OSX Automount schema from Active Directory
posted by Michal Mocnak on Nov. 30, 2017, 10:14 a.m.

Hi,
in our company, we are thinking about switching to Windows Server 2016
and Active Directory. Right now we run LDAP/Open Directory on an old
Mac mini with OS X Server Lion, which does not seem like a sustainable
scenario for the future. Client workstations are Windows, OS X and
Linux machines. The server acts as a directory service for domain
authentication, logins, as the local DNS server and most importantly
provides mountpoint information for workstations to automatically
connect to our company's storage (which is a Dell Isilon cluster).
And that is where we have run into problems integrating Active
Directory with OS X. Joining the domain, logging in etc. works out of
the box, but so far we haven't come up with a way of providing OS X with
mount information through AD. In the current setup with LDAP, OS X
retrieves the mounts and handles them with autofs, and we expect
there must be a way of providing this through AD in a similar fashion.
Documentation on this topic both by Apple and Microsoft is very
sparse. I have followed instructions on extending the AD schema (e.g.
"Modifying the Active Directory Schema to Support Mac Systems"
http://markmail.org/download.xqy?id=f63mqp53otkqmgwi&number=1) but
to no avail. All of these tutorials seem somewhat outdated as they
were written at times when extending the AD schema was apparently
necessary even for OS X clients to bind with AD – I have not found any
newer information on whether this approach is still supported in
today's OS X (currently we run OS X Sierra on our workstations).
So my question stands: how must I extend the AD schema in order to
provide OS X clients with mount information? Where does OS X's
directory service look for mounts in the AD tree?
Just to be clear, we are not worried about mounting home directories
(that should probably work but we don't need that at all).


Thread Tags:
  windows automount server osx 

Response from Andrew Casper @ Dec. 1, 2017, 10:48 a.m.

I tried doing this last year and could not get it to work on modern Mac OS versions.

Adding the AD schema was a little nerve-wracking (and Microsoft purists will warn you not to do it), but it does work eventually. Setting up all the mounts in an OU wasn't that difficult, but the structure is slightly different than Open Directory's so you might want to enter them by hand (importing an LDIF is nice, but AD is very picky about syntax). If you're working with Linux automount clients, you just need to redirect the LDAP URL in the autofs config file and change the schema mapping. And you might have to configure the autofs_ldap_auth file (AD wants to only permit authenticated and SSL encrypted LDAP queries).

Things broke at the Mac OS client. First, Apple’s AD implementation doesn’t know about the automount schema you’ve added and you can't map those LDAP attributes on an AD bound Mac client any more. Remapping attributes was a helpful tweak when working with various OpenLDAP implementations, but Apple disallowed them for AD when they made Mac OS more AD compliant. Second, Apple's automount daemon doesn't seem to let you point it manually at an LDAP server for lookups (Linux lets you point the autofs to an LDAP URL independent from machine authentication).

Our solution was to return the Macs to local automount map files. It's annoying, but they work. You can probably cobble together a script that would update them from a central server. We've opted to move the Macs away from NFS going forward and eventually those files will become a thing of the past.


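The reply above says that for Linux autofs clients you redirect the LDAP URL, change the schema mapping, and configure the autofs_ldap_auth file because AD only permits authenticated, SSL-encrypted queries. The following is an added example, not code from the thread or from the autofs project: it writes a constructed weak autofs_ldap_auth.conf beside a hardened one, plus the matching [autofs] section of autofs.conf, and audits the auth file for the settings that matter (TLS required, authenticated bind, no password on disk). Attribute and key names follow autofs_ldap_auth.conf(5) and autofs.conf(5); the domain controller, service account, Kerberos principal, credential-cache path and temp paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the autofs project.
# Audits an autofs_ldap_auth.conf for the settings AD effectively forces
# (TLS required, authenticated bind) and flags a bind password kept on disk.
# Attribute names follow autofs_ldap_auth.conf(5); hostnames, realm,
# principal and file paths below are constructed placeholders.
set -eu

DEMO=$(mktemp -d /tmp/autofs-audit.XXXXXX)
trap 'rm -rf "$DEMO"' EXIT
WEAK_CONF="$DEMO/autofs_ldap_auth.weak.conf"
HARDENED_CONF="$DEMO/autofs_ldap_auth.hardened.conf"

# Weak: STARTTLS off, so the simple bind (and its password) crosses the wire
# in cleartext, and the password itself sits in a file on every client.
cat > "$WEAK_CONF" <<'EOF'
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="no"
        tlsrequired="no"
        authrequired="yes"
        authtype="LOGIN"
        user="svc_autofs"
        secret="CHANGEME-cleartext-password"
/>
EOF

# Hardened: STARTTLS mandatory, GSSAPI bind with the machine's host keytab,
# no password in the file (clientprinc/credentialcache per the man page).
cat > "$HARDENED_CONF" <<'EOF'
<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
        usetls="yes"
        tlsrequired="yes"
        authrequired="yes"
        authtype="GSSAPI"
        clientprinc="host/client01.example.com@EXAMPLE.COM"
        credentialcache="/var/run/autofs.krb5cc"
/>
EOF

# Matching [autofs] section of autofs.conf (constructed): this is the
# "redirect the LDAP URL and change the schema mapping" step from the reply.
# The audit below assumes STARTTLS on an ldap:// URI; with ldaps:// you would
# check the URI scheme instead of usetls.
cat > "$DEMO/autofs.conf" <<'EOF'
[ autofs ]
ldap_uri = ldap://dc1.example.com
search_base = ou=automount,dc=example,dc=com
map_object_class = automountMap
entry_object_class = automount
map_attribute = automountMapName
entry_attribute = automountKey
value_attribute = automountInformation
EOF

# ldap_auth_attr FILE NAME: print the value of NAME="..." (empty if absent)
ldap_auth_attr() {
    sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# audit_autofs_ldap_auth FILE: returns 0 if the file meets the policy,
# 1 otherwise, with one finding per weak setting on stderr.
audit_autofs_ldap_auth() {
    f=$1; issues=0
    [ "$(ldap_auth_attr "$f" usetls)" = "yes" ] ||
        { echo "$f: usetls is not yes; binds and map lookups go in cleartext" >&2; issues=1; }
    [ "$(ldap_auth_attr "$f" tlsrequired)" = "yes" ] ||
        { echo "$f: tlsrequired is not yes; client may fall back to cleartext if STARTTLS fails" >&2; issues=1; }
    [ "$(ldap_auth_attr "$f" authrequired)" = "yes" ] ||
        { echo "$f: authrequired is not yes; anonymous lookups would be attempted" >&2; issues=1; }
    case "$(ldap_auth_attr "$f" authtype)" in
        GSSAPI|EXTERNAL) ;;
        *) echo "$f: authtype is password based; prefer GSSAPI with the host keytab" >&2; issues=1 ;;
    esac
    [ -z "$(ldap_auth_attr "$f" secret)" ] ||
        { echo "$f: secret= keeps a bind password on disk" >&2; issues=1; }
    return $issues
}

for c in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_autofs_ldap_auth "$c"; then echo "PASS $c"; else echo "FAIL $c"; fi
done
```

Run it as-is to see the weak file fail and the hardened one pass; to audit a real client, call audit_autofs_ldap_auth /etc/autofs_ldap_auth.conf. The hardened variant needs the client joined to the domain with a host keytab, which is the same prerequisite the GSSAPI bind to AD has anyway.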
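The reply also settles on local automount map files on the Macs, updated by "a script that would update them from a central server". Below is an added example of such an updater, not code from the thread: it fetches an auto_nfs map over HTTPS only, refuses any line outside a strict "key [-options] host:/path" grammar whose host is not on an allow-list (so a tampered or mistyped map cannot mount arbitrary filesystems or smuggle options), installs it as root and has autofs reread. The server hostnames, the map URL and the sample map contents are constructed; validate_map and install_map are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: a client-side updater for the
# local automount map the reply falls back to. Fetches /etc/auto_nfs from a
# central HTTPS server, validates it against a strict grammar and host
# allow-list, installs it and tells autofs to reread. Server names, the URL
# and the sample maps are constructed placeholders.
set -euf   # -f: no globbing when map lines are word-split below

ALLOWED_HOSTS="isilon.example.com isilon-smartconnect.example.com"  # constructed
MAP_URL="https://admin.example.com/autofs/auto_nfs"                 # hypothetical
MAP_FILE="/etc/auto_nfs"

# validate_map FILE: 0 if every non-comment line is "key [-opts] host:/path"
# using a plain character set, NFS only and an allow-listed host; else 1.
validate_map() {
    f=$1; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ $# -gt 0 ] || continue
        case "$1" in '#'*) continue ;; esac
        for w in "$@"; do
            case "$w" in *[!A-Za-z0-9_./:=,-]*)
                echo "rejected (unexpected characters): $line" >&2; bad=1; continue 2 ;;
            esac
        done
        shift                                   # drop the mount key
        opts=
        case "${1:-}" in -*) opts=$1; shift ;; esac
        if [ $# -ne 1 ]; then
            echo "rejected (malformed): $line" >&2; bad=1; continue
        fi
        case "$opts" in
            *fstype=nfs|*fstype=nfs,*) ;;       # explicit NFS is fine
            *fstype=*) echo "rejected (non-NFS fstype): $line" >&2; bad=1; continue ;;
        esac
        loc=$1
        case "$loc" in *:/*) ;; *)
            echo "rejected (need host:/absolute/path): $line" >&2; bad=1; continue ;;
        esac
        host=${loc%%:*}
        allowed=0
        for h in $ALLOWED_HOSTS; do
            if [ "$h" = "$host" ]; then allowed=1; fi
        done
        if [ "$allowed" -ne 1 ]; then
            echo "rejected (host not on allow-list): $line" >&2; bad=1
        fi
    done < "$f"
    return $bad
}

# install_map: fetch, validate, replace the live map, reread (run as root).
install_map() {
    tmp=$(mktemp /tmp/auto_nfs.XXXXXX)
    # HTTPS only, no protocol downgrade; integrity rests on the server cert
    curl -fsS --proto '=https' --tlsv1.2 -o "$tmp" "$MAP_URL"
    if ! validate_map "$tmp"; then
        rm -f "$tmp"; echo "map rejected; keeping current $MAP_FILE" >&2; return 1
    fi
    install -m 0644 -o root -g wheel "$tmp" "$MAP_FILE"
    rm -f "$tmp"
    automount -vc            # macOS: flush the cache and reread the maps
}

# Offline demo on constructed maps (the network path is install_map above).
GOOD_MAP=$(mktemp /tmp/auto_nfs.good.XXXXXX)
BAD_MAP=$(mktemp /tmp/auto_nfs.bad.XXXXXX)
trap 'rm -f "$GOOD_MAP" "$BAD_MAP"' EXIT
cat > "$GOOD_MAP" <<'EOF'
# constructed sample map
projects  -fstype=nfs,nosuid,nodev,resvport,vers=3  isilon.example.com:/ifs/projects
renders   -nosuid,nodev  isilon-smartconnect.example.com:/ifs/renders
EOF
cat > "$BAD_MAP" <<'EOF'
projects  -fstype=nfs  isilon.example.com:/ifs/projects
backup    -fstype=smbfs  unknown-host.example.net:/export
scratch   -rw  isilon.example.com:/ifs/scratch|
EOF
for m in "$GOOD_MAP" "$BAD_MAP"; do
    if validate_map "$m"; then echo "accepted $m"; else echo "rejected $m"; fi
done
```

The script only defines install_map; call it from a root launchd job or cron entry once /etc/auto_master has a line pointing a mount point at auto_nfs. Keeping the allow-list and the NFS-only rule on the client means a compromised or misconfigured central server can at worst withhold an update, not redirect mounts.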

Response from William Sandler @ Nov. 30, 2017, 10:35 a.m.
Are you already using any sort of OSX Server to manage your OSX clients currently? You could simply add Profile Manager to an OSX Server, bind the mac clients to said server, and then apply the network drives as login items to selected AD groups. It will then automatically use the user's AD credentials for said connections. You might need to run this command on your clients as well.

sudo defaults write /Library/Preferences/com.apple.NetworkAuthorization AllowUnknownServers -bool YES

Good information on all things like this over at the Mac Admins Slack. https://macadmins.herokuapp.com



William Sandler
All Things Media, LLC
william.sandler@allthingsmedia.com