Joining a macOS Client to a Domain

From SambaWiki

Introduction

After setting up a Samba Active Directory (AD) Domain Controller (DC), you can join machines to the domain. Only machines joined to the domain can use domain resources. During the join, a machine account is created in the domain so that the computer can authenticate as a domain member.

These instructions can be used to join a macOS client to a Samba AD as a domain member.

Prerequisites

Supported macOS Versions

Active Directory support was added in Mac OS X Panther (version 10.3, released in 2003). However, these instructions have only been tested with the following versions of macOS:

  • macOS Monterey (version 12.6.6) client and Samba version 4.13.13-Debian as AD DC

Permissions

  • Local administrator account on the computer to be joined to the domain
  • Domain account allowed to join machines to the domain, like the domain administrator account

DNS configuration

Active Directory (AD) uses DNS to locate other Domain Controllers (DC) and services, like Kerberos. Thus, AD domain members and servers must be able to resolve the AD DNS zones.

The macOS DNS Configuration page describes how to configure the DNS settings on macOS manually.

Time Synchronisation

Kerberos requires time to be synchronised on all domain members. For further details about Time Synchronisation and Samba, see the Time Synchronisation page.

To manually configure time synchronisation on a macOS domain member:

  • Open System Preferences, then click on Date & Time.
    macOS security settings may require clicking on the padlock in the bottom left of the window and entering a local administrator account's credentials before changes can be made.
  • On the Date & Time tab, tick the Set date and time automatically: checkbox. The text entry box next to it can be used to enter the time server to use.

Joining a macOS client to a Domain

  • Open System Preferences, then click on Users & Groups.
    macOS security settings may require clicking on the padlock in the bottom left of the window and entering a local administrator account's credentials before changes can be made.
  • On the left pane, click on Login Options, then click on the Join… button.
  • Enter the AD DC server name in the Server: text entry box. For example, dc1.samdom.example.com.
  • Immediately after entering the AD DC server name, the window should automatically change, now showing Active Directory Settings:.
  • Enter the credentials of a domain account allowed to join machines to the domain, like the domain administrator account, then click OK.
  • Enter the credentials of a local administrator account, then click Modify Configuration.
  • Wait for the operation to complete. Once finished, Login Options should show the domain name with a green light, for example SAMDOM.
  • If your security settings initially required you to click on the padlock, click on it again to lock the preferences.
  • Close System Preferences.
  • Restart the computer.
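The same join can be done from the Terminal with the macOS dsconfigad tool, checking the DNS and clock prerequisites above before binding; this is an added example, not a script from SambaWiki. The domain samdom.example.com, the computer name mac01, the account administrator and the sntp output format parsed by clock_within_skew are assumptions.

```shell
#!/bin/sh
# Added example (not from SambaWiki): command-line form of the join described
# above, with the DNS and clock prerequisites checked first. Host and account
# names are placeholders; run as: sh join.sh samdom.example.com mac01 administrator
set -eu

# The SRV records an AD member must resolve to locate LDAP and Kerberos.
srv_records_for() {
    printf '_ldap._tcp.%s\n_kerberos._udp.%s\n' "$1" "$1"
}

# Pick the DC host from the first LDAP SRV answer ("prio weight port host.").
dc_from_srv_answer() {
    awk 'NR == 1 { sub(/\.$/, "", $4); print $4 }'
}

# Fail unless every SRV record resolves (dig ships with macOS).
check_dns() {
    srv_records_for "$1" | while read -r rec; do
        dig +short SRV "$rec" | grep -qv '^;' || { echo "unresolvable: $rec" >&2; exit 1; }
    done
}

# Accept an sntp offset line ("+0.0123 +/- 0.04 host addr"; format assumed)
# only if the clock is inside Kerberos' default 5-minute skew limit.
clock_within_skew() {
    printf '%s\n' "$1" | awk '{ off = $1 + 0; if (off < 0) off = -off; exit !(off < 300) }'
}

# Extract the bound domain from `dsconfigad -show` output read on stdin.
bound_domain() {
    awk -F'= ' '/Active Directory Domain/ { print $2; exit }'
}

main() {
    domain=$1 computer=$2 admin=${3:-administrator}
    check_dns "$domain"
    dc=$(dig +short SRV "_ldap._tcp.$domain" | dc_from_srv_answer)
    clock_within_skew "$(sntp "$dc")" || { echo "clock skew too large vs $dc" >&2; exit 1; }
    # dsconfigad prompts for the domain account's password; binding needs a local admin.
    sudo dsconfigad -add "$domain" -computer "$computer" -username "$admin"
    [ "$(dsconfigad -show | bound_domain)" = "$domain" ] || { echo "join failed" >&2; exit 1; }
    echo "joined $domain as $computer; restart the computer to finish"
}

if [ $# -gt 0 ]; then main "$@"; fi
```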