Hey, I am a college student currently employed as an infrastructure
consultant for a young small business, and I am looking for some advice
regarding Microsoft Active Directory and Single Sign On.

The problem is, over 60% of the workstations in the company are Macs
(PowerBooks running OS 10.2 or 10.3), and almost all of the
workstations are personally owned laptops or laptops that belong to
consultants that come in and out of the company periodically. And the
backbone is all Windows Server 2003. One of the lead goals of our
infrastructure change is to achieve Single Sign On, but as you can see
this is not going to be an easy task. For the Macs I was hoping to
achieve this through Open Directory; for the PCs we cannot use the
initial login as these are pre-configured laptops.

Right now I am looking at some sort of SSO client (key-ring,
authentication client, or simple password entering program) that will
work with both the PCs and Macs. I have looked at many of the
commercial options out there, such as Novell's entry, CA's option
and the like, but most of them are either out of our budget or meant
to be used with a larger environment.

Is there any Open Source/Freeware/Cheap option to help us bring SSO to
our AD setup?

Also, does anyone have experience with the NT Authentication of
Timbuktu Pro, as it currently seems to be flaky at best?
> Hey, I am a college student currently employed as an infrastructure
> consultant for a young small business, and I am looking for some advice
> regarding Microsoft Active Directory and Single Sign On.
>
> The problem is, over 60% of the workstations in the company are Macs
> (PowerBooks running OS 10.2 or 10.3), and almost all of the
> workstations are personally owned laptops or laptops that belong to
> consultants that come in and out of the company periodically. And the
> Backbone is all Windows Server 2003. One of the lead goals of our
> infrastructure change is to achieve Single Sign On but as you can see
> this is not going to be an easy task. For the Macs I was hoping to
> achieve this through Open Directory; for the PCs we cannot use the
> initial login as these are pre-configured laptops.
>
> Right now I am looking at some sort of SSO client (key-ring,
> authentication client, or simple password entering program) that will
> work with both the PCs and Macs. I have looked at many of the
> commercial options out there, such as Novell's entry, CA's option
> and the like, but most of them are either out of our budget, or meant
> to be used with a larger environment.
>
> Is there any Open Source/Freeware/Cheap option to help us bring SSO to
> our AD setup?
>
> Also, does anyone have experience with the NT Authentication of
> Timbuktu Pro, as it currently seems to be flaky at best?
Have you looked at having the Macs bind to Active Directory? While I
personally haven't tried it, I have heard from others that it works
reasonably well and can even cache the domain credentials for logons
while they are away from the office (just like a Windows box). It is
also my understanding that once you do have the Macs bind to AD, they
can take advantage of the AD Kerberos Key Distribution Center (KDC) for
automatic access to file servers in the domain (with no additional
passwords).
>>>>> "Scott" == Scott Lowe <me@privacy.net> writes:
Scott> Have you looked at having the Macs bind to Active
Scott> Directory?
I've done this. I couldn't find a documented procedure, but this
process works for me:
1. Open '/Applications/Utilities/Directory Access.app'.
2. Enable the Active Directory service.
3. Configure the Active Directory service as follows:
   Active Directory forest -- 'example.com'
   Active Directory domain -- 'example.com' or 'childdomain.example.com'
   Computer ID -- Enter the host name of the computer.
   Cache last user logon for offline operation -- Checked.
   Authenticate in multiple domains -- Depends on whether you want to
     allow cross-domain authentication.
   Prefer this domain server -- Unfortunately, until the computer
     account has time to replicate to all domain controllers in the
     domain, configure the client to only communicate with one of the
     domain controllers, e.g. 'dc1.example.com'.
   Map UID to attribute -- NOT checked. I haven't figured out how to
     make this work without extending the Active Directory schema. If
     you already use Services for Unix, you can map the UID to the
     'uid' attribute (created by SFU's NIS component).
   Allow administration by -- For example, 'EXAMPLE\Domain Admins'.
4. Click the Bind button, enter the user name and password of someone
   who has rights to create computer accounts in Active Directory, and
   change the OU to where you want the account created, e.g.
   OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=example,DC=com
   (for those of us running Windows Small Business Server 2003).
5. Change the authentication search path to 'Custom path' and add
   '/Active Directory/example.com'.
6. Restart the computer.
Scott> heard from others that it works reasonably well and can
Scott> even cache the domain credentials for logons while they are
Scott> away from the office (just like a Windows box). It is also
Scott> my understanding that once you do have the Macs bind to AD,
Scott> they can take advantage of the AD Kerberos Key Distribution
Scott> Center (KDC) for automatic access to file servers in the
Scott> domain (with no additional passwords).
This is indeed the case, although I think it only caches 1 logon (nor
does it obey the corresponding Group Policy setting). I haven't quite
figured out how to automagically map users' home directories and such,
but I'm sure that it is possible.
There is one glitch, however. If you create SMB shares on the
Macintosh, e.g. the built-in user file sharing mechanism
"\\mac\username", your domain users will be unable to authenticate.
For some reason, Samba and Directory Access aren't tied together, and
I haven't bothered to figure out which lines added to smb.conf will
fix this issue.
Best wishes,
Matthew
--
jsoffron: I'm generally pretty high on national defense...
Mr. Bad Example: Careful...it's a gateway policy. Before you know it,
you'll be mainlining the hard stuff like trade agreements.
jsoffron: Too late...I've been freebasing Nafta all day... Sweet,
sweet NAFTA.
- As seen on Slashdot
On 2005-08-16 12:32:12 -0400, "Matthew X. Economou"
<xenophon+usenet@irtnog.org> said:
>>>>>> "Scott" == Scott Lowe <me@privacy.net> writes:
>
> Scott> Have you looked at having the Macs bind to Active
> Scott> Directory?
>
> I've done this. I couldn't find a documented procedure, but this
> process works for me:
>
> <SNIP>
That's a good procedure to have. I'm pretty sure I've seen some
write-ups on this from MacEnterprise or MacWindows, but getting the
procedure from someone who's done it hands-on is always handy.
> Scott> heard from others that it works reasonably well and can
> Scott> even cache the domain credentials for logons while they are
> Scott> away from the office (just like a Windows box). It is also
> Scott> my understanding that once you do have the Macs bind to AD,
> Scott> they can take advantage of the AD Kerberos Key Distribution
> Scott> Center (KDC) for automatic access to file servers in the
> Scott> domain (with no additional passwords).
>
> This is indeed the case, although I think it only caches 1 logon (nor
> does it obey the corresponding Group Policy setting). I haven't quite
> figured out how to automagically map users' home directories and such,
> but I'm sure that it is possible.
>
> There is one glitch, however. If you create SMB shares on the
> Macintosh, e.g. the built-in user file sharing mechanism
> "\\mac\username", your domain users will be unable to authenticate.
> For some reason, Samba and Directory Access aren't tied together, and
> I haven't bothered to figure out which lines added to smb.conf will
> fix this issue.
Great feedback, Matthew. Thanks for the update on your own
experience...I may just have to try this on my own PowerBook and AD
domain. I'm not too worried about the SMB glitch you mentioned, since
my Mac would be client-only.
This is great information, but from what I can tell the steps you list
are intended for OS 10.3 or newer. Right now my testbed is 10.2 and I
cannot seem to get it to work. I also took this opportunity to install
SFU3.5 on our Active Directory server.
On my current testbed (eMac, OS 10.2.8):
I have LDAPv3 enabled, and configured for the domain server for the
AD.
The search suffix is DC=domainname,DC=com.
I have Use Authentication when connecting enabled, and the
Distinguished name is cn=TestMacUser,cn=users,DC=domainname,DC=com.
Password is the AD password for TestMacUser.
I have tried both the Default Active Directory Mappings and some
mappings for SFU3.0 I found online, but none of them seem to work.
The LDAP server is set up manually under the authentication options,
but not under contacts.
In both cases, when I try to connect to server I get a message that
"Can't connect to server, Directory services may not be install on the
remote server..."
If I try to map a share directly (Finder, Go, Connect to Server) and
try to use SMB I get an error -5000 permission denied. I have tried
TestMacUser, a domain administrator, and the default Administrator
account.
OK, I just got the SMB mounting to work. It turns out it was a problem
with the Active Directory server.
By default, Server 2k3 requires Security Signing of all SMB packets; I
needed to go into the registry and edit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
and
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
and set them both to 0. Apparently this does leave a hole for possible
attacks on the SMB information, but as all machines involved are inside
a firewalled VPN, I don't think this is too much of a risk (or is
it?).
SunWatch> This is great information, but from what I can tell the
SunWatch> steps you list are intended for OS 10.3 or newer, Right
SunWatch> now my testbed is 10.2 and I cannot seem to get it to
SunWatch> work?
[snip]
SunWatch> Any advice here?
Upgrade to Mac OS X 10.3 or newer. I realize this is a snarky answer,
but I wasn't able to get AD authentication working on 10.2. Once 10.3
came out, I was able to get everything set up with only minor problems
regarding computer account creation and replication among domain
controllers, as mentioned in my previous post.
I'm sorry I can't be more helpful.
Best wishes,
Matthew
SunWatch> By Default Server 2k3 requires Security Signing of all
SunWatch> SMB packets, I needed to go into the registry and edit
I don't think it's that risky for SOHO environments, but I thought
Samba supported digital signing. You might want to try adding "server
signing = Yes" to your smb.conf file. Make certain "use spnego = Yes"
is set, as well (it defaults to "Yes" on my Samba 3.0.14a
installation).
Best wishes,
Matthew
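SunWatch's workaround (setting EnableSecuritySignature and RequireSecuritySignature to 0 on the Server 2003 box) and Matthew's suggestion (putting "server signing" and "use spnego" into smb.conf on the Mac) are two sides of the same question: is SMB signing on, on both ends? The script below is an added example, not code from the thread or from Samba; it audits the [global] section of an smb.conf for those two parameters and writes a hardened copy that sets them explicitly, which is the client-side fix that lets the Windows side keep its signing requirement instead of relaxing it. The sample smb.conf it writes to a temp file is constructed for the demo; the parameter names and the accepted values (yes/auto/mandatory/disabled) follow the Samba 3.x smb.conf syntax that Matthew's reply refers to, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): audit smb.conf [global] for the
# two SMB-signing-related settings named in the thread and emit a hardened copy.

# Print the effective (last, lower-cased) value of a [global] parameter, or
# nothing if it is not set there. Comments (; #) and other sections are ignored.
smb_global_value() {
    awk -v p="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global {
            line = $0; sub(/[;#].*/, "", line)
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", key)
            if (tolower(key) == tolower(p)) last = tolower(val)
        }
        END { print last }' "$1"
}

# 0 if the value turns the feature on (Samba accepts several spellings).
smb_value_is_on() {
    case "$1" in
        yes|true|1|on|enabled|auto|mandatory|required|forced) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per setting; return the number of settings that are not
# explicitly enabled (0 means the file passes).
audit_smb_conf() {
    weak=0
    for p in "server signing" "use spnego"; do
        v=$(smb_global_value "$1" "$p")
        if smb_value_is_on "${v:-__unset__}"; then
            echo "OK    $p = $v"
        else
            echo "WEAK  $p = ${v:-<not set>}"
            weak=$((weak + 1))
        fi
    done
    return $weak
}

# Write a hardened copy of $1 to $2: old [global] lines for the two parameters
# are dropped and explicit enabling lines are inserted under the [global]
# header (a file without [global] gets one prepended).
harden_smb_conf() {
    awk '
        function is_target(line,   k, n) {
            sub(/[;#].*/, "", line); n = index(line, "=")
            if (n == 0) return 0
            k = tolower(substr(line, 1, n - 1))
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            return (k == "server signing" || k == "use spnego")
        }
        function emit_hardened() {
            print "   server signing = mandatory"; print "   use spnego = Yes"
        }
        { lines[NR] = $0 }
        /^[ \t]*\[/ && tolower($0) ~ /\[global\]/ { has_global = 1 }
        END {
            if (!has_global) { print "[global]"; emit_hardened() }
            for (i = 1; i <= NR; i++) {
                line = lines[i]
                if (line ~ /^[ \t]*\[/) {
                    in_global = (tolower(line) ~ /\[global\]/)
                    print line
                    if (in_global) emit_hardened()
                    continue
                }
                if (in_global && is_target(line)) continue   # drop the weak line
                print line
            }
        }' "$1" > "$2"
}

# Constructed sample: signing disabled, spnego unset, one commented-out decoy.
make_sample_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/smb.conf.XXXXXX")
    cat > "$f" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.COM
   ; server signing = mandatory   <- commented out, must not count
   server signing = disabled
[homes]
   comment = Home Directories
   browseable = no
EOF
    echo "$f"
}

# Demo on the constructed sample: audit, harden, audit again.
demo_conf=$(make_sample_conf)
echo "Before:"; audit_smb_conf "$demo_conf" || true
harden_smb_conf "$demo_conf" "$demo_conf.hardened"
echo "After:";  audit_smb_conf "$demo_conf.hardened"
```

The hardened copy uses "server signing = mandatory", the value the Samba 3 smb.conf manual lists for requiring signatures, rather than the thread's "Yes", which only offers them; with signing required on the Mac and the two Server 2003 registry values restored from 0, both ends refuse unsigned sessions, which is the property the VPN alone does not give.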