Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac OS X Certificate Autoenrollment

Unix-enable a user

You Unix-enable a user by entering the Unix attributes on the Unix Account tab in Active Directory Users and Computers (ADUC) MMC Snapin.

To Unix-enable a user

  1. Logon to a Windows Administrative workstation.
  2. Start ADUC.
  3. Locate the user object that you would like to Unix-enable.
  4. Right-click on the user and select Properties.
  5. Select the Unix Account tab.

  6. Select the Unix-enabled check box.

    Default values are generated for the user.

  7. Adjust values as necessary and click OK.

Troubleshooting connections to Windows SMB shares

There are some known issues connecting to Windows shares using Finder. If you log in as a domain user, Authentication Services obtains Kerberos credentials for your login session. Finder should use these credentials to automatically authenticate when connecting to Windows shares. Instead, Finder promptd you for your password. The two possible causes for these issues are explained in the following topics:

Connecting to SMB shares on domain controllers

When connecting to SMB shares on a domain controller, settings on the default domain controller policy can force a Mac OS X client to Digitally Sign all traffic. Since Mac OS X clients do not support digitally signing SMB traffic, this can lead to a failure when attempting to mount an SMB share.

This issue is related to two settings in the Default Domain Controllers Policy.

To disable the policies and allow Mac OS X machines to connect to SMB shares

  1. Open Active Directory Users and Computers, select the domain, right-click, and select Properties.
  2. Click the Group Policy tab.

    Note: If you are using MS Server 2008, there is an additional menu item, Policies, added between Computer Configuration and Windows Settings in the following sequence.

    1. If the default Domain Controllers Policy is linked to this domain, navigate to Edit | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options, then double-click and disable the following two policies:
      • Microsoft network server: Digitally sign communications (always)
      • Microsoft network server: Digitally sign communications (if client agrees)
    2. If the Default Domain Policy is linked to this domain, navigate to Edit | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options, then double-click and disable the following two policies:
      • Microsoft network server: Digitally sign communications (always)
      • Microsoft network server: Digitally sign communications (if client agrees)

      If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, the Mac OS X computer is not be able to use SMB connections to mount the Windows file shares.

  3. If you change these policies on the domain controller, run the gpupdate command to refresh the group policies before logging on to Mac OS X computers.

The DNS domain name differs from the Kerberos realm

Problem:

A network trace reveals if a Kerberos TGS request for the CIFS service ticket was sent to a domain controller. If a MAC never attempts to get a CIFS service ticket for SSO, it is usually a problem where the machine is not able to connect the host name you are contacting with a Kerberos realm. When this happens Finder, or any other mounting application, assumes that the host is not a part of any Kerberos domain for which you have credentials and prompts you for a user name and password.

This can easily happen if your DNS domain name is not the same as your Kerberos realm (often referred to as a disjoint DNS name space). It might also happen if you were trying to connect to the server using a short-name or some other alias.

Workaround:

Add a domain to realm mapping for your DNS domain, short-name, or alias under the "[domain_realm]" section of the /Library/Preferences/edu.mit.kerberos file.

Authentication Services automatically adds a mapping similar to the following at join time:

[domain_realm]
.example.com = EXAMPLE.COM

This maps any DNS names ending in .example.com to the KRB5 realm EXAMPLE.COM. You must always specify the destination domain realm in upper case. And, when attempting to connect to the share, you must specify the source exactly as the DNS name is specified.

If you are connecting to a share using an alias that does not have a domain suffix, you can explicitly map that name to a KRB5 realm using a domain realm:

[domain_realm]
shortname = EXAMPLE.COM
Related Documents