[Legacy] How to set up the Mac OS X Magic Triangle
The contents of this article are most pertinent to Macintosh-centric installations running Mac OS X 10.6.x and earlier.
Due to the vast array of changes Apple has made to OS X Server, most notably the removal of printer administration from within Server.app, transitioning Open Directory to a smaller intended scope of support, and the complete deprecation of Workgroup Manager starting with Mac OS X Yosemite (10.10), there is no longer a tenable way to implement Magic Triangle solutions in modern Mac environments.
Alternate documentation on deploying the PaperCut Client to Macintosh installations will be posted, and a link to such documentation will be listed on this page when available.
This information is current as of Mac OS X version 10.8.4. These steps may work for other versions but your mileage may vary.
What is the Magic Triangle, you ask? It’s where you set up a Mac OS X environment to authenticate to a Windows environment without the Mac users having to type in their username and password each and every time they connect to a Windows resource, be it a shared folder or a print queue.
By implementing the Magic Triangle you will avoid some of the “gotchas” around the traditional setups used to integrate Macs into a Windows environment, such as Microsoft Windows LPR print queue limitations.
During this guide we’ll cover the setup of a very simple Apple Open Directory environment which integrates into a fairly simple Windows Active Directory environment. At the end of this guide you’ll be able to log in to the Mac OS X client (desktop or laptop) with Windows credentials and have Printers and Network Folders automatically added to the user’s session. You can then, in your own time, expand this to include any resources such as Home Directories, DFS shares or similar.
- Working Active Directory environment
- Windows Print Server with or without PaperCut installed to it
- Mac OS X 10.8.x Server installed but otherwise blank.
- Mac OS X 10.8.4 client machine (desktop or laptop)
- Another Mac OS X client machine for use with Workgroup Manager (WGM). More about this later.
- Some elbow grease
- AD - Active Directory
- OD - Open Directory
- WGM - Mac OS X’s Workgroup Manager
- FQDN - Fully Qualified Domain Name
- A / PTR - DNS Record types
- GPO - Windows Group Policy Object
- OU - Organisational Unit, common to Active Directory and Open Directory
Both Active Directory and Open Directory (AD and OD) rely heavily on DNS. Without a correctly functioning DNS environment you will have severe problems.
We need to make sure DNS is correct for your OD server, both Forward and Reverse (A and PTR). This needs to be done in the DNS Zone for your AD environment. We’ll use papercutsoftware.com as this domain moving forward.
As System Administrators are really creative, I’ve called my Mac OS X 10.8 server mac-mini-108 which, when combined with the domain name above, gives us the Fully Qualified Domain Name (FQDN) of mac-mini-108.papercutsoftware.com, and I’ve given it the static IP address of 10.100.64.19. I have created both A and PTR records for this new server and have confirmed via Terminal on a Mac OS X client that they’re working.
    # dig a mac-mini-108.papercutsoftware.com
    ;; ANSWER SECTION:
    mac-mini-108.papercutsoftware.com. 86400 IN A 10.100.64.19

    # dig -x 10.100.64.19
    ;; ANSWER SECTION:
    19.64.100.10.in-addr.arpa. 604800 IN PTR mac-mini-108.papercutsoftware.com.
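The shell function below is an added example, not part of the original article: it automates the A/PTR confirmation shown above by checking that every address returned for the server's name has a PTR record pointing back at that name. The function name `check_fcrdns` and the `DIG` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS check for the OD server.
# DIG may be pointed at another resolver command (or a stub) if required.
# Usage: check_fcrdns mac-mini-108.papercutsoftware.com
DIG=${DIG:-dig}

# Strip the trailing root dot and lower-case a DNS name for comparison.
normalise() {
    printf '%s\n' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# check_fcrdns HOST
# Returns 0 only if HOST has at least one A record and every A record has
# a PTR record that names HOST again. Prints one line per finding.
check_fcrdns() {
    host=$(normalise "$1")
    # Keep only IPv4 addresses (dig +short also prints CNAME targets).
    addrs=$("$DIG" +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    if [ -z "$addrs" ]; then
        echo "FAIL: no A record for $host"
        return 1
    fi
    rc=0
    for ip in $addrs; do
        match=no
        for ptr in $("$DIG" +short -x "$ip"); do
            if [ "$(normalise "$ptr")" = "$host" ]; then
                match=yes
            fi
        done
        if [ "$match" = yes ]; then
            echo "OK: $host -> $ip -> $host"
        else
            echo "FAIL: PTR for $ip does not return $host"
            rc=1
        fi
    done
    return $rc
}
```

A non-zero return means the DNS zone needs fixing before any binding is attempted.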
Editing a DNS Zone in Windows Server 2012
TODO To do this in Windows Server 2012, do the following…. [screenshots]
Tip: Mac OS X Servernames
To update a Mac 10.8 server’s hostname, open the Server app, select your Mac OS X server if required, and click the Network tab when the Overview tab is shown. Click the Edit button next to Hostname, click the Continue button, select Host name for Internet and click the Continue button. Let it figure out its own hostname; this should match your A and PTR records above. If not, you will need to revisit your DNS before continuing.
Your Mac OS X Clients can happily authenticate to a Windows Active Directory environment, but without 3rd party software they cannot be managed easily in that configuration. Part of the Magic of this setup is that your Mac and Windows networks will play nicely with each other and handle things like centralised authentication and preferences appropriately.
Mac OS X Preferences are similar to Windows Group Policies. These preferences can control what Applications are shown on the Dock for a user, mapped network folders and of course printers. In simplistic terms, these Preferences are controlled by OD. We’ll create a new OD environment.
Open the Server app, select your Mac OS X server if required, click Open Directory and click the OFF ON slider, select Create a new Open Directory domain and click the Next button, enter appropriate Directory Administrator details (diradmin is a traditional username to use), and click the Next button. Provide appropriate Organization Information and click the Next button. Click Set Up on the Confirm Settings confirmation screen.
As of writing, this should now make the Mac OS X 10.8 server a Master for the domain you have selected above.
Make sure your OS X 10.8 client can resolve the Open Directory master by pinging it, e.g. ping mac-mini-108.papercutsoftware.com. If you’ve just added it to DNS, you may need to flush the DNS cache on the client workstation. This is done via sudo killall -HUP mDNSResponder in Terminal.
In OS X 10.8, make sure your DNS server is a Windows Active Directory DNS server, then load System Preferences → Users & Groups. Click the Lock to authenticate yourself, then click Login Options and then the Join... button next to Network Account Server:. Click the Open Directory Utility... button.
Then, with Directory Utility open, click the Lock to authenticate yourself, then double click the LDAPv3 item in the list, then the New button, and put in your OD server name, e.g. mac-mini-108.papercutsoftware.com, and click Continue. You should then be asked for a username and password; we suggest using diradmin from earlier.
In this example we use mac-mini-108.papercutsoftware.com. It might pre-populate with mac-mini-108.local; don’t use this unless your Active Directory Domain/Forest is .local! Also in this example we Trust the SSL certificates. The story behind this is outside of the scope of this guide. Allow for the insecure connections.
Tip: Mac OS X Login Screens
Consider changing the login screen to not display a list of users, instead show a Username and Password prompt.
Ensure that you have a Computer Object in your Active Directory’s built-in Computers OU matching the name you want the OS X 10.8 Client to be known as; in this guide we’re using “mac-client-02”. Experience tells us this is easier than typing in a custom OU structure when binding later.
You should still have Directory Utility open. Double click the Active Directory item in the list, then type in the Active Directory Domain and Computer ID and click Bind. You will need your Active Directory administrative username and password. Click OK when done.
Tip: Mobile Users
Consider ticking “Create mobile account at login” for users with Laptops.
Tip: Error message “Node name wasn’t found. (2000)”
If you receive the error “Node name wasn’t found. (2000)”, check that you have the correct time on your Mac OS X Client. You can use your Domain Controllers as an NTP server!
You should now have Directory Utility open again, so click the Search Policy tab and make sure that, for Authentication, /Active Directory/[domain]/All Domains is above /LDAPv3/[open-directory server]. This ensures that you use your Active Directory for authentication rather than Open Directory, and it should create a nice authenticated session between your Mac and Windows environments.
Tip: Unclear on how to change this order?
Drag the items around. It wasn’t obvious the first time we did this either!
Leave “Contacts” as above /LDAPv3/[open-directory server] the /Active Directory/[domain]/All Domains item.
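One way to confirm the Authentication order from Terminal rather than by eye in Directory Utility (an added example, not from the original article): the function reads the output of `dscl /Search -read / SearchPath` and reports whether the Active Directory node comes before the LDAPv3 node. The function names, the constructed sample, and the assumption that dscl prints one node per line are this example's own.

```shell
#!/bin/sh
# Added example: verify that Active Directory is searched before Open
# Directory for authentication. Input is `dscl /Search -read / SearchPath`.

# check_auth_order: reads dscl output on stdin.
# Exit 0 = AD first, 1 = LDAPv3 first, 2 = one of the two nodes is missing.
check_auth_order() {
    awk '
        { sub(/^[ \t]+/, "") }                        # drop dscl indentation
        /^\/Active Directory\// && !ad { ad = NR }    # first AD node
        /^\/LDAPv3\//           && !od { od = NR }    # first OD node
        END {
            if (!ad) { print "FAIL: no Active Directory node in search path"; exit 2 }
            if (!od) { print "FAIL: no LDAPv3 node in search path"; exit 2 }
            if (ad > od) { print "FAIL: LDAPv3 is searched before Active Directory"; exit 1 }
            print "OK: Active Directory is searched before LDAPv3"
        }'
}

# Constructed sample (the domain name PAPERCUT is made up for illustration).
sample_search_path() {
    cat <<'EOF'
SearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/PAPERCUT/All Domains
 /LDAPv3/mac-mini-108.papercutsoftware.com
EOF
}

# On a Mac, check the live policy; elsewhere, fall back to the sample.
if command -v dscl >/dev/null 2>&1; then
    dscl /Search -read / SearchPath | check_auth_order
else
    sample_search_path | check_auth_order
fi
```

Exit status 1 means the two entries need to be dragged into the other order; status 2 means one of the two bindings is missing from the search policy altogether.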
You should now be able to log in as an Active Directory user to the Mac OS X machine.
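As OS X may not be able to contact Active Directory when disconnected from the network, you may need to run the following command inside of Terminal for any administrative user:

    sudo dseditgroup -o edit -a "$3" admin

This command will manually add the currently logged in user to the local admin group. Here "$3" is the shell’s third positional parameter, so the line as written belongs in a script that is passed the user’s short name as its third argument; typed directly into Terminal, "$3" is empty and needs to be replaced with the user’s short name.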
You can now log in via Active Directory, but things like Print Queues, Shared Folders etc. all still need work. To do this you will want to use Workgroup Manager (WGM) on Mac OS X, and so that you can make WGM aware of Active Directory groups you’ll need to bind the Mac OS X Open Directory server to the Windows Domain.
This process is exactly the same as binding the Mac OS X client to AD. You’ll need to do these steps again with your Mac OS X Server. Once done, WGM should then be able to see AD’s Users and Groups.
Now for one of the magical bits: we’re going to create a Group in OD whose only purpose is to contain a Group from AD, so we can apply Preferences via WGM to Windows Users logging into the Mac OS X Client. An example in this case is to deploy printers from your Mac OS X Server to your Mac OS X Clients when an Active Directory user logs in.
We already have a group in AD called “PaperCut Staff” and we want to deploy printers to those users when they log in to the Mac OS X client workstations. To do this we’ll create a group in OD called “PaperCut Staff Mac” and make the AD group a member of the OD group.
Make sure you’re authenticated to Open Directory by clicking the drop down arrow next to the tiny globe and selecting /LDAPv3/127.0.0.1 and then clicking the closed padlock on the right.
Next select the Group tab and then click the New Group button and give it an appropriate name, then click the Members tab, then click the + button, then select /Active Directory/[domain]/All Domains, then click on the Group tab and find the group you want to add. Double click it and then click the
Now you can select the Preferences tab and select the Printing icon. From here you will see all of the locally installed printers.
Select the Printers you want to deploy to that Group by clicking on them and clicking the Add button. Once you’re happy with your choices, click Apply Now, then
You can explore other preferences (Dock items is good for Network Shares), but otherwise you’re now at a point where you can log in to a Mac OS X Client workstation with a username and password from the Windows domain and have your printers on the Mac OS X server show up along with any network drives on
Warning: Deploy means Copy
When deploying printers in this manner, Mac OS X essentially copies the configuration for the print queue to the Mac OS X client machine. You can compare the contents of /etc/cups/printers.conf on the server and client machine to see how this works.
At a technical level, PaperCut adds its own backend to the DeviceURI option for the printer. This is in /etc/cups/printers.conf. Traditionally you will see something like mdns: and others. PaperCut will add its own papercut: backend so that CUPS will call PaperCut to handle the print job. This is done by executing the binary located in
When Workgroup Manager copies the config from the server to the client, it doesn’t modify the DeviceURI variable.
To work around this quirk you have two options:
1 - Use WGM on a client machine that already has all of the print queues from the print server connected. This means WGM will copy the client’s configuration rather than the server’s.
2 - Create duplicate print queues on the server that point to the queue on the server, e.g. macserver\queue-shared & macserver\queue. macserver\queue points to macserver\queue-shared and macserver\queue-shared is monitored by PaperCut. You deploy macserver\queue to your workstations.
This is a bit of a complex situation; please contact PaperCut Support if you have further questions.
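The server/client comparison of /etc/cups/printers.conf suggested above can be scripted; the following is an added example, not PaperCut's own tooling. It lists each queue's DeviceURI, the queues that do not go through the papercut: backend, and the queues whose DeviceURI reached the client unchanged. Function names, queue names, hosts and the sample URIs are constructed for illustration, and the files are assumed to be copies taken with sudo, since printers.conf is readable by root only.

```shell
#!/bin/sh
# Added example: inspect DeviceURI lines in copies of /etc/cups/printers.conf.

# Print "queue<TAB>DeviceURI" for every <Printer>/<DefaultPrinter> block.
device_uris() {
    awk '
        /^<(Default)?Printer / { q = $2; sub(/>$/, "", q) }   # block opens
        $1 == "DeviceURI" && q != "" { print q "\t" $2 }
        /^<\/(Default)?Printer>/ { q = "" }                   # block closes
    ' "$1" | LC_ALL=C sort
}

# Queues whose DeviceURI does not go through the papercut: backend.
queues_without_papercut() {
    device_uris "$1" | awk -F '\t' '$2 !~ /^papercut:/ { print $1 }'
}

# Queues whose DeviceURI is identical in both files, i.e. the server's
# value was copied to the client without modification.
copied_unchanged() {
    a=$(mktemp "${TMPDIR:-/tmp}/uris.XXXXXX") || return 1
    b=$(mktemp "${TMPDIR:-/tmp}/uris.XXXXXX") || return 1
    device_uris "$1" > "$a"
    device_uris "$2" > "$b"
    LC_ALL=C comm -12 "$a" "$b" | cut -f1
    rm -f "$a" "$b"
}

# Constructed sample files (queue names, hosts and URIs are made up).
write_samples() {
    cat > "$1/server.conf" <<'EOF'
# Printer configuration file for CUPS
<Printer laser>
Info Laser
DeviceURI papercut:lpd://10.100.64.50/lp
State Idle
</Printer>
<DefaultPrinter colour>
DeviceURI lpd://10.100.64.51/lp
</DefaultPrinter>
EOF
    cat > "$1/client.conf" <<'EOF'
<Printer laser>
DeviceURI papercut:lpd://10.100.64.50/lp
</Printer>
<Printer colour>
DeviceURI smb://macserver/colour
</Printer>
EOF
}
```

With the sample files, `copied_unchanged server.conf client.conf` prints `laser`, the queue whose server-side DeviceURI landed on the client as-is.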
Keywords: golden triangle