Active Directory client bind via Terminal




Omena.com
Mar 11, 2010, 04:22 AM
Hi!

I have a problem concerning binding a client computer to Active Directory via Terminal. The binding works perfectly when I do it with the GUI, but with Terminal it just fails.

Client OS: 10.6.2
AD server: Windows 2008 R2

It seems that the Active Directory plug-in won't activate.

Terminal commands:
sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active

dscl localhost -list / displays
BSD
Local

Contact
Search

After I do it with the GUI dscl localhost -list / displays
Active Directory
BSD
Local

Contact
Search

I deleted all the AD plist files from the /Library/Preferences/DirectoryService/
before running the Terminal commands.

Any ideas?



calderone
Mar 11, 2010, 08:26 PM
Just to be sure, you are not just running this are you?

sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active


If so, you cannot bind to AD that way. You need to use dsconfigad and then create and append the Search Policy with dscl.

Omena.com
Mar 12, 2010, 01:55 AM
> Just to be sure, you are not just running this are you?
>
> sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
>
> If so, you cannot bind to AD that way. You need to use dsconfigad and then create and append the Search Policy with dscl.

Hi!

Yes, that is just the first step.

then
dsconfigad (binding)
dscl ... (add search paths)
...

calderone
Mar 12, 2010, 07:26 AM
To my knowledge you do not have to change the directory services plist to bind to AD. Most daemons, like DirectoryService, load with the plist on initial startup, so any changes after DirectoryService is loaded would mean that you need to log out or possibly reboot (or restart the service in Terminal, but I wouldn't try that with DirectoryService). So this would be an ineffective method for activating the AD plugin and subsequently binding.

As far as I know, you simply need to bind and set the search paths. If successful, the AD plugin will activate automatically.


You may want to refer to Apple's document on the subject of Macs and AD:
Best Practices: Integrating Mac OS X with Active Directory (http://images.apple.com/business/solutions/it/docs/Best_Practices_Active_Directory.pdf)

AdamR01
Mar 15, 2010, 01:38 PM
This is what I do on my lab machines (sensitive info changed of course):


sudo defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
sudo dsconfigad -a `hostname | cut -f 1 -d '.'` -u administrator -p adminpasswd -domain yourdomain.com -ou "OU=Macs,DC=yourdomain,DC=com"
sudo dscl /Search -create / SearchPolicy CSPSearchPath
sudo dscl /Search -append / CSPSearchPath "Active Directory/All Domains"
sudo dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
sudo dscl /Search/Contacts -append / CSPSearchPath "Active Directory/All Domains"
sudo killall DirectoryService


This is with Leopard, not Snow Leopard, but I do not think much has changed in this department. This should take effect without a reboot because launchd will restart DirectoryService if it sees that it died.

This is the 10.6 version of the article I got my information from: http://www.peachpit.com/articles/article.aspx?p=1431816
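The same bind procedure as AdamR01's post, wrapped as a script with the checks a practitioner would want afterwards: the administrator password is read from the terminal rather than typed on the command line (so it does not land in shell history), the search-path append is skipped when "Active Directory/All Domains" is already listed (so re-running the script does not duplicate the entry), and the result is verified by parsing `dscl localhost -list /` and `dscl /Search -read / CSPSearchPath`. This is an added example, not code from the thread or from Apple; the dsconfigad and dscl flags are the ones used in the post above, and the domain, OU and account name are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the Mac as root (sudo sh bind.sh ...).
# Usage: bind_to_ad <domain> <ou-dn> <ad-admin-user>

# Returns 0 if the output of `dscl localhost -list /` contains the AD plug-in node.
ad_plugin_listed() {
    printf '%s\n' "$1" | grep -qx 'Active Directory'
}

# Returns 0 if the output of `dscl <node> -read / CSPSearchPath` already lists the AD node.
ad_in_search_path() {
    printf '%s\n' "$1" | grep -q 'Active Directory/All Domains'
}

# Append "Active Directory/All Domains" to a search node only if it is not there yet.
ensure_ad_search_path() {
    node=$1
    dscl "$node" -create / SearchPolicy CSPSearchPath
    if ! ad_in_search_path "$(dscl "$node" -read / CSPSearchPath)"; then
        dscl "$node" -append / CSPSearchPath "Active Directory/All Domains"
    fi
}

bind_to_ad() {
    domain=$1      # e.g. yourdomain.com (placeholder)
    ou=$2          # e.g. "OU=Macs,DC=yourdomain,DC=com" (placeholder)
    adminuser=$3   # AD account allowed to join computers (placeholder)
    computer=$(hostname | cut -f 1 -d '.')

    # Read the password without echo so it is neither in history nor on screen.
    printf 'AD password for %s: ' "$adminuser"
    [ -t 0 ] && stty -echo
    read -r adminpass
    [ -t 0 ] && { stty echo; printf '\n'; }

    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
    dsconfigad -a "$computer" -u "$adminuser" -p "$adminpass" -domain "$domain" -ou "$ou" || {
        echo "dsconfigad failed for $computer" >&2; return 1; }
    unset adminpass

    ensure_ad_search_path /Search
    ensure_ad_search_path /Search/Contacts

    # launchd restarts DirectoryService after it is killed; give it a moment.
    killall DirectoryService
    sleep 3

    # Verify: the plug-in node must appear and the search policy must include it.
    ad_plugin_listed "$(dscl localhost -list /)" || { echo "AD node not listed" >&2; return 1; }
    ad_in_search_path "$(dscl /Search -read / CSPSearchPath)" || { echo "AD not in search path" >&2; return 1; }
    echo "Bound $computer to $domain"
}

# Only perform the bind when the three arguments are supplied.
if [ $# -eq 3 ]; then
    bind_to_ad "$@"
fi
```

The two parsing helpers are what make the result checkable: after `killall DirectoryService` the node list in the original post ("Active Directory" followed by BSD, Local, Contact, Search) is exactly what `ad_plugin_listed` looks for, and a missing "Active Directory/All Domains" line in the search policy is the most common reason a GUI-bound Mac and a Terminal-bound Mac behave differently at the login window.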