IT Connect

Information technology tools and resources at the UW

Adding Unix or Mac to a Delegated OU

There are several options for using MI Active Directory for authentication, authorization and management of Unix, Linux and Mac computers.

The first step is obtaining a delegated OU in MI. For more information, see MI Delegated OUs.

Once you have a delegated OU, you may use your OU administrative account to configure any of the following options.

There are also a variety of suggestions from the user community which may be valuable to you.

Options for Joining Linux Computers to MI

Prerequisites

  1. A delegated OU is required.
  2. A computer object must be pre-created in your delegated OU for each computer you wish to join to the domain before attempting to do the join/bind.
  3. The netid.washington.edu DNS suffix/zone cannot be used (unless it is a UW-IT server).

Option 1: PowerBroker Identity Services Open

  • This is a free and open source version of PBIS with limited functionality for Unix, Linux and Macs that includes:
    • AD authentication via Kerberos, authenticated access to AD LDAP, and SSO once a Kerb TGT has been obtained
    • Cached credentials to allow for offline log-in and access to local resources
    • DFS support – location-aware connectivity
    • Samba integration – SSO to Samba shares

Option 2: PowerBroker Identity Services Enterprise

  • Enhanced capabilities provided via a per-computer licensing fee with two options:
    • Annual fee per computer
    • One-time fee per computer
  • Includes all of the PBIS Open capabilities plus the following:
    • Group Policy for Linux and Unix with custom Linux/Unix-specific settings
    • Group Policy for Mac that integrates with Apple Workgroup Manager
    • Management GUI as MMC snap-ins and as extensions to ADUC and GPMC
    • RFC 2307 compliant: a subset of RFC 2307 attributes can be applied to AD users and groups and used on Unix, Linux and Mac computers
    • Complete feature comparison in the attached document PBIS-Open-vs-Enterprise.pdf.

Using PBIS in MI

  1. We have created a default cell in MI. You cannot create or use named cells in MI.
  2. All users already have UIDs and GIDs (the actual AD attributes are uidNumber and gidNumber). The GIDs are unique and do not correspond to any groups.
    1. You must use the pre-assigned values; you cannot use PBIS customized UID and GID mapping.
    2. The PowerBroker Cell Settings user properties tab (added to ADUC by the PBISE management tools) complains that the GID does not correspond to a group. This can be safely ignored.
  3. All groups already have GIDs. They are the same GIDs that the groups have in the UW Groups Service.
  4. You must set the loginShell and unixHomeDirectory attributes on any user who you intend to allow to log in to a PBISE-enabled computer. There are two ways to do this.
    1. Via a UW NetID Computing Support Org. These attributes may be set for users who are members of your department’s Support Org. See UW NetID Support Tool for more information.
    2. Via a Group Policy Object attached to your delegated OU. The PBISE management tools add group policy extensions for Unix/Linux settings. These settings are applied at log-in time; they do not modify MI user accounts.
      1. The GPO must be configured to have “User policy loopback processing mode” enabled in replace or merge mode.
      2. Because these settings are extensions, they are only viewable and modifiable from your PBISE management tools workstation.
  5. The PowerBroker Cell Settings user properties tab contains fields for Login Name and GECOS Comment. MI does not allow these values to be set via this UI. You must use the Support Org tool or a GPO to set these values.
  6. If you are using the Enterprise version, you must create a PBIS licensing container in your delegated OU and add your machine licenses to it. To do this, you must install the PBISE management tools on an MI-delegated-OU-joined Windows computer. It may be necessary to request permission to create a container. Delegated OU admins were not granted this permission in the past. Open a request in UW Connect to ask for create-container permission and be sure to mention “UW Windows Infrastructure.”
  7. The UW does not have a site license for PBIS Enterprise. Departments wishing to use PBISE must obtain per-computer licenses from BeyondTrust.
  8. The MI team does not support PowerBroker. PBIS Enterprise licensees may obtain support through BeyondTrust. PBIS Open support is available through their user forums.
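Items 2 through 4 above amount to a checklist for each account before it can log in to a PBIS- or SSSD-enabled host: uidNumber and gidNumber are pre-assigned and numeric, the user's gidNumber does not name a real group, and loginShell and unixHomeDirectory must have been set by the Support Org tool or a GPO. The script below is an added example (not code from the IT Connect page or from BeyondTrust) that runs that checklist over an LDIF entry. The directory names, hostnames and the two entries are constructed placeholders, not MI values.

```shell
#!/bin/sh
# Added example (not from the IT Connect page): verify that a user entry fetched
# from MI carries the POSIX attributes that a PBIS or SSSD login needs, so an
# incomplete account is caught before anyone wonders why the login fails.
#
# On a joined host the LDIF would come from a query such as (placeholder names,
# not MI values):
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc.example.edu -b DC=example,DC=edu \
#       "(sAMAccountName=someuser)" uidNumber gidNumber loginShell unixHomeDirectory
# The two entries below are constructed samples so the check runs offline.

SAMPLE_OK='dn: CN=example-user,OU=Example Delegated OU,DC=example,DC=edu
uidNumber: 123456
gidNumber: 123456
loginShell: /bin/bash
unixHomeDirectory: /home/example-user'

SAMPLE_INCOMPLETE='dn: CN=other-user,OU=Example Delegated OU,DC=example,DC=edu
uidNumber: 123457
gidNumber: notanumber'

# ldif_attr ATTR: print the first value of ATTR from the LDIF on stdin
# (attribute names are case-insensitive in LDAP).
ldif_attr() {
    awk -v a="$1" 'tolower($1) == (tolower(a) ":") { sub(/^[^:]*: */, ""); print; exit }'
}

# check_posix_attrs: read one LDIF entry on stdin, print one line per problem,
# and return 1 if any required attribute is missing or malformed, 0 otherwise.
check_posix_attrs() {
    entry=$(cat)
    rc=0
    for attr in uidNumber gidNumber loginShell unixHomeDirectory; do
        value=$(printf '%s\n' "$entry" | ldif_attr "$attr")
        if [ -z "$value" ]; then
            echo "missing: $attr"
            rc=1
            continue
        fi
        case "$attr" in
            uidNumber|gidNumber)
                # MI pre-assigns these and they must be numeric. A user's
                # gidNumber does not correspond to any group, so it is not
                # resolved against group objects here.
                case "$value" in
                    *[!0-9]*) echo "not numeric: $attr=$value"; rc=1 ;;
                esac ;;
            loginShell|unixHomeDirectory)
                case "$value" in
                    /*) ;;
                    *) echo "not an absolute path: $attr=$value"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_posix_attrs && echo "example-user: ok"
printf '%s\n' "$SAMPLE_INCOMPLETE" | check_posix_attrs || echo "other-user: set the attributes before enabling logins"
```

Run it against a real export by piping ldapsearch output into `check_posix_attrs`; a non-zero exit means the account still needs attention in the Support Org tool or the GPO.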

Option 3: Linux native Winbind/krb5

We have no direct experience with this but do know that several campus departments have successfully utilized this technique. Many of the specifics are identical to the SSSD ones below. One department’s experiences are summarized in this PDF (which we offer without warranty since it is outside of our area of expertise): it-ConnecttoUWMIActiveDirectory-101014-1502-1324.pdf

Option 4: Linux native SSSD

Please reference the Red Hat whitepaper Integrating Red Hat Enterprise Linux 6 with Active Directory. See Section 6.3 “Configuration 3 – SSSD/Kerberos/LDAP”. The RHEL 7 Windows Integration Guide also provides more advanced coverage and a version 7 update.
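The Red Hat documents describe SSSD against a generic Active Directory; the MI rules listed under “Using PBIS in MI” apply equally here, and two of them change the configuration: UIDs and GIDs must come from the pre-assigned uidNumber/gidNumber attributes rather than SSSD's SID-based ID mapping, and the shell and home directory come from loginShell and unixHomeDirectory. The script below is an added example (not from the IT Connect page or the Red Hat guides) that renders such an sssd.conf, installs it with the owner-only permissions SSSD requires, and checks those two points before the service is restarted. The domain `ad.example.edu` and the realm derived from it are placeholders for your own values.

```shell
#!/bin/sh
# Added example (not from the IT Connect page or Red Hat): an sssd.conf
# generator for the native SSSD route, adjusted for the MI rules.
# Domain and realm names are placeholders; on a joined host the output goes
# to /etc/sssd/sssd.conf and `sssctl config-check` can validate the installed file.

# render_sssd_conf DOMAIN: print an sssd.conf for DOMAIN (lowercase DNS name).
render_sssd_conf() {
    domain=$1
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $domain

[domain/$domain]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_domain = $domain
krb5_realm = $realm
# Host keytab written by the join; it must stay readable by root only.
krb5_keytab = /etc/krb5.keytab
# MI pre-assigns uidNumber/gidNumber. Using them as-is keeps file ownership
# consistent with other MI-joined hosts; SID-based mapping would not match.
ldap_id_mapping = False
# Shell and home come from the attributes the OU admin sets via the Support
# Org tool or a GPO. A user without them cannot log in, which is intended.
ldap_user_shell = loginShell
ldap_user_home_directory = unixHomeDirectory
use_fully_qualified_names = True
cache_credentials = True
enumerate = False
EOF
}

# write_sssd_conf DOMAIN PATH: write the config with owner-only permissions.
# SSSD refuses to start when sssd.conf is readable by other users.
write_sssd_conf() {
    (umask 077 && render_sssd_conf "$1" > "$2") && chmod 0600 "$2"
}

# check_sssd_conf PATH: confirm the MI-specific settings and the file mode
# before restarting sssd. Returns 1 on the first problem found.
check_sssd_conf() {
    f=$1
    grep -qiE '^ldap_id_mapping[[:space:]]*=[[:space:]]*false$' "$f" \
        || { echo "$f: ldap_id_mapping must be False for MI"; return 1; }
    grep -qiE '^ldap_user_home_directory[[:space:]]*=[[:space:]]*unixHomeDirectory$' "$f" \
        || { echo "$f: home directory must come from unixHomeDirectory"; return 1; }
    grep -qiE '^ldap_user_shell[[:space:]]*=[[:space:]]*loginShell$' "$f" \
        || { echo "$f: shell must come from loginShell"; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || { echo "$f: mode is $mode, must be 0600"; return 1; }
}

# Demonstration with a temporary file instead of /etc/sssd/sssd.conf.
tmp=$(mktemp)
write_sssd_conf ad.example.edu "$tmp"
check_sssd_conf "$tmp" && echo "$tmp: passes MI checks"
rm -f "$tmp"
```

`enumerate = False` and `use_fully_qualified_names = True` are the conservative defaults for a large forest: the first avoids pulling every MI account into the local cache, the second prevents a short username from resolving to a different domain than intended.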

Options for Joining a Mac Computer to MI

Option 1: Using the OS X Tools

See https://itconnect.uw.edu/wares/msinf/ous/add-computer/add-mac/

Option 2: Using PowerBroker Identity Services

See the above section on PBIS