Re: [ActiveDir] Mac clients passwords
Hi Mark,

If all you want is to provide your Mac users with adequate advance warning of password expiry (e.g., by e-mail or by launching a web browser to a suitable URL at an appropriate time, from an OS X login shell script), and help them to change passwords on AD and elsewhere from a web browser, then you might look at our P-Synch product (http://psynch.com/).

Cheers,
-- Idan

On Thu, 6 May 2004, Creamer, Mark wrote:

> I have zero experience with Macs, but we now have a few in our design dept. Our domain is Windows 2000, and the Macs are using only TCP/IP to participate on the network, no AppleTalk. The users say they don't get notified when their AD password expires, and then when it does expire, they have to go find a Windows PC to change it. Is there software I can install on the AD and/or client side to alleviate this problem? Also, is it accurate that passwords are transmitted in clear text from a Mac client to a Windows resource?
>
> Thanks!
>
> Mark Creamer
> Systems Engineer
> Cintas Corporation
> Honesty and Integrity in Everything We Do

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
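An added example, not part of Idan's post and not P-Synch code: the expiry arithmetic an OS X login shell script of the kind he describes would need. It takes the user's pwdLastSet and the domain's maxPwdAge (both AD attributes in Windows FILETIME ticks, assumed already fetched with ldapsearch) and decides whether to warn; the attribute values and the portal URL below are constructed placeholders.

```shell
#!/bin/sh
# Added example: password-expiry warning logic for an OS X login shell script.
# pwdLastSet (per user) and maxPwdAge (per domain) are AD attributes stored as
# Windows FILETIME values: 100-nanosecond ticks since 1601-01-01 UTC. A real
# script would fetch them with ldapsearch; the values used below are constructed.

EPOCH_DIFF_SECS=11644473600   # seconds from 1601-01-01 to 1970-01-01 (Unix epoch)

# filetime_to_unix TICKS -> Unix epoch seconds (integer division drops the sub-second part)
filetime_to_unix() {
    echo $(( $1 / 10000000 - EPOCH_DIFF_SECS ))
}

# days_until_expiry PWDLASTSET MAXPWDAGE NOW_UNIX -> whole days left (negative = already expired)
# AD stores maxPwdAge as a negative interval, so take its absolute value first.
days_until_expiry() {
    pwd_set=$(filetime_to_unix "$1")
    max_age=$2
    [ "$max_age" -lt 0 ] && max_age=$(( -max_age ))
    expires=$(( pwd_set + max_age / 10000000 ))
    echo $(( (expires - $3) / 86400 ))
}

# should_warn DAYS THRESHOLD -> exit status 0 when the user should be warned
should_warn() {
    [ "$1" -le "$2" ]
}

# Demo with constructed values: password set 2004-04-10 00:00 UTC, 42-day maximum
# password age, "now" fixed at 2004-05-06 12:00 UTC (a live script would use $(date +%s)).
PWD_LAST_SET=127260288000000000
MAX_PWD_AGE=-36288000000000
NOW=1083844800
WARN_DAYS=15

days=$(days_until_expiry "$PWD_LAST_SET" "$MAX_PWD_AGE" "$NOW")   # 15 days remaining
if should_warn "$days" "$WARN_DAYS"; then
    # On OS X the login script could instead run: open "https://password-portal.example/"
    # (placeholder URL for the self-service page the user should be sent to)
    echo "Your AD password expires in $days day(s); please change it soon."
fi
```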
Re: [ActiveDir] Mac clients passwords
Ian is correct about the AD Plugin; it isn't flaw free, but if you are simply trying to provide Single Sign On access to file servers with a Windows UID and password you have the alternative of using OS X's Kerberos support, which is quite good. AdmitMac is a comparatively expensive solution that I found to be just as buggy as the Apple implementation. So first we'll try the AD Plugin. If it doesn't work, there are some other things that we may be able to do.

So, the first thing that you will want to do is upgrade the machine to 10.3.3. This can be done via Software Update in the System Preferences (by default you can access System Preferences from the Dock).

Next, provide time synchronization services to the Mac OS client from the DC. This is so your Kerberos bind to add a machine account to the network won't fail due to timestamp problems. Click the clock in the upper left corner of the toolbar and click Open Date & Time... On the Date & Time screen, put a check in the box for "Set Date & Time automatically", then enter the fully qualified name of a DC in the box for a time server. Close the Date & Time box.

Open the Finder, browse to /Applications/Utilities and open Directory Access. If the lock in the lower left corner is in the locked position, click on it and enter the appropriate credentials. Click Active Directory and click Configure; you should then be able to enter your forest name in the Active Directory Forest box, enter your AD domain in the Active Directory Domain box, and finally the name of the computer account you want to use in the Computer ID box. Click the Hide Advanced Options box and, unless you will absolutely need to authenticate users from multiple domains, clear the checkbox. If the machine is a laptop, you can also choose to allow AD groups administrative rights to the Mac. By default this is set to Domain and Enterprise Admins. When finished with all your options click the Bind button.

You will be prompted for an account with permissions to add computers to the domain. The default LDAP computer account location is in the CN=Computers area off the root default domain NC. You can change this by adding a fully distinguished path to the Container or OU of your choice. The machine will go through 5 steps and hopefully bind successfully.

Next, go back to the Directory Access application and click the Authentication tab at the top. Under Search click Custom Path and click Add. A box will pop up and display the Active Directory connector you just added; click Add, click Apply. If you have successfully bound and added the AD connector to your authentication path, then you can log off and attempt to log in using the sAMAccountName of the user.

Troubleshooting

If you have any issues, enable Remote Login in the Sharing section of System Preferences and use another machine to SSH into the Mac. If you are using a Windows box to SSH there is a free application called PuTTY that you can use; just Google for it. After SSHing into the box with an admin user account, enter the command:

    sudo killall -USR1 DirectoryService

This command puts the lookupd daemon in debug logging mode. Then type:

    tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug

This tells your shell to read the tail end of the log file and print any new entries to STDOUT. Now attempt to log in to the machine, and your SSH machine will capture what is going on with the AD Plugin. Paste the results of the tail command back here and we'll work from that point.

Good Luck,
Brent

On May 7, 2004, at 1:42 PM, Creamer, Mark wrote:

> Hi Brent, they're all 10.3.2. Thanks for your help on this
>
> mc
>
> -----Original Message-----
> From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 07, 2004 12:58 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] Mac clients passwords
>
> Which version of OS X? 10.3 or above has an Active Directory client built in that can typically be configured to work with AD; if not, there are options for using Kerberos for single sign on. Post back the specific version, and I can help you get it going whether it be 10.3 or back.
>
> Brent.
RE: [ActiveDir] Mac clients passwords
They are OSX

mc

-----Original Message-----
From: Bruce Clingaman [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 06, 2004 5:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mac clients passwords

Are the Mac clients OSX or 9 or earlier?
Re: [ActiveDir] Mac clients passwords
Which version of OS X? 10.3 or above has an Active Directory client built in that can typically be configured to work with AD; if not, there are options for using Kerberos for single sign on. Post back the specific version, and I can help you get it going whether it be 10.3 or back.

Brent.

p.s. to get the specific version of OS X:
1. log in
2. click the Apple button in the upper left hand corner
3. click About This Mac

On May 7, 2004, at 9:07 AM, Creamer, Mark wrote:

> They are OSX
>
> mc
>
> -----Original Message-----
> From: Bruce Clingaman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 06, 2004 5:39 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Mac clients passwords
>
> Are the Mac clients OSX or 9 or earlier?
RE: [ActiveDir] Mac clients passwords
Hi Brent, they're all 10.3.2. Thanks for your help on this

mc

-----Original Message-----
From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Mac clients passwords

Which version of OS X? 10.3 or above has an Active Directory client built in that can typically be configured to work with AD; if not, there are options for using Kerberos for single sign on. Post back the specific version, and I can help you get it going whether it be 10.3 or back.

Brent.

p.s. to get the specific version of OS X:
1. log in
2. click the Apple button in the upper left hand corner
3. click About This Mac
RE: [ActiveDir] Mac clients passwords
When you install Services for Macintosh and create a Macintosh-accessible volume, two files are automatically created. One is a Mac-readable text file that tells you how to install the other file, which is a Microsoft-compatible logon module. This add-on supports LanMan-style encrypted logons (14 char max). Otherwise, Macs do cleartext logons.

The above is true for Mac OS versions prior to OS X.

Also see: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328417
RE: [ActiveDir] Mac clients passwords
I believe you need to log on to your W2K server from your Mac stations and access the Microsoft UAM share. Install the software from there onto your Mac; that will enable encrypted authentication. Using the standard Apple UAM, the passwords are passed in the clear. Not sure about the notifications about expiring passwords.

Kevin
RE: [ActiveDir] Mac clients passwords
Are the Mac clients OSX or 9 or earlier?