Extending Active Directory for Mac OS X clients

After I wrote about building your own OpenDirectory server on Linux a while back, I decided to do the same thing on Windows Server 2008 R2. The process of extending the AD schema to include Apple's classes and attributes is documented by Apple (that is the Leopard version of the document; if all of your clients will be Snow Leopard, you can follow the newer version, which skips a couple of things that Snow Leopard no longer needs).

But since schema extensions are generally frowned upon in the Windows world because they're irreversible (why the heck, Microsoft…?), I initially tried a dual-directory (golden triangle, magic triangle) approach where I'd augment my AD with Apple records coming from AD LDS (Active Directory Lightweight Directory Services, previously called ADAM, Active Directory Application Mode, which is essentially a standalone LDAP directory from Microsoft that shares AD's code base but not its domain schema). While this may sound like a great idea, I just couldn't get it to work. After dozens of manual schema extensions to AD LDS (Microsoft doesn't include many standard LDAP attributes, so I had to dig through the dependencies of apple.schema and even tried importing a complete OD schema), I gave up because I could not get Workgroup Manager to authenticate against it, which meant I couldn't make any changes through it.

So the next thing to do was follow Apple's AD schema extension guide (linked above) and do what everybody else did. This was rather straightforward: managed preferences for users, groups and computers worked right away. Creating a computer list was another matter. Snow Leopard's Server Admin Tools can't create one at all, because Leopard introduced computer groups in place of computer lists and the AD plugin doesn't support computer groups; you need Tiger's Workgroup Manager, which throws loads of errors on Snow Leopard but still gets the job done. When I tried, it just said I didn't have permission to do that. After enabling DirectoryService debug logging (killall -USR1 DirectoryService turns on debug logging, killall -USR2 DirectoryService adds API call logging), I traced it down to Active Directory: Add record CN=Untitled_1,CN=Mac OS X,DC=xxx,DC=zz with FAILED – LDAP Error 19 in /Library/Logs/DirectoryService/*. LDAP error 19 is constraintViolation, and apparently it's caused by some versions of ADSchemaAnalyzer exporting every class with objectClassCategory set to 0 (the legacy "88 class" type) instead of 1 (structural). Too bad AD schema extensions are irreversible and objectClassCategory is one of the attributes you can't change later on… 🙁 With the AD Schema Management MMC snap-in, I was able to rename the botched apple-computer-list class, defunct it and add a new one using ldifde. With some really wild hacking in the AD schema using ADSI Editor, I eventually got OS X to stop looking at the renamed class and use the new one instead. To see whether you have been successful, killall DirectoryService, wait a few seconds, and grep -H computer-list /Library/Preferences/DirectoryService/ActiveDirectory* will show a line indicating which class in the schema it's using.

Once you're there, everything should work as expected. If you don't want to use Tiger's Workgroup Manager to create old-style computer lists, you can create apple-computer-list objects in the CN=Mac OS X branch by hand in ADSI Editor.

So, attached is the schema LDIF exactly the way it should be, with the classes' objectClassCategory set correctly. I really wonder why Apple doesn't provide it themselves; it's going to come out exactly the same every time you follow their guide on any Windows server… Apple Schema for Active Directory

I guess that the overall conclusion of this should be that AD schema extensions in general and specifically Mac OS X managed clients in AD environments are a nasty hack. I suppose the dual directory/magic triangle/golden triangle approach with a Microsoft AD and an Apple OD would work, but it requires maintaining two separate directories, which may not be that great in a larger environment either.

If Apple discontinues Mac OS X Server at some point in the near future (which the demise of the Xserve and the lack of announcements regarding Mac OS X 10.7 Server alongside Mac OS X Lion suggest), this is definitely something they need to improve. There are some third-party solutions that store MCX settings outside of AD (similar to Windows GPOs, which are stored on the SYSVOL share), such as Thursby's ADmitMac; however, that's a rather expensive solution (a dozen client licenses cost about as much as two Mac mini servers) and might break after OS updates (though from what I've heard, they're rather quick at providing updates). If Apple does discontinue Mac OS X Server, they should definitely improve Lion's AD integration to replicate ADmitMac's features.

39 thoughts on “Extending Active Directory for Mac OS X clients”

  1. Michael Kuron Post author

    Some interesting things I learned in one of Apple’s webcasts (http://www.seminars.apple.com/cgi-bin/WebObjects/ASPRegistration.woa/wa/sol?locs=us_en):

    To create a Tiger-style computer list, you can go to All Record Types tab (the circle to the right of the computer groups icon), select ComputerLists from the dropdown and click New Record. Despite the error message, a list named untitled_1 will get created and will show up on the computer groups tab after refreshing.

    To manage guest computers (i.e. computers that are not in any other computer list/group), click Create Guest Computer in the Server menu, then go to the computers tab and make sure its name is guest and its short name is guest$.

  2. Evan Whakahau

    Hi Michael,

    Great article. I work for a college in a mixed platform environment and I've so far avoided updating our Macs (in the golden triangle config) to 10.6.7 or 10.7, as one classroom's iMacs failed to bind to AD after the update.
    Is your solution still valid? It seems a lot of configuration! We only require the Macs to allow AD users to log on and pick up home directories from a Windows server.
    Any help/advice will be much appreciated.
    Regards,
    Evan

  3. Michael Kuron Post author

    Hi Evan,

    Really, it's not that much work. If you follow Apple's PDF on AD schema extensions and just skip the steps that explain how to create the LDIF file (and instead use the file I provided above) and basically just run that ldifde command, it can probably be done in a couple of minutes.

    Personally, I don’t really like doing the AD schema extension to support Apple’s MCX policies. I guess it works reasonably well, but only as long as you don’t get involved with it too deeply (e.g. the computer groups vs. computer lists thing I wrote about). Also, you need to consider that Microsoft doesn’t support configurations that involve non-Microsoft schema extensions (and there’s no way to undo a modification later on!), so if your AD ever becomes corrupted or something, you’ll be out of luck.
    A magic/golden triangle configuration also has its shortcomings as far as I can tell (having to maintain two distinct directories). But if you already have such a solution set up, you might as well just keep it. Did you try to find out why 10.6.7 clients no longer bind to your AD? The stuff I wrote about sending a SIGUSR1 to DirectoryService to make it write more details to its logs might help.

    If you only need authentication and home directories, you don’t need a magic triangle or schema extension. But as you already have one set up, I assume you also require managed preferences (MCX).

    If I ever have a huge amount of time I don’t know what to do with, I might write a DirectoryService plugin that pulls MCX settings from an HTTPS server and leaves all the authentication stuff to AD, OpenLDAP or whatever LDAP service you have configured. Likewise Open is probably a good starting point (they already have the DS API figured out, and they’re open source), and Apple’s DirectoryService API documentation and sample code look somewhat helpful as well. I probably will never even start this project, but if somebody else does, I’d be more than happy to help…

    Regards,
    Michael

  4. Tony Shadwick

    Just as an FYI, that PDF on how to extend AD is no longer hosted at Apple.

    http://images.apple.com/business/solutions/it/docs/Modifying_the_Active_Directory_Schema.pdf

    Gives you a 404. 🙁 I used your file, which works okay, except that on 10.7, Workgroup Manager constantly complains:

    ‘Record type not mapped.

    The record with type “Config” is not mapped. You should report this error to the administrator of your server.’

    The result is that the UI does not display the configuration appropriately, but the mcx records *are* in fact being written to AD. I watched Apple’s video on how to do this, but without the whitepaper, I wouldn’t know what entries to include.

    Good news is that I’m testing this on a vm, so I can just roll back to before I made the schema changes to try again. I just wish Apple’s doc was still out there. Given their recent attitude towards the enterprise, ie “macs don’t belong in the enterprise”, I’m wondering if it will ever reappear.

  5. Frank

    Tony, you are right: I was installing SL Server, binding it to a Windows 2008 R2 AD. Everything seems to work fine although I get the same warning “The record with type ‘Config’ is not mapped…”. Also the view in Workgroup Manager does not show the current value (applies for Lion as well as Lion Server). As a workaround, I use Apache Directory Studio to check the current “apple-mcxsettings” 😉

    Did someone already figure out if we need to reapply the schema modification again for Lion to fully support Lion Server features as well as Lion client MCX settings…?

  6. Frank

    Sorry, forgot to mention that of course that is due to my update from SL Server to Lion Server…!

  7. Nik

    Michael,

    Have you been trying to use Lion (client) in an AD 2008 environment? It looks like things are really broken, especially with mobile accounts. Thursby’s ADmitMac does a *much* better job (account creation actually happens) but I agree that it is simply far too expensive and not a solution for the long term. Apple certainly tried to fix this but didn’t really get it right. Hopefully 10.7.2 does better job.

    Wondering if you have any experiences to relay.

    Regards.

  8. Michael Kuron Post author

    I did not look at Lion’s directory capabilities yet at all. But considering how many other things they broke (even in combination with Snow Leopard Server), I didn’t really expect the AD schema extension to work correctly right away (or even at all).

    I’m guessing it’s time to start looking for alternative server solutions in Mac environments. As Mac OS X Lion Server lost a bunch of features, I guess it’s hard to recommend that for anything. Since AD with extended schema doesn’t work anymore either, that leaves two choices: Using Linux servers (I wrote an article about extending the OpenLDAP schema a few years ago, and I expect that to still work on Lion), or doing a magic triangle (either the classic one or AD + OSX Profile Manager, which might be the more elegant approach).

  9. Pingback: Domain Migration: Planning & Implementation « Angela Creason's Blog

  10. Dima

    What is the benefit of extending the Active Directory schema for Macs over having dual directories?

  11. Michael Kuron Post author

    Short answer: none.
    Long answer: saves you buying another server and maintaining separate directories that might get inconsistent etc. Also, I’m pretty sure extending the schema will be the much easier choice if you’re running a big directory replicated across dozens of servers.

  12. Pingback: RM CC4 & Apple Mac

  13. Fawad

    Has anyone been able to get Lion to work using this (or similar) method, or should I go ahead and get a Lion Server?

  14. Berry Williams

    Hi all, just found this, and can say it's still broken in 10.7.3 and 10.8. I manage several thousand Macs (mostly Airs) in an educational environment. We extended our AD schema some time ago, and haven't looked back; it's worked quite well, and freed up our Xserves for other tasks. 10.7 and 10.8 both bind to AD, but neither will recognize membership in a group, so MCX is in place as defined for Guest. Interestingly, if you fire off WGM on a 10.6.8 bound machine, and look at local, the local machine is listed. If you do the same on 10.7.x, Guest and localhost are there, and no amount of coaxing will put the local machine in the list. It would seem that, on binding to AD, the local machine becomes Guest. I'm still chipping paint off the walls with my forehead on this one, but will let you know if I make any headway. Any suggestions on angles of attack would be sincerely welcomed.

  15. Michael Kuron Post author

    Thanks for the update, Berry. If it’s still broken on 10.8 (you should file a bug report!), the message Apple is sending to us there is pretty clear: if you’re running more than half a dozen Macs, you’re running the wrong operating system.
    It’s sad, but probably a reality all of us Mac admins will need to get used to. The Mac hasn’t exactly been a top priority to Apple for the past two years.

  16. JK

    We're looking at a schema extension as the cheap way to accomplish managing prefs on our Macs. We're also educational (K-12), and have roughly 4500 Macs. Our alternative is a product like Centrify, but we're not sure if its cost will prohibit us from going that route. Has anyone with a good working schema extension looked into other 3rd party products to get past some of these hurdles mentioned by Berry? It just seems to me like there's some unknown reason why Apple took all the schema extension documentation off their website, and these issues may be why. They're going to have to do something for us with the discontinuation of the Xserve. One of our other primary concerns is the AFP ~200 user limit. After that, the AFP service crashes. Thus, AD with SMB is our solution. The triangle seems like so much additional management…

  17. Michael Kuron Post author

    One thing you could consider is writing a custom DSPlugin that pulls its prefs from an HTTPS server instead of from LDAP attributes. This actually shouldn't be overly difficult as Apple provides API documentation. Not sure how usable this API is, but you could take a look at Likewise Open's open source code and see how they did it. For 4500 Macs, even if it took you a few hundred hours to develop it, you'd still save your school district lots of money compared to Centrify/ADmitMac (at least if managed prefs are all you need).

    It would be really cool if someone wrote such a plugin and open-sourced it.

  18. Berry Williams

    JK, I hate to be the bearer of bad news, but a recent conversation has me convinced MCX is dead, Apple has no intention of fixing it. They’re moving everything to Profile Manager, so WGM is pointless. Our options are stay with 10.6.x, or learn to live with Profile Manager, which means re-introducing Macs of some sort into the management.

    If you put yourself in Apple’s place, this makes beautiful sense. They’ve sold more iOS devices in three years than OS X devices in twenty eight, and built an App Store which has over 25 billion downloads, with a captive audience. In that position, I’d want to merge it together and force all the apps through my portal. It’s bending us over a rail, but we’re trivial compared to the consumer market they’ve developed. It also means we *have* to buy the management tools, limited as they may be, from them.

    We use Filewave, so it's possible they will integrate enough controls into their system, but I'm not thrilled with the idea of being dependent on a third party. In the meantime, I'm in the process of setting up a test environment to see how this works, and will post back here as I have results. I'm committed to 10.6 through next year (continuing to use the AD extensions), so Mountain Lion will be the next step, and what I'm testing with. Wish me luck…

  19. Berry Williams

    Michael, one of the things I’m considering is seeing if the 10.6 AD plugin works in 10.8. The impression I’ve been given is there are changes deeper in the OS though, and am beginning to feel certain any hint of MCX will be gone by 10.9, and it will be a unified OS after that. I’ll definitely be taking a look at the Likewise code though, thanks for that!

  20. Michael Kuron Post author

    Berry, thanks for the bad news and analysis on how it makes sense from Apple’s perspective. I’ve been thinking along similar lines and actually I don’t really see the Mac OS X platform living on beyond the next 3-5 years for that exact reason.

    If you think about it, the whole industry is moving in that direction: Microsoft is saying that Windows 8 for ARM cannot be joined to a domain (which is the Windows equivalent of OpenDirectory and MCX).
    Moving away from the universal computer and towards feature-limited devices appears to be what the industry is doing in the long run because consumers don’t care about most of the things a computer can be used for. Seems like we are not on the winning side in the computer vs. tablet war… Fearfully I’m waiting for the day I need to jailbreak my computer just to compile and run a simple program I wrote.

  21. Michael Kuron Post author

    Great find! Looks like Apple finally published five Lion whitepapers a few weeks ago at http://training.apple.com/lion . Could you post the LDIF you got by following the guide? My schema extension created by following the SL AD whitepaper is included in the blog post, so we could compare the two and see what’s changed.

  22. Berry Williams

    This is a great find, and somewhat contradictory to the info I was given, hmm. This may be promising, thanks! The objectClasses lists are different enough to be troubling – this isn’t an answer if Apple intends to change schema regularly, since AD does not like to undo. Still, if this works, we’re back to having a path forward, or at least enough info to understand what might be going on.

  23. JK

    No need for a schema extension with the profile Manager model. And i take it that removes the need for Open Directory??

    From one of the docs on http://training.apple.com/lion
    Use Profile Manager
    Profile Manager allows an administrator to configure policies outside of a
    directory service. In this scenario, a user would either opt in to service
    configuration and policy settings, or join the client to a Profile Manager
    server via a web interface. The user would then authenticate against Active
    Directory, and the policies and settings would already exist locally on the
    Mac client. If the Mac is bound to a profile server, any changes to policies
    trigger a push notification, after which the Mac contacts the Profile
    Manager service to update policies and settings.

  24. Berry Williams

    JK – which means you must have an Apple server for your clients to bind to – just like OD. We had problems with capacity using the AD/OD triangle, which pushed us to extend the AD schema in the first place (eliminating those problems). I’m extremely skeptical of Apple’s ability to manage large numbers of machines with Profile Manager any better than they did MCX/OD. If there’s a way to continue with MCX managed from AD, I will use it.

    I agree with Michael – in the long term, this is likely a dead end, everything seems to be moving in another direction. But in the short term, making AD continue to work buys the time to come up with a better solution.

  25. JK

    Could you elaborate on the triangle issues a bit more? We’re not sure a schema extension is best long term, but if you’ve had issues with the triangle (our short term plan), then we may need to rethink that.

    Thanks Berry –

    Josh

  26. Berry Williams

    Hi all, here’s what I’ve learned so far. Using a 2008 R2 Enterprise domain controller and a 10.7.3 Lion Server, I generated an ldif using the Best Practices for Integrating OS X Lion with Active Directory white paper. Comparing this to the ldif results from Timothy Perfitt’s 2009 white paper gives the following differences;

    All changetype: add lines become changetype: ntdsschemaadd.

    systemOnly: FALSE in the class definitions is missing.
    Class definition for:

    apple-computer – adds a reference to the new hwuuid attribute
    # mayContain: apple-hwuuid
    mayContain: 1.3.6.1.4.1.63.1000.1.1.1.19.7

    while apple-user – does not include
    # mayContain: apple-user-authenticationhint
    mayContain: 1.3.6..4.1.63.1000.1.1.1.1.15

    The new ldif,

    Does not include

    # Attribute: apple-computeralias
    # Attribute: apple-dns-domain
    # Attribute: apple-dnsname
    # Attribute: apple-dns-nameserver
    # Attribute: apple-neighborhoodalias
    # Attribute: apple-nodepathxml
    # Attribute: apple-service-location
    # Attribute: apple-service-port
    # Attribute: apple-service-type
    # Attribute: ttl

    # Class: apple-location
    # Class: apple-neighborhood
    # Class: apple-serverassistant-config
    # Class: apple-service

    Adds

    # Attribute: apple-hwuuid

    Now for the fun stuff. Line spacing and EOL characters in ldif files are critical, and will crash the import if incorrect. Copy the ldif file to the server you intend to run it on, and open it in a couple of different editors to confirm all is as should be. Once this is done, the file imports flawlessly, and adds the schema extensions as defined. Unfortunately, Workgroup Manager 10.7 will *not* add a new computer group, although it will accept new settings for a User, User Group, Machine, or existing Machine Group. Machine Group is the only option for which New was not greyed out. The test machine would *not* update to these settings. Workgroup Manager 10.6.2 *would* create a new computer group, set specific settings for the group, and allow bound computers to be added to the group. Neither machine (one 10.7.3, the other 10.6.8) would update to these settings.

    The addition of the hwuuid attribute has my attention, I can’t help but wonder if Apple has moved away from identifying machines by MAC address. This field is displayed on the Accounts/General screen in WGM (both versions), but the addition of this field should have fixed MCX if this was the case (one would think), so I’m still guessing. The presence of the field in WGM 10.6.2 tells me this existed earlier, but wasn’t necessarily being used – the production server (2003 domain, 10.6.8 clients) does not have this populated.

    This is round one, test one, so there’s more to come, but I wanted to get an update out there.
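
    As an added example, not the post's attached LDIF, not Apple's tooling and not code from any commenter: the Python below reads a schema-extension LDIF the way ldifde does, rejects the objectClassCategory 0 classes behind the LDAP error 19 in the post, flags OIDs with a stray dot and files with mixed line endings (the EOL problem described in this comment), and compares two exports the way this comment does by hand. The two LDIF snippets are constructed for the example, with placeholder OIDs under the 2.999 documentation arc rather than Apple's assignments; only the class and attribute names are taken from this page.

```python
"""Added example (not Apple's tool, not the post's LDIF, not any commenter's code): read
an AD schema-extension LDIF as ldifde does, lint it, and diff two exports."""
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")
# objectClassCategory values AD accepts; 0 is the legacy "88 class" type some
# ADSchemaAnalyzer builds emit, and it cannot be changed once imported.
CATEGORIES = {"1": "structural", "2": "abstract", "3": "auxiliary"}


def parse_ldif(text):
    """[(dn, {attr_lowercase: [values]})]: folds continuation lines (RFC 2849),
    skips '#' comments, accepts CRLF or LF, and a blank line ends an entry."""
    folded = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)
    entries, attrs, dn = [], {}, None
    for line in folded + [""]:                 # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = value[1:] if value.startswith(":") else value   # "attr:: b64" kept raw
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return entries


def lint(text):
    """Findings that should stop an ldifde -i, because schema adds are permanent."""
    findings = []
    crlf, total = text.count("\r\n"), text.count("\n")
    if crlf and total > crlf:
        findings.append(f"mixed line endings: {crlf} CRLF, {total - crlf} LF")
    for dn, a in parse_ldif(text):
        if "changetype" not in a:
            findings.append(f"{dn}: no changetype (add, modify or ntdsSchemaAdd)")
        if "classschema" in {v.lower() for v in a.get("objectclass", [])}:
            cat = a.get("objectclasscategory", ["missing"])[0]
            if cat not in CATEGORIES:
                findings.append(f"{dn}: objectClassCategory {cat} is not 1/2/3 "
                                "(0 = 88-class); unfixable after import")
        for attr, shown in (("governsid", "governsID"), ("attributeid", "attributeID"),
                            ("maycontain", "mayContain"), ("mustcontain", "mustContain")):
            must_be_oid = attr in ("governsid", "attributeid")
            for v in a.get(attr, []):
                # mayContain/mustContain may hold names; only OID-looking values are checked
                if (must_be_oid or v[:1].isdigit()) and not OID_RE.match(v):
                    findings.append(f"{dn}: {shown} {v!r} is not a valid OID")
    return findings


def schema_diff(old_text, new_text):
    """Entries added/removed by RDN, plus per-entry attributes whose values differ."""
    def by_rdn(text):
        return {dn.split(",", 1)[0].lower(): a for dn, a in parse_ldif(text)}
    old, new = by_rdn(old_text), by_rdn(new_text)
    changed = {}
    for k in old.keys() & new.keys():
        diff = sorted(x for x in old[k].keys() | new[k].keys() if old[k].get(x) != new[k].get(x))
        if diff:
            changed[k] = diff
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()), "changed": changed}


# Constructed samples, broken on purpose in the ways this page describes.  OIDs are
# placeholders under the documentation arc 2.999, not Apple's real assignments.
SCHEMA_DN = ",CN=Schema,CN=Configuration,DC=example,DC=com"
OLD_LDIF = (
    f"dn: CN=apple-computer-list{SCHEMA_DN}\r\nchangetype: add\r\n"
    "objectClass: classSchema\r\ngovernsID: 2.999.1.11\r\n"
    "objectClassCategory: 0\r\nsubClassOf: top\r\n"        # 0: the ADSchemaAnalyzer bug
    "mayContain: apple-mcxsettings\r\n\r\n"
    f"dn: CN=apple-computer{SCHEMA_DN}\n"                    # LF here: mixed endings,
    "objectClass: classSchema\ngovernsID: 2.999.1.3\n"       # and no changetype
    "objectClassCategory: 3\nsubClassOf: top\nmayContain: apple-mcxsettings\n\n"
)
NEW_LDIF = (
    f"dn: CN=apple-computer-list{SCHEMA_DN}\nchangetype: ntdsSchemaAdd\n"
    "objectClass: classSchema\ngovernsID: 2.999.1.11\n"
    "objectClassCategory: 1\nsubClassOf: top\nmayContain: apple-mcxsettings\n\n"
    f"dn: CN=apple-computer{SCHEMA_DN}\nchangetype: ntdsSchemaAdd\n"
    "objectClass: classSchema\ngovernsID: 2.999.1.3\n"
    "objectClassCategory: 3\nsubClassOf: top\nmayContain: apple-mcxsettings\n"
    "mayContain: apple-hwuuid\n\n"                           # the attribute this comment found
    f"dn: CN=apple-hwuuid{SCHEMA_DN}\nchangetype: ntdsSchemaAdd\n"
    "objectClass: attributeSchema\nattributeID: 2.999..19.7\n"   # double dot: a hand-edit typo
    "attributeSyntax: 2.5.5.12\noMSyntax: 64\nisSingleValued: TRUE\n\n"
)

if __name__ == "__main__":
    print(lint(OLD_LDIF), lint(NEW_LDIF), schema_diff(OLD_LDIF, NEW_LDIF), sep="\n")
```

    Run lint() on the file you are about to feed to ldifde -i and stop on any finding: the grep check in the post only tells you after the import that the class is unusable, whereas this catches the category before anything permanent happens. schema_diff() keys entries by RDN, so a renamed class shows up as one removal plus one addition, and a changed mayContain (like the apple-hwuuid reference above) as a per-entry "changed" list.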

  27. Michael Kuron Post author

    Thanks Berry. Apple published a KB article a few days ago about the computer lists/groups issue: http://support.apple.com/kb/TS4243
    As far as I remember, this was actually an issue since Leopard where computer groups had been deprecated in favor of the new computer lists. The solution back then was to use 10.4.11 WGM to create a new computer group, or do the ADSI Editor stuff Apple mentions in the KB article.

  28. Robbie Foust

    Hi Berry, can you provide the full LDIF file somewhere? That would be much appreciated!

  29. Berry Williams

    Hi Robbie, sorry for the lag, you can find the ldif I used here;
    http://dl.dropbox.com/u/21822058/10.7.ldf.txt [EDIT: Mirrored here]

    For what it’s worth, I’ve found yet another third party source claiming Apple will not support MCX going forward. I can say 10.7 and 10.8 have less response to the new schema extensions than they do under the old. In our production environment, 10.7 will pick up the guest attributes, and both will allow you to cycle through info on the task bar. With the new extensions, neither will. Both do, however, work with User Group settings. Oh, and I made an incorrect observation earlier – 10.6.8 does work, I apparently did not wait long enough for the MCX records to update 😉

    More as I know it,

    Berry

  30. Pingback: Apple Schema Extensions for Active Directory | Trends in Technology

  31. Luis Rocha

    I would be interested in finding out if this works. I’ve been trying for a few years but could not get the ldif file back then. I’m going to try with the file posted *crossing fingers*

  32. Jack Derifaj

    I finally got my 10.7.4 working with the Active Directory schema extended. Here is what I had to do. I had to modify /System/Library/OpenDirectory/Templates/Active Directory.plist

    Strip out all of the Search Base keys and the strings that go with them. There are 5 of them.

    Here are the patch file locations.

    94,95d93
    < Search Base
    < cn=Mac OS X, %!
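    Review bot: the hunk identifies the deleted pair only by plist line numbers (94,95d93) and the value cn=Mac OS X, %!, not by the record-type mapping that contains it, so a reader with a different build of Active Directory.plist cannot tell which of the five mappings this one is; quote the enclosing record type key for each deleted Search Base line instead of relying on line numbers.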
    286,287d283
    < Search Base
    < cn=Mac OS X, %!
    661,662d656
    < Search Base
    < cn=Mac OS X, %!
    1043,1044d1036
    < Search Base
    < cn=Mac OS X, %!
    1196,1197d1187
    < Search Base
    < cn=Mac OS X, %!
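    Review bot: all five hunks delete the same Search Base / cn=Mac OS X, %! pair from /System/Library/OpenDirectory/Templates/Active Directory.plist, which is an OS file that a system update will replace, silently reinstating the search base; the write-up should say the edit has to be re-checked after every update, and should state explicitly that after the change these record types are no longer confined to the CN=Mac OS X container the post creates its apple-computer-list objects in.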

    I also had to set dsconfigad -alldomains disable; when we were using the search path /Active\ Directory/DCS/All\ Domains vs. now using something like /Active\ Directory/DCS/dcs.somek12schools.com, everything started to work.

    Rebooting the client after making these changes is required to see it…

    Now 10.6.8 – 10.7.4 clients work with MCX settings via Active Directory & WGM.

    So basically Lion does work with managing machines in Workgroup Manager. We have over 7400 Macs at our schools and this took time to finally get working. We also force mobile accounts to create via dsconfig and local home with UNC home path enabled.

    Hope this helps…
    Thanks
    Jack

  33. Francisco Nuñez

    Jack Derifaj.

    Can you post your /System/Library/OpenDirectory/Templates/Active Directory.plist

    And can you also put a detail step by step of how did you do it.

    thanks

  34. SIG

    Hi,

    thanks for this great post, it led me almost all the way through the pain of augmenting my schema. We just jumped on the bandwagon from OpenLDAP, and we decided to start with the best of breed (Windows 2012 + 10.8); I followed the Apple guide to the letter and it seems nothing changed in ML compared to Lion (27 attributes). What really bugged me was getting the auxiliary class addition at the end of the file; in the end copy-pasting from the PDF didn't work and I ended up typing it myself in Notepad++ on Windows (to get the line ends right). I'm sharing the file I used here: https://www.dropbox.com/s/kmvoq3lsvbdw96l/Working_appleADschema.txt [EDIT: Mirrored here]

    It imported correctly on my Windows 2012 (38 entries written). WGM from 10.8 works flawlessly to manage MCX on the 2012 AD afterwards.

  35. David

    Hi,

    Really useful post – and special thanks to SIG for putting up the working schema – I’ve just used this to connect my 10.8 client to Windows 2008 R2 and all worked fine.

    I’d previously put up questions about doing this on superuser.com, but hadn’t any luck. I’d like to post details of the working solution – would it be OK if I included a link to this site?

  36. Mogga

    To those of you that are having issues mapping UIDs and GIDs, be aware of the following document…

    http://support.apple.com/kb/HT4687

    “Depending on the Active Directory installation, you may need to make some changes. The simplest configuration is to allow Domain Computer accounts from all domains to read the attributes listed below for “Computer Objects”, “User Objects”, and “Group Objects”. Computer accounts should not have “write” access to these attributes.” …

    Once I enabled read access to the attributes in question, everything worked for me.

  37. Basam

    Having trouble with creating a computer list. Followed this link as advertised: http://support.apple.com/kb/HT200016?viewlocale=en_US

    I can’t work with either workaround. I don’t know what kind of object to create when using adsi edit as apple-computer-list is not an option.

    I can't add via Workgroup Manager, as it says I'm not authorized even though I'm admin.
