[Legacy] How to setup the Mac OS X Magic Triangle

KB Home   |   [Legacy] How to setup the Mac OS X Magic Triangle

The contents of this article are most pertinent to Macintosh-centric installations running Mac OS X 10.6.x and earlier.

Due to the vast array of changes Apple has made to OS X Server, most notably the removal of printer administration from within Server.app, transitioning Open Directory to a smaller intended scope of support, and the complete deprecation of Workgroup Manager starting with Mac OS X Yosemite (10.10) there is no longer a tenable way to implement Magic Triangle solutions in modern Mac environments.

Alternate documentation on deploying the PaperCut Client to Macintosh installations will be posted, and a link to such documentation will be listed on this page when available.




This document is a Work In Progress (Last Updated: 20140103 Original: 20130708). Check with PaperCut Technical Support for more details: support@papercut.com

This information is current as of Mac OS X version 10.8.4. These steps may work for other versions but your mileage may vary.

What is the Magic Triangle you ask? It’s where you setup a Mac OS X environment to be able to authenticate to a Windows environment without the Mac users having to continuously type in their username and password each and every time they connect to a Windows resource be it a shared folder or a print queue.

By implementing the Magic Triangle you will avoid some of the “gotchas” around the traditional setups used to integrate Mac into a Windows environment such as Microsoft Windows LPR Print queue limitations.

During this guide we’ll cover the setup of a very simple Apple Open Directory environment which integrates into a fairly simple Windows Active Directory environment. At the end of this guide you’ll be able to login to the Mac OS X client (desktop or laptop) with Windows credentials and have Printers and Network Folders automatically added to the users session. You can then on your own time expand this to include any resources such as Home Directories, DFS shares or similar.

What you will need

  1. Working Active Directory environment
  2. Windows Print Server with or without PaperCut installed to it
  3. Mac OS X 10.8.x Server installed but otherwise blank.
  4. Mac OS X 10.8.4 client machine (desktop or laptop)
  5. Another Mac OS X client machine for use with Workgroup Manage (WGM). More about this later.
  6. Some elbow grease

Acronyms used:

  • AD - Active Directory
  • OD - Open Directory
  • WGM - Mac OS X’s Workgroup Manager
  • FQDN - Fully Qualified Domain Name
  • A / PTR - DNS Record types
  • GPO - Windows Group Policy Object
  • OU - Organisational Unit, common to Active Directory and Open Directory

Step One - DNS

Both Active Directory and Open Directory (AD and OD) rely heavily on DNS. Without a correctly functioning DNS environment you will have severe problems.

We need to make sure DNS is correct for your OD server, both Forward and Reverse (A and PTR). This needs to be done in the DNS Zone for your AD environment. We’ll use papercutsoftware.com as this domain moving forward.

As System Administrators are really creative, I’ve called my Mac OS X 10.8 server mac-mini-108 which when combined with the domain name above gives us the Fully Qualified Domain Name (FQDN) of mac-mini-108.papercutsoftware.com and I’ve given it the static IP address of 10.100.64.19. I have created both A and PTR records for this new server and have confirmed via terminal on a Mac OS X client that they’re working.

# dig a mac-mini-108.papercutsoftware.com
;; ANSWER SECTION:
mac-mini-108.papercutsoftware.com. 86400 IN A   10.100.64.19

# dig -x 10.100.64.19
;; ANSWER SECTION:
19.64.100.10.in-addr.arpa. 604800 IN    PTR     mac-mini-108.papercutsoftware.com.

Editing a DNS Zone in Windows Server 2012

TODO To do this in Windows Server 2012, do the following…. [screenshots]

Tip: Mac OS X Servernames

To update a Mac 10.8 server’s hostname, open the Server app, select your Mac OS X server if required, click the Network Tab when the Overview tab is shown. Click the Edit button next to Hostname, Click the Continue button, select Host name for Internet and click the Continue button. Let it figure out it’s own hostname, this should match your above A and PTR records. If not you will need to revisit your DNS before continuing.

Step Two - Create Open Directory Master

Your Mac OS X Clients can happily authenticate to a Windows Active Directory environment but without 3rd party software they can not be managed easily in that configuration. Part of the Magic of this setup is that your Mac and Windows networks will play nicely with each other and handle things like centralised authentication and preferences appropriately.

Mac OS X Preferences are similar to Windows Group Policies. These preferences can control what Applications are shown on the Dock for a user, mapped network folders and of course printers. In simplistic terms, these Preferences are controlled by OD. We’ll create a new OD environment.

Open Server app, select your Mac OS X server if required, click Open Directory and click the OFF ON slider, select Create a new Open Directory domain and click the Next button, enter appropriate Directory Administrator details (diradmin is a traditional username to use), and click the Next button. Provide appropriate Organization Information and click the Next button. Click Set Up on the Confirm Settings confirmation screen.

As of writing, this should now make the Mac OS X 10.8 server a Master for the domain you have selected above.

Step Three - Bind OS X Client to Open Directory

Make sure your OS X 10.8 client can resolve the Open Directory master by pinging it, e.g. ping mac-mini-108.papercutsoftware.com. If you’ve just added it to DNS, you may need to flush the DNS cache on the client workstation. This is done via sudo killall -HUP mDNSResponder in Terminal.

In OS X 10.8, make sure your DNS server is a Windows Active Directory DNS Servermac then load System PreferencesUsers & Groups → Click the Lock to authenticate yourself then click Login Options and then the Join... button next to Network Account Server:. Click the Open Directory Utility... button.

Then with Directory Utility open, Click the Lock to authenticate yourself then double click the LDAPv3 item in the list then the New button and put in your OD server name, e.g. mac-mini-108.papercutsoftware.com and click Continue. You should then be asked for a username and password, we suggest using diradmin from earlier.

In this example we use mac-mini-108.papercutsoftware.com. It might pre-populate with mac-mini-108.local, don’t use this unless you Active Directory Domain/Forest is .local! Also in this example we Trust the SSL certificates. The story behind this is outside of the scope of this guide. Allow for the insecure connections.

Tip: Mac OS X Login Screens

Consider changing the login screen to not display a list of users, instead show a Username and Password prompt.

Step Four - Bind OS X Client to Active Directory

Ensure that you have a Computer Object in your Active Directory in-built OU Computers matching the name you want the OS X 10.8 Client to be known as, in this guide we’re using “mac-client-02”. Experience tells us this is easier than typing in a custom OU structure when binding later.

You should now have the Directory Utility open still and you can then double click the Active Directory] item in the list then type in the [@Active Directory Domain and Computer ID and click Bind. You will need your Active Directory administrative username and password. Click OK when done.

Tip: Mobile Users

Consider ticking “Create mobile account at login” for users with Laptops.

Tip: Error message “Node name wasn’t found. (2000)

If you receive an error “Node name wasn’t found. (2000).”. Check that you have the correct time on your Mac OS X Client. You can use your Domain Controllers as a NTP server!

You should now have the Directory Utility again so click the Search Policy Tab and make sure for Authentication that the /Active Directory/[domain]/All Domains is above the /LDAPv3/[open-directory server]. This ensures that you use your Active Directory for authentication rather than Open Directory and it should create a nice authenticated session between your Mac and Windows environments.

Tip: Unclear on how to change this order?

Drag the items around. It wasn’t obvious the first time we did this either!

Leave “Contacts” as above /LDAPv3/[open-directory server] the /Active Directory/[domain]/All Domains item. Click Apply.

You should now be able to log in as an Active Directory user to the Mac OS X machine.

As OS X may not be able to contact Active Directory when disconnected from the network, you may need to run the following command inside of terminal for any administrative user: sudo dseditgroup -o edit -a "$3" admin

This command will manually add the currently logged in user to the local admin group.

Step Five - Managing the Macs, e.g. adding home dirs and Mac OS X print queues.

You can now login via Active Directory but things like Print Queues, Shared Folders etc all still need work. To do this you will want to use Workgroup Manager (WGM) on Mac OS X and so that you can make WGM aware of Active Directory groups you’ll need to bind the Mac OS X Open Directory server to the Windows Domain.

This process is exactly the same as binding the Mac OS X client to AD. You’ll need to do these steps again with your Mac OS X Server. Once done, WGM should then be able to see AD’s Users and Groups.

Now for one of the magical bits, we’re going to create a Group in OD that it’s only purpose is to have a Group from AD so we can apply Preferences via WGM to Windows Users logging into the Mac OS X Client. An example in this case is to deploy printers from your Mac OS X Server to your Mac OS X Clients when an Active Directory user logs in.

We already have a group in AD called “PaperCut Staff” and we want to deploy printers to those users when they login to the Mac OS X client workstations. To do this we’ll create a group in OD called “PaperCut Staff Mac” and make the AD group a member of the OD group.

Make sure you’re authenticated to Open Directory by clicking the the drop down arrow next to the tiny globe (see screenshot) and selecting /`LDAPv3/127.0.0.1 and then clicking the closed padlock on the right.

Next select the Group tab and then click the New Group button and give it an appropriate name, then click the Members tab then click the + button then select /Active Directory/[domain]/All Domains then click on the Group tab and find the group you want to add. Double click it and then click the Save button.

Now you can select the Preferences tab and select Printing icon. From here you will see all of the locally installed printers.

Select the Printers you want to deploy to that Group by clicking on them and clicking the Add button. Once you’re happy with your choices, click Apply Now, then Done.

You can explore other preferences (Dock items is good for Network Shares), but otherwise you’re now at a point where you can login to a Mac OS X Client workstation with the a username and password from the Windows domain and have your printers on the Mac OS X server show up along with any network drives on

Warning: Deploy means Copy

When deploying printers in this manner, Mac OS X essentially copies the configuration for the print queue to the Mac OS X client machine. You can compare the contents of /etc/cups/printers.conf on the server and client machine to see how this works.

At a technical level, PaperCut adds it’s own backend to the DeviceURI option for the printer. This is in the /etc/cups/printers.conf. Traditionally you will see something like socket:, ipp:, mdns: and others. PaperCut will add it’s own papercut: backend so that CUPS will call PaperCut to handle the print job. This is done by executing the binary located in /usr/libexec/cups/backend/papercut.

When Work Group Manager copies the config from the server to the client, it doesn’t modify the DeviceURI variable.

To work around this quirk you have two options: 1 - Use WGM on a client machine that already has all of the print queues from the print server connected. This means WGM will copy the client’s configuration rather than the server. 2 - Create duplicate print queues on the server that point to the queue on the server, e.g. macserver\queue-shared & macserver\queue. macserver\queue points to nacserver\queue-shared and macserver\queue-shared is monitored by PaperCut. You deploy macserver\queue to your workstations.

This is a bit a complex situation, please contact PaperCut Support if you have further questions.

Step Five point One - Adding a Windows Print Queue to a Mac OS X Client

To Do

Step Six - Running the PaperCut User Client

To Do

Step Six point One - Running the PaperCut User Client from a Windows server

To Do

TODO link your page here: https://www.papercut.com/kb/Main/Miscellaneous


Categories: TODOFirstCategory?, TODOSecondCategoryIfNeeded?


Keywords: golden triangle

Comments

Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.

Article last modified on July 21, 2015, at 06:05 AM
Printable View   |   Article History   |   Edit Article