
Joining a Windows domain

  • 19-02-2013 9:27pm
    #1
    Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,657 CMod ✭✭✭✭


    Hi folks,

    All our workstations in work are Windows XP connecting to a domain run by a server with Server 2003 on it. One PC recently went on the blink due to a hardware fault. Anyway, I've been trying to use my Macbook as a stop gap until I've access to a PC again.

    I'm running Snow Leopard (2007 Macbook). I'm stuck on joining the domain, though. Any pointers? I've looked around through the web, but haven't found a guide that's decent. One or two seem to date back to Leopard, or others have stuff in System Preferences - Network that I don't have because I don't have 10.8. I've tried Finder - Connect to Server - smb://IP address/ and that seems to half work, sorta, but when I get a list of folders they're just blank when I click into them even though they're all shared on the server and I know they work on the PC side because everyone has access to them. For example, if I try to get into smb://IP address/datafolder, I can 'see' it on the Macbook, but it's just empty when there should be a load of stuff in it.

    I must be going wrong somewhere or haven't configured things correctly. I can access the server's admin stuff if I need to change anything there.


Comments

  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    First question is do you want to join the windows domain or just access the windows shares on the server?

    If you just want to connect to the shares you appear to be going in the correct direction. To connect to Windows file system you use smb:// and for Mac you use afp://. The PC format is either smb://IPAddress/ShareName or smb://ServerName/ShareName. Using this convention should bring you to an authentication window ( if your Mac is not bound to AD ). You don't seem to be asked to authenticate to see the folders so is your machine already bound to your domain? I suggest you check in the network preferences of your System Preferences and check your DNS settings and put in your DomainName.local in the Search Domains box to allow the Mac to be aware of the domain.
    What happens if you use the browse button in the connect to server window? Can you browse to your windows server and connect ( by double clicking the icon)? Can you use the Connect as button ( top right hand side ) and gain better access? Sounds like an authentication issue.

    Joining the domain is a different thing. To do this you must use the Active Directory plug-in in the Directory Utility. You obviously require the Domain Administrator credentials to bind the Mac to AD.


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,657 CMod ✭✭✭✭The Black Oil


    Thanks for all that. I guess accessing the Windows share would be enough for the moment.

    If I go to Finder - Go - Connect to Server - smb://192.blah blah/ I get prompted 'enter your name and password for the server 192. blah blah', so I try to connect as a registered user, that prompts 'select the volumes you want to mount on 192.blah blah, I click the main company data folder, but after that, I can't see anything - 0 files. And in Finder, it says Shared - 192.blah blah on the left, then 'Connecting..', does seem to allow me in, but the folders still remain empty. I've had a look at DNS and the domain.local seems fine.


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    Can you log in as the domain admin or higher than standard user and is there any difference? Sounds like a permission problem to me, the files may just be invisible. You should have a look at permissions of domain users on the server.

    What happens if you copy a file from the Mac into the 'empty' folder?


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,657 CMod ✭✭✭✭The Black Oil


    It would seem to be some sort of permissions issue. I was back on an XP workstation under my normal work log in yesterday, and it wouldn't even let me rename one of the subfolders I have on the service. I then went to the server room, and it wouldn't let me despite permissions being set to 'full control' or whatever it is. Tbh, server permissions, etc are not an area I'm too comfortable messing with.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭Colonel Panic


    You need to set permissions for the share and the actual directories too.


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,657 CMod ✭✭✭✭The Black Oil


    So, would that be giving permission to and sharing, say Data>Work>Black Oil>Files (about 20 subfolders) - just Files, or Black Oil as well? Data is open to all, iirc, but obviously something is preventing me accessing it from a Mac system.


  • Registered Users, Registered Users 2 Posts: 3,739 ✭✭✭Stuxnet


    the mac object would need to be added to the domain's Active Directory first I'd imagine ...before you could join the domain. Just a guess from my intern experience as a sys admin :)


  • Registered Users, Registered Users 2 Posts: 896 ✭✭✭nialler


    Hi Blackoil

    Go to your system preferences, then accounts, click lock to unlock panel, click on login options.

    Click then on network server edit, type in your AD server there and bind, type in the necessary Domain Admin account username and password when binding, once bound go back to your login screen, login with your PC username and password and all should be well.

    Clear as mud?

    Nialler


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    I guess accessing the Windows share would be enough for the moment.

    The OP does not need to bind to Active Directory to access the Windows share ( the Mac can connect to a Windows workstation share the same way ).
    There appears to be a permission problem which does not allow viewing the files. This could be at the Windows server end or at the Mac end. One option is to create a new local user account on the Mac and try and connect from it. This will rule out any corruption in the current user account.

    I assume you have allowed the user read access on the share as per the first image on this page (I'm on an iPad so I can't link to the image only)


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,657 CMod ✭✭✭✭The Black Oil


    Hey,

    Thanks for all that. I'm not able to test your advice out today. However, one step forward in that I can now access my files Data>Work>Black Oil>Files (about 20 subfolders), but I can't read or write to them from my Mac, don't have permission. As an alternative, I copy whatever files I need from the server to the Mac, edit them there, save to USB stick, put it into the server and update the files. Not ideal, but it'll do as a temp fix.

    We've someone coming in to do a network review or something, so things might change. I'll stay away from permissions, etc until he's done his work.


  • Registered Users, Registered Users 2 Posts: 896 ✭✭✭nialler


    muggyog wrote: »
    The OP does not need to bind to Active Directory to access the Windows share ( the Mac can connect to a Windows workstation share the same way ).
    There appears to be a permission problem which does not allow viewing the files. This could be at the Windows server end or at the Mac end. One option is to create a new local user account on the Mac and try and connect from it. This will rule out any corruption in the current user account.

    I assume you have allowed the user read access on the share as per the first image on this page (I'm on an iPad so I can't link to the image only)

    Muggyog if he is bound to the directory, and logs onto the server with his directory credentials all the permissions will be correct. Rather than having to log on to the server via DOMAIN\firstname.lastname


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭Colonel Panic


    That doesn't sound right. My Mac isn't part of the domain in work, which I manage, and I can put in domain\username for SMB and CIFS shares without any of that drama.


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    Last input to this.

    You do not have to be bound to AD to access the shares. All binding does is make the AD Database aware of the Mac. Authentication is automatic when bound versus a dialogue box when you are not. When you are authenticated ( whichever method used ) you acquire the user permissions. Clearly the problem is permissions and being bound to AD will not change that. The OP can of course bind the Mac to AD but it is just another factor being brought into the problem.

    Easiest thing to do is create a new user on the Mac which excludes any kind of keychain nonsense in the current account preventing access. If that does not work go back to the server and have a look at the permissions on the share.


  • Registered Users, Registered Users 2 Posts: 896 ✭✭✭nialler


    Panic and Mugg, I'm not saying he HAS to be bound to the server I'm just saying the network account when he is Bound will come from the AD and the permissions associated with that domain account, bypassing any local accounts on his machine (effectively like creating a new user muggyog).

    I'm currently having a similar issue with a win7 machine to my mac server, XP clients working a treat, win7 client doesn't wanna know.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭Colonel Panic


    I still think it's bad advice. The OP should confirm that his AD user has share access AND security access to the directory in question before doing anything else.

    If it's permissions and he adds his laptop to the domain, the problem will remain.

    Adding a new account on his machine is a bit of a strange one too. You can just delete saved credentials from KeyChain and even that isn't necessary as you can sign in as whatever user you like with shares, which the OP has already been instructed about and tried.
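
The point made above about share access AND security access, as an added example that is not part of any poster's reply: over SMB a user gets only the rights granted by both the share permissions and the NTFS (Security tab) permissions. The model is simplified (no ACE ordering or inheritance), and every account, group and ACL entry in it is constructed sample data.

```python
# Added illustration (not from the thread): a simplified model of how Windows
# combines share permissions with NTFS (Security tab) permissions.
# All accounts, groups and ACL entries below are constructed sample data.
READ = frozenset({"read"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}

def layer_rights(acl, principals):
    """Rights one ACL grants: union of matching allows minus matching denies.
    Simplification: ignores ACE ordering and inheritance."""
    allowed, denied = set(), set()
    for who, kind, rights in acl:
        if who in principals:
            (denied if kind == "deny" else allowed).update(rights)
    return allowed - denied

def effective_over_smb(share_acl, ntfs_acl, principals):
    """Over the network both layers apply, so the result is their intersection."""
    return layer_rights(share_acl, principals) & layer_rights(ntfs_acl, principals)

def blocking_layers(share_acl, ntfs_acl, principals, right):
    """Name the layer(s) that withhold a right, i.e. where to look on the server."""
    layers = {"share": share_acl, "ntfs": ntfs_acl}
    return [name for name, acl in layers.items()
            if right not in layer_rights(acl, principals)]

# Hypothetical domain user and group memberships.
USER = {"EXAMPLE\\jdoe", "EXAMPLE\\Domain Users", "Everyone"}

# Constructed case 1: folder shows "Full Control" on the Security tab,
# but the share itself only grants Read.
SHARE_READ_ONLY = [("Everyone", "allow", READ)]
NTFS_FULL = [("EXAMPLE\\Domain Users", "allow", FULL)]

# Constructed case 2: share is opened up, but a deny on one subfolder
# still removes write/delete for this user.
SHARE_CHANGE = [("Everyone", "allow", CHANGE)]
NTFS_DENY_WRITE = NTFS_FULL + [("EXAMPLE\\jdoe", "deny", {"write", "delete"})]

if __name__ == "__main__":
    for label, share, ntfs in [("case 1", SHARE_READ_ONLY, NTFS_FULL),
                               ("case 2", SHARE_CHANGE, NTFS_DENY_WRITE)]:
        rights = sorted(effective_over_smb(share, ntfs, USER))
        print(label, rights, "write blocked by:",
              blocking_layers(share, ntfs, USER, "write"))
```

In both constructed cases the client ends up read-only, but the layer to fix on the server differs, which is why checking both is the first step.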


  • Registered Users, Registered Users 2 Posts: 896 ✭✭✭nialler


    Panic, I'm assuming that his PC was working perfectly with this line

    "All our workstations in work are Windows XP connecting to a domain run by a server with Server 2003 on it. One PC recently went on the blink due to a hardware fault. Anyway, I've been trying to use my Macbook as a stop gap until I've access to a PC again. "

    If not then it's a whole different ball game.

    N

    Just thinking, get the OP to sign in with his account on another XP machine and see if it's an account/permissions based problem on the server.


  • Registered Users, Registered Users 2 Posts: 2,040 ✭✭✭Colonel Panic


    Good suggestion to test from a different Win machine.


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,657 CMod ✭✭✭✭The Black Oil


    The XP PC that went on the blink has a CPU fan failure message and turns itself off after 15-20 minutes making it unusable. There is no issue with me logging in under job title username and company domain on another XP workstation. I can access all my files there as normal, and read and write.

    I'll review the posts above to see if there's anything I can do to get my Macbook working re editing files.


  • Registered Users, Registered Users 2 Posts: 3,097 ✭✭✭stevek93


    Stuxnet wrote: »
    the mac object would need to be added to the domain's Active Directory first I'd imagine ...before you could join the domain. Just a guess from my intern experience as a sys admin :)

    +1. The admin will need to add the computer's name to the Active Directory before you can join.


  • Registered Users, Registered Users 2 Posts: 896 ✭✭✭nialler


    stevek93 wrote: »
    +1. The admin will need to add the computer's name to the Active Directory before you can join.

    I haven't experienced that on macs to be honest when binding them, and only experienced it for the first time on a PC yesterday, one thing that's very buggy on the macs is the single sign on also Outlook needs to be configured manually unlike PCs.


  • Registered Users, Registered Users 2 Posts: 3,097 ✭✭✭stevek93


    nialler wrote: »
    I haven't experienced that on macs to be honest when binding them, and only experienced it for the first time on a PC yesterday, one thing that's very buggy on the macs is the single sign on also Outlook needs to be configured manually unlike PCs.

    Have never used a Mac but it would be very unwise to leave a domain open and let whoever connect. Where I work we add the computer's name to the domain plus if the computer hasn't logged on after 3 months the computer name locks out and can no longer connect.


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    The XP PC that went on the blink has a CPU fan failure message and turns itself off after 15-20 minutes making it unusable. There is no issue with me logging in under job title username and company domain on another XP workstation. I can access all my files there as normal, and read and write.

    I promised I would leave this but just one final observation. The above points to the problem being at the Mac end. Creating a new local account on the Mac is the easiest way to test if there are issues related to Mac user account.

    Note regarding this comment.
    Have never used a Mac but it would be very unwise to leave a domain open and let whoever connect. Where I work we add the computer's name to the domain plus if the computer hasn't logged on after 3 months the computer name locks out and can no longer connect.
    Windows domains have only relevance to Windows machines. Effectively the Mac is a Unix box looking at the Windows shares. An unbound Mac can see the shares but to access them must use domain credentials to authenticate.

    This is the authentication window you are presented with on the Mac.

    cc160813.fig02(en-us).gif

    For further insight read under Native OS X Support on this page.


  • Moderators, Category Moderators, Entertainment Moderators, Science, Health & Environment Moderators, Regional East Moderators Posts: 18,657 CMod ✭✭✭✭The Black Oil


    I created another user on my Macbook. Through it, I can see the files on the work server OK, but they are coming up as read only, so this may be a permissions issue from the server. We had a tech guy out yesterday, but I forgot to ask him about it. When I was on an XP machine it sometimes wouldn't let me rename some of my subfolders, which is odd. Problem must be at that end somewhere.

    Re smb://servername/sharename
    smb://IP address 192, etc/ is what I connect to.

