Forum Discussion

mikecd's avatar
mikecd
Copper Contributor
Nov 21, 2024

Configuring AD with macOS mobile account

I'm needing to use Active Directory and file sharing to create functional macOS mobile accounts. I've created the user accounts in AD and assigned them to a Profile Path on a valid share.  I success...
Active Directory
Windows Server
kyazaferr's avatar
kyazaferr
MCT
Nov 25, 2024

When you bind a macOS device to AD, the system uses the mobile account feature to allow users to log in locally (even when disconnected from the network) and synchronize data with the AD server when reconnected. However, for the roaming profiles to work correctly, some specific configurations need to be followed.

Possible Causes and Solutions

1. Profile Path Configuration

  • Check the Profile Path in Active Directory: Ensure that the Profile Path for the user account in AD is set correctly to a shared location on your file server. The path should be something like \\server\share\username.
    • Example: \\fileserver\profiles\%username%
  • On macOS, you may also need to set up the profile path slightly differently, depending on the version of macOS and the file-sharing protocol (like SMB vs. AFP).

2. Ensure the SMB Protocol Is Configured

macOS, starting with macOS 10.7 and later, typically uses SMB (Server Message Block) for file sharing with Windows/Active Directory servers instead of AFP (Apple Filing Protocol), which was used earlier. Ensure that your file server is configured to use SMB, and that the file share is accessible via SMB.

  • Verify SMB is enabled on your file server (Windows or NAS device).
  • Ensure that the shared folder allows read/write access to the user or group the AD user belongs to.

3. Check macOS Login and Mobile Account Settings

  • When you bind a macOS device to AD, ensure that the Create mobile account at login option is enabled. This ensures that macOS will create a local mobile account and map it to the AD user’s profile folder.
    • Go to System Preferences > Users & Groups > Login Options.
    • Ensure Network Account Server is showing your AD server and Create mobile account at login is selected.

4. Permissions Issues on the File Server

The issue could also be related to file share permissions. macOS needs the appropriate permissions to create and write to the shared folder.

  • Check that the AD user has Full Control or at least Modify access to the folder where you expect the profile to be created.
  • On the file server (if it's a Windows server), ensure that the share permissions are set correctly and that the NTFS permissions allow the AD user to create folders and files in the profile directory.

5. Verify the Creation of the Home Folder

  • Check the File Server: After logging in with an AD user account on macOS, check the shared folder to see if the home folder was created but may be missing certain permissions. Sometimes the home folder gets created but with incorrect permissions that prevent syncing or proper usage.
  • If the folder is not created at all, check the Console logs on macOS for any errors or messages related to profile creation.

6. Mobile Account Settings on macOS

You’ll want to make sure that mobile accounts are configured correctly. When the user logs in for the first time, macOS should create the mobile account and store the local home folder on the Mac. The roaming profile on the server should be used for subsequent logins and sync actions.

  • Check the /var/db/dslocal/nodes/Default/users/ directory on the macOS machine to see if the user’s account is created as a mobile account.
  • If macOS is creating only a local home folder and not syncing with the AD profile, ensure the following:
    • The home folder location is specified in the Directory Utility for the AD binding.
    • You can set the home directory path in the AD binding settings in System Preferences > Users & Groups > Login Options > Network Account Server > Edit > Directory Utility.

7. Use of dsconfigad for AD Binding Configuration

If you are using macOS’s built-in AD binding, ensure that the dsconfigad tool is correctly configured. This tool helps set key settings for AD binding, including the creation of mobile accounts and syncing the home directory.

  • Run the following commands on macOS to check the AD binding configuration: dsconfigad -show
  • Check if the home directory is set correctly in this output.

8. Check the macOS Logs

  • Review the Console logs on the macOS machine during login to check for any errors related to the profile creation process. Look for any messages related to Directory Services, SMB, or AD.
  • To view logs:
    • Go to Applications > Utilities > Console.
    • Filter logs for "DirectoryServices" or "AD" to see if there are any errors when the mobile account is being created.

9. Other macOS Configuration Settings

  • Ensure that the user is not configured with a "local" home directory. You can check the Directory Utility settings, as macOS sometimes defaults to creating local accounts rather than using roaming profiles from the network.
  • Consider using Apple’s mcx settings for further control over mobile accounts if necessary.
mikecd's avatar
mikecd
Copper Contributor
Dec 03, 2024

kyazaferr, I really appreciate your information and help. Below is the output from dsconfigad -show. 

If the mobile account's home directory was not created on the Windows server at first attempt on the MacBook, when the user first logs into the MacBook, shouldn't the account be attempted to be made whenever the machine successfully connects to the AD server?

I ask because once the user is logged into the Mac, it definitely shows that the "Network account server" is accessible (it shows the green dot) on the User & Groups preference panel.

 

>>

dsconfigad -show
Active Directory Forest          = icad.local
Active Directory Domain          = icad.local
Computer Account                 = it-backup-mb$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Enabled
     Network protocol to be used = smb
  Default user Shell             = not set

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = 192.168.8.81
  Allowed admin groups           = domain admins,enterprise admins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

Resources