
 

This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

For more information about the manual page format, see the manual page for manpages(5).



dsconfigad(8)             BSD System Manager's Manual            dsconfigad(8)

NAME
     dsconfigad -- retrieves/changes configuration for Directory Services Active Directory Plugin.

SYNOPSIS
     dsconfigad -h
     dsconfigad -show [-lu username] [-lp password]
     dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password] [-lu username] [-lp password]
                [-ou dn] [-status]
     dsconfigad -r -u username [-p password] [-lu username] [-lp password]
     dsconfigad [-lu username] [-lp password] [-mobile enable | disable] [-mobileconfirm enable | disable]
                [-localhome enable | disable] [-useuncpath enable | disable] [-protocol afp | smb]
                [-shell value] [-uid attribute | -nouid] [-gid attribute | -nogid]
                [-ggid attribute | -noggid] [-preferred server | -nopreferred]
                [-groups "group1,group2,..." | -nogroups] [-alldomains enable | disable]
                [-packetsign allow | disable | require] [-packetencrypt allow | disable | require]
                [-passinterval value] [-namespace forest | domain] [-enableSSO]
     dsconfigad -staticmap attribute-type attribute-value [-lu username] [-lp password]

DESCRIPTION
     This tool allows command-line configuration of the Active Directory Plugin.  dsconfigad has the same
     functionality for configuring the Active Directory plugin as the Directory Access application.  It
     requires "admin" privileges to the local workstation and to the Directory to make changes.

     A list of flags and their descriptions:

     -h       Lists the options for calling dsconfigad

     -show    Shows the current configuration of the Active Directory Plugin

     -f       Force the process (i.e., join the existing account or remove the binding)

     -a computerid
              Add "computerid" to the specified Domain

     -r       Remove this computer from the current Domain

     -status  Print status information while adding computer to domain.

     -u username
              Username of a Network account that has administrative privileges to add/remove this computer
              to/from the specified Domain

     -p password
              Password to use in conjunction with the specified username.  If this is not specified, you
              will be prompted for entry.

     -lu username
              Username of a local account that has administrative privileges to this computer

     -lp password
              Password to use in conjunction with the specified local username.  If this is not specified,
              you will be prompted for entry.

     -domain fqdn
              The fully-qualified DNS name of the Domain to be used when adding the computer to the
              Directory (e.g., domain.ads.demo.com).

     -ou dn   The LDAP DN of the container to use for adding the computer.  If this is not specified, it
              will default to the container "CN=Computers" within the domain that was specified (e.g.,
              "CN=Computers,DC=domain,DC=ads,DC=demo,DC=com").

     -mobile enable | disable
              This flag determines whether the plugin will enable mobile account support for offline logon
              (disabled by default).  This flag is a hint.  If the appropriate Workgroup Management settings
              exist for a user, this will not override, as directory settings for the user take precedence.

     -mobileconfirm enable | disable
              This flag determines whether the plugin will warn the user when a mobile account is going to
              be created.  This flag is a hint, as discussed under -mobile.

     -localhome enable | disable
              This flag determines whether the plugin forces all home directories to be local to the
              computer (i.e., /Users/username) (enabled by default).

     -useuncpath enable | disable
              This flag determines whether the plugin uses the UNC specified in the Active Directory when
              mounting the network home.  If this is disabled, the plugin will look for Apple schema
              extensions to mount the home directory.

     -protocol afp | smb
              This flag determines how a home directory is mounted on the desktop.  By default SMB is used,
              but AFP can be used for use with Mac OS X Server or 3rd Party AFP solutions on Windows Servers
              (previously known as mountstyle)

     -shell value
              Use the specified shell (e.g., "/bin/bash") if a shell attribute does not exist in the
              directory for the user logging into this computer.  Use a shell value of "none" to disable use of a
              default shell, preserving values that are only specified in the directory.

     -uid attribute
              This specifies the attribute to be used for the UID of the user.  By default, a UID is
              generated from the Active Directory GUID.

     -nouid   Turn off any previously mapped attribute and generate the UID from the Active Directory GUID.

     -gid attribute
              This specifies the attribute to be used for the GID of the user.  By default, a GID is derived
              from the primaryGroupID of the user (typically Domain Users).

     -nogid   Turn off any previously mapped attribute and use the GID from the directory.

     -ggid attribute
              This specifies the attribute to be used for the GID of the group.  By default, a group GID is
              generated from the Active Directory GUID of the group.

     -noggid  Turn off any previously mapped attribute and generate the group GID from the Active Directory
              GUID.

     -preferred server
              Use the specified server for all Directory lookups and authentications.  If the server is no
              longer available, it will fail-over to other servers.

     -nopreferred
              Turn off any previously specified server and default to dynamic server discovery.

     -groups group1,group2,...
              Use the listed groups to determine who has local administrative privileges on this computer.
              Groups can be specified by domain to ensure security is not compromised, e.g., "domain
              admins@domain.ads.demo.com"

     -nogroups
              Disable use of the current groups for determining administrative privileges on this computer.

     -alldomains enable | disable
              This flag determines whether the plugin allows authentication from any domain in the forest.
              When this is enabled, individual domains will not be visible, only "All Domains". If it is
              disabled, you will have the ability to select the specific domains that can authenticate to
              this computer. Enabled by default.

     -staticmap attribute-type attribute-value
              Enable static mapping of an attribute-type to a specific attribute-value for User records.  Do
              not static map values such as UID, RecordName and GeneratedUID as unexpected behavior will
              occur.  This is for use in other attributes that are not typically searched.  Attribute types
              are Directory Service types (i.e., "dsAttrTypeStandard:State"), see
              DirectoryServiceAttributes(7).

     -packetsign allow | disable | require
              By default packet signing is allowed but not required, but can be required or disabled (for
              example if debugging a problem).  This ensures that the data to/from the server is not
              tampered with by another computer before it is received.

     -packetencrypt allow | disable | require
              By default packet encryption is allowed but not required, but can be required or disabled (for
              example if debugging a problem).  This ensures that the data to/from the server is encrypted
              and signed guaranteeing the content was not tampered with and cannot be seen by other
              computers on the network.

     -passinterval value
              Set how often the computer trust account password should be changed (default 14).

     -namespace forest | domain
              Sets the primary account username naming convention.  By default it is set to "domain" naming
              which assumes no conflicting user accounts across all domains.  If your Active Directory
              forest has conflicts, setting this to "forest" will prefix all usernames with "DOMAIN\" to
              ensure unique naming between domains (e.g., "ADDOMAIN\user1").  Warning:  this will change the
              primary name of the user for all logins.  Changing this setting on an existing system will cause
              any existing homes to be unused on the local machine.

     -enableSSO
              (Server Only) When using Mac OS X Server with Active Directory, this enables SSO for all
              supported services.

EXAMPLES
     Adding a computer to a Directory:

     dsconfigad -a ThisComputer -u "administrator" -ou "CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com"
     -domain domain.ads.apple.com

     Giving a set of groups administrative access to the local computer:

     dsconfigad -groups "DOMAIN\domain admins,FOREST\enterprise admins,DOMAIN\desktop techs"
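
     Checking a dsconfigad invocation before it goes into a provisioning script (an added example, not
     part of the original manual page).  The helper name lint_dsconfigad is hypothetical and the sample
     arguments are constructed; it reports an inline -p/-lp password, -packetsign/-packetencrypt values
     other than "require", and -groups entries that are not qualified with a domain:

```sh
# Added example (hypothetical helper): lint a dsconfigad argument list.
# Flags and values are the ones listed in the SYNOPSIS of this page.
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
lint_dsconfigad() (
    set -f                      # no globbing while splitting the group list
    findings=""
    add() { findings="${findings}$1
"; }
    while [ $# -gt 0 ]; do
        flag=$1; shift
        case $flag in
        -p|-lp)
            # A next token that is not a flag is an inline password, which
            # lands in shell history and in the process list.
            if [ $# -gt 0 ] && [ "${1#-}" = "$1" ]; then
                add "$flag: inline password; omit it to be prompted"
                shift
            fi ;;
        -packetsign|-packetencrypt)
            val=${1:-}; [ $# -gt 0 ] && shift
            case $val in
            require) ;;
            allow|disable) add "$flag $val: protection not enforced; use require" ;;
            *) add "$flag: invalid value '$val'" ;;
            esac ;;
        -groups)
            val=${1:-}; [ $# -gt 0 ] && shift
            oldifs=$IFS; IFS=,
            for g in $val; do
                case $g in
                *\\*|*@*) ;;    # DOMAIN\group or group@fqdn
                *) add "-groups '$g': not qualified with a domain" ;;
                esac
            done
            IFS=$oldifs ;;
        esac
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
)

# Constructed sample: three findings expected (-p, -packetsign, "desktop techs").
lint_dsconfigad -a ThisComputer -u administrator -p 'Secret1' \
    -domain domain.ads.demo.com -packetsign allow \
    -groups 'DOMAIN\domain admins,desktop techs' || true
```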

SEE ALSO
     DirectoryService(8), DirectoryServiceAttributes(7)

Darwin                           April 2, 2008                          Darwin
