The Authentication Services command line utilities provide the same functionality that is available through the Authentication Services Directory Utility Plugin.
There are two ways to join your Mac OS X system to an Active Directory domain:
Run the vasjoin.sh script.
$ sudo /opt/quest/libexec/vas/scripts/vasjoin.sh
This script prompts you for information needed to perform the join operation without requiring you to know the syntax of the vastool join command.
-OR-
Run the vastool join command.
$ sudo /opt/quest/bin/vastool -u Administrator join -f example.com
To leave an Active Directory Domain from a Terminal session, use the vastool unjoin command.
Note: See the vastool man page located in the docs directory of the installation media for more information about the vastool join or vastool unjoin commands.
When joining an Active Directory Domain, Authentication Services automatically modifies the following system configurations:
Once you have successfully completed the Authentication Services join process, you are immediately able to log in to the Mac OS X system both through the Mac OS X Login Window and remotely through SSH.
When leaving a domain, the Authentication Services unjoin process reverts the above changes that were made by the Authentication Services join process. Uninstalling Authentication Services also reverts the above changes automatically.
Note: You can re-join on top of existing computer accounts created with the Mac OS X Active Directory Plugin by default using the Authentication Services Active Directory plugin, but we recommend disabling the Mac OS X Active Directory plugin so that the domain will not appear in the Directory Servers window as not responding.
It is important to verify that your system is configured correctly to use the Active Directory account information provided by Authentication Services.
To verify the Authentication Services installation and configuration
Run the following shell commands.
To show a list of the available Unix-enabled Active Directory users, enter
dscl /VAS list /Users
To show a list of the available Unix-enabled Active Directory groups, enter
dscl /VAS list /Groups
To ensure that the system can read user information for Authentication Services users, enter
dscl /Search read /Users/<Username>
where <Username> is the username of an Authentication Services user.
To perform an authentication for an Authentication Services user, enter
dscl /Search auth <Username>
where <Username> is the username of an Authentication Services user.
If any of the previous commands do not work, capture debug information from the Authentication Services Directory Service plugin.
[vas_macos]
dslog-mode = /Library/Logs/vasds.log
dslog-components = plugin,auth
$ sudo /opt/quest/libexec/vas/macos/vasdsreload
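The non-interactive dscl checks above can be scripted so that a failed join or a user without Unix identity data is reported per step. The script below is an added example, not part of the Authentication Services product; the function names, the DSCL override variable and the sample record are constructed for illustration, and it assumes dscl prints records as "Attribute: value" lines using the standard Mac OS X attribute names.

```shell
#!/bin/sh
# Added example, not vendor code. DSCL is overridable so the logic can be
# exercised without a joined Mac (assumption: dscl prints "Attr: value" lines).
DSCL="${DSCL:-dscl}"

# Read a "dscl ... read /Users/<name>" record on stdin and print the Unix
# identity attributes it lacks (space-separated, empty when complete).
missing_unix_attrs() {
    record=$(cat)
    missing=""
    for attr in RecordName UniqueID PrimaryGroupID NFSHomeDirectory UserShell; do
        printf '%s\n' "$record" | grep -q "^${attr}:" || missing="$missing $attr"
    done
    printf '%s' "${missing# }"
}

# Run the non-interactive checks for one user; the return status is the
# number of failed checks. "dscl /Search auth" prompts for a password and
# is left as a manual step.
vas_verify() {
    user=$1
    failures=0
    if ! "$DSCL" /VAS list /Users 2>/dev/null | grep -qxF -- "$user"; then
        echo "FAIL: $user is not listed under /VAS (not Unix-enabled?)"
        failures=$((failures + 1))
    fi
    if record=$("$DSCL" /Search read "/Users/$user" 2>/dev/null); then
        gaps=$(printf '%s\n' "$record" | missing_unix_attrs)
        if [ -n "$gaps" ]; then
            echo "FAIL: record for $user lacks: $gaps"
            failures=$((failures + 1))
        fi
    else
        echo "FAIL: /Search cannot read /Users/$user"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: $user resolves with a full Unix identity"
    return "$failures"
}

# With a username, check the live system; with no argument, show the
# attribute check on a constructed record lacking a home directory and shell.
if [ -n "${1:-}" ]; then
    vas_verify "$1"
else
    printf 'RecordName: jdoe\nUniqueID: 10001\nPrimaryGroupID: 10000\n' |
        missing_unix_attrs
    echo
fi
```

A non-zero exit status is the point at which to enable the dslog settings shown above and reload the plugin.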
Authentication Services for Mac OS X allows you to authenticate to your Mac OS X system, but before you can use any given account for authentication, you can prepare it for Mac OS X authentication from a Windows Administrative Console through a process called Unix-enabling. However, if you do not have access or permissions to modify user account information in Active Directory, you can join and specify that you want the Authentication Services client to locally generate Unix identity information.
To locally generate Unix identity information, select the Generate Unix Identity Attributes option when you join (or, if you are joining using the command line utility, specify the --autogen-posix-attrs flag). This allows you to use all the features of the Authentication Services client, without requiring any modification to user information in Active Directory. If you plan to manage identity data in Active Directory globally, proceed to the Unix-enable a User section.
© 2021 One Identity LLC. ALL RIGHTS RESERVED.