09 Apr Authenticate Windows Clients against Mountain Lion Server using pGina
Today I had a nice request from a customer, quite unusual, but then it is the new things that are interesting and drive us forward.
The client asked whether it is possible to authenticate Windows clients against the Open Directory of his Server for Mountain Lion. In the old days we could use the Samba-based Primary Domain Controller feature built into Mac OS X Server 10.6.x (or even 10.5.x), but those times are over. First, we would not want an old NT-style Domain Controller any more, and as of Server 1.x Apple has simply cut this feature by no longer shipping Samba. This is also true for Server 2.x, which runs on Mountain Lion. With the built-in tools you can have an SMB connection from a Windows PC to your Mac server, but you can’t log into your PC with the credentials of an Open Directory user. Put simply, you cannot join a domain hosted on your Mac server, because the Server no longer creates one.
It turned out that the PCs that should authenticate against Open Directory were in fact all Windows 8 PCs running in Parallels Desktop on brand new iMacs with 10.8.3; the server was a Mac Mini running Server 2.2.1 on 10.8.3, but that should not matter at all.
The solution comes as an open source package called pGina. It has been around for some time, sitting at versions 1.x and 2.x for a long while, and it even looked like the project had been abandoned for a period, but it gained some traction and is now at version 3.0.10 (at the time of writing). pGina is installed on each Windows client; they claim it works from XP to Windows 8 – in my case I only tested it on Windows 8, but we can assume that it works on older Windows versions as well. While pGina can be used for much more, here it is used to authenticate a user against an existing LDAP directory and then allow a local login into the Windows PC. This is different from a domain login, as it will not download any profile from the server, won’t configure any resources and will not mount any network drives (these things might be scripted or done in another way, but they are not included in pGina), but for the login part it serves the purpose of using a central directory to store and manage user credentials. The authentication is a simple LDAP bind/query, so it might not be the most secure thing to do (compared to Kerberos authentication on OS X).
What needs to be done?
Step 1 – Download and install pGina.
Step 2 – Enable and configure the LDAP plugin for pGina. The configuration is really easy if you know what to enter in all those fields. Of course, if you don’t know what to enter, you might end up pulling your hair… If you want to learn more about LDAP, you might consider signing up for one of the Directory Services classes that we offer together with a Training Center near you; just drop us an email.
If we just assume that our server is named server.example.com and it is running an Open Directory Master under this hostname, the first two fields in the LDAP plugin configuration are:
LDAP Host: server.example.com
In the lower part, we need to set
User DN Pattern: uid=%u,cn=users,dc=server,dc=example,dc=com
Step 3 – Also enable the Local Machine plugin, so that after a successful LDAP authentication a new local user will be created. See the following screenshot for how it looks with the LDAP and Local Machine plugins enabled:
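To make the User DN Pattern from Step 2 and the "simple LDAP bind" caveat concrete, here is an added Python example (my own illustration, not pGina's code or anything shipped with it): it expands the pattern with RFC 4514 escaping of the login name, encodes the exact BindRequest a simple bind puts on the wire (where the password sits as a plain octet string, which is why such a bind is best carried over TLS), parses the BindResponse result code, and can send the bind to a directory. The host, user names and passwords it is called with are constructed samples.

```python
# Added example, not pGina's own code: expands its User DN Pattern and shows the simple bind on the wire.
import socket
_DN_SPECIAL = ',+"\\<>;='  # RFC 4514: these must be escaped inside a DN value

def build_user_dn(pattern: str, username: str) -> str:
    """Expand pGina's User DN Pattern (%u = login name) into an RFC 4514-safe bind DN."""
    escaped = "".join(("\\" + c) if c in _DN_SPECIAL else c for c in username)
    if escaped[:1] in ("#", " "):        # leading '#' or space
        escaped = "\\" + escaped
    if escaped.endswith(" "):            # trailing space
        escaped = escaped[:-1] + "\\ "
    return pattern.replace("%u", escaped)   # 'bob,cn=admins' can no longer reshape the DN

def _ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder (definite short and long lengths)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload

def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{messageID, BindRequest{version 3, name, simple}} per RFC 4511 (msg_id < 128).
    The password is a plain OCTET STRING: without TLS it crosses the network in cleartext."""
    bind = _ber(0x60, _ber(0x02, b"\x03")                    # version 3
                + _ber(0x04, dn.encode("utf-8"))           # name = user DN
                + _ber(0x80, password.encode("utf-8")))    # simple authentication
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + bind)

def _tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (tag, value, next position)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def bind_result_code(response: bytes) -> int:
    """resultCode of a BindResponse (0 = success, 49 = invalidCredentials)."""
    _, body, _ = _tlv(response, 0)       # outer LDAPMessage SEQUENCE
    _, _, pos = _tlv(body, 0)            # messageID
    _, bind_resp, _ = _tlv(body, pos)    # [APPLICATION 1] BindResponse
    _, code, _ = _tlv(bind_resp, 0)      # ENUMERATED resultCode
    return int.from_bytes(code, "big")

def try_simple_bind(host: str, dn: str, password: str, port: int = 389) -> int:
    """Send one bind to the directory and return its resultCode (needs a reachable server)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(simple_bind_request(1, dn, password))
        return bind_result_code(sock.recv(4096))
```

Calling `try_simple_bind("server.example.com", build_user_dn("uid=%u,cn=users,dc=server,dc=example,dc=com", "alice"), "s3cret")` reproduces what the pGina LDAP plugin does at login; a packet capture of that exchange shows the password in the clear, which is the weakness mentioned above.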
After applying and saving, you should be able to log in. That was not too hard, right?
I hope you can now enjoy the login on your PC using your Open Directory users.