Authentication Services directory utility
You use the Directory Utility application to configure the Directory Service Plugins that provide identity information for authenticating to the machine. When installed, Authentication Services is one of the plugins.
The Authentication Services Directory Utility provides a GUI utility for joining and leaving Active Directory domains, and controlling the local Authentication Services configuration.
Use the QAS Join app, which is located at:
/Applications/QAS Join
Authentication Services security server plugin
The system Security Server controls all authorization on the Mac OS X system.
To correctly initialize Authentication Services user login sessions, a VASMechanism Security Server plugin is installed and configured in the /etc/authorization file by the Authentication Services join process. This plugin is installed under /System/Library/ CoreServices/SecurityAgentPlugins/VASMechanism.bundle. The Authentication Services mechanism initializes a Kerberos ticket cache for each Authentication Services user's login session with the Kerberos tickets obtained during DirectoryService authentication. Note that these ticket caches are fully compatible with the system Kerberos.app utility and the system MIT Kerberos command line utilities, so that the rest of the Mac OS X system components can reuse the Kerberos functionality.
Configuring the Authentication Services client
Launch the directory utility application
Configure the Authentication Services node
Adding, checking, and verifying Authentication Services licenses
Add, check, and verify licenses
Joining the Active Directory domain
Unjoin an Active Directory domain
Using Terminal.app to join and unjoin
System changes made by the join process
Verify the installation and configuration
Logging in with Active Directory accounts
Troubleshooting connections to Windows SMB shares
Connecting to SMB shares on domain controllers
The DNS domain name differs from the Kerberos realm
Automatically mount network home folders
Configure automatic home folder mounting at join time
Mount the Windows home folder or profile path
Mount an alternate share at login
Configure automatic home folder mounting using Group Policy
Before you can log in with Active Directory users and manage agent settings for users and computers, you must first join your Mac OS X/macOS machine to an Active Directory domain.
|
|
NOTE: For earlier versions of Mac OS X (prior to 10.10), use the Directory Utility application as explained in this chapter. For later versions of Mac OS X/macOS (10.10 and later), use the QAS Join application, which is located in the Applications folder. |
The following section guides you through the steps necessary to launch the Directory Utility application to configure your system for comprehensive Active Directory integration. When using the QAS Join application, you will notice that the screens are a bit different, but the procedure is similar to what is documented here.
Launch the directory utility application
To launch the Mac OS X Directory Utility Application
- Open System Preferences and select the Users & Groups preferences.
- Select Login Options on the bottom left side of the view.
- Select the Network Account Server Join... button on the bottom right side.
- Click the Open Directory Utility button.
|
|
Caution: Do not enter the name of your domain and click OK from this dialog. If you do, you will join using the native Apple Active Directory plugin which has no support for Active Directory group policies. You must open the Directory Utility application to join the domain using Authentication Services. |
