Quest Authentication Services for Mac OS X. Installation, Configuration, and Administration Guide Version 3.5.2

Transcription

1 Quest Authentication Services for Mac OS X Installation, Configuration, and Administration Guide Version 3.5.2

2 2009 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA legal@quest.com telephone: Refer to our Web site for regional and international office information. Trademarks Quest, Quest Software, the Quest Software logo, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, ChangeAuditor, DataFactory, DeployDirector, ERDisk, Foglight, Funnel Web, GPOAdmin, itoken, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invirtus, IT Dad, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, MessageStats, NBSpool, NetBase, Npulse, NetPro, PassGo, PerformaSure, Quest Central, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Tag and Follow, Toad, T.O.A.D., Toad World, vamp, vanalyzer, vautomator, vcontrol, vconverter, vdupe, vessentials, vfoglight, vmigrator, voptimizer Pro, vpackager, vranger, vranger Pro, vreplicator, vspotlight, vtoad, Vintela, Virtual DBA, VizionCore, Vizioncore vautomation Suite, Vizioncore vessentials, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners. Quest Authentication Services for Mac OS X Installation, Configuration, and Administration Guide Updated - November 2009 Software Version

3 CONTENTS ABOUT THIS GUIDE INTRODUCTION CHAPTER 1: DEPLOYING QAS FOR MAC OS X INSTALLING QAS FOR MAC INSTALLING THROUGH THE MAC OS X GUI INSTALLING THROUGH THE UNIX COMMAND LINE UPGRADING QAS FROM PREVIOUS RELEASES UNINSTALLING QAS CHAPTER 2: PRODUCT COMPONENTS THE QAS MAC OS X COMPONENTS QAS STARTUP ITEMS QAS DIRECTORY SERVICE PLUGIN QAS DIRECTORY ACCESS PLUGIN QAS SECURITY SERVER PLUGIN CHAPTER 3: CONFIGURING THE QAS CLIENT CONFIGURING THE QAS CLIENT LAUNCHING DIRECTORY ACCESS OR DIRECTORY UTILITY ADDING, CHECKING, AND VERIFYING QAS LICENSES JOINING THE DOMAIN PERFORMING AN UNATTENDED QAS MAC CLIENT INSTALL...31 USING TERMINAL.APP TO JOIN AND UNJOIN SYSTEM CHANGES MADE BY THE QAS JOIN PROCESS VERIFYING THE INSTALLATION AND CONFIGURATION LOGGING IN WITH ACTIVE DIRECTORY ACCOUNTS CONNECTING TO SMB SHARES ON WINDOWS SERVERS AUTOMATICALLY MOUNTING NETWORK HOME FOLDERS CHAPTER 4: SPECIAL MAC OS X FEATURES QAS FEATURES DESIGNED SPECIFICALLY FOR MAC OS X LOCAL ADMINISTRATOR RIGHTS FOR QAS USERS ACTIVE DIRECTORY USER PASSWORD HINT iii

4 Quest Authentication Services for Mac OS X CHAPTER 5: PLATFORM LIMITATIONS QAS LIMITATIONS ON MAC OS X CHAPTER 6: QAS FOR MAC OS X DESKTOP POLICIES MAC OS X DESKTOP POLICY OVERVIEW MANAGING MAC DESKTOP POLICIES WITH THE GPOE USING THE MAC OS X, WORKGROUP MANAGER, AND PREFERENCE MANIFEST SETTINGS NODES INDEX iv

5 About this Guide Introduction

6 Quest Authentication Services for Mac OS X Introduction This document describes the port of the Quest Authentication Services for Mac OS X Product to the Mac OS X platform. Quest Authentication Services for Mac OS X brings the enterprise functionality QAS supplies on every other major Unix platform to Mac OS X. Both Mac OS X and Mac OS Server versions 10.4 and 10.5 are supported on both the PPC and Intel platforms using a Universal Binary. A separate binary is provided for Mac OS client and server version 10.6, which is only supported on the Intel platform. Quest recommends that you install all the latest Apple system updates before installing QAS. In this guide, you will find step-by-step instructions on installing, configuring, and uninstalling QAS along with a detailed explanation of the QAS components for Mac OS X. Added to this version of the guide is a chapter entitled "QAS for Mac OS X Desktop Policies," which documents each policy supported for this version of QAS for Mac OS X. This guide is not comprehensive and only describes those QAS features specific to Mac OS X. Refer to the QAS Solutions Guide for complete documentation on all other QAS features. 6

7 1 Deploying QAS for Mac OS X Installing QAS for Mac Upgrading QAS from Previous Releases Uninstalling QAS

8 Quest Authentication Services for Mac OS X Installing QAS for Mac The QAS Software is provided in a standard disk image which can be found in the Mac OS X subdirectory on your QAS installation disk. To install QAS 1. Insert your QAS installation disk and navigate to the Mac OS X folder. 2. Mount the disk image by double-clicking on the VAS-<version>.<build number>.dmg file, where <version> is the version and <build number> build number of your QAS release. There are two different disk images in the OSX client directory. OS 10.4 and 10.5 users should select the VAS-OS104u-<version>.<build number>.dmg file, while OS 10.6 users should select the VAS-OS106-<version>.<build number>.dmg The dmg contents will be mounted on your system. For versions 10.4 and 10.5, the dmg contents are located in /Volumes/VAS_OS104u-Installer and will appear as a mounted volume in the Finder window. For version 10.6, the dmg contents are located in /Volumes/VAS_OS106-Installer and will appear as a mounted volume in the Finder window. Under the mounted disk image you will find the QAS metapackage (VAS.mpkg) that contains the following QAS packages: QAS Client (vasclnt) QAS Group Policy (vasgp) Dynamic DNS (vasddns) QAS SDK (vasdev) Both packages are required. There are two supported installation methods. GUI installation Command line installation 8

9 Deploying QAS for Mac OS X Installing through the Mac OS X GUI To install QAS using the system installer 1. OS 10.6 users should see a package named VAS-OS106.mpkg, OS 10.4 and 10.5 users should see a package named VAS_OS104u.mpkg. Double click the QAS/VAS metapackage to continue with the installation. 9

10 Quest Authentication Services for Mac OS X An installation wizard will appear that will allow you to view supplementary installation information. 2. Click Continue. 3. If you agree to the terms, click Agree. You must agree to continue. 10

11 Deploying QAS for Mac OS X 4. Click Install. 5. Select which QAS packages you want to install. The QAS packages must be installed to the root volume and are not relocatable. To perform a custom install 6. Select Customize to select additional components (besides QAS Client and QAS Group Policy) of the product you want to install. New options include QAS Software Development Kit (SDK) Dynamic DNS Support which supports authenticated A-record and PTR-record updates to Microsoft's DNS servers 11

12 Quest Authentication Services for Mac OS X The system Installer prompts you for local administrator credentials when the software begins to install. 7. Enter administrator credentials and click OK. 12

13 Deploying QAS for Mac OS X The following screen confirms a successful QAS for Mac OS X installation. Installing through the Unix Command Line The QAS software may be installed via the command line using the system command line installer (/usr/sbin/installer). You can either install the QAS metapackage, which will install all of the QAS packages, or else the individual QAS packages. If you do not have administrator rights for your system, contact your system administrator for assistance. To install all of the QAS packages found in the QAS metapackage, open a Terminal.app window and execute the following commands: $ cd /Volumes/VAS_OS106-Installer $ sudo /usr/sbin/installer -pkg VAS_OS106.mpkg -target / This will install all of the QAS packages contained in the QAS metapackage. To install individual QAS components, you would run the following: $ cd /Volumes/VAS_OS106-Installer/VAS_OS106.mpkg/Contents $ sudo /usr/sbin/installer -pkg Packages/vasclnt.pkg \ -target / 13

14 Quest Authentication Services for Mac OS X OS 10.4 and 10.5 users should use the VAS_OS104u.mpkg package. Note that you must install all QAS components into the root file system, so the parameter to the -target command line option must be /. Also, you must have local administrator rights to run commands using the sudo utility. Mounting and Unmounting the DMG To mount the DMG 1. Enter hdiutil attach /<somelocation>/vas-<version>.<build number>.dmg To unmount the DMG 1. Enter hdiutil detach /Volumes/VAS_OS106-Installer Upgrading QAS from Previous Releases To upgrade an older version of QAS, simply follow the normal installation steps for both the GUI process and the command line process. The QAS installation scripts will detect when an upgrade is being performed and will automatically perform the proper steps to upgrade versions. Note that upgrades are only supported between released versions of QAS. Uninstalling QAS An uninstaller is provided with QAS for cases where the QAS packages need to be removed from the system. The uninstaller is found in the QAS disk image next to the QAS metapackage. To uninstall QAS, use the Finder and navigate to the mounted QAS-Installer directory, and double click on the Uninstall application. The uninstaller will display the packages that can be removed. 14

15 Deploying QAS for Mac OS X To remove individual packages, select each package you want to remove and click the Uninstall button. The Uninstaller will prompt for administrator credentials and then remove the files associated with the selected packages and execute each package's uninstall scripts. If you do not have administrative access to your system, contact your system administrator for assistance. Note that when removing QAS from your system, files owned by accounts supplied by the QAS components will now appear as not having a valid owner since those accounts are no longer available to the system. Also, the uninstaller can only uninstall the same version of QAS for which it was built. 15

16 Quest Authentication Services for Mac OS X 16

17 2 Product Components The QAS Mac OS X Components QAS Startup Items QAS Directory Service Plugin QAS Directory Access Plugin

18 Quest Authentication Services for Mac OS X The QAS Mac OS X Components The following QAS Unix components are included in the QAS Mac OS X port: The vastool command line utility The vgptool command line utility The uptool command line utility The pam_vas PAM module The Quest Ownership Alignment Tool (OAT) These components can all be used inside a Terminal session the same way they can be used on any other Unix platform. Man pages for each of these utilities are automatically installed and configured and can be viewed using the standard man page viewer. The QAS join process will automatically configure Unix applications to use the pam_vas module where appropriate. The following components are specific for the Mac OS X platform. QAS Startup Items A launchd config plist file is installed for each QAS daemon under /Library/LaunchDaemons. These.plist files are used to put the QAS daemons under the control of launchd. You can use the launchctl utility to add or remove any one of these daemons from launchd control. For example, to remove the QAS caching daemon (vasd) from launchd control, run the following command in a Terminal session: $ sudo /bin/launchctl unload /Library/LaunchDaemons/com.quest.vasd.plist You can also stop a daemon using launchctl, but the QAS daemon configuration is such that launchd will immediately restart the stopped daemon unless the unload command specified above is used. If it is necessary to restart any one of the QAS daemons, run a command similar to the following: $ sudo /bin/launchctl stop com.quest.vasd The QAS join process will automatically run the necessary load commands at join time to put the QAS daemons under launchd control. Most users should not need to ever directly interact with the QAS startup items. 18

19 Product Components QAS Directory Service Plugin QAS provides a plugin for the system DirectoryService daemon. The QAS DS Plugin uses the rest of the QAS components to provide Active Directory group and user information to the rest of the system, and is installed at /Library/DirectoryServices/Plugins/VAS.dsplug. The QAS DS Plugin also uses Kerberos authentication for Active Directory users. The plugin operates both when the system is connected to a network where Active Directory is available, and for disconnected scenarios where the Mac OS X system cannot contact Active Directory. The QAS DS Plugin provides secure authentication and performant identity lookups even in this disconnected mode. This disconnected mode is available without having to create local Mobile Accounts on each Mac OS X system. The QAS caching architecture also minimizes the impact that each Mac OS X system has on the Active Directory environment. QAS Directory Access Plugin The system Directory Access application is used to configure what Directory Service Plugins are used to provide identity information and authenticate users. The QAS Directory Access plugin provides a GUI utility for joining and leaving Active Directory domains, and controlling the local QAS configuration. The QAS DA Plugin is installed at /Applications/Utilities/Directory Access.app/ Contents/Plugins/VAS.daplug on Tiger (10.4), /Applications/ Utilities/Directory Utility.app/Contents/Plugins/VAS.daplug on Leopard (10.5), and /System/Library/CoreServices/Directory Utility.app/contents/PlugIns/VAS.daplug on Snow Leopard (10.6). QAS Security Server Plugin The system Security Server controls all authorization on the Mac OS X system. In order to correctly initialize QAS user login sessions, a VASMechanism Security Server plugin is installed and configured in the /etc/authorization file by the QAS join process. This plugin is installed under /System/Library/ CoreServices/SecurityAgentPlugins/VASMechanism.bundle. The VAS mechanism will initialize a Kerberos ticket cache for each QAS user's login session with the Kerberos tickets obtained during DirectoryService authentication. Note that these ticket caches are fully compatible with the system Kerberos.app utility and the system MIT Kerberos command line utilities, so that the rest of the Mac OS X system components can reuse the Kerberos functionality. 19

20 Quest Authentication Services for Mac OS X 20

21 3 Configuring the QAS Client Configuring the QAS Client Using Terminal.app to join and unjoin System Changes made by the QAS Join Process Verifying the Installation and Configuration Logging in with Active Directory Accounts Connecting to SMB shares on Windows Servers Automatically Mounting Network Home Folders

22 Quest Authentication Services for Mac OS X Configuring the QAS Client After the QAS packages are installed, you must configure the client to start using QAS. This consists of installing your license(s), joining an Active Directory Domain, and configuring the local system to use the QAS components. All of these tasks can be accomplished using the Directory Utility (Directory Access on 10.4) application. To configure the QAS Client, complete the following tasks using Directory Access or Directory Utility depending on your OS X release. Launch Directory Access or Directory Utility and access the QAS node Install licenses using the GUI (optional can be done through Group Policy) Join the domain Launching Directory Access or Directory Utility To launch the appropriate application on Mac OS 10.4 and Open Finder and select Applications in the left hand pane. 2. Select the Utilities sub folder in the right hand pane. 3. Mac OS 10.4 users: Select the Directory Access.app in the right hand pane. Mac OS 10.5 users: Select the Directory Utility.app. 22

23 Configuring the QAS Client To launch Directory Utility.app on Mac OS Open System Preferences and select the Accounts preferences. 2. Select Login Options on the bottom left side of the page. 23

24 Quest Authentication Services for Mac OS X 3. Select the Network Account Server Join button on the bottom right. 4. Now click the Open Directory Utility button. Do NOT enter the name of your domain and click OK from this dialog. If you do this, you will join using the native Apple AD plugin which has no support for AD group policies. You MUST open the Directory Utility app to join the domain using QAS. 24

25 Configuring the QAS Client 25

26 Quest Authentication Services for Mac OS X To Configure the QAS node 1. Click the Lock icon to be authorized as an administrator so that you can modify the system's Directory Access configuration. If you are working with OS 10.5, you will not be able to join the domain using a local admin account (on the Mac side) that has a blank password. This is because you have to join using sudo and the Apple version of sudo won't let you run any command without at least a single character password. 2. OS 10.5 users only: Click Services to display Configurable Services. 3. Select Active Directory + Group Policy (QAS), and click Configure. 4. NOTE: The Configure button looks like a pencil on OSX 10.5 and You will now see the QAS Directory Utility plugin interface. 26

27 Configuring the QAS Client Adding, Checking, and Verifying QAS Licenses To utilize the complete QAS functionality, you must have two licenses installed. The first license provides basic functionality such as Active Directory authentication. The second license enables management of OS X settings through Group Policy. Complete the following steps to install the licenses using QAS Directory Utility plugin. For scripted or command line configuration, copy the licenses to /etc/opt/quest/vas/.licenses. To add, check, and verify licenses 1. From the QAS Directory Utility plugin, click the Status Disclosure Triangle to check for valid licenses. If the license is missing or expired, click Add License. Most QAS deployments have QAS licenses available through an Active Directory Group Policy that will be automatically applied to the system when the QAS join process is performed. If you have a license policy configured in Active Directory, you can skip these manual install instructions. Instead return to this screen after joining to verify proper license installation. 27

28 Quest Authentication Services for Mac OS X 2. Once the license has been added, verify validity and click Close. Joining the Domain To join an Active Directory domain 1. Once you have validated the license, enter the name of the Active Directory Domain you want to join and click Join Domain. 2. In the Join Domain dialog that appears, you must supply Active Directory credentials in order to join the domain. 28

29 Configuring the QAS Client 3. You can click on the Options Disclosure Triangle to modify the QAS join options. These options allow you to specify an alternate name for the computer object that will be created. specify the location where the computer object will be created in the directory (default: Computers container) specify a specific domain controller to which to join (instead of using DNS to detect an appropriate domain controller). For a detailed explanation of all join options, see the vastool join command documentation in the QAS_Manpages documentation available on the QAS installation DVD, or in the vastool man page. These options include the option to specify an organizational unit (OU) to create the computer object in, or to specify a QAS Unix Personality Container to load Unix identities from. 4. Click OK to execute the join operation. Caution If you previously joined with the Apple plugin, your user s UID/GID will most likely be different after Unix enabling. Manually change the ownership (UID/GID) on the previously created home directory (chown) or you will have to remove it. If any errors occur, an error dialog will allow you to view the join process log which can be saved and sent to Quest support for troubleshooting. Caution If you are running OSX Server, version 10.5, you must unconfigure the local LDAPv3 node before joining to QAS via AD. Problems arise with application of machine policy if you do not do this. Complete the following steps to unconfigure LDAPv3. 29

30 Quest Authentication Services for Mac OS X To unconfigure local LDAPv3 1. From the Directory Utility screen, check the LDAPv3 box. 2. Click the pencil icon to edit the service. 30

31 Configuring the QAS Client 3. On the Search Policies screen, check Delete and then click OK. To unjoin an Active Directory Domain To leave the Active Directory Domain, complete the same steps, except click Leave Domain instead. You do not have to supply Active Directory credentials when unjoining if you do not delete the Active Directory computer object. This option is available in the Leave Domain dialog options. After modifying the QAS configuration, click Apply in the main Directory Access dialog to ensure that your changes take effect. Performing an Unattended QAS Mac Client Install To perform an unattended install of the QAS Mac client 1. Attach the QAS dmg file as a new volume: # hdiutil attach VAS-<version>.dmg This will display which volume it attached as. Normally this will be '/Volumes/VAS_OS106-Installer/'. 31

32 Quest Authentication Services for Mac OS X 2. Use the Mac installer for the product (vasclnt/vasgp/vasdev/ vasddns) you want to install. # /usr/sbin/installer -pkg /Volumes/VAS_OS106-Installer/VAS_OS106.mpkg/Contents/ Packages/vasclnt.pkg -target / 3. Detach the Volume # hdiutil detach /Volumes/VAS_OS106-Installer/ Using Terminal.app to join and unjoin The same functionality available through the QAS Directory Access Plugin can be accessed through the QAS command line utilities. An interactive command line wizard called vasjoin.sh can be used from a Terminal session as follows: $ sudo /opt/quest/libexec/vas/scripts/vasjoin.sh This script will prompt you for information needed to perform the join operation without requiring you to know the syntax of the vastool join command. You can also use the vastool join command directly as follows: $ sudo /opt/quest/bin/vastool -u Administrator join -f example.com See the vastool man page for more information on directly using the vastool join command. To leave an Active Directory Domain from a Terminal session, use the vastool unjoin command. See the vastool man page for more information on directly using the vastool unjoin command. System Changes made by the QAS Join Process When joining an Active Directory Domain, QAS will automatically modify the following system configurations: QAS will be added to the DirectoryService search path. The QAS startup items will be configured to startup automatically. The system MIT Kerberos configuration file will be configured to use the Active Directory servers that QAS detects. 32

33 Configuring the QAS Client The system authorization rules contained in /etc/authorization will be modified to use the VASMechanism for QAS logins. Group Policies configured for the Mac OS X system will be applied by the QAS Group Policy components if they are installed. Once you have successfully completed the QAS join process, you will immediately be able to login to the Mac OS X system through both the Mac OS X Login Window and remotely through SSH. When leaving a domain, the QAS unjoin process will revert the above changes that were made by the QAS join process. Also, uninstalling QAS will automatically revert the above changes as well. You can re-join on top of existing computer accounts created with the Mac AD Plugin by default using the QAS AD plugin, but we recommend disabling the Mac Active Directory plugin so that the domain will not appear in the Directory Servers window as not responding. Verifying the Installation and Configuration In order to verify that your system is configured correctly to use the Active Directory account information provided by QAS, you can try the following shell commands in a Terminal session: dscl /VAS list /Users This will show a list of the available Unix-enabled Active Directory users dscl /VAS list /Groups This will show a list of the available Unix-enabled Active Directory groups dscl /Search read /Users/<QAS Username> This will ensure that the system can read user information for QAS users. Make sure to replace <QAS Username> with the actual username of a QAS user. dscl /Search auth <QAS username> This performs an authentication for a QAS user. Make sure to replace <QAS username> with the actual username of a QAS user. If any of the above steps do not work, you can capture debug information from the QAS Directory Service plugin that can be used in troubleshooting. Add the following items to the vas.conf [vas_macos] section: [vas_macos] dslog-mode = /Library/Logs/vasds.log dslog-components = plugin,auth 33

34 Quest Authentication Services for Mac OS X After adding those items, run the following shell command in a Terminal session to trigger the QAS DS Plugin to reload it's logger configuration: $ sudo /opt/quest/libexec/vas/macos/vasdsreload Now execute the previous verification commands that failed and then send the contents of /Library/Logs/vasds.log to Quest Support who will assist in resolving the problems. Logging in with Active Directory Accounts QAS for Mac OS X allows you to authenticate using an Active Directory account. There are two methods available for authentication. The more complicated method involves verifying that your domain controller supports the RFC2307 Unix identity attributes (UIDNumber GIDNumber, gecos, loginshell, and unixhomedirectory) and making sure that these attributes are populated. This sometimes requires a small schema extension to be applied to the domain controller before you are able to proceed with the authentication process. If you either do not want or are not able to make changes to your domain controller, use the Mapped User feature of QAS to begin authenticating with Active Directory users immediately. QAS Mapped User mode essentially converts local accounts into Active Directory accounts. Mapped user mode does not require any changes to your domain controller (nothing needs to be installed on the domain controller and no schema extensions are necessary). You just need a local machine account and you must know the Active Directory user principal name (UPN) of the account to which you want to authenticate. Instructions for executing the user mapping process can be found in Deploying Mapped User in the QAS Solutions Guide. Home Directory Creation Workaround If you are using local home directories and you change the default configuration by setting the map-homedir-to-users option to false, your home directory will not be automatically created upon login. This problem is related to the auto mounter which has autohome mounted on /home. The work around requires you to open /etc/auto_home and remove the auto_home mount point. This issue only affects OS 10.5 and Once you have removed the mount point, restart autofs and you will be able to create home directories in /home again. 34

35 Configuring the QAS Client Connecting to SMB shares on Windows Servers There is a known issue associated with connecting to SMB/CIFS (i.e. Windows) shares using Finder. You should not be prompted for your password when connecting to one of these shares if you have logged in with a domain user. Your Kerberos credentials should be used instead. This issue doesn t affect all Windows shares; only those on a Domain Controller. This issue is related to two settings in the Default Domain Controllers Policy. To disable the policies and allow OSX machines to connect to SMB shares 1. Open Active Directory Users and Computers, select the domain, right-click, then select Properties. 2. Click the Group Policy tab. If you are using MS Server 2008, there is an additional menu item, Policies, added between Computer Configuration and Windows Settings in the following sequence. a) If the Default Domain Controllers Policy is linked to this domain, click Edit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, then double-click and disable the following two policies: Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) b) If the Default Domain Policy is linked to this domain, click Edit -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options, then double-click and disable the following two policies: Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) 35

36 Quest Authentication Services for Mac OS X If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, Mac OS X computers will not be able to use SMB connections to mount the Windows file shares. 3. If you change these policies on the domain controller, run the gpupdate command to refresh the group policies before logging on to Mac OS X computers. Automatically Mounting Network Home Folders When you Unix-enable an Active Directory user with QAS, the default configuration for that user is that he or she will use a local home directory. The home directory path is populated with a Unix path (/home/<username>). On OSX systems, /home is replaced with /Users, aligning with the OSX standard location for local home directories. QAS supports the automatic mounting of network shares (SMB or AFP) using AD credentials, but you must specify a server path. This server path can be stored in the directory on each user as a UNC path, or it can be stored as a per machine setting. You can configure your home folder strategy globally for the entire domain using Quest Group Policy extensions for Unix, or you can configure it on a per machine basis at the time you join your OSX machine to the domain. Configuring automatic home folder mounting at join time To setup automatic mounting during join 1. Click the disclosure triangle when you are prompted for your administrative username and password. The Join Options dialog is displayed. 36

37 Configuring the QAS Client 2. Select the User Home Config tab to expose all of the home folder mounting options, as shown below. 37

38 Quest Authentication Services for Mac OS X Mounting the Windows Home Folder or Profile Path You can configure QAS to mount a share that is specified as a UNC format path and stored on a user. The two most commonly used paths are found on the users Profile tab in ADUC as shown below. 1. Use QAS to mount either the Profile Path or Home Folder on a MAC client at login by selecting Use AD UNC path for network home from the User Home Config properties, as shown below. 38

39 Configuring the QAS Client Mounting an alternate share at login If you cannot use the shares specified in Profile Path or Home Folder for some reason (for example, if your Windows home shares are DFS shares), you can specify an alternate share at join time by specifying a network home path expression. To specify a network home path expression 1. Select Use the following path for network home from the User Home Config tab as shown below. Selecting this option will configure the network home for all users on the machine. Because of this you must specify how the path name will be resolved for each user. 2. Under User Path Expression, specify the appropriate user attributes in the path portion of server url. For example, if you selected Common Name and then clicked Insert Attribute, the expansion macro for Common Name (%c) will be inserted into your path expression. The path expression may have text and expansion macros, or it may just be a single expansion macro with no other text. Configuring automatic home folder mounting using group policy During deployment, installation and join usually happen in a scripted fashion from the command line. It is still possible to configure home folder mounting without using the Graphical join interface, either through modification of the vas.conf file or by setting the appropriate options in group polices that will apply to your OSX machines. 39

40 Quest Authentication Services for Mac OS X The two options that have bearing upon home directory mount behavior are nethome and nethome-mount-protocol. These options are set in the vas.conf policy as shown below. The nethome is either the name of the user attribute where the UNC path is stored ("homedirectory" or "profilepath"), or it is the server URL expression for all users (i.e. cifs://servername/sharename/%c). If the nethome is specified as an attribute name, you can specify whether the path is mounted via AFP or CIFS using the "nethome-mount-protocol" setting. Setting either of these options will have no effect on any QAS platform other than OSX, so it can be safely set on a domain wide unix settings policy. Creation or modification of group policies is accomplished using the Microsoft GPOE on any windows administrative workstation. 40

41 Configuring the QAS Client Group Permissions on Auto Mounted Home Directories For QAS to be able to resolve a Windows SID to a Unix UID or GID, the user or group to whom that SID belongs must have had a UID or GID manually assigned to them. Or, in other words, the user or group must have been "Unix Enabled" on the Unix Account tab in Active Directory Users and Computers. If a group or user has not been "Unix Enabled", the Mac machine will still assign a UID or GID to the user or group, but it won't be a UID or GID that can be resolved by the QAS client software. To login to an OSX machine all users must be "Unix Enabled" so this normally only causes problems when dealing with group permissions on SMB mounted home directories. It is not uncommon for the group owner of a network home location to be a group WITHOUT a Unix GID assigned. When a user's ability to access this directory relies on correct group membership, problems can arise. It is, therefore, best practice to "Unix Enable" all groups that are used for SMB File level permissions on network mounted home directories. Mounting AFP Shares To mount AFP shares you must have an AFP file server that knows about all your AD users and credentials. You can easily accomplish this using third party software that shares files from a Windows machine joined to your domain. Mounting CIFS/SMB Shares Mounting of DFS shares is not supported. To successfully mount CIFS/SMB shares at join time your login name must be the same as your Active Directory user "samaccountname". QAS caches the "userprincipalname" as the login name for Active Directory users. The userprincipalname and samaccountname default to the same value during user creation, so automounting will work in the default case. There is, however, no restraint that requires UPN's and samaccountnames to remain the same. Best practices suggest that you configure QAS to use the samaccountname as your user login name to avoid any difficulties. This should be done using Group policy, but it can also be set in the vas.conf file directly by running the following vastool command from a terminal: /opt/quest/bin/vastool configure vas vasd username-attr-name samaccountname If you change your username attribute as shown above, you will need to flush your identity cache using the vastool flush command. /opt/quest/bin/vastool flush 41

42 Quest Authentication Services for Mac OS X 42

43 4 Special Mac OS X Features Local Administrator Rights for QAS Users Active Directory User Password Hint

44 Quest Authentication Services for Mac OS X QAS Features Designed Specifically for Mac OS X The following sections describe features designed specifically for Mac OS X. Local Administrator Rights for QAS Users This feature allows administrators to give QAS accounts local administrator rights on individual Mac OS X systems. This can give users more ability to administer their own systems while still using Active Directory for authentication, or it can be used to allow each Mac OS X administrator admin access on Mac OS X systems without having to have shared local accounts. To specify which QAS accounts should have admin rights, you must modify the /Library/Preferences/Quest/VAS/vas.conf file and add the following section to the QAS configuration using a text editor: [vas_macos] admin-users = johnd@example.com You can do this by using the pico text editor which you would launch like this: $ sudo pico /Library/Preferences/Quest/VAS/vas.conf Note that if there is already a [vas_macos] section in the vas.conf file, just add or modify the admin-users key following the existing section. You can also manage this option through Group Policy. The value of the admin-users key should be a comma-separated list of Active Directory User Principal Names (UPN) for QAS users that should have admin rights. The Domain Users option also supports groups of users. Specify the group in the form Domain\groupname. The domain name must be specified as a DNS domain name NOT as a netbios domain. For example, you should specify the group name as "EXAMPLE.COM\Administrators" NOT "EXAMPLE\Administrators". Either step will ensure that the new configuration is processed by QAS. You can verify that the configured users have admin rights by checking their group memberships using the following command line (the example is for a user called jdoe): $ groups jdoe 44

45 Special Mac OS X Features If jdoe was correctly configured to have local admin rights, you will see the local admin, appserveradm, and appserverusr groups listed in the output. The jdoe user will then be able to use his user credentials for authorizing administrative tasks started from the System Preferences application. 45

46 Quest Authentication Services for Mac OS X Active Directory User Password Hint The password hint is displayed for all Active Directory Users when Mac OS X is configured to provide password hints. The password hint is used to notify a user of a website where they can reset their password, or to remind a user that the account they are using requires a domain password. The default value for the authentication-hint is Windows Domain Password. Before Mac OS X will display authentication hints, you must turn on "Show password hints" through the login options. 46

47 Special Mac OS X Features After enabling password hints, users will see a Forgot Password button on OS 10.5 during authentication. 47

48 Quest Authentication Services for Mac OS X If you press the Forgot Password button, the password hint will be displayed. 48

49 Special Mac OS X Features This hint can be managed centrally on the domain controller through QAS Group Policy, as shown in the following graphic. For security reasons, if a mapped user changes his/her password hint, it will be intentionally reset to the generic Windows domain password hint the next time he/she logs in. 49

50 Quest Authentication Services for Mac OS X 50

51 5 Platform Limitations QAS Limitations on Mac OS X

52 Quest Authentication Services for Mac OS X QAS Limitations on Mac OS X This list details QAS functionality that is limited by the Mac OS X system: When using the command line su utility to become a QAS user, the QAS PAM module will not create a ticket cache for new session due to QAS using the CCacheServer process for Kerberos ticket cache management. Creating this ticket cache would inadvertently destroy any existing Kerberos tickets. If QAS users who have custom home directory paths login to the system through the system login window and the parent directories for their home directory do not exist, the system home directory creation code incorrectly sets the ownership mode of all the home directory parent directories. This causes subsequent QAS user logins to fail if they share the same home directory path as their home directory will be created but will be inaccessible by the user. Administrators should ensure that if they are using custom home directory paths, the parent directories are pre-created with a valid ownership and mode that allows all QAS users to access those paths. The automatic ticket renewal utility doesn't currently work with nonfile based ccaches. Because OSX uses API based ccaches, the ticket renewal utility will not work. When using QAS Mapped User mode, if a local user is mapped to a QAS user and, at some point the user is unmapped (returned to a local account) you must reset the user s password. Once a network user s password has expired, they will not be able to reset their password from the System Preferences Accounts tab. 52

53 Platform Limitations To work around this issue, launch the Terminal app, and run the passwd command. Follow the prompts to change your password. 53

54 Quest Authentication Services for Mac OS X 54

55 6 QAS for Mac OS X Desktop Policies Mac OS X Desktop Policy Overview Managing Mac Desktop Policies with the Group Policy Object Editor Using the Mac OS X, Workgroup Manager, and Preference Manifest Settings Nodes

56 Quest Authentication Services for Mac OS X Mac OS X Desktop Policy Overview Quest Authentication Services for Mac OS X leverages and extends Active Directory to Unix, Linux and Mac systems. Not only does Quest Authentication Services for Mac OS X extend authentication, security, and access control, but it also extends the Active Directory Group Policy framework. As with standard QAS group policies, Mac OS X desktop policy settings customize and control the user s computer experience. Built into the QAS GPOE, the Mac OS X, Workgroup Manager, and Prefrence Manifest Settings node supports the following policies. POLICY Applications Classic Dock Energy Saver Finder Login Media Access Network Parental Controls Preference Manifests FUNCTION Allows you to manage Applications and Dashboard widgets available to users, and if Front Row is enabled. Allows you to set Classic startup options, assign a Classic System Folder, set sleep options for the Classic environment, and make specific Apple menu items available to users. Allows you to adjust the position of the Dock on the desktop and change the Dock s size. You can also control animated Dock behaviors. Allows you to set performance options for Mac OS X client and server computers, battery usage for portable computers, and sleep or wake options. Controls various aspects of Finder menus and windows, which can help improve or control workflow. Allows you to set options for user login, to provide password hints, and to control the user s ability to restart and shut down the computer from the login window. You can also mount a group volume or set applications to open when a user logs in. Allows you to control settings for and access to CDs, DVDs, the local hard disk, and external disks (for example, floppy disks and FireWire drives). Allows you to configure specific proxy servers and settings for hosts and domains to bypass and disabling Internet Sharing, AirPort, and Bluetooth. Allows you to filter content or limit client computer usage. Allows you to use Preference Manifests to set attributes on Applications. 56

57 QAS for Mac OS X Desktop Policies POLICY Software Update System Preferences Time Machine Universal Access FUNCTION Allows you to control updates that are applied to specific users or groups. Allows you to specify which preferences to show in System Preferences. Allows you to control backup of computer data to network servers, such as installed applications and their preferences, all local account data, and system files. Allows you to control mouse and keyboard behavior, enhance display settings, and adjust sound or speech for users with special needs. Managing Mac Desktop Policies with the Group Policy Object Editor QAS extends the Group Policy Object Editor (GPOE) by adding the Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes to manage Mac-specific policies. To install the GPOE extensions, run the VAS-<version>.<build number>.msi installer, located in the admintools\win32 directory of the QAS distribution media. If you plan to install the GPOE extensions for 64-bit domain controllers, you must manually run admintools\win32\vasx64components-<x.x.x.x>.msi Start the Group Policy Object Editor in any of the following ways: Run mmc from the command line and add the Group Policy Object Editor Snap-in manually. Select the Group Policy tab from the Properties dialog of an OU in the Users and Computers Snap-in, select a GPO, and click Edit. Right click on a Group Policy Object in the Group Policy Management Console and select Edit. NOTE: This option is only available to Windows XP and Windows 2003 Server users. 57

58 Quest Authentication Services for Mac OS X To run mmc and add the GPOE manually 1. Click Start -> Run. 2. Enter mmc and click OK. The MMC console is displayed. 3. Open the console File menu and click Add/Remove Snap-in... 58

59 QAS for Mac OS X Desktop Policies The Add/Remove Snap-in dialog is displayed. 4. Click Add. 59

60 Quest Authentication Services for Mac OS X The Add Standalone Snap-in dialog is displayed. 5. Locate and select the Group Policy Object Editor from the list of available Snap-ins. 6. Click Add. 60

61 QAS for Mac OS X Desktop Policies The Select Group Policy Object Wizard starts. 7. Click Browse... to locate and select the Group Policy Object to edit. Select or create a Group Policy Object which affects one or more Unix computer objects in order for VGP to apply the policy on the client side. Refer to your Group Policy documentation for more information on how to link policies to computers. NOTE: VGP does not support the Local Computer Group Policy Object. 8. Click Finish. 9. Click Close to close the Add Standalone Snap-in dialog. 10. Click OK to close the Add/Remove Snap-in dialog. The selected Group Policy Object now displays in the left pane of the MMC console. The GPOE extensions installation process adds the Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes (Computer Configuration and User Configuration) and stores all Mac Desktop policies there. 61

62 Quest Authentication Services for Mac OS X The following graphic shows the GPOE view of the new Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes. 62

63 QAS for Mac OS X Desktop Policies Using the Mac OS X, Workgroup Manager, and Preference Manifest Settings Nodes The GPOE extensions installation process adds Mac OS X, Workgroup Manager, and Preference Manifest Settings nodes to both the Computer Configuration and User Configuration nodes and stores all QAS for Mac OS X Desktop policies there. See the GPOE graphic on the previous page. In the QAS for Mac desktop policy environment, a user whose account has defined properties is referred to as a managed user. An individual computer, or a computer that is a member of a computer group with defined properties, is called a managed computer. A group with defined properties is called a workgroup. When you define policy/settings, you can manage them Always or Once. The policies are set to Never by default. You can choose the management frequency to apply to each policy/setting, as noted in the table below. FREQUENCY DESCRIPTION Only limited availability. You can create default preferences, which users can then modify and keep the modifications. These preferences are effectively unmanaged. Once Never Always For example, you could set up a group of computers to display the Dock in a certain way the first time users log in. A user can change these preferences (you ve set to Once) and the selected changes always apply to that user. Preferences are not managed at this account level but may be managed at a different account level. For example, even if you set the Dock preference to Never for a user, the Dock preference could still be managed at the computer level. Causes the preferences to remain in effect until you change them on the server. When properly designed, a Mac OS X application that conforms to standard preference conventions does not allow a user to modify preferences set to Always. 63

64 Quest Authentication Services for Mac OS X The following policies/settings only have the Never and Always manage options. Time Machine System Preferences Software Update Network Settings Media Access Energy Saver Classic Applications Energy Saver, Time Machine, and most Login policies/settings can be defined only in the Computer Configuration node. Other policies/settings can be defined in both the Computer Configuration and User Configuration nodes. By managing Mac OS X properties in the Computer Configuration and User Configuration nodes, you can customize the user s experience and restrict user access to only the applications and network resources you choose. As with standard QAS, Computer Configuration policy settings affect the computers in Active Directory with which the GPO is associated regardless of which user logs in. And User Configuration policy settings affect the users in Active Directory to which the GPO is associated regardless of which computer they use. To manage properties, use the properties dialog for each policy listed in the Workgroup Manager Settings node. Applications Settings Applications settings allow you to control access by restricting the paths from which applications are allowed to run. Applications settings can be applied in both the Computer Configuration and User Configuration nodes. To configure Applications settings 1. Start Group Policy Object Editor. (See Managing Mac Desktop Policies with the Group Policy Object Editor.) 2. Navigate to and select Workgroup Manager Settings. 3. Double-click Applications. 64