computer to Active Directory, you use or create a computer object for Mac OS X. Just like user objects, computer objects are used for identification, authentication, and authorization. The computer object has rights to do certain things, such as to bind and update its own DNS record.

When you bind a Mac OS X computer to Active Directory, Mac OS X uses the user credentials you supply to set up a computer object and password in Active Directory. This password is a shared secret between your Mac OS X computer and the Active Directory service. Your Mac OS X computer uses this password to authenticate to Active Directory and set up a secure channel to enable your Mac OS X computer to communicate with Active Directory. The password is randomly generated, and it is unrelated to the user account you use to perform the bind. For more information, see the section “Confirming Your Active Directory Connector and the Samba Service Are Using the Same Active Directory Computer Password” in Chapter 8.

If you delete the computer object or reset the computer object password in Active Directory, you need to rebind Mac OS X to Active Directory in order for Mac OS X to access Active Directory.

When you use System Preferences or Directory Utility to bind to Active Directory, you see a suggested computer ID to use for the name of the Active Directory computer object. This computer ID is based on your host name (if you use the Accounts preference) or your Bonjour name (if you use Directory Utility). Regardless of what you enter as a computer ID, Mac OS X will use only the lowercase characters a–z, 0–9, dash (-), and underscore (_), in order for Mac OS X file sharing to be compatible with legacy Windows computers. If your computer name is longer than 15 characters, you may experience errors when binding to Active Directory. Each computer should use the same Mac OS X computer name and Active Directory computer name to help keep track of computer names, unless you have a good reason not to do so.

Specifying a User to Create the Computer Object

When binding to Active Directory, you need to supply the credentials of an Active Directory administrator or user who is authorized to create computer objects. By default, you can use a regular Active Directory user to bind to Active Directory ten times, but after that you will encounter an error. “Troubleshooting Binding Issues,” later in this chapter, offers some solutions for this problem.

Binding to Active Directory with System Preferences

The simplest way to bind Mac OS X to Active Directory is to use the Accounts pane of System Preferences. The steps are as follows:

  1. Open System Preferences.
  2. Click Accounts.
  3. Click Login Options.
  4. Click Join next to Network Account Server.
  5. In the Server field, enter the name of the Active Directory domain—in other words, “pretendco.com” not “windows-server.pretendco.com.”

    This can be any domain in the forest, but remember that the domain name is the DNS namespace of the domain, not the DNS name of the domain controller.

  6. In the Computer ID field, enter the name of the Active Directory computer object to use for this Mac OS X computer. By default, this displays your host name, which may be determined from a DNS record that matches your IP address, or your Bonjour name, if there is no matching DNS record.
  7. In the AD Admin User field, enter the name of an Active Directory administrator or the name of an Active Directory user who can join a computer to the domain.
  8. In the AD Admin Password field, enter the password for the user you specified in step 7.
  9. Click OK, and then provide a local administrator’s credentials when prompted. Mac OS X attempts to bind to Active Directory with the default settings.

The Network Account Server field now displays a green status indicator along with the name of the Active Directory domain.

If you are bound to multiple directories, the Network Account Server field simply displays the dimmed text Multiple.

Binding to Active Directory with Directory Utility

Instead of the Accounts preference, you could use Directory Utility to bind to Active Directory, just like you would have with Mac OS X v10.5 and earlier. The process is very similar—you can click the Open Directory Utility button on the Login Options pane of the Accounts preference (shown in the figure below step 4 of the preceding exercise), or open Directory Utility directly from /System/Library/CoreServices/. You must specify the Active Directory domain as you did in the preceding exercise. Directory Utility offers more choices and advanced options, and it will be covered later in this chapter.

Logging In as an Active Directory User on Mac OS X

Once you bind your Mac OS X computer to Active Directory, you can log in with your Active Directory user account at your Mac OS X login window. By default, when you log in with an Active Directory user account, the following things are true:

  • If your password will expire soon, you have the opportunity to change it during the login process.
  • Your home folder is located on the startup volume.
  • Active Directory grants you a Kerberos Ticket Granting Ticket (TGT) as part of the login process. You can confirm this by opening the Ticket Viewer application (in /System/Library/CoreServices).

Also note that in Mac OS X v10.6, the default preference for the Finder is to not display hard disks and or connected servers, so no items will be displayed on the desktop.

Specifying a User Name at the Login Screen

By default, when you are bound to another directory node, the Mac OS X login window also displays the option of “Other.” This allows you to specify a user name from a different directory node, as shown in this figure:

When you select Other, the login window reveals a field for Name and Password.

At the Mac OS X login window, you can use many combinations of the user identifiers “Full name,” “User login name,” or “User login name (Pre-Windows 2000)” from Active Directory, along with other elements of the domain name. Consider the figure below, which shows a user created with Active Directory tools.

You can log in with any of the following names in the Name field in the Mac OS X login window:

  • schoun-regan
  • sregan
  • Schoun Regan
  • schoun-regan@pretendco.com
  • sregan@pretendco.com
  • Schoun Regan@pretendco.com
  • PRETENDCOschoun-regan
  • PRETENDCOsregan
  • PRETENDCOSchoun Regan

Understanding the Home Folder Default Behavior

When you log in with a user account for Active Directory, by default Mac OS X creates a home folder for the user on the startup volume in /Users/usershortname.

If a directory already exists with that name, Mac OS X will not create a new home folder. You may experience unexpected results because the Active Directory user does not have write permissions to the home folder.

See the section “Transitioning from a Local User to an Active Directory User” later in this chapter, if that is appropriate for your situation.

Understanding Home Folder Synchronization

The default settings do not configure Mac OS X to synchronize the local home folder with a network home folder. If you log in as the same Active Directory user on multiple Mac OS X computers that are configured with the default settings for the Active Directory connector, you will have a different home folder on each computer, and the contents will not be synchronized. To prevent this situation, you can do the following:

  • Configure mobile accounts and home folder synchronization. See the section “Understanding Mobile Accounts” for more on this.
  • Deselect the option to force the creation of a local home folder, and then use Active Directory tools to assign a network home folder for the Active Directory user account. See the “Specifying a Network Home Folder” section for details.

Changing the Active Directory Connector Default Settings

The Active Directory connector’s default settings might not meet your needs. For instance, you may want to not force local home folders on the startup volume, or you may want to specify Active Directory groups whose members will be considered local administrators when they authenticate locally on your Mac OS X computer. In this section you will learn how to use Directory Utility and the command line to configure some of the advanced options of the Active Directory connector.

Follow these steps to use Directory Utility to access Active Directory Advanced Options:

  1. Open Directory Utility (in /System/Library/CoreServices). If necessary, click the lock in the lower-left corner and provide credentials for a local administrator.
  2. In the toolbar, click Services.
  3. Make sure the Active Directory Service checkbox is selected.
  4. Select the Active Directory service.
  5. In the lower-left corner of the Directory Utility window, click the Edit button.
  6. Click the disclosure triangle next to Show Advanced Options.

Exploring the “User Experience” Advanced Options Pane

The default pane for Directory Utility’s Advanced Options is the User Experience pane.

The first option, “Create mobile account at login,” is disabled by default. A mobile account caches user credentials locally so they can be used when the computer is not connected to the directory node. See the “Understanding Mobile Accounts” section for more details about mobile accounts and synchronized home folders.

The “Force local home directory on startup disk” option is enabled by default. If you enable this option, Mac OS X creates a local home folder in /Users/username when an Active Directory user logs in (unless a local home folder already exists at that location).

Specifying a Network Home Folder

There are at least two possible ways to specify a network home folder for an Active Directory user account:

  • If your Active Directory schema has been extended to support Apple objects and attributes, map dsAttrTypeStandard:HomeDirectory to an extended attribute in your user record; then you can use Workgroup Manager to specify the home folder.
  • Select the “Use UNC path from Active Directory to derive network home location” checkbox and use Active Directory tools to populate the Home Folder field for an Active Directory user. The Active Directory connector maps dsAttrTypeStandard:SMBHomeDirectory to Active Directory’s dsAttrTypeNative:homeDirectory. You can also specify this option with the -uncpath option of dsconfigad.

You must specify which file-sharing protocol to use: SMB or AFP (Apple Filing Protocol). SMB is the default setting, so it is easy to use Windows file services to host home folders for Active Directory users who log in to a Mac OS X computer.

Mac OS X has had full support for SMB packet signing since Mac OS X v10.5, a security feature (designed to prevent man-in-the-middle attacks) enabled by default on Windows Server 2003 SP1 and later. Many Windows Server administrators require client computers to use this option, which makes it impossible for computers using earlier versions of Mac OS X to access their SMB share points without installing third-party SMB client software.

AFP offers some advantages over SMB as a file service protocol for Mac OS X client computers: It is faster, native to Mac OS X, supports Time Machine and network Spotlight searching, and handles a wider range of filenames in a mixed environment. Unfortunately, Windows servers do not offer AFP by default.

Although Windows Server 2003 and earlier can offer AFP via Services for Macintosh (SFM), the SFM version of AFP is not current. For example, SFM supports only 31 characters in a filename, which causes a problem when Mac OS X uses a long filename, such as ~/Library/Preferences/ByHost/com.apple.iCal.helper.0017f3e00523.plist. SFM is not recommended for Mac OS X network home folders. If you must use your Windows server for network home directories, consider running a third-party AFP file service, such as GroupLogic’s ExtremeZ-IP, on your Windows server.

You can use a Mac OS X Server to host network home folders for Active Directory users, whether they log in to Mac OS X computers or Windows computers. You can use Mac OS X Server’s AFP service for users who log in to Mac OS X computers, and Mac OS X Server’s SMB service for users who log in to Windows computers. Discourage users from simultaneously logging in as the same user on Mac OS X and Windows computers, because editing the same file over two different protocols simultaneously could corrupt the file.

For more information about offering file services from a Mac OS X Server, see Chapter 4, “Using File Services,” in Apple Training Series: Mac OS X Server Essentials v10.6.

Logging In with a Windows Home Folder

If you use Active Directory tools to define a network home folder (dsAttrTypeNative:SMBHome) for the user, Mac OS X mounts the network volume that contains that Active Directory home folder. Unless you specify otherwise, by default the Active Directory connector creates a local home folder on the startup volume, so Mac OS X mounts the Windows home folder but does not use it as the user’s home folder.

The network folder appears in the Dock, but the volume does not appear on the user’s desktop by default. The default preference for the Finder in Mac OS X v10.6 is to not display mounted network volumes on the desktop. To change this in the Finder, choose Finder > Preferences and select the checkbox for “Connected servers.”

When an Active Directory user with a valid Windows home folder (dsAttrTypeStandard:SMBHome) logs in to a Mac OS X computer that does not have the “Force local home directory on startup disk” option enabled in the User Experience pane of the Active Directory connector, that user’s home folder will be on a network server as expected. You may see question marks in the user’s Dock, which represent the user’s Documents and Downloads folders, which are not created automatically on Windows servers. If the network home folder is hosted on a Mac OS X Server file service, and you configured the Active Directory connector to use SMB rather than AFP, you should create the user’s home folder on the Mac OS X server that hosts the home folder before the user logs in for the first time, so that the user has a home folder with the set of standard folders. By default, Mac OS X Server will create a home folder automatically if a user makes an AFP connection, but not an SMB connection.

If you deselect both the “Force local home directory on startup disk” and “Use UNC path from Active Directory to derive network home location” checkboxes, and an Active Directory user with no valid home folder defined attempts to log in, that user will not be able to log in at the Mac OS X login window; the login window will shake after an unsuccessful authentication and return to the login window.

Sonder: Unknown Woes Mac Os Download

Changing User and Group Mappings

By default, the Active Directory connector generates a unique user ID, or UID—dsAttrTypeStandard:UniqueID—for an Active Directory user record based on that user’s GUID attribute. The calculated UniqueID is unique across the domain, yet consistent across every Mac OS X computer in the domain. Likewise, the Active Directory connector generates a unique integer for each Active Directory group record as well (dsAttrTypeStandard:PrimaryGroupID).

However, if you have extended your Active Directory schema, or if you have appropriate values populated in the RFC2307 attributes (which are already part of the Active Directory schema in domains hosted by Windows Server 2003R2 and later, but are not populated by default), then you can use the Mappings pane to access these attributes.

Be forewarned that if you change the mappings (after using Active Directory with the default mappings), users may lose access to files that they previously owned or could access.

The Mappings pane, shown in the following figure, allows you to change the mappings for the following standard attributes:

  • UID—dsAttrTypeStandard:UniqueID
  • User GID—dsAttrTypeStandard:PrimaryGroupID
  • Group GID—dsAttrTypeStandard:PrimaryGroupID

If the Active Directory schema is extended with Microsoft’s Services for UNIX (SFU), and the attributes contain valid values, you can:

  • Map UID to msSFU-30-Uid-Number
  • Map both user GID and group GID to msSFU-30-Gid-Number

If the Active Directory schema has RFC2307 attributes that are populated with valid values, you can:

  • Map UID to uidNumber
  • Map both user GID and group GID to gidNumber

If the Active Directory schema is extended with Apple object classes and attributes, and the attributes are populated, you can:

  • Map UID to UniqueID
  • Map user GID to PrimaryGroupID
  • Map group GID to gidNumber

Exploring the “Administrative” Advanced Options Pane

The “Prefer this domain server” option is one of the most misunderstood features of the Active Directory connector. If you select the “Prefer this domain server” checkbox and specify an Active Directory domain controller, the Active Directory connector will prefer that server if your Mac OS X computer is contained within the same Active Directory site as the specified domain controller.

Use the “Allow administration by” option to enable any user of the Active Directory groups that you specify to be in the group of local administrators for this Mac OS X computer. This is useful if you create an Active Directory group and populate it with users who should have the authority to administer the Mac OS X computers in your organization. Lashbrender demo mac os.

Restricting Authentication to Specific Domains

When you add Active Directory to your search path, Mac OS X automatically adds the node Active Directory/All Domains to your search path by default. If you want to restrict the authentication search path to use specific domains in your forest only, follow these steps:

  1. Deselect the option “Allow authentication from any domain in the forest,” and then click OK to dismiss the Active Directory services pane.
  2. In the toolbar of Directory Utility, click Search Policy, and then click the Authentication tab.
  3. Select Active Directory/All Domains, click the Remove (–) button in the lower-left corner of the Directory Utility window, and then click OK at the confirmation dialog.
  4. Click the Add (+) button in the lower-left corner of the Directory Utility window. Directory Utility displays a list of the domains in your forest. Select the domains you want to enable in your authentication search path, and then click Add.
  5. Click Apply to activate the change.

Creating the Computer Account in a Custom Location

Unless you specify otherwise, the Active Directory connector creates computer objects in the CN=Computers container with the domain that you join. Depending on the configuration of your domain controller, this may not be correct. For example, some administrators have a special container (CN) or organizational unit (OU) for all Mac OS X computers.

Use the following steps to configure the Active Directory connector to add the computer to the container OU=Macs,DC=pretendco,DC=com. Rather than binding from the Accounts pane of System Preferences, you will bind from Directory Utility’s Active Directory services pane, which offers different binding options.

  1. Open Directory Utility. If necessary, click the lock icon in the lower-left corner and provide credentials for a local administrator.
  2. In the toolbar, click Services.
  3. Make sure the Active Directory service checkbox is selected.
  4. Select the Active Directory service.
  5. In the lower-left corner of the Directory Utility window, click the Edit button.

    If you are not already bound to Active Directory, Directory Utility displays the dialog shown in the following figure. If you are already bound, you must first unbind in order to change the location of your computer account (in this case, simply click Unbind).

  6. In the Active Directory Domain field, enter the Active Directory domain.
  7. In the Computer ID field, enter the name of the Active Directory computer object to use for this Mac OS X computer.
  8. Click Bind.

    Directory Utility displays the authentication and Computer OU dialog.

  9. In the Username field, enter the name of an Active Directory administrator or the name of an Active Directory user who has authority to join a computer to the domain.
  10. In the Password field, enter the password for the user you specified in step 10.
  11. In the Computer OU field, replace the default text with the custom container in which to create the computer object for this Mac OS X computer to use. In the following example, the Active Directory administrator created a new OU specifically for Mac OS X computers and named it “Macs”.
  12. Click OK to start the bind process, and then click OK to dismiss the Active Directory services pane. Quit Directory Utility.

Binding to Active Directory with dsconfigad

The dsconfigad command is particularly useful for scripting the process of binding to Active Directory, and it offers a way to bind with custom settings in one step. This command has drawbacks, however: It does not enable the connector, nor does it add the Active Directory node to the search paths. You must also use the defaults and dscl commands to accomplish those tasks.

To bind a computer to Active Directory with dsconfigad, collect the following information for the following dsconfigad options:

  • -a—Name of Active Directory computer object to use
  • -domain—Fully qualified domain name (FQDN) of Active Directory domain to join
  • -u—Name of an Active Directory user who is authorized to add this computer to the domain
  • -p—The password for the Active Directory user
  • -lu—Name of a local administrator
  • -lp—The password for the local administrator

Sonder: Unknown Woes Mac Os X

The commands listed in the following exercise enable the Active Directory connector, bind to Active Directory, and add the Active Directory node to the authentication and contacts search paths:

  1. Use the defaults command to modify the settings of the file /Library/Preferences/DirectoryService/DirectoryService.plist:
  2. Use dsconfigad to bind to Active Directory:
  3. For the authentication search path, use dscl to add “Active Directory/All Domains” to the custom search path (CSPSearchPath), and set the authentication search path to use CSPSearchPath:
  4. For the contacts search path, use dscl to add “Active Directory/All Domains” to the custom search path (CSPSearchPath), and set the contacts search path to use CSPSearchPath:
  5. Stop DirectoryService, which automatically starts up again with these new settings:
  6. Use dscl to confirm that the Active Directory node is in the search paths:
  7. Use id to confirm that Open Directory knows about an Active Directory user.

    In this example, the user aduser1 is an Active Directory user object. The -p option makes the output human readable:

    If you issue the id command after binding and the result is no such user, wait a few seconds and then try again.

Using Configuration Options Available Only with dsconfigad

Sonder:

dsconfigad offers much of the same functionality that Directory Utility offers: You can bind, unbind, set configuration options, and show the status of a bind. In addition, dsconfigad offers some functionality that Directory Utility does not offer, such as the following:

  • -packetsign <disable allow require>—This supports packet signing options for both SMB and LDAP. SMB signing is required by default on Windows Server 2003 SP1 and later. This caused much frustration with earlier versions of Mac OS X. The default is to allow packet signing.
  • -packetencrypt <disable allow require>—This supports packet encryption options for both SMB and LDAP. The default is to allow packet encryption.
  • -namespace <forest domain>—The forest option enables a user to log in even if there is another user account with an identical user name in the forest. Be forewarned that if you specify forest, the Active Directory connector calculates each Active Directory user’s local home folder as /Users/DOMAINusername instead of /Users/username. Toggling the namespace setting after Active Directory users have already logged in can cause confusion, as Active Directory users perceive the contents of their home folder to be missing. The default is domain.
  • -passinterval <days>—This specifies how often Mac OS X changes the Active Directory computer object password, measured in days. It is common for Active Directory administrators to use Active Directory tools to look for computers that have not recently changed their passwords. The default is for Mac OS X to change its computer object password every 14 days.

Understanding Mobile Accounts

A mobile account is a local copy of a network user account, with attributes and credentials synchronized at login if the network node is available. A mobile account allows you to log in even when the network directory node is not available. The mobile account concept is not specific to Active Directory, but the Active Directory connector provides an option to enable Mac OS X to create a mobile account when users log in. This enhances the user experience because it caches other information, such as group membership, about Active Directory. Mobile accounts work well when you synchronize the contents of the local home folder with a network home folder, but this is not automatic.

See the section “Exploring the ‘User Experience’ Advanced Options Pane,” earlier in this chapter, for instructions on configuring the Active Directory connector to configure Mac OS X to create mobile accounts. For more information about home folder synchronization, see the section “Managing Mobile User Accounts,” of Apple Training Series: Mac OS X Server Essentials v10.6, or read Chapter 8, “Managing Portable Computers,” of Mac OS X Server User Management Version 10.6 Snow Leopard.

Binding to Active Directory and Open Directory

In any circumstance in which a user account is missing some attributes—for example, because you cannot extend the schema, or you do not have authority to edit the attributes you are interested in—you can always try using the Magic Triangle, in which you use an Open Directory node to supplement data available from the primary node. You learned about this configuration in Chapter 3, in the “Augmenting LDAP Data with Information from an Open Directory Server” section, and it is illustrated in the following figure:

The Magic Triangle configuration lets you apply managed preferences to Open Directory computers and workgroups, and then add Active Directory groups and users to Open Directory workgroups to manage them. See the instructions in Chapter 8, in the section “Preparing Mac OS X Server for the Magic Triangle Configuration.”

Because the Active Directory connector dynamically generates mount records for network home folders, you do not need to provide an additional directory node or mount object to automount an AFP home folder.

Providing Managed Preferences to Active Directory Users

Using Active Directory Group Policy Objects is the traditional method for managing Windows users, groups, and computers, but Mac OS X is not compatible with Group Policy Objects. If you want to apply managed preferences to Mac OS X users, you could do any of the following:

  • Augment Active Directory with an Open Directory server, and then make Active Directory users members of Open Directory groups to which you apply managed preferences. See “Using Workgroup Manager to Provide Managed Preferences in the Magic Triangle Configuration,” in Chapter 8, for instructions.
  • Use third-party software such as Thursby ADmitMac, Centrify DirectControl, Likewise Enterprise, or other similar products.
  • Extend your Active Directory schema to handle Apple-specific object classes and attributes, and then use Workgroup Manager to manage preferences for objects in the Active Directory domain. See the white papers listed in the References section and Appendix B, “Extending Your Active Directory Schema,” available online.

Configuring the Authentication Search Path

If you are connected to multiple directory nodes, and you store managed preferences settings for computers in one node, that is the node that you should configure to be listed before the other nodes in your authentication search path. See Apple knowledge base article TS2528, Mac OS X 10.5: Managed Preferences settings not applied to computer bound to multiple directory services for more information.