Part 9 - Mac in the mix

Jarrod Spiga, 06 May 2008, 5:57 AM

The alternative to using Windows or Linux workstations on your network is to use a Mac, but they too have their own quirks and quibbles in a small business environment.


Mac OS X is experiencing a surge in popularity in both consumer and business markets. Ease of use, security and reliability have been three of the main driving points behind the recent success of 10.5 — three of the core features that are most desirable for any system that may be used within a small business. However, as much as it’s promoted that Macs ‘just work’, there’s always a little more work involved in setting a Mac up to operate efficiently with the two networks that have been described in this series.

Network Settings

Without correct network settings, your Mac won’t be able to reach the rest of the network, so it’s imperative to verify that these settings are valid regardless of whether you’re connecting to an Active Directory or OpenLDAP infrastructure.

Network settings can be found under the Network panel in the System Preferences application in the dock or Apple menu. If the settings within this panel are greyed out, the values shown have been pulled down from a DHCP server on your network — in most cases, these values should be correct, but you should verify them and correct your settings if required.

Ensure that you have a valid IP address and that the DNS Server IP address is that of your server. Your search domain should be the domain name that you provided to your server (for instance, internal.lan if you have been following the instructions in this series literally).

If you’re going to be communicating with a Microsoft SBS, click on the Advanced button followed by the WINS tab. From the Workgroup drop-down, you should be able to select the NetBIOS name that you configured within SBS.

After these settings have been verified or changed, you can close the System Preferences application. You can verify your settings by loading up a Terminal and pinging your server by its host name only (not its fully qualified domain name, as this will not verify that your search domain is set correctly).
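The verification just described, as an added example that is not part of the original article: the script reads the resolver configuration the Network panel wrote to /etc/resolv.conf, checks that the search domain and the first DNS server are what the server should have handed out, and then pings the server by short name and by FQDN so that a wrong search domain can be told apart from a wrong address. The DNS server address 192.168.16.2 and the host name sbs are assumed values, not from the article; internal.lan is the domain used throughout this series.

```shell
#!/bin/sh
# Added example, not from the article. Verifies a Mac's resolver settings
# and short-name resolution the way the section describes. Assumed values:
# server host name "sbs", DNS server 192.168.16.2; domain internal.lan.

# check_resolver DOMAIN DNS_IP  (resolver configuration on stdin, in
# /etc/resolv.conf format). Returns 0 when the search list contains DOMAIN
# and the first nameserver is DNS_IP; otherwise prints each mismatch and
# returns 1.
check_resolver() {
    domain="$1"
    dns="$2"
    search=""
    nameserver=""
    while read -r key value; do
        case "$key" in
            search|domain)
                if [ -z "$search" ]; then search="$value"; fi ;;
            nameserver)
                if [ -z "$nameserver" ]; then nameserver="$value"; fi ;;
        esac
    done
    status=0
    case " $search " in
        *" $domain "*) ;;
        *)  echo "search domain is '$search', expected '$domain'"
            status=1 ;;
    esac
    if [ "$nameserver" != "$dns" ]; then
        echo "first DNS server is '$nameserver', expected '$dns'"
        status=1
    fi
    return $status
}

# verify_reachable SERVER DOMAIN: a short name only resolves when the
# search domain is right, so pinging both forms separates the two faults.
verify_reachable() {
    server="$1"
    domain="$2"
    if ping -c 1 "$server" >/dev/null 2>&1; then
        echo "$server answers by short name: address, DNS and search domain are all good"
        return 0
    fi
    if ping -c 1 "$server.$domain" >/dev/null 2>&1; then
        echo "$server.$domain answers but $server does not: the search domain is wrong"
    else
        echo "$server.$domain does not answer: check the IP address, DNS server and cabling"
    fi
    return 1
}

# Live run on a Mac (skipped unless --live is given, so the functions can
# be sourced and exercised offline):
if [ "${1:-}" = "--live" ]; then
    check_resolver internal.lan 192.168.16.2 < /etc/resolv.conf
    verify_reachable sbs internal.lan
fi
```

Run it as `sh netcheck.sh --live` from Terminal; a non-zero exit means one of the three settings the section asks you to verify is wrong, and the message says which.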

Limitations

Pay special attention to the short and long names of all local user accounts on your Mac — if the short name or part of the long name matches a user login name within the Active Directory or OpenLDAP, that user will not be able to authenticate with the domain.

For example, say that an Active Directory account has been created with a username ‘jspiga’, but my Mac also has a local user account set up with a short name of ‘jspiga’ and long name of ‘Jarrod Spiga’. In this case, I will not be able to authenticate against the Active Directory because Mac OS X will always authenticate against the local user table before authenticating against external sources. Similarly, if an OpenLDAP account with user name ‘jarrod’ was set up, I also would not be able to authenticate because Mac OS X would associate an entered user name of ‘jarrod’ with the long name for the local account.

The workaround is to ensure that no local Mac OS X account shares a short or long name with an Active Directory or OpenLDAP user name. To do this, create a new local account on your Mac that does not have a conflicting short or long name and assign administrative rights to this user. Log on to your system as this new user and remove or re-create any local accounts with conflicting names. Be aware that if someone has been using an account with a conflicting name for a lengthy period of time, chances are that they have accumulated a lot of data within their profile, and this should be copied to the new account before the old account is removed.

Once an account with conflicting names has been removed from the local database, the user should then be able to authenticate against an external source — logging on as a different local user will not work around the issue.
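A check that finds these conflicts before anyone is locked out, as an added example that is not part of the original article. It compares each directory user name against every local account's short name and against each word of its long name, case-insensitively, which is the matching the two examples above describe. The sample account lists are constructed for illustration; on the Mac itself, dump_local_accounts builds the local list with dscl, and the list of domain user names is assumed to have been exported by the administrator to a text file.

```shell
#!/bin/sh
# Added example, not from the article: detect local Mac OS X accounts that
# collide with Active Directory or OpenLDAP user names, so they can be
# re-created before users try domain logons.

# find_conflicts LOCAL_FILE DOMAIN_FILE
#   LOCAL_FILE : one local account per line as "shortname<TAB>Long Name"
#   DOMAIN_FILE: one directory user name per line (must not be empty)
# Prints one line per conflict; returns 1 if any conflict was found.
find_conflicts() {
    awk -F '\t' '
        # First file: directory user names, keyed in lower case.
        NR == FNR { if ($1 != "") dom[tolower($1)] = $1; next }
        # Second file: local accounts. A match on the short name, or on
        # any word of the long name, is a conflict.
        {
            short = tolower($1)
            if (short in dom) {
                printf "%s: conflicts with local short name %s\n", dom[short], $1
                hits++
            }
            n = split(tolower($2), words, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (words[i] in dom) {
                    printf "%s: matches part of local long name \"%s\" (account %s)\n",
                           dom[words[i]], $2, $1
                    hits++
                }
        }
        END { exit (hits > 0) }
    ' "$2" "$1"
}

# dump_local_accounts: on the Mac, list local accounts from the local
# directory node in "shortname<TAB>Long Name" form, skipping the
# underscore-prefixed system accounts.
dump_local_accounts() {
    dscl . -list /Users RealName |
        awk '$1 !~ /^_/ { short = $1; $1 = ""; sub(/^ +/, ""); print short "\t" $0 }'
}

# demo: constructed sample data matching the article's scenario, a local
# account "jspiga" / "Jarrod Spiga" and a directory holding jspiga, jarrod
# and jsmith. Returns find_conflicts' status.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'jspiga\tJarrod Spiga\nadmin\tLocal Administrator\n' > "$dir/local.txt"
    printf 'jspiga\njarrod\njsmith\n' > "$dir/domain.txt"
    find_conflicts "$dir/local.txt" "$dir/domain.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Live use: dump_local_accounts > local.txt, then
#   find_conflicts local.txt domain-users.txt
# where domain-users.txt (assumed) was exported from the directory.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Every line the script prints names an account that has to be renamed or removed on that Mac; a clean run returns 0.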

SBS Preparation

One of the most frequently used functions on a small business network is accessing file shares located on the server in order to share data between systems. By default, a Mac will encounter two hurdles when communicating with file shares on Windows SBS servers.

The first issue is related to SMB signing, a mechanism in the Server Message Block protocol (the protocol used to talk to file and printer shares on Windows networks) that lets each side verify that packets have not been altered in transit. Mac OS X systems do not properly support outbound SMB signing, which in most cases is not a problem. However, when Active Directory is installed on a Windows 2003 server (including SBS 2003), the default domain controller policy requires SMB signing for all inbound connections. As such, a Mac will not be able to read from or write to file or print shares on the domain controller unless the requirement for SMB signing on incoming connections to the server is disabled. (Pre-Leopard systems will also fail to authenticate to these shares.) A Mac OS X system is, on the other hand, perfectly capable of communicating via SMB with a Windows 2003 member server that is not a domain controller without additional configuration. Bear in mind what the change gives up: required signing is what stops a machine on the same network from tampering with or relaying SMB sessions to the domain controller, so apply it only if your Mac users genuinely need the domain controller’s shares; if those shares can live on a member server instead, leave the policy alone.

To disable the incoming SMB signing requirement on your SBS server, select Advanced Management > Group Policy Management from under the Server Management Console. From within this applet, expand the forest and domain branches, right-click on your local domain and click on the ‘Create and Link a GPO Here’ option from the context menu. Name the new policy ‘Disable SMB Signing’ or something similar, then right-click on the new policy and select Edit.

Under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, open ‘Microsoft network server: Digitally sign communications (always)’ (the ‘network server’ setting is the one that governs inbound connections; leave the ‘Microsoft network client’ equivalent alone), tick the ‘Define this policy setting’ checkbox and set it to Disabled. After giving these settings the OK, you can then close the Group Policy Object Editor window.

Next, right-click on the policy object again and select ‘Enforced’ from the context menu. This step matters: the signing requirement comes from the Default Domain Controllers Policy, which is linked at the Domain Controllers OU and would normally win over a domain-level policy, and only an enforced link overrides it. Then re-order the list in the right-hand pane so that your new policy is listed above the ‘Default Domain Policy’. Lastly, click Start > Run on the server and execute the following command:

gpupdate /force

This will force your server to apply the new group policy object immediately and should disable the inbound SMB signing requirement.

You’ll only encounter the second issue if Windows Server 2003 Service Pack 2 is installed on your SBS server, or if you’ve installed the optional Scalable Networking Pack. Both of these updates include features that are designed to improve networking performance by implementing:

TCP Chimney Offload — many modern server-class network adapters have small processors embedded that can process the entire TCP/IP stack themselves, instead of passing the work to the CPU. TCP Chimney Offload enables this support within the Windows kernel.

Receive Side Scaling — essentially, this feature enables multi-threaded processing of the TCP/IP stack, allowing this processing to occur on more than one processor in a multi-CPU system.

Both of these features provide a substantial improvement in networking performance (especially when used with recent gigabit network adapters), but may introduce compatibility issues with other networking devices. Mac OS X clients intermittently experience extremely slow domain logons when these features are enabled.

In order to appease your Mac users and maximise compatibility, you may want to disable these scalable networking components. Before doing this though, ensure that you have installed the latest network adapter drivers available for your system and that you have applied all ISA Server updates to your server (if it is installed).

Load up the Registry Editor (Start > Run > regedit) and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey. TCP Chimney Offload is controlled by a DWORD value named ‘EnableTCPChimney’: edit it if it already exists, or create it if not, and set it to 0 (zero). (The similarly named ‘EnableTCPA’ value in the same subkey controls NetDMA, the third feature these updates add, not Chimney; when troubleshooting it is usual to set it to 0 as well.)

Receive Side Scaling is disabled in the same subkey: create a new DWORD value named ‘EnableRSS’ if one does not exist already and set it to 0 (zero) too. Once these values have been set, you’ll need to restart your server for the changes to take effect.

Accessing Network Shares

Once the required work has been done on your SBS server, Mac OS X clients can connect to Windows or Samba shares on an ad-hoc basis by clicking on the Go menu and selecting ‘Connect to Server…’ (alternatively, Command-K will achieve the same result). You’ll then be asked to supply your server address: type in smb://<server>, where <server> is the name of your server.

After you’ve supplied your domain login credentials (in the <DOMAIN>\<user name> format), a dialog box asking you to ‘Select the volumes you want to mount’ from the server will appear. Before Mac OS X 10.5, each share was mounted as a separate volume; since 10.5, the server name appears under the Shared area of the navigation tree instead. Unmounting a share on a pre-10.5 system is a matter of dragging the mount to the Trash; on a Mac OS X 10.5 system, simply click on the small eject symbol next to the server name in the navigation tree.


Single Sign-on for Active Directory

Connecting to network shares on the ad-hoc basis shown above has one major drawback — you’ll have to enter your domain credentials every time that you communicate with a given server for the first time. To enable single sign-on within a Windows-based domain, you’ll need to join your Mac to the Active Directory.

Open the Directory Utility application located in the Utilities folder (which, in turn, is located in the Applications folder). Once this applet has finished detecting the directory servers on your network, click on the ‘Show Advanced Settings’ button and then click on the Services icon toward the top of the window. Because you’re editing a system setting, you’ll need to supply administrative credentials to proceed.

Double-click on the Active Directory line in order to bring up the configuration settings for the Active Directory connector. Enter your internal domain name (eg. internal.lan) in the Active Directory Domain field and adjust the Computer ID so that it matches the naming convention of workstations on your network.

Next, click on the expand control to Show Advanced Options and ensure that the ‘Create mobile account at login’ checkbox is selected under the User Experience tab (a mobile account caches the user’s credentials and home folder on the Mac, which is what allows a laptop to log on while away from the network). Under the Administrative tab, ensure that the ‘Prefer this domain server’ checkbox is ticked and enter the FQDN of your SBS server. Also ensure that the ‘Allow administration by’ checkbox is ticked and add ‘Domain Admins’ and ‘Enterprise Admins’ as groups that have administrator privileges on your computer.

Once you click on the Bind button, you’ll be asked to supply the credentials of an account that has administrative rights to the Active Directory domain that you are joining. If the bind operation was successful, the Active Directory Forest, Active Directory Domain and Computer ID fields will now be greyed out and the NetBIOS name of your domain will prefix the Domain Admins and Enterprise Admins groups. You can now close the Directory Utility.
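The same bind driven from the command line with dsconfigad, the command-line equivalent of the Active Directory connector, as an added example that is not part of the original article. This is the form you would put in a deployment script for a batch of Macs. The assumed values are the computer ID mac01, the SBS host sbs.internal.lan, the NetBIOS domain INTERNAL and the bind account admin. The computer ID check is there because the computer account’s name in Active Directory is a NetBIOS name, limited to 15 characters of letters, digits and hyphens; a longer or malformed Computer ID gives a failed or oddly named computer account.

```shell
#!/bin/sh
# Added example, not from the article: bind a Mac OS X 10.5 client to
# Active Directory with dsconfigad, applying the same options the section
# sets in Directory Utility. Assumed values: computer ID mac01, domain
# internal.lan, NetBIOS domain INTERNAL, preferred DC sbs.internal.lan,
# bind account "admin".

# valid_computer_id NAME: the computer account name becomes a NetBIOS name
# in Active Directory, so keep it to 1-15 letters, digits and hyphens with
# no leading or trailing hyphen.
valid_computer_id() {
    name="$1"
    case "$name" in
        ''|-*|*-)          return 1 ;;
        *[!A-Za-z0-9-]*)   return 1 ;;
    esac
    [ "${#name}" -le 15 ]
}

# read_password: prompt for the bind account's password without echo
# (POSIX stty, since read -s is a bashism). Sets the global pw.
read_password() {
    printf 'Password for bind account: ' >&2
    stty -echo
    read -r pw
    stty echo
    echo >&2
}

# bind_to_ad COMPUTER_ID DOMAIN NETBIOS PREFERRED_DC ADMIN_USER
bind_to_ad() {
    computer_id="$1"; domain="$2"; netbios="$3"; preferred="$4"; admin="$5"
    if ! valid_computer_id "$computer_id"; then
        echo "invalid computer ID '$computer_id': use 1-15 letters, digits or hyphens" >&2
        return 2
    fi
    read_password
    # Bind (the Bind button). The password is passed as an argument and is
    # therefore briefly visible in the process list on this Mac; run this
    # from a trusted session only.
    dsconfigad -a "$computer_id" -domain "$domain" -u "$admin" -p "$pw" || return 1
    pw=""
    # User Experience tab: create mobile accounts, with confirmation.
    dsconfigad -mobile enable -mobileconfirm enable || return 1
    # Administrative tab: preferred domain controller and admin groups.
    dsconfigad -preferred "$preferred" || return 1
    dsconfigad -groups "$netbios\\Domain Admins,$netbios\\Enterprise Admins" || return 1
    # Show the resulting configuration and prove that domain users resolve.
    dsconfigad -show
    id "$netbios\\$admin"
}

if [ "${1:-}" = "--live" ]; then
    bind_to_ad mac01 internal.lan INTERNAL sbs.internal.lan admin
fi
```

Run it with sudo on the Mac being joined; the final `id` line is the quick test that the bind actually works, since it only succeeds when the Mac can look the domain account up through the connector.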

And for the OpenLDAP users…

The process used to join an OpenLDAP domain is relatively similar. From within the Directory Utility, one would double-click on the LDAPv3 connector instead of Active Directory. Under this configuration screen, un-tick the ‘Use DHCP-supplied LDAP server’ checkbox, show the Advanced Configuration Options and click on the Add button.

Your configuration name can be anything, but use something descriptive. Your server name should be set to the FQDN of your LDAP server, LDAP Mappings should be set to ‘RFC 2307 (Unix)’ and the Search Base should be set to the location where your user accounts are stored in the directory (alternatively, the root of the directory should also work). Once these settings have been applied, bring up the Search Policy tab within the Directory Utility and add a custom search path. Select the LDAP URI for your domain and then close the Directory Utility.
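Before pointing the LDAPv3 connector at the server, it is worth confirming from the Mac that the directory is reachable and that the account you will log on with actually carries the attributes the ‘RFC 2307 (Unix)’ mapping expects: a user without uidNumber, gidNumber or homeDirectory can be found in the directory but cannot log on. The following is an added example, not part of the original article. It derives the search base from the domain name (internal.lan, as in the series), queries the server with the ldapsearch that ships with Mac OS X, and checks the returned entry. The host name ldap.internal.lan, the user jarrod and the two LDIF records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: check that an OpenLDAP user carries
# the RFC 2307 (posixAccount) attributes Mac OS X needs before binding with
# the LDAPv3 connector. Assumed: server ldap.internal.lan, user jarrod.

# base_dn_from_domain DOMAIN: internal.lan -> dc=internal,dc=lan, the
# conventional search base for a directory named after the DNS domain.
base_dn_from_domain() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# check_posix_account < LDIF: returns 0 if the entry has the attributes a
# posixAccount must carry (uid, uidNumber, gidNumber, homeDirectory);
# otherwise lists the missing ones and returns 1. loginShell is optional
# in RFC 2307, so its absence is only a warning.
check_posix_account() {
    ldif=$(cat)
    missing=""
    for attr in uid uidNumber gidNumber homeDirectory; do
        if ! printf '%s\n' "$ldif" | grep -qi "^$attr:"; then
            missing="$missing $attr"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing RFC 2307 attributes:$missing"
        return 1
    fi
    if ! printf '%s\n' "$ldif" | grep -qi '^loginShell:'; then
        echo "warning: no loginShell attribute"
    fi
    return 0
}

# ldap_check_user SERVER DOMAIN USER: anonymous simple bind (-x) over plain
# LDAP on port 389; add -D/-W if the directory refuses anonymous reads.
# USER is interpolated into the filter, so pass only known account names.
ldap_check_user() {
    ldapsearch -x -LLL -H "ldap://$1" -b "$(base_dn_from_domain "$2")" \
        "(&(objectClass=posixAccount)(uid=$3))" | check_posix_account
}

# Constructed sample entries: a complete account and one that would fail
# at the login window.
SAMPLE_GOOD='dn: uid=jarrod,ou=People,dc=internal,dc=lan
objectClass: posixAccount
uid: jarrod
cn: Jarrod Spiga
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jarrod
loginShell: /bin/bash'
SAMPLE_BAD='dn: uid=jarrod,ou=People,dc=internal,dc=lan
objectClass: inetOrgPerson
uid: jarrod
cn: Jarrod Spiga'

if [ "${1:-}" = "--live" ]; then
    ldap_check_user ldap.internal.lan internal.lan jarrod
fi
```

The Search Base the connector asks for is the value base_dn_from_domain prints; if the live run reports missing attributes, fix the directory entry before binding, because the login window gives no hint of which attribute is absent.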

Final Changes

Before logging in to your system with your domain credentials, you should ensure that Automatic login has been disabled on your Mac, otherwise the machine boots straight into a local account and never offers the domain logon. You can do this by opening the Accounts pane in System Preferences; the option to disable automatic login appears after you click on the Login Options section of the navigation tree.

To test your configuration, log out from the system. At the login screen, click Other and then enter your domain user name (if you’re logging on to an Active Directory, you’ll need to supply a NetBIOS domain and user name pair in the <DOMAIN>\<user name> format). When you click on OK, you’ll be asked if you want to create a mobile account, to which you should answer in the affirmative.

Once logged in, you may then want to work on migrating your existing user profile across to this new account. 

 
