University of Oregon

Magic Triangle Setup

Audience
Faculty/Staff
Researcher
Student
GTF

Overview
Many companies commonly use Active Directory (AD) to manage their users and Windows computers. Often, in this environment, Macintoshes are ignored. Adding an Open Directory Server to the environment creates what is known as the Magic Triangle, where users can log into their Macs using their AD credentials while the computer is managed through Open Directory. 

1098

Requirements:

  • OS X Server 10.6.x
  • Active Directory
  • Mac Workstation OS X

Open Directory set up:

To set up Open Directory, first log into your Mac OS X Server and perform the following:

Step 1: Turn on Open Directory service. Use Server Admin to turn the Open Directory service on. After the service is turned on you can configure Open Directory service settings. For more information about turning on Open Directory service, see Turning Open Directory On.

Step 2: Set up a standalone directory service. Next we will need to setup a standalone directory service. To turn this feature on, see Setting Up a Standalone Directory Service.

Step 3: Connect to Active Directory. Use Account preferences (or Directory Utility for advanced connections) to connect your standalone directory server to your Active Directory server, see Setting Up a Connection to a Directory Server.

Step 4: Set up an Open Directory master. Make your standalone directory server an Open Directory Master, see Setting Up an Open Directory Master.

Step 5: Disable Kerberos on Open Directory master. Disable Kerberos on your Open Directory Master server to avoid conflicts with your Active Directory Kerberos realm, see Disabling Kerberos After Setting Up an Open Directory Master.

Step 6: Kerberize services. Kerberize your Open Directory server services with the Kerberos realm of your Active Directory server, see About Kerberized Services and Kerberizing Services with an Active Directory Server.

sudo sso_util remove -k -a diradmin -p password -r KERBEROS.REALM

(where diradmin is the admin you created during the Open Directory configuration, KERBEROS.REALM can be found on the general page when Open Directory is highlighted in the Server Admin App)

Then Kerberize services using AD by going back to the terminal and typing:

dsconfigad --enablesso

That completes the connection between the Active Directory server and the Mac server. At this point you can begin setting up your clients.

Adding a Mac Workstation/Laptop to AD/OD

Step 1: From the dock, open System Preferences or click Show All to get back to the System Preferences.

Step 2: Click on Users and Groups

Step 3: Select Login Options

Step 4: Click the Padlock to make changes

Step 5: Click the Join button

Step 6: Enter the IP address of the Mac Server and click OK, then click Trust. Step 7. Back in Users and Groups click Edit next to Network Account Server.

Step 8: Click Open Directory Utility

Step 9: Highlight Active Directory and click on the Pencil icon to edit. Step 10. Type in your domain (ex: ad.uoregon.edu) and click Bind.

Step 11: Use Active Directory admin credentials to change the Computer OU to whichever OU in which you’re containing your Macs.

For Example: OU=Mac,OU=SYS,OU=Computers,OU=IS,OU=Units,DC=ad,DC=uoregon,DC=edu

Step 12: Click on the arrow next to Advanced Options

Step 13: Put a checkmark next to create Mobile Account which gives it the ability to cache the user’s credentials/profile.

Step 14: Click the Administrative tab and put a checkmark next to Allow Administration so that domain and enterprise admins have local admin access.

Step 15: Restart and login using the user’s AD account and allow it to create the Mobile Account when prompted

Conclusion
Once the Magic Triangle has been set up, you will have the ability to allow users to login to their Mac workstations using AD credentials while also being able to manage their computers effectively.