The following document outlines the steps to join a Mac running OS X 10.7 or later to Campus Active Directory.
Authorized Users Only: Only authorized users are allowed to join a machine to the campus Active Directory domain. If you are interested in using the campus Active Directory for your department or organization, please fill out a request form.
Active Directory and Kerberos tolerate at most five minutes of clock difference (plus or minus) between the Domain Controller and a client.
If the time difference exceeds five minutes, the client will not be able to authenticate or bind.
Check the client's date, time, and time zone, and use the following command to set the time zone if it is incorrect:
- sudo systemsetup -settimezone "America/Chicago"
The following commands set all three client names and then read them back so you can confirm they match:
- scutil --set ComputerName <computerid>
- scutil --set HostName <computerid>
- scutil --set LocalHostName <computerid>
- scutil --get ComputerName
- scutil --get HostName
- scutil --get LocalHostName
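The two requirements above (a clock within the five-minute tolerance and three agreeing client names) are easy to check in a pre-bind script. The following is an added example, not part of the original document and not Apple tooling; it assumes the caller supplies the domain controller's time as epoch seconds (from whatever time tooling you already use) and that `systemsetup -gettimezone` prints `Time Zone: <zone>`.

```shell
#!/bin/sh
# Added example: pre-bind checks for the 5-minute Kerberos clock tolerance and the
# three matching client names. Not from the original document.
# Assumptions: DC time is passed in as epoch seconds by the caller, and
# `systemsetup -gettimezone` prints "Time Zone: <zone>".

MAX_SKEW=300   # Active Directory and Kerberos tolerate +/- 5 minutes

# clock_skew_ok REF_EPOCH [LOCAL_EPOCH]
# Succeeds when |LOCAL - REF| <= MAX_SKEW. LOCAL_EPOCH defaults to the current time.
clock_skew_ok() {
    ref=$1
    now=${2:-$(date -u +%s)}
    skew=$((now - ref))
    if [ "$skew" -lt 0 ]; then
        skew=$((0 - skew))
    fi
    echo "clock skew: ${skew}s (limit ${MAX_SKEW}s)"
    [ "$skew" -le "$MAX_SKEW" ]
}

# tz_matches EXPECTED GETTIMEZONE_OUTPUT
# Compares the zone reported by `systemsetup -gettimezone` with the intended one.
tz_matches() {
    reported=$(printf '%s\n' "$2" | sed -n 's/^Time Zone: *//p' | head -n 1)
    [ "$reported" = "$1" ]
}

# names_consistent COMPUTERNAME HOSTNAME LOCALHOSTNAME
# The page sets all three from one <computerid>; this confirms they still agree.
# Case-insensitive, because DNS and Bonjour names are.
names_consistent() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    b=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    c=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    [ "$a" = "$b" ] && [ "$b" = "$c" ]
}

# preflight DC_EPOCH EXPECTED_TZ
# Runs the macOS commands from the page and feeds their output to the checks above.
# Example: preflight "$(date -u +%s)" America/Chicago
preflight() {
    rc=0
    clock_skew_ok "$1" || rc=1
    tz_matches "$2" "$(sudo systemsetup -gettimezone)" || { echo "time zone is not $2"; rc=1; }
    names_consistent "$(scutil --get ComputerName)" "$(scutil --get HostName)" \
                     "$(scutil --get LocalHostName)" || { echo "client names differ"; rc=1; }
    return $rc
}
```

A non-zero exit from `preflight` means the bind should not be attempted yet; the messages printed say which of the three conditions failed.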
Run the following commands; enter your local user password and then your Active Directory user password when prompted:
- dsconfigad -force -add <domain> -username <username> -computer <ComputerName> -packetencrypt ssl -packetsign require
- dsconfigad -mobile enable -mobileconfirm enable -localhome enable -useuncpath disable
- dsconfigad -groups "Domain Admins,Enterprise Admins" -alldomains enable
- dsconfigad -show (displays current AD plugin settings)
Once the bind process is complete you will have to verify that the proper search paths were configured.
Without these search paths the Mac client will not be able to locate objects in Active Directory.
In 10.7 and later the search paths should be automatically created as part of the bind process.
When the appropriate search paths have been created you can verify that the Mac client can locate Active Directory user objects using the “dscl” or “id” command.
- dscl /Search -read /Users/<AD Username>
- id <AD Username>
If the Mac client is able to search Active Directory successfully, the next step is to test authentication. Authentication can be tested with the "dscl" or "su" command. Enter the following command and the account's password when prompted:
- dscl /Search -authonly <AD Username>
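The search-path and lookup checks above can be scripted so that a missing Active Directory node or an unmapped uid is reported rather than eyeballed. This is an added example, not part of the original document: it parses the text that `dscl /Search -read /` and `dscl /Search -read /Users/<AD Username>` print. The embedded outputs are constructed samples in dscl's format, and `AD` stands in for your domain's node name.

```shell
#!/bin/sh
# Added example, not from the original document: post-bind checks that parse dscl output.
# The SAMPLE_* values are constructed; "AD" is a placeholder for the domain node name.

# ad_search_path_present DSCL_ROOT_OUTPUT
# Reads the text of `dscl /Search -read /` and succeeds when the contact search
# policy (CSPSearchPath) lists an "/Active Directory/..." node. Without that entry
# the client cannot locate AD objects even though the bind itself succeeded.
ad_search_path_present() {
    printf '%s\n' "$1" | awk '
        /^CSPSearchPath:/                   { in_csp = 1; next }
        /^[A-Za-z]/                         { in_csp = 0 }
        in_csp && /^ *\/Active Directory\// { found = 1 }
        END { exit found ? 0 : 1 }'
}

# user_record_complete DSCL_USER_OUTPUT
# Reads the text of `dscl /Search -read /Users/<AD Username>` and checks that the
# attributes a login needs were mapped from AD: record name, uid, gid, home.
user_record_complete() {
    rc=0
    for attr in RecordName UniqueID PrimaryGroupID NFSHomeDirectory; do
        if ! printf '%s\n' "$1" | grep -q "^${attr}:"; then
            echo "missing attribute: $attr"
            rc=1
        fi
    done
    return $rc
}

# verify_bind AD_USERNAME
# Runs the real commands from the page on a bound Mac and applies both checks.
verify_bind() {
    rc=0
    ad_search_path_present "$(dscl /Search -read /)" \
        || { echo "no Active Directory node in CSPSearchPath"; rc=1; }
    user_record_complete "$(dscl /Search -read "/Users/$1")" || rc=1
    id "$1" >/dev/null 2>&1 || { echo "id cannot resolve $1"; rc=1; }
    return $rc
}

# Constructed sample outputs (not captured from a real client).
SAMPLE_SEARCH_OK='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/AD/All Domains
LSPSearchPath:
 /Local/Default
 /BSD/local
SearchPolicy: dsAttrTypeStandard:CSPSearchPath'

SAMPLE_SEARCH_MISSING='CSPSearchPath:
 /Local/Default
 /BSD/local
SearchPolicy: dsAttrTypeStandard:CSPSearchPath'

SAMPLE_USER_OK='dsAttrTypeNative:sAMAccountName: jdoe
NFSHomeDirectory: /Users/jdoe
PrimaryGroupID: 1234567890
RecordName: jdoe
RecordType: dsRecTypeStandard:Users
UniqueID: 1234567891'
```

On a bound client, `verify_bind <AD Username>` exits non-zero if the search path, the user record or the `id` lookup fails, which makes it usable from a deployment tool that only sees exit codes.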
On Mac clients bound to Active Directory with the login window configured for "List of users", the "Other..." user option may not appear in the list for up to 30 seconds.
Because a user cannot log on to such a client until the "Other..." option appears, we recommend configuring the login window for "Name and password."
Note: With the login window configured for “Name and password” the client will sometimes display a red “gumball” indicator with a message that says “Network accounts are unavailable” or a yellow “gumball” indicator with a message that says “Some network accounts are not available” for up to 30 seconds.
If the login window is configured to allow Automatic login, a user may not have the opportunity to switch to their AD account.
In addition, if the login window is configured to allow Automatic login, the client stores the username and password, which is a violation of Responsible Use of University of Wisconsin - Madison Information Technology Resources.
For the reasons listed above, we show below how to check the login window configuration and confirm that "Automatic login" is disabled.
- sudo defaults read /Library/Preferences/com.apple.loginwindow SHOWFULLNAME
  - SHOWFULLNAME = 0 (FALSE) indicates "List of users"
  - SHOWFULLNAME = 1 (TRUE) indicates "Name and password"
- sudo defaults read /Library/Preferences/com.apple.loginwindow
  - autoLoginUser = " "; indicates Automatic login: Off
  - no entry for autoLoginUser indicates Automatic login: Off
  - autoLoginUser = username; indicates Automatic login: Enabled
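The interpretation table above can be turned into an audit that reads the same preference file and fails when either setting is wrong. This is an added example, not part of the original document: `loginwindow_audit` works on the text `defaults read` prints, the sample outputs are constructed, and the commands in `harden_loginwindow` are the standard `defaults write`/`defaults delete` counterparts of the read commands on the page (plus removal of /etc/kcpassword, where Automatic login keeps the stored password); the page itself only shows the read commands.

```shell
#!/bin/sh
# Added example, not from the original document: audits the two loginwindow
# settings the page describes and shows the corresponding remediation.
# SAMPLE_* values are constructed in the format `defaults read` prints.

# loginwindow_audit DEFAULTS_READ_OUTPUT
# Succeeds only when SHOWFULLNAME is 1 (Name and password) and no autoLoginUser is set.
loginwindow_audit() {
    prefs=$1
    showfull=$(printf '%s\n' "$prefs" | sed -n 's/^ *SHOWFULLNAME *= *\([^;]*\);.*/\1/p' | head -n 1)
    autouser=$(printf '%s\n' "$prefs" | sed -n 's/^ *autoLoginUser *= *\([^;]*\);.*/\1/p' | head -n 1)
    # "" and " " both mean Automatic login is off, so drop quotes and blanks before testing
    autouser=$(printf '%s' "$autouser" | tr -d '" ')
    rc=0
    case "$showfull" in
        1|true)  echo "login window: Name and password" ;;
        0|false) echo "login window: List of users (set SHOWFULLNAME to 1)"; rc=1 ;;
        *)       echo "login window: SHOWFULLNAME not set; set it to 1 explicitly"; rc=1 ;;
    esac
    if [ -n "$autouser" ]; then
        echo "automatic login: enabled for $autouser (disable it)"
        rc=1
    else
        echo "automatic login: off"
    fi
    return $rc
}

# audit_live -- runs the audit against the real preference file on this Mac
audit_live() {
    loginwindow_audit "$(sudo defaults read /Library/Preferences/com.apple.loginwindow)"
}

# harden_loginwindow -- applies the recommended settings (not shown on the page;
# these are the write/delete counterparts of its read commands)
harden_loginwindow() {
    sudo defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
    sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null || true
    sudo rm -f /etc/kcpassword   # Automatic login stores the obfuscated password here
}

# Constructed samples of `defaults read` output.
SAMPLE_GOOD='{
    SHOWFULLNAME = 1;
    autoLoginUser = "";
}'
SAMPLE_LIST_OF_USERS='{
    SHOWFULLNAME = 0;
}'
SAMPLE_AUTOLOGIN='{
    SHOWFULLNAME = 1;
    autoLoginUser = jdoe;
}'
```

Run `audit_live` after the bind and again after any login window change; a non-zero exit means the client is still in "List of users" mode or still has an automatic login account set.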