Joining a macOS Client to a Domain
Introduction
After setting up a Samba Active Directory (AD) Domain Controller (DC), you can join machines to the domain. Only machines joined to the domain can use domain resources. During the join, a machine account is created in the domain to authenticate the computer as a member.
These instructions can be used to join a macOS client to your Samba AD as a domain member.
Prerequisites
Supported macOS Versions
Active Directory support was added in Mac OS X Panther (version 10.3 released in 2003). However, these instructions have only been tested with the following versions of macOS:
- macOS Monterey (version 12.6.6) client and Samba version 4.13.13-Debian as AD DC
Permissions
- Local administrator account on the computer to be joined to the domain
- Domain account allowed to join machines to the domain, like the domain administrator account
DNS configuration
Active Directory (AD) uses DNS to locate other Domain Controllers (DC) and services, like Kerberos. Thus, AD domain members and servers must be able to resolve the AD DNS zones.
The instructions on the page, macOS DNS Configuration, can be used to manually configure the DNS settings on macOS.
Time Synchronisation
Kerberos requires time to be synchronised on all domain members. For further details about Time Synchronisation and Samba, see the Time Synchronisation page.
To manually configure time synchronisation on a macOS domain member:
- Open System Preferences, then click on Date & Time.
- macOS security settings may require clicking on the padlock in the bottom left of the window and entering a local administrator account's credentials, before being able to make changes.
- On the Date & Time tab, the Set date and time automatically: checkbox must be ticked. The text entry box can be used to enter server information.
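The DNS and time prerequisites above can be checked from Terminal before attempting the join. The following script is an added example, not part of the original instructions: the domain and DC names reuse this page's example values, the 300-second limit is the Kerberos default rather than a value from this page, and the sntp output format is an assumption.

```sh
#!/bin/sh
# Added example: pre-join checks for the DNS and time prerequisites.
# DOMAIN and DC are assumed values; override them in the environment.
DOMAIN=${DOMAIN:-samdom.example.com}
DC=${DC:-dc1.samdom.example.com}
MAX_SKEW=${MAX_SKEW:-300}   # default Kerberos clock skew tolerance, in seconds

# Read `dig +short -t SRV` output on stdin; print "target port" per record.
# Lines that are not "priority weight port target" (errors, comments) are dropped.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             sub(/\.$/, "", $4); print $4, $3 }'
}

# Succeed only if $1 is a number whose absolute value is within MAX_SKEW.
skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN {
        if (o !~ /^[+-]?[0-9]+(\.[0-9]+)?$/) exit 1
        o += 0; if (o < 0) o = -o
        exit !(o <= m) }'
}

preflight() {
    rc=0
    for svc in _ldap._tcp _kerberos._tcp; do
        t=$(dig +short -t SRV "$svc.$DOMAIN" | srv_targets)
        if [ -n "$t" ]; then
            echo "OK   $svc.$DOMAIN -> $t"
        else
            echo "FAIL $svc.$DOMAIN: no SRV record returned"; rc=1
        fi
    done
    # Assumption: sntp prints the signed offset in seconds as its first field.
    off=$(sntp "$DC" 2>/dev/null | awk 'NR == 1 { print $1 }')
    if skew_ok "$off"; then
        echo "OK   clock offset ${off}s against $DC"
    else
        echo "FAIL clock offset '${off}' against $DC (limit ${MAX_SKEW}s)"; rc=1
    fi
    return $rc
}

# Run the live checks only when asked, e.g.: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```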
Joining a macOS client to a Domain
- Open System Preferences, then click on Users & Groups.
- macOS security settings may require clicking on the padlock in the bottom left of the window and entering a local administrator account's credentials, before being able to make changes.
- On the left pane, click on Login Options, then click on the Join… button.
- Enter the AD DC server name in the Server: text entry box. For example, dc1.samdom.example.com.
- Immediately after entering the AD DC server name, the window should automatically change, now showing Active Directory Settings:.
- Enter the credentials of a domain account allowed to join machines to the domain, like the domain administrator account, then click OK.
- Enter the credentials of a local administrator account, then click Modify Configuration.
- Wait for the operation to complete. Once finished, Login Options should show the domain name with a green light, for example SAMDOM.
- If your security settings initially required you to click on the padlock, click on it again to lock the preferences.
- Close System Preferences.
- Restart the computer.