Talk:Macintosh on a Windows Active Directory Domain

Return to "Macintosh on a Windows Active Directory Domain" page.

wtf

Occasionaly we will have a customer that uses a Mac based PC and needs to access the Active Directory (aka AD) to use shared drives, get company email, etc. In that case we need to tell the Mac that it is going to connect to an AD and give it the settings it will need. This document will walk you through the setup of that process.Because the AD plugin uses DNS to locate AD resources on the network, there is very little configuration necessary for the AD plugin. Use the settings provided by going to a Windows machine on the AD, clicking start, run, cmd.exe. When the command prompt comes up type in(without the quotes) "ipconfig /all", this will give you most of the information you need. Now on to the actual procedure.

  1. Launch the Directory Access application, enter the Administrator credentials (if you don't know or don't have an Administrator account, just try your/client's user account), and click on the Active Directory plugin checkbox. Now you can click on the “Configure...” button.

File:DirectoryAccessScreenshot.png

  1. Provide the directory domain and a computer ID, then click on the “Bind” button and provide your AD credentials (or bind credentials provided to you by your AD administrator). Consider the Computer OU carefully. The default Computer OU may not exist, may not be appropriate, or may not be accessible with your account privileges. The bind will fail if your account does not have write access to the Computer OU, so ask your AD administrator what the appropriate Computer OU is for your computer. Also, the computer ID should not be longer than 19 characters. In general, it is best practice to use the first part of the DNS hostname.
  2. Click on the “Show Advanced Options” button. Consider the options in the User Experience tab:
    1. “Create mobile account”: causes the client to cache the account credentials of the last user to use the machine. This can be handy if your users take their machines home.
    2. “Force local home”: This should be checked if your AD does not specify the location of user home directories, or if you do not want users to have network-based home directories.
    3. “Use UNC path from Active Directory to derive home location“: If your AD user accounts indicate the path to a home directory, this option allows the AD plugin to convert the value to a URL that can be used to mount the sharepoint upon login. If you do not specify the correct network protocol, an error will occur when users try to login.
  3. Consider the options in the Administrative tab:
    1. “Prefer this domain server”: If you have a preferred domain server, indicate it here. If the server becomes unavailable, the AD plug-in automatically falls back to another nearby server in the forest. By default, the AD plug-in automatically determines the closest AD domain in the forest.
    2. “Allow administration by”: This allows you to specify AD groups whose members should have administrative privileges on the machine.
    3. “Allow authentication from any domain within the forest“: If your forest has multiple domains, this essentially expands the search base that the AD plugin uses to find user records so users from other domains can log in to the machine.
  4. When the bind has completed, return to the LDapper application and find your computer’s record in the Computer container.
  5. Return to Directory Access and click on the “OK” button to close the AD plugin window.
  6. Click on the “Authentication” tab. If your machine is configured with an LDAP node from a previous exercise, remove that node from the list, click apply, then close Directory Access.

-Nate

SMB v1 Problems with Catalyna

NetBIOS is disabled in macOS 10.15 to speed up mounting, browsing, and connecting to SMB shares. Some older printers and file servers may require NetBIOS to connect. (51119111)

To enable NetBIOS, you can create or edit the /etc/nsmb.conf file. If your system doesn't already have an /etc/nsmb.conf file, use the following Terminal commands while logged in as an Administrator:

echo "[default]" | sudo tee -a /etc/nsmb.conf 
echo "port445=both" | sudo tee -a /etc/nsmb.conf

To disable NetBIOS, you can safely delete the /etc/nsmb.conf file.

While the cifs:// approach has been a common past suggestion there is a settings file you can edit in OS X to tell OS X to use a specific version of SMB.

I suggest you do the following in Terminal.app to find out more details about this.

man nsmb.conf

Note: The nsmb.conf file can be in one of two locations it can be at ~/Library/Preferences/nsmb.conf or it can be at /etc/nsmb.conf as standard neither will initially exist and therefore the default settings - in this case first trying SMB3 will apply. Only if you create a file in one of these locations will it take effect. The /etc/nsmb.conf if it exists overrides any individual users copy.

Note: nsmb.conf controls settings where your Mac is the SMB client and is connecting to another SMB server. A different file controls settings where the Mac is the SMB server, this is /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist

A second related issue that was introduced with El Capitan was the new requirement that packet signing be used, i.e. the default setting is that the client connecting to your Mac must now support packet signing. Some older multi-function printers in particular do not support this. Other than updating the firmware of such printers it is also possible to turn this setting off in OS X as below.

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server SigningRequired false

This would not affect Macs connecting to other SMB servers only when a SMB client tries connecting to the Mac, therefore I do not believe it should be relevant to your issue.

Note: Windows has supported packet signing for a very long time.

Q. I'm having problems file sharing to a Windows computer/connecting to a Windows server. Is the new SMB2 protocol in Catalina causing issues? A. Probably. You can control which protocol is used to connect to file servers in the Finder > Go menu > Connect to Server… dialogue box by using:

cifs://server.name.or.ipaddress = SMB1
smb://server.name.or.ipaddress = SMB2
afp://server.name.or.ipaddress = AFP

console mount

Apple console

mount_smbfs

mount.smbfs //nicolep@192.168.1.1/share ~/net/share

mount -t smbfs

mount -t smbfs //nicolep@192.168.1.1/share ~/net/share

smbutil

smbutil view smb://nicolep@192.168.1.1/share

FreeBSD reports that mount_smbfs offers support for SMB/CIFS/SMB1 only

     smbutil(1), nsmb.conf(5)

     Other resources:
     -	 Chapter dedicated to Samba configuration in the FreeBSD Handbook: 
	 https://www.freebsd.org/doc/handbook/network-samba.html

 STANDARDS
     mount_smbfs offers	support	for SMB/CIFS/SMB1.  It does not	support	newer
     versions of the protocol like SMB2	and SMB3.  SMB2	and SMB3 are supported
     by	software available in the ports(7) collection.

     The list of supported SMB servers includes:
     -	 Samba
     -	 Windows 95/98/ME/2000/NT4.0 (SPs 4, 5,	6)
     -	 IBM LanManager
     -	 NetApp
Last modified on 24 November 2020, at 13:15