Archive for Leopard
There are a couple of connectivity issues related to using a Macintosh in a Windows network that are worth noting. These can impact connectivity of both Mac OS 10.4 and 10.5 in an SBS (or other Active Directory network).
First, if the Active Directory login name matches either the Full Name or short name of a local Macintosh account, you will not be able to authenticate against Active Directory. What seems to be happening in this instance is that the Mac OS authentication mechanism looks first at the local user directory before looking at any remote user directories when attempting authentication. If the name entered at login matches an account in the local user directory, Mac OS will attempt to authenticate against that user instead of the account in the remote user directory. This means an AD account named “jane” will not authenticate against AD if there is a local account with the short name “jane” or the long name “Jane Dough.” Even if the short name for “Jane Dough” is “admin,” the authentication will fail.
To resolve this issue, first create another local Mac user account with a long name and short name that have no close matches to any account in Active Directory. Make that user an administrator over the local machine. Then log in with that new user and remove any local accounts with names similar to the AD login name. If the user has been using that local account for a while, you will need to take steps to move the local user profile information into another account, which is not a trivial task. Only after you delete the local account with a similar name to the AD account will you be able to authenticate against the AD account. This happens whether you join the Mac to Active Directory or not.
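A quick check for the name collision described above, as an added example that is not part of the original post. It assumes the local account list is in the format printed by `dscl . -list /Users RealName` (short name, then full name); a constructed sample of that output is embedded so the script runs offline.

```sh
#!/bin/sh
# Added example (not from the original post): report whether an Active Directory
# login name collides with a local Mac account's short name or full name, which
# is the condition the post describes as breaking AD authentication.
# On a real Mac, replace LOCAL_USERS with: $(dscl . -list /Users RealName)
# The lines below are a constructed sample of that output.
LOCAL_USERS='admin    Jane Dough
jsmith   John Smith
_www     World Wide Web Server'

# ad_login_collides LOGIN
# Returns 0 (collision) if LOGIN matches a local short name or full name,
# comparing case-insensitively; returns 1 if no local account matches.
ad_login_collides() {
    login=$1
    printf '%s\n' "$LOCAL_USERS" | awk -v l="$login" '
        BEGIN { found = 1; l = tolower(l) }
        {
            short = tolower($1)          # first column: short name
            $1 = ""; sub(/^[ \t]+/, "")  # remainder: full (long) name
            full = tolower($0)
            if (short == l || full == l) { found = 0; exit }
        }
        END { exit found }'
}

# Example run against the constructed sample.
for name in "Jane Dough" jsmith jane; do
    if ad_login_collides "$name"; then
        echo "$name: collides with a local account; AD login will fail"
    else
        echo "$name: no local collision"
    fi
done
```

Any login reported as colliding is one the post says must be renamed or removed locally before AD authentication can succeed.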
Second, I have seen two instances where joining a fresh Leopard (10.5) install to an SBS network has been problematic. Specifically, when you log in with AD credentials, the process can take 5 or more minutes to process the login. Unfortunately, I have not been able to troubleshoot these two instances the way I had wanted, and I have not been able to replicate the behavior on demand. I believe that there is an issue/delay with the Mac doing LDAP lookups in AD to get the account information for authentication, but I cannot be sure without further testing.
If anyone has seen this problem and is willing to work with me to do some more in-depth troubleshooting on the problem, please let me know. Given the number of systems that I’ve connected and that have been done following the instructions on this blog and the smallbizserver.net site, this specific behavior is very rare. But now that I’ve seen it twice, I’d like to know what’s going on and modify these instructions as needed to help prevent that problem in the future.
Now that Mac OS 10.5 has hit the streets, there are folks who are wanting to know how to connect a Mac running the new operating system to an SBS network. This document covers steps for connecting a Macintosh running Mac OS 10.5 to an SBS 2003 network. This document assumes a healthy SBS network set up according to best practices.
Note: Before you start, make sure the local user name on the Macintosh does not match the Active Directory login name that will be used to access resources on the SBS network. This includes both the long name and the short name for the local Macintosh account. If the local Mac account for Jane Dough has a long name of “Jane Dough” and a short name of “jane” and the Active Directory account for the user is “jane,” you will not be able to authenticate to Active Directory properly. See “Outstanding Macintosh Connectivity Issues” for more details.
Phase 1 – Network Configuration
If the SBS 2003 server is set up properly and the Macintosh is getting its network information from DHCP, the network settings should be ready to go out of the box, so to speak. These steps will confirm proper network settings on the Macintosh to work with the SBS network.
- Open the System Preferences application from the Dock or from the Apple Menu.
- Select the Network panel from the System Preferences application.
- Review the settings for the active network connection. You should see settings that match the values expected for the SBS network. You will also see the DNS server address listed (but grayed out) as well as the internal domain name in the Search Domains field. If these values do not match your SBS network, make the necessary adjustments. The DNS server should point to the internal IP address of your SBS server, and the Search Domains field should contain the internal domain name of the network (i.e., domainname.local).
- Click the Advanced button in the Network pane.
- Click the WINS tab.
- Select the correct NetBIOS domain name from the Workgroup drop down list. The WINS server address should already be populated and be the internal IP address of the Server.
- Click OK and then Apply in the main Network panel.
- Close System Preferences.
- Open the Macintosh HD icon and select the Application icon from the navigation tree.
- Open the Utilities folder and scroll down to the Terminal icon.
- Open the Terminal application. Ping the SBS server by its short name (i.e., if the fully-qualified domain name for the server is servername.domainname.local, ping servername).
- If the Mac is getting proper DNS resolution, the internal IP address of the server will respond to the ping. Note that you will need to press Control-C to stop the ping command. If you do not get the proper IP address of the server from the ping command, go back and review the network setup steps.
- Close the Terminal application.
Phase 2 – Accessing Server Resources
Mac OS 10.5 can access shares from the SBS server via the SMB (server message block) protocol like earlier versions of OS X. There are some key differences, however. You must still disable SMB Signing on the server in order for the Mac to be able to read and write files to the server share (see this post for instructions on how to disable SMB signing on the server). If you have Windows 2003 Service Pack 2 on the server, you also need to make sure that all scalable networking components are disabled as well. See MS KB936954 and step 4 in this post on the Official SBS Blog for instructions on disabling the scalable networking components.
The key difference between Leopard and previous versions of the Mac OS is that you will be able to authenticate against the server and open shares on the server even if SMB signing is not disabled. However, you will not be able to read or write files in the server shares. In previous versions of the OS, you would not be able to authenticate against the server at all if SMB signing were still enabled.
Once you have disabled SMB signing on the server, follow these steps to access the shares on the server from the Mac.
- From the Finder, select Connect to Server from the Go menu, or press Command K to open the Connect to Server window.
- Enter the server path as smb://servername in the Server Address field and click Connect.
- You will be prompted to enter your domain username and password to access the share. Enter the username in the domainname\username format.
- After you authenticate, you will be presented with a list of shares on the server that you may connect to. Select the share and click OK.
- Another key difference in Leopard from previous versions of the Mac OS is that the network share no longer appears as a mounted disk volume on the Mac. Instead a new window will open to the share, and the server will appear under the Shared area of the navigation tree with an Eject symbol next to it. If you close the window and need to get back to the share, you can click on the server name in the navigation tree and see a list of the shares available on the server.
- In the Connect to Server window, you can enter the full path to a share in the format smb://servername/sharename. You can save the path in the Favorite Servers list by clicking the plus sign next to the Server Address field. You can also open a folder on the share directly by using the format smb://servername/sharename/foldername.
- When you click Connect in the Connect to Server window, a new window will open to the path specified in the Server Address window. If you selected a folder under a share, that folder window will open directly.
Phase 3 – Joining Active Directory
By default, you will have to enter your domain username and password every time you access a server resource when that resource is not connected to the Mac (i.e., right after bootup, after a share has been “ejected”, or if a network connection drops the connection to the server). By joining the Macintosh to Active Directory, you can log into the Mac with your Active Directory user credentials and not have to enter them every time you access a shared resource. To be able to log in to the Mac with Active Directory credentials, follow these steps.
- From the Utilities folder in the Applications folder, open the Directory Utility application.
- Once the application opens and finishes the process of detecting directory servers on the network, click the Show Advanced Settings button.
- When the Advanced Settings appear, click the Services icon.
- Click the lock to get access to the panel. You will be prompted for credentials. Enter your Macintosh username and password, then click OK.
- Double-click on the Active Directory line to open the Active Directory configuration.
- Click on the Show Advanced Options triangle.
- Enter the internal domain name in the Active Directory Domain field (i.e., domainname.local).
- Change the name of the Mac to a shorter name in the Computer ID field if desired.
- Turn on the Create mobile account at login checkbox.
- Select the Administrative tab.
- Turn on the Prefer this domain server checkbox and enter the fully-qualified domain name of the SBS server (i.e., servername.domainname.local).
- Turn on the Allow administration by checkbox.
- Click Bind to join the Macintosh to the domain.
- Enter the domain administrator username and password when prompted. The Macintosh will be placed in the Computers container by default. This can be changed in Active Directory later if needed.
- Once the join process is complete, you will see both the Active Directory Forest and Active Directory Domain fields populated.
- Confirm that the Active Directory checkbox is enabled in Directory Utility and close the application.
- Open System Preferences and click the Accounts icon.
- Click the lock to make changes and enter the password for the local Mac account.
- Click on the Login Options icon in the navigation tree.
- Set Automatic Login to Disabled.
- Close System Preferences.
- Log out of the Mac account by selecting Log Out from the Apple menu. You do not need to restart the Mac to be able to log in with your Active Directory credentials.
- When you get the login screen, click Other.
- Enter your Active Directory credentials as domainname\username.
- You will be prompted to create a mobile account. Click Create Now.
- Once login completes, open System Preferences and open the Accounts pane.
- Click the lock to make changes.
- When you are prompted to enter administrator credentials, you will need to enter information for the local Macintosh account. You will need to enter the short name as the account name. If you are not sure what the short name is, log back in as the Mac user and look for the name of the home folder. The home folder is named with the short name of the account.
- After you enter the authentication information, turn on the Allow user to administer this computer checkbox.
- You will get a message that you need to log out and log back in for the settings to take effect. Click OK.
- Log out and log back in with the Active Directory credentials.
- Open a new Finder window and select the server name in the Shared section of the navigation tree. All of the shares on the server will appear and can be selected from here. You can also use the Connect to Server method described earlier in this document to connect. The difference is that you will not be prompted to enter a username and password when you enter the network resource you wish to use.
- A version of the document complete with screen shots will be available at smallbizserver.net in the near future.
I plan to have several posts related to Leopard (Mac OS 10.5) connectivity with SBS networks over the next few days, and I have a methodology defined for how I’m going to approach the various scenarios that present themselves. Initially, however, I’ve taken an existing 10.4 install that was joined to Active Directory and logging in with AD credentials and upgraded that system in place to Leopard. There was one hiccup with creating the mobile user account, but I’m not sure that wasn’t a carryover from a similar issue I’d already had with that machine.
After the upgrade, I was able to log in with the user’s AD credentials just fine. I was presented with the Setup Assistant, which I closed without completing. I was presented with two updates for Leopard, neither of which looks critical to most of the clients I work with. One was an update for the Apple Remote Desktop utility, and the other was a login and keychain update. For that one I reviewed the Apple KB and found that it addresses an issue with long passwords on direct upgrades from 10.1, which for me is going to be a very rare case.
I still plan on recommending a clean install with user settings transfer for most Leopard “upgrades” and that’s the case I plan on testing next. But on a clean install of Tiger with very few 3rd party applications installed, the in-place upgrade worked nicely and kept my user settings as close as they can given the changes with Leopard.
More to come…