Safeguard Authentication Services for macOS allows you to authenticate to your macOS system, but before you can use any given account for authentication, you can prepare it for macOS authentication from a Windows Administrative Console through a process called Unix-enabling. However, if you do not have access or permissions to modify user account information in Active Directory, you can join and specify that you want the Safeguard Authentication Services client to locally generate Unix identity information.
To locally generate Unix identity information, select the Generate Unix Identity Attributes option when you join (or, if you are joining using the command line utility, specify the --autogen-posix-attrs flag). This allows you to use all the features of the Safeguard Authentication Services client, without requiring any modification to user information in Active Directory. If you plan to manage identity data in Active Directory globally, proceed to Unix-enable a user.
You Unix-enable a user by entering the Unix attributes on the Unix Account tab in Active Directory Users and Computers (ADUC) MMC Snapin.
To Unix-enable a user
Select the Unix-enabled check box.
Default values are generated for the user.
There are some known issues connecting to Windows shares using Finder. If you log in as a domain user, Safeguard Authentication Services obtains Kerberos credentials for your login session. Finder should use these credentials to automatically authenticate when connecting to Windows shares. Instead, Finder prompts you for your password. The two possible causes for these issues are explained in the following topics:
When connecting to SMB shares on a domain controller, settings on the default domain controller policy can force a macOS client to Digitally Sign all traffic. Since macOS clients do not support digitally signing SMB traffic, this can lead to a failure when attempting to mount an SMB share.
This issue is related to two settings in the Default Domain Controllers Policy.
Disable the Default Domain Controller policy settings to allow macOS machines to connect to SMB shares.
To disable policy settings
Note: If you are using MS Server 2008, there is an additional menu item, Policies, added between Computer Configuration and Windows Settings in the following sequence.
If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, the macOS computer is not be able to use SMB connections to mount the Windows file shares.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center