Guide: Using Mac OS X Server as a PDC

Mac OS X Server can act as an NT-style Primary Domain Controller (PDC) through its bundled Samba (SMB) service.  In that role the server can provide file and print services, host roaming user profiles and home folders, and authenticate logons for the domain.  Even complex user and group policies can be applied through a logon script.  All of this is done by OS X Server’s implementation of the open-source Samba package, a free software re-implementation of the SMB networking protocol.  Please note this guide focuses on Mac OS X Server 10.6 and Windows XP Pro SP3 clients.  Vista clients (Edit: Windows 7 clients are not supported. See this article.) should work equally well with a few tweaks (outlined later).

Step 1 – Enabling the SMB Service

If the SMB service isn’t already running on your server, you’ll need to enable it. (This step assumes that you already have Open Directory running as a Master on the server you’d like to make the PDC.) Open Server Admin, click on your server’s address, click on Settings, then Services.  Place a check in the box next to SMB and click Save.  You’ll now see the SMB service in the left list under your server’s address, as shown here.

Step 2 – Configuring the SMB Service

Click on the SMB service in the left list, then click Settings. On the General tab, set the role to “Primary Domain Controller (PDC)”.  Enter something for Description, your hostname under Computer Name, and finally the name of the domain you’d like this server to be the PDC for.  In this image, my domain is named OSXTEST.

Under Access, set the options to the needs of your organization.  On a PDC, leave guest access off, and enable the weaker authentication methods (NTLM, and especially LAN Manager) only if a specific client actually needs them; NTLMv2 with Kerberos is the strongest choice offered there and XP SP3 clients support it.

Medium logging is usually sufficient; change it as needed.

Under Advanced, if you use a WINS server you can configure it here.

Keep the box “Enable virtual share points” checked if you’d like users to be able to reach their Mac home directory (assuming you’re using this in a mixed platform environment) as a mounted drive in My Computer when they log in.  More on this later.

Press Save.  You can now start the SMB service by clicking “Start SMB” in the bottom left of the Server Admin window.

Step 3 – Configuring users in Workgroup Manager

Before moving on, you need to ask yourself, “Will I be storing these profiles on the same server that’s acting as the PDC, or would I like to store them on a different OS X Server?”  A good example of when the second option is needed is an organization whose users are grouped onto different file servers by alphabet, grade level, etc.  In cases like that, it makes sense to keep the Windows profiles on the same server as the network Mac home directories.  The same applies if you plan on making a new network share for all of the profiles on a file server other than the one acting as the PDC.  If either of these situations is the case for you, it’s a little more complicated: read Step A below.  If you’re fine with your Windows profiles being stored on the server that’s acting as the PDC, jump to Step B.

Step A (The more complicated one)

Step 1 – Make a new network share on your secondary server and name it whatever you like. In my example below, I named it “NetUsersProfiles.” Set the permissions to root – read and write, staff – read and write, others – no access (read only also works, but it lets any user browse every other user’s profile, NTUSER.DAT included, so prefer no access).  It’s also generally a good idea to uncheck “Enable Spotlight Searching” under the Share Point tab.  It should look like this when you’re done.  (This picture is on the same server, but just assume it’s a separate one named mini-xserve2.)

Step 2 – Make sure that this secondary server is bound to the Open Directory Master, is Kerberized, and that SMB is running and configured as a domain member rather than a PDC.  Configuring SMB was described in Step 2 (Configuring the SMB Service) above; the only change is selecting “Domain Member” instead of “Primary Domain Controller (PDC)”.

Step 3 – Configure your users in Workgroup Manager.  Open Workgroup Manager and select the user you’d like to configure.  Go to the Windows tab on the far right.  Where it says “User Environment Profile”, insert the path of the network share you made above.  Under “Windows Home Directory”, insert the path to the user’s network Mac home directory (if you’re in a mixed platform environment) and select the drive letter you’d like it to mount as in My Computer on the PC.  In the picture below, you’ll see the User Profile is stored on mini-xserve2 and the Mac home directory is stored on mini-xserve.  If you’d like to use a logon script to enforce group or user policy, mount drives, etc., enter the name of the login script here.  It must be stored in the /etc/netlogon folder of the server acting as the PDC and the filename must be all lowercase.  Because that script runs on every client at every logon as the user logging in, /etc/netlogon and the script itself must not be writable by ordinary users: anyone who can edit them runs code on every workstation in the domain.  When done, press Save.

Step 4 – On the client machine, log in as the administrator and open the Local Group Policy Editor by typing gpedit.msc into the Run window.  Go to Local Computer Policy > Computer Configuration > Administrative Templates > System > User Profiles and enable “Do not check for user ownership of Roaming Profile Folders”.  Be aware of what this disables: by default Windows refuses to load a roaming profile from a folder the user does not own, which stops one user from planting a profile for another.  With the check off, the share permissions set above are the only thing protecting each profile folder, so do not loosen them.  (If you’re using Windows Vista, you may also have to make this change.) Reboot the machine. (Note: If you do not see “System” under Administrative Templates, right-click on Administrative Templates, select Add/Remove Templates, select Add, choose system, choose Open, then click Close.)

Step 5 – After the reboot, join the client to the domain.  Log in as the administrator again, go to the Start Menu, right-click on My Computer, select Properties, choose the Computer Name tab and press the Change button.  Enter the name of the domain you specified in Step 2 (Configuring the SMB Service); in my case it was OSXTEST.  Authenticate with a directory administrator account (the join creates a computer account named [WINDOWSPCNAME]$ in Workgroup Manager, which is why a directory administrator is required).  Reboot the machine.

Step 6 – After the reboot, log in with the user you configured above and verify everything is working correctly.  If so, congratulations.  Jump down to step 4 below for some additional information.

(Getting a “Not enough space on the disk” error?  See the special section below.)

Step B – The less complicated one

Step 1 – Open Workgroup Manager and select the user you’d like to configure.  Go to the Windows tab on the far right.  Where it says “User Environment Profile”, leave the path blank to have the profile stored in the default /Users/Profiles directory, or specify a sharepoint on the PDC.  The permissions for that sharepoint should be root – read and write, staff – read and write, others – no access (read only also works, but it exposes every user’s profile to every other user, so prefer no access). Under “Windows Home Directory”, insert the path to the user’s network Mac home directory (if you’re in a mixed platform environment) and select the drive letter you’d like it to mount as in My Computer on the PC.  In the picture below, you’ll see the User Profile is stored on a sharepoint of mini-xserve and the Mac home directory is also stored on mini-xserve.  If you’d like to use a logon script to enforce group or user policy, mount drives, etc., enter the name of the login script here.  It must be stored in the /etc/netlogon folder of the server acting as the PDC, the filename must be all lowercase, and neither the folder nor the script may be writable by ordinary users, since the script runs on every client at every logon.  When done, press Save.

Step 2 – Join the client to the domain.  Log in as the administrator on the PC, go to the Start Menu, right-click on My Computer, select Properties, choose the Computer Name tab and press the Change button.  Enter the name of the domain you specified in Step 2 (Configuring the SMB Service); in my case it was OSXTEST.  Authenticate with a directory administrator account (the join creates a computer account named [WINDOWSPCNAME]$ in Workgroup Manager).  Reboot the machine.

Step 3 – After the reboot, log in with the user you configured above and verify everything is working correctly.  If so, congratulations.  Jump down to step 4 below for some additional information.
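A quick way to verify the share and logon-script requirements from Step A and Step B before joining the first client.  This is an added example and not part of the original guide: a POSIX shell script that checks a profile share point’s owner, group and mode against the root/staff, read-and-write, no-access-for-others pairing above, and checks that a logon script in /etc/netlogon has a lowercase name and that neither the folder nor the script can be written by ordinary users.  The owner and group are parameters (defaulting to root and staff) so the same functions can be run against a scratch directory; the CRLF check reflects Samba’s general advice that logon scripts use DOS line endings, which the guide itself does not mention.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the share-point and
# logon-script requirements above before joining the first client.
# Assumes only POSIX sh, ls, awk, tr and grep (works on OS X and Linux).

# Print "perms owner group" for a path, e.g. "rwxrwx--- root staff".
path_perms() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9), $3, $4 }'
}

# audit_profile_share DIR [OWNER] [GROUP]
# Checks DIR against the guide's recommendation (root/staff read and write,
# others no access). OWNER and GROUP default to root and staff and are
# parameters only so the function can be exercised on a test directory.
# Returns the number of findings, so 0 means the share matches.
audit_profile_share() {
    dir=$1; want_owner=${2:-root}; want_group=${3:-staff}; n=0
    set -- $(path_perms "$dir")
    perms=$1; owner=$2; group=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owner is $owner, expected $want_owner" >&2; n=$((n+1))
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group" >&2; n=$((n+1))
    fi
    # Owner and group both need read and write so Samba can create each
    # user's profile folder; chars 1-2 are owner rw, chars 4-5 group rw.
    case $perms in
        rw?rw?*) ;;
        *) echo "$dir: owner and group need read+write (have $perms)" >&2; n=$((n+1)) ;;
    esac
    # Any permission for "others" (chars 7-9) lets every user read or tamper
    # with every other user's NTUSER.DAT; "no access" is the safe setting.
    case $perms in
        ??????---) ;;
        *) echo "$dir: others have access (have $perms); set others to no access" >&2; n=$((n+1)) ;;
    esac
    return $n
}

# check_logon_script NETLOGON_DIR NAME
# The guide requires the script to live in /etc/netlogon on the PDC with an
# all-lowercase filename. Because the script runs on every client at every
# logon, the folder and the file must not be group- or world-writable.
# Returns the number of findings.
check_logon_script() {
    netlogon=$1; name=$2; n=0
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    if [ "$name" != "$lower" ]; then
        echo "$name: filename must be all lowercase" >&2; n=$((n+1))
    fi
    if [ ! -f "$netlogon/$name" ]; then
        echo "$netlogon/$name: not found" >&2; n=$((n+1))
        return $n
    fi
    for p in "$netlogon" "$netlogon/$name"; do
        set -- $(path_perms "$p")
        case $1 in
            ????w*|???????w?)
                echo "$p: group- or world-writable ($1); anyone who can edit it runs code on every client" >&2
                n=$((n+1)) ;;
        esac
    done
    # Samba's documentation advises DOS (CRLF) line endings for logon scripts.
    if ! grep -q "$(printf '\r')" "$netlogon/$name"; then
        echo "$netlogon/$name: no CRLF line endings; convert with unix2dos" >&2; n=$((n+1))
    fi
    return $n
}

# Usage on the PDC, as root (paths are illustrative):
#   audit_profile_share /Volumes/Data/NetUsersProfiles
#   check_logon_script /etc/netlogon logon.bat
```

Each function reports its findings on stderr and returns their count, so a zero exit status means the object matches the guide; run both on the PDC (and the share check on any domain member that stores profiles) every time the permissions are touched.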

Step 4 – Additional Information

If you’re experiencing access denied error messages using the more complicated method, again, make sure the permissions are set correctly, and that the secondary server is bound to the Open Directory Master, Kerberized, and running SMB configured as a domain member rather than a PDC. Also make sure you made the local group policy change on the client described above (“Do not check for user ownership of Roaming Profile Folders”).  If you’re using Windows Vista this change may also need to be made.  All of this was described in detail under Step A of Step 3 above.

Tell your client(s) that if they’re away from the PDC, off the network, etc., they’ll need to use their short name to log in: Windows caches the credentials for the short name, not the full name.   After weeks of calls to Apple enterprise and tons of configuration changes, logging in away from the domain turned out to be something as simple as this.

To supply SMB Print services, enable the Print service on your server, add a queue, and enable the SMB option for the queue.

Using Mac OS X Server as the Primary Domain Controller for your domain lets you keep the power, ease of use, security and flexibility of Mac OS X Server while still supporting your Windows clients and allowing for future Mac growth.

Not Enough Space on the Disk? What?

If you’re storing your roaming profiles on a domain member as outlined in Step A, and you begin noticing “Windows cannot update your roaming profile.  Error: There is not enough space on the disk.” messages at logout, you’ll need to disable Darwin streams support on your PDC and on every domain member where profiles are stored.

1.  Stop SMB.

2.  In Terminal, make a backup of the smb.conf file:

sudo cp /etc/smb.conf ~/Desktop/smb.conf.old

3.  In Terminal, open the file for editing:

sudo pico /etc/smb.conf

4.  Locate the following lines and edit them to read:

;vfs objects = notify_kqueue,darwinacl,darwin_streams

vfs objects = notify_kqueue,darwinacl

; The darwin_streams module gives us named streams support.

stream support = no

5.  Ctrl + O to save the changes, then Ctrl + X to exit.

6.  Start SMB.  If you later change SMB settings in Server Admin, re-check that these edits are still in place.
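The same edit as a script, so the PDC and every domain member that stores profiles get an identical change.  This is an added example and not from the original guide: it backs up the file, comments out the original vfs objects line, re-adds it without darwin_streams, sets stream support = no, and writes the result back through the existing file so its owner and mode are kept.  The serveradmin stop/start and testparm calls are made only when those tools exist; the [global] layout it expects is the one shown in the steps above.  Run it as root.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the darwin_streams edit
# above with a script so the PDC and every domain member get the same change.
# Assumes the [global] layout shown in the steps above and POSIX sh/awk/grep;
# serveradmin and testparm are used only when present. Run as root.

# disable_darwin_streams CONF [BACKUP]
# Copies CONF to BACKUP, comments out the original "vfs objects" line,
# re-adds it without darwin_streams and forces "stream support = no".
# Returns 1 (and changes nothing) if darwin_streams is not enabled in CONF.
disable_darwin_streams() {
    conf=$1; backup=${2:-$1.old}
    if ! grep -q '^[[:space:]]*vfs objects[[:space:]]*=.*darwin_streams' "$conf"; then
        echo "$conf: darwin_streams is not enabled, nothing to do" >&2
        return 1
    fi
    cp "$conf" "$backup" || return 1
    tmp=$(mktemp) || return 1
    if awk '
        /^[ \t]*vfs objects[ \t]*=.*darwin_streams/ {
            print ";" $0                       # keep the original line, commented out
            sub(/,darwin_streams/, ""); sub(/darwin_streams,/, "")
            print                              # the same line without the module
            next
        }
        /^[ \t]*stream support[ \t]*=/ { print "stream support = no"; seen = 1; next }
        { print }
        END { if (!seen) print "warning: no stream support line; add stream support = no to [global]" > "/dev/stderr" }
    ' "$backup" > "$tmp"; then
        cat "$tmp" > "$conf"    # writing through the existing file keeps its owner and mode
        status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# streams_disabled CONF: succeeds once CONF no longer loads darwin_streams
# and has stream support = no.
streams_disabled() {
    ! grep -q '^[[:space:]]*vfs objects[[:space:]]*=.*darwin_streams' "$1" &&
    grep -q '^[[:space:]]*stream support[[:space:]]*=[[:space:]]*no' "$1"
}

# apply_on_server [CONF]: the full procedure from the guide (stop SMB, back up
# to the Desktop, edit, check, start SMB). CONF defaults to /etc/smb.conf.
apply_on_server() {
    conf=${1:-/etc/smb.conf}
    if command -v serveradmin >/dev/null 2>&1; then serveradmin stop smb; fi
    disable_darwin_streams "$conf" "$HOME/Desktop/smb.conf.old" || return 1
    if command -v testparm >/dev/null 2>&1; then
        # testparm -s parses the file without prompting; a syntax error means
        # the backup should be restored before SMB is started again.
        testparm -s "$conf" >/dev/null || {
            echo "$conf: testparm rejected the edited file; restore $HOME/Desktop/smb.conf.old" >&2
            return 1
        }
    fi
    streams_disabled "$conf" || return 1
    if command -v serveradmin >/dev/null 2>&1; then serveradmin start smb; fi
}

# Usage from a root shell on each server: apply_on_server /etc/smb.conf
```

disable_darwin_streams is safe to try on a copy of smb.conf first; it refuses to run twice on the same file, so a server that has already been edited is left alone and reported rather than double-commented.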

Thanks

Please leave any comments below and I’ll try and answer them to the best of my ability. If there’s some extremely technical issue that’s preventing this from working in your environment, please understand that this is just a general guide.  I do not have time to try and create a test environment for other users’ configurations.  Contact Apple Enterprise Support or an experienced OS X Server administrator for more detailed assistance.

Last Updated 8/13/2010
  • jebc4

    Just a note, but Windows 7 clients *cannot* join the domain (the version of samba is 3.0.28b).

    Supposedly Vista clients can, but I spent a while with Win7 and there is no solution at the moment….

  • http://mikeboylan.com Mike Boylan

    Thanks for the information. I'll put in an edit. I'll try and test this for myself as well.

  • http://mikeboylan.com Mike Boylan

    Apple has published a knowledgebase article for this. Currently, and unfortunately, there is no workaround solution. What a bummer.

    http://support.apple.com/kb/TS3235?locale=en_US

  • http://www.rubberduckmedia.ca/ Chris Magaoay

    Great Tut

  • http://mikeboylan.com Mike Boylan

    Thanks a lot. Keep checking back. As soon as I get word back from Apple enterprise about the login credentials, I'll be updating the guide.

    Glad you found it useful!

  • http://mikeboylan.com/2010/05/is-this-thing-on-hellotesting-1-2-3/ Is this thing on? Hello? Testing 1,2,3 | MikeBoylan.com

    [...] Wrap up the SMB student profiles project for students (blog post already written. See here.) [...]

  • Me

    please does anybody know how to make a qnap become a member of the OS X PDC?

  • http://mikeboylan.com Mike Boylan

    I've never used a QNAP device specifically, but the process shouldn't be any different than binding it to any other NT style domain. Find it in the preferences, enter the domain information, and authenticate with a directory administrator's password.

  • christophertran

    I keep getting the following error on Windows: “The following error occurred attempting to join the domain “stratitmain”: Access is denied.”

    and this is in the smb log:
    “auth_odsam.c:opendirectory_smb_pwd_check_ntlmv1(387)
    opendirectory_user_auth_and_session_key gave -14091 [eDSAuthMethodNotSupported]”

    and NTLMv1/2 and LAN Manager auth has been enabled for each SMB and OD. ??

  • http://mikeboylan.com Mike Boylan

    Do you have authenticated directory binding enabled?

  • christophertran

    Oh no, that's what I didn't do. Auth with diradmin; I authed with my admin acct instead. Oops. Thanks for the help. Oh, and why doesn't this work with Windows 7?

  • http://mikeboylan.com Mike Boylan

    Yeah, you have to use a directory administrator account because, as you'll see, it will make a computer account with the convention [WINDOWSPCNAME]$ in Workgroup Manager.

    I think Windows 7 support dropped support for NT style domains and that's what Samba emulates.

  • John Skinner

    Now there is a workaround for Windows 7 and Mac OS X Server PDC!!!
    I found more info over here..
    http://www.macwindows.com/OSXServer.html#050310c

  • http://mikeboylan.com Mike Boylan

    Neat! Thanks for this. Not officially supported, but if it works, hell, it works.

  • Matt

    Thanks a lot !!

  • ludo

    I want to connect with a Mac to a Linux Samba PDC.
    Can you please provide your /etc/samba/smb.conf (or wherever the smb.conf is)? It would be great to see what the Mac Server writes in there to make Mac clients able to log in.
    I think I can then transform this for my Linux server.

  • http://mikeboylan.com Mike Boylan

    So you want to connect your Mac to a directory service being hosted on a Linux samba PDC? That wouldn’t involve OS X server… that would simply be a process of binding the client through Directory Utility.app

    If you’re going to be using linux anyway, I’m curious as to why you wouldn’t use something like OpenLDAP rather than emulating an old Windows-NT style domain controller through Samba?

    This guide is for people who are using Open Directory as their primary directory infrastructure and need to integrate Windows clients into it. Let me know if I can be of any more assistance. I should also say that Apple ships very highly customized versions of samba on OS X Server that behave in nonstandard ways to integrate with OD.

  • Jp

    Hi Mike, great tutorial. Thx.
    I am currently deploying AD/OD/OS X clients, known as the Magic/Golden Triangle.
    We are thinking of doing an Open Directory-only version, where 1 W2K8 R2 Terminal Server is binding to Open Directory.
    From reading your tut, I get the feeling that Samba (for the profiles of the TS users) is not going to work because of the Samba version. Would you happen to know?

    For the Windows logon scripts (Group Policy), do you know of any documentation on that in combination with 10.6 Server -> W2K8?

    I am a self learning noob ( sorry no education yet) relying on your ( and many others) fantastic documentation.

  • http://mikeboylan.com Mike Boylan

    JP,

    Thanks.

    Personally I’d recommend taking the route of the magic triangle unless you have an absolute particular use case where it would prove ineffective. Where I work now, RMU, is a good example. We wanted to go magic triangle but require the Mac home directories to be separate from the Windows ones. Without augmenting records (which is nasty), this just isn’t possible.

    Moving forward, using AD for authentication and OD for management on Mac client machines is looking to be the recommended practice. It’s what Apple is pushing in heterogeneous environments, and it’s what is being well documented by others both casually on blogs like mine, and professionally by technical authors like Greg Neagle and Ed Marczak.

    It’s very important to note as well that in Mac OS X Lion, due to be released this summer, Samba is gone. Apple wrote their own proprietary windows networking stack because of new licensing restrictions with the GNU 3. GNU 3 is what all new versions of Samba are licensed under.

    You’re also correct in assuming that Apple’s Samba version in Snow Leopard is outdated. Apple customizes it, so the version numbers are never the same as official samba releases, but it’s lagging pretty far behind now.

    My recommendation: Move towards the magic triangle. Get the Mac OS X Directory Services book for 10.6 from Peachpit Press. It’s also available on the iBook store. Also pick up a copy of Enterprise Mac Managed Preferences from Apress. Both are fantastic resources you’ll find yourself referring to often.

    Hope that helps — thanks for reaching out!

    - Mike

  • Jp

    We tested this: a Microsoft terminal server setup with Windows Server 2008.
    And it works great.

    The MS server is running virtualized under Fusion as a domain member.
    Remember: The Windows Server 2008 R2 version does NOT work.
    You can do a license downgrade through Microsoft.

    Just have to keep in mind the NTLMv2 settings change. Rest is easy.

  • Pwr68

    Hi Mike!  I’m a native ‘Burgher, so a shoutout to RMU!

    We implemented the PDC exactly as you described (very helpful, thank you).  When we attempt to connect an XP Pro machine to the domain, we receive an error that the domain cannot be located.

    The details of the error are identical to the problem that this fellow posted:  https://discussions.apple.com/thread/1000368?start=0&tstart=0

    No one has responded yet, so I am curious if you can shed some light.  If Samba also launches a WINS service, does it automatically create an entry in WINS for the domain?  If not WINS, then does it add an SRV record to DNS?

    Thanks!
    -Peter
