Integrating OS X Server into an AD Environment

Server Setup

Install Leopard Server in Advanced Mode as a Standalone Server.

Server Admin: add the services you want (specifically SMB), configure them, and start them.

Directory Utility: Bind to Domain

  • Add the AD domain under the Directory Servers tab; the binding to AD then happens automatically under the Services tab.
  • Advanced options: Use UNC path from AD using SMB
  • Default user shell: /bin/bash

Server Admin:

  • Enable Open Directory
  • Change settings of Open Directory: Promote the server to an OD Master.

Directory Utility: set the proper search order

  • Search Policy: drag AD so that it sits above the local LDAPv3 (OD) entry.  You can do the same for the Contacts search order.

:: Adding management functions in OD to work with the AD groups ::

Open WGM (Workgroup Manager) and log in as the directory administrator (diradmin).

  • Create a new group and call it OD_Managed or similar (e.g. school_staff, school_students).
  • Add new members: in the sidebar, switch the directory to AD and
    then click the Groups icon.  Drag the appropriate AD container into the
    members window.
  • Set preferences (MCX) for the group.

Using MS ADUC, set the home directories for the users.  Note that
you can set up and turn on SMB on the OS X Server and point the users'
home directories (via AD) at the Leopard server's SMB share.

What you end up with is AD accounts mapped to their homedir with MCX policy enforcement.

Client setup

...coming soon…

Manual bind on client: using Directory Utility, bind to the new OD
Master server, then bind to AD.  Place AD above OD in the search order.

Log in as a test user…
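A quick check to run on the client after the manual bind, added here as an example and not part of the original notes: it parses the output of dscl /Search -read / CSPSearchPath (assumed, as on 10.5, to print one node path per line in search order) and confirms the Active Directory node is listed above the LDAPv3 (OD Master) node, then confirms that a test account resolves through that path with id. The two dscl samples in the block are constructed.

```shell
# Added example, not from the original notes. Assumes the 10.5-era
# "dscl /Search -read / CSPSearchPath" output: a header line followed by one
# node path per line, listed in search order.

# Reads CSPSearchPath text on stdin. Returns 0 when the Active Directory node
# comes before the LDAPv3 (Open Directory) node, 1 otherwise (including the
# case where one of the two nodes is missing, i.e. a bind did not take).
ad_above_od() {
    awk '
        /^[ \t]*\/Active Directory\// { if (!ad) ad = NR }
        /^[ \t]*\/LDAPv3\//           { if (!od) od = NR }
        END {
            if (ad == 0 || od == 0) exit 1
            if (ad < od) exit 0
            exit 1
        }'
}

# Live version for the bound Mac; returns 2 where dscl does not exist.
check_search_order() {
    command -v dscl >/dev/null 2>&1 || { echo "dscl not found" >&2; return 2; }
    dscl /Search -read / CSPSearchPath | ad_above_od
}

# "id" succeeds only if the account resolves through some node in the path,
# so it is a cheap way to confirm the AD test user is visible before trying
# a full login at the login window.
user_resolves() {
    id "$1" >/dev/null 2>&1
}

# Constructed samples of the dscl output: one correct, one with the order
# the notes warn against.
GOOD_PATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/odmaster.example.com'

BAD_PATH='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/odmaster.example.com
 /Active Directory/All Domains'

if printf '%s\n' "$GOOD_PATH" | ad_above_od; then
    echo "sample 1: AD above OD (ok)"
fi
if ! printf '%s\n' "$BAD_PATH" | ad_above_od; then
    echo "sample 2: OD above AD (fix the search policy)"
fi
```

On the client itself, run check_search_order and then user_resolves with the AD test account; if the second fails while the first passes, the problem is the AD bind or the account, not the search order.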


Configure Leopard for a different Software Update Server


To configure a Mac running OS X 10.5 (Leopard) to use a local Apple Software Update server, use the following command, where servername is the name of your local server running Software Update.

defaults write /Library/Preferences/ CatalogURL http://servername:8088/

If you have any problems, verify that you can see the update server by accessing the following URL from the client’s web browser:

If you don’t see an XML-type page come up, you should verify that the Software Update service is running on the server, and that port 8088 is properly configured to allow traffic on your network.
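The same configuration and verification as a script, added as an example that is not part of the original notes. It assumes the client setting lives in the com.apple.SoftwareUpdate domain under /Library/Preferences (the domain the defaults command is normally written against) and that a working server answers on port 8088 with an XML catalog, as described above; curl stands in for the browser check.

```shell
# Added example, not from the original notes. Assumptions: the client-side
# setting lives in the com.apple.SoftwareUpdate domain under /Library/Preferences,
# and a working Software Update server answers on port 8088 with an XML catalog.

SU_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate

# Accept only a plain http URL on port 8088 with a path, e.g.
# http://servername:8088/ ; anything else is refused before it is written.
valid_catalog_url() {
    case "$1" in
        http://*:8088/*) return 0 ;;
        *)               return 1 ;;
    esac
}

# The "XML-type page" check from the notes, done with curl instead of a browser:
# the first bytes of the body must look like XML. A failure means the service
# is not running or port 8088 is blocked between client and server.
catalog_reachable() {
    curl -fsS --max-time 10 "$1" 2>/dev/null | head -c 512 | grep -q '<?xml'
}

# Write the CatalogURL and read it straight back, so a typo in the server name
# is caught on the spot rather than at the next update check. Writing to
# /Library/Preferences needs root, hence sudo.
set_catalog_url() {
    url=$1
    valid_catalog_url "$url" || { echo "refusing URL: $url" >&2; return 1; }
    sudo defaults write "$SU_DOMAIN" CatalogURL "$url" || return 1
    [ "$(defaults read "$SU_DOMAIN" CatalogURL)" = "$url" ]
}

# Removing the key sends the client back to Apple's own update servers.
clear_catalog_url() {
    sudo defaults delete "$SU_DOMAIN" CatalogURL
}
```

Typical use on a client is catalog_reachable "http://servername:8088/" first, then set_catalog_url with the same URL; running the reachability check before the write keeps a client from being pointed at a server it cannot see.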

Disable EFI password – Intel Mac

Boot normally and log on as an admin user.  Insert the Leopard install DVD, then open Terminal and type:

open /Volumes/Mac\ OS\ X\ Install\ DVD/Applications

In the window that opens, choose Utilities and then Firmware Password Utility. Uncheck the box to set the firmware password and click Change.  The EFI password is now blank.

Software Updates via terminal

If you want to do an automatic install of all the updates for a particular Mac, you can do it easily in the background using ARD.  Gather up the systems you want to update, then execute a unix command: softwareupdate -i -a, and specify that it run as the root user even if you have not enabled the root user account on the workstation.  It takes a while, but the results window updates after each title is installed; it'll even tell you if the remote system needs restarting.

If you want to do it manually (perhaps via a remote ssh login), log in as an administrative user and type: sudo softwareupdate -i -a. You'll be prompted for your admin-level password.  This can also be done locally in a Terminal window.

To see all the command options, type man softwareupdate in a Terminal window.

Enabling VNC access via ssh

If you need to connect via a VNC client on Windows or similar and don't have ARD around, just log in to the system via ssh and run the following (all on one line):

/System/Library/CoreServices/RemoteManagement/ -configure -activate -access -on -clientopts -setvnclegacy -vnclegacy yes -setvncpw -vncpw [your password] -restart -agent

This will set the remote Leopard system (and probably Tiger too) to allow legacy VNC connections from non-Macs and allow you to use the password you chose with the -vncpw option to connect from any VNC client.

You may also have to kill the AppleVNCServer process before you can successfully connect. Type:

killall AppleVNCServer

You can also find the PID with the top command and then kill it with kill followed by that PID.
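The same kickstart procedure wrapped in a script, added as an example and not part of the original notes. KICKSTART is the assumed full path of the ARD kickstart tool inside the RemoteManagement folder; the flags are the ones used above. The wrapper reads the password from a silent prompt or the VNC_PASSWORD variable instead of the command line, and refuses passwords longer than the eight characters legacy VNC authentication actually uses.

```shell
# Added example, not from the original notes. KICKSTART is the assumed full
# path of the ARD kickstart tool inside the RemoteManagement folder; the flags
# match the notes' command line.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# Legacy (RFB) VNC authentication only ever uses the first 8 characters of the
# password; longer ones are silently truncated by the protocol, so refuse them
# rather than let someone believe a 20-character password is in force.
check_vnc_password() {
    pw=$1
    [ -n "$pw" ] || { echo "empty VNC password" >&2; return 1; }
    [ ${#pw} -le 8 ] || { echo "legacy VNC uses only 8 characters; pick exactly 8" >&2; return 1; }
    return 0
}

# Enable legacy VNC with the password taken from VNC_PASSWORD or a silent
# prompt, so it is not typed on the command line and saved in shell history.
# (It is still visible in "ps" for the moment kickstart runs.)
enable_legacy_vnc() {
    [ -x "$KICKSTART" ] || { echo "kickstart not found at $KICKSTART" >&2; return 2; }
    if [ -z "${VNC_PASSWORD:-}" ]; then
        printf 'VNC password (8 chars max): '
        stty -echo; read -r VNC_PASSWORD; stty echo; echo
    fi
    check_vnc_password "$VNC_PASSWORD" || return 1
    sudo "$KICKSTART" -configure -activate -access -on \
        -clientopts -setvnclegacy -vnclegacy yes \
        -setvncpw -vncpw "$VNC_PASSWORD" -restart -agent || return 1
    # The notes' follow-up step: you may have to kill AppleVNCServer before a
    # connection succeeds.
    sudo killall AppleVNCServer 2>/dev/null || true
}

# Legacy VNC carries the session unencrypted. Since you already have an ssh
# login to the Mac, forward the VNC port through it from the client side:
#   ssh -L 5900:127.0.0.1:5900 admin@leopard-host
# and point the VNC client at localhost:5900 instead of the Mac directly.
```

Run enable_legacy_vnc from the ssh session; the ssh port-forward in the closing comment keeps the VNC traffic off the wire in the clear and means port 5900 need not be opened to the network at all.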

Importing Users into Tiger Server (OS X 10.4)

(…to be edited. screenshots and more to be added)

Populate a spreadsheet with the following fields: Full Lastname (A1), Firstname (B1), DOB (C1), Grade (D1). Add additional columns for Teacher Name (E1), LastName-clean (F1), Grad Year (currently unused, G1), Shortname (H1), School Year (I1), Sequential UID# (J1), Unique (final) UserID# (K1).

Be sure to clean the names up by removing spaces, apostrophes, hyphens, etc. if you don't use a self-cleaning formula.

Cell# – Description

  • F2 – (maybe create a self-cleaning name from A2)
  • H2 – =F2&B2
  • J2 – after all student data is entered, sort by grade, then simply number them sequentially using three digits (e.g. 001, 002)
  • K2 – =$I2&"0"&$D2&$J2

Name the tab SeedData.
Create a new tab called Data to Export.

For Reference:
Column – DataField

  • A=unused but must exist.
  • B=shortname:ID
  • C=Realname(first.last)
  • D=password(aka DOB in this spreadsheet)
  • E=homedir
  • F=AFP homedir
  • G=PasswordType
  • H=TeacherName
  • I=password specs (force change password on 1st login and do not allow further password changes)


  • B1 =SeedData!H2&":"&SeedData!K2
  • C1 =SeedData!B2&"."&SeedData!A2
  • D1 =SeedData!C2
  • E1 ="/Network/Servers/"&SeedData!D2&"th/"&SeedData!H2
  • F1 ="<home_dir><url>afp\://</url><path>"&SeedData!D2&"th/"&SeedData!H2&"</path></home_dir>"
  • G1 – standard text: dsAuthMethodStandard\:dsAuthClearText
  • H1 =SeedData!E2
  • I1 – standard text (forces the user to create a new password at login and disallows changing the password later): newPasswordRequired=1:canModifyPasswordforSelf=0

Example data after formula:

  • C1: first.last
  • E1: for a 6th grade student named first last: /Network/Servers/
  • F1: <home_dir><url>afp\://</url><path>6th/smithshane</path></home_dir>

When you're done, save/export as a CSV (Windows), not as a CSV (comma delimited). This is needed to format the file with Unix line feeds rather than adding a carriage return as well, as Windows prefers. To make sure you are using LF only, you can always open the file in a text editor such as Notepad++ and tell it to re-save in Unix format.
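The same import file built from the seed columns with a shell script instead of the spreadsheet formulas, added as an example that is not part of the original notes. HOME_SERVER is an assumed placeholder for the server name in the homedir paths, the seed rows are constructed, and the script goes a little beyond the formulas: it escapes the WGM delimiter characters inside free-text fields, numbers students within each grade after sorting, and checks the finished file for the CR LF endings the paragraph above warns about.

```shell
# Added example, not from the original notes: builds the WGM import file from
# the seed columns without the spreadsheet. HOME_SERVER is an assumed placeholder
# for the server name in the homedir paths; the seed rows below are constructed.

HOME_SERVER=odmaster.example.com

# LastName-clean (column F): lowercase, keep only letters and digits.
clean_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9'
}

# WGM uses "," between attributes, ":" between values and "\" as the escape
# character, so a name containing any of them must be escaped or the columns
# shift (the notes escape ":" the same way in afp\:// and the AuthMethod).
esc() {
    printf '%s' "$1" | sed 's/[\\,:]/\\&/g'
}

# One import line in the notes' column order: unused, shortname:ID,
# first.last, password (DOB), homedir, AFP homedir, AuthMethod, teacher, policy.
make_record() {
    last=$1 first=$2 dob=$3 grade=$4 teacher=$5 year=$6 seq=$7
    short="$(clean_name "$last")$(clean_name "$first")"   # H2 = F2&B2
    uid="${year}0${grade}${seq}"                           # K2 = year & "0" & grade & seq
    share="${grade}th/${short}"                            # the notes' formula appends "th"
    printf ',%s:%s,%s.%s,%s,/Network/Servers/%s/%s,<home_dir><url>afp\\://%s</url><path>%s</path></home_dir>,dsAuthMethodStandard\\:dsAuthClearText,%s,newPasswordRequired=1:canModifyPasswordforSelf=0\n' \
        "$short" "$uid" "$(esc "$first")" "$(esc "$last")" "$(esc "$dob")" \
        "$HOME_SERVER" "$share" "$HOME_SERVER" "$share" "$(esc "$teacher")"
}

# stdin: seed rows "Last,First,DOB,Grade,Teacher"; $1: school year (column I).
# Sorts by grade then last name and numbers students 001, 002, ... within
# each grade, which is what column J holds after the manual sort in the notes.
build_import() {
    year=$1
    sort -t, -k4,4n -k1,1 | {
        cur=""; n=0
        while IFS=, read -r last first dob grade teacher; do
            [ -n "$last" ] || continue
            [ "$grade" = "$cur" ] || { cur=$grade; n=0; }
            n=$((n + 1))
            make_record "$last" "$first" "$dob" "$grade" "$teacher" "$year" "$(printf '%03d' "$n")"
        done
    }
}

# The record delimiter is 0x0A only; a file saved with Windows CR LF endings
# would leave a "\r" glued onto the last attribute of every record.
has_crlf() {
    [ "$(tr -d '\r' < "$1" | wc -c | tr -d ' ')" -ne "$(wc -c < "$1" | tr -d ' ')" ]
}

# Constructed seed rows; DOB doubles as the initial password, as in the notes.
SEED='Smith,Shane,20000315,6,Ms Jones
Brown,Ann,20000102,6,Ms Jones
Lee,Bo,19990505,7,Mr Diaz'

# The file carries cleartext initial passwords, so create it readable by the
# owner only and remove it once the import is done.
umask 077
OUT=${TMPDIR:-/tmp}/wgm-import.csv
printf '%s\n' "$SEED" | build_import 2008 > "$OUT"
if has_crlf "$OUT"; then
    echo "warning: $OUT has CR LF line endings" >&2
fi
cat "$OUT"
```

The policy and AuthMethod columns are emitted verbatim from the notes; with dsAuthClearText the DOB is written as the cleartext initial password, which is why the file is created with umask 077 and should be deleted after the import, and why newPasswordRequired=1 matters.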

Open Workgroup Manager and connect to your server as the directory admin user.

  • Select "Import" from the "Server" menu.
  • Select the CSV file that we saved above.
  • Select "Ignore new record" from the "Duplicate Handling:" drop-down menu. If you want to replace existing records, delete them before importing.
  • Leave the other drop-downs at "None" unless you have a preset that you want to use for all of the new users.
  • Leave the ID boxes blank, and click "Import".

A new window should pop up asking you to enter Record Type, Special Characters, and Field Mappings.

Users will be the record type.
Special Characters:

  • Record delimiter: 0x0A – Newline
  • Attribute delimiter: 0x2C – ,
  • Attribute value delimiter: 0x3A – :
  • Escape character: 0x5C – \

Field Mappings:
(screenshot later)

Everything but the AuthMethod is selectable from the drop-down menu. To get to the AuthMethod, select "Other" from the drop-down menu and then select AuthMethod from the secondary menu.

Ramblings from a SysAdmin/Tech