Manual Pages for UNIX Darwin command on man dsconfigad

dsconfigad(8) BSD System Manager's Manual dsconfigad(8)

NAME

dsconfigad - retrieves/changes configuration for Directory Services Active Directory Plugin.

SYNOPSIS

dsconfigad -h

dsconfigad -show [-lu username] [-lp password]

dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password]
           [-lu username] [-lp password] [-ou dn] [-status]

dsconfigad -r -u username [-p password] [-lu username] [-lp password]

dsconfigad [-lu username] [-lp password] [-mobile enable | disable]
           [-mobileconfirm enable | disable]
           [-localhome enable | disable] [-useuncpath enable | disable]
           [-protocol afp | smb] [-shell value] [-uid attribute | -nouid]
           [-gid attribute | -nogid] [-ggid attribute | -noggid]
           [-preferred server | -nopreferred]
           [-groups "group1,group2,..." | -nogroups]
           [-alldomains enable | disable]
           [-packetsign allow | disable | require]
           [-packetencrypt allow | disable | require]
           [-passinterval value] [-namespace forest | domain]
           [-enableSSO]

dsconfigad -staticmap attribute-type attribute-value [-lu username]
           [-lp password]

DESCRIPTION

This tool allows command-line configuration of the Active Directory Plug-in. dsconfigad has the same functionality for configuring the Active Directory plugin as the Directory Access application. It requires "admin" privileges to the local workstation and to the Directory to make changes. A list of flags and their descriptions:

-h
        Lists the options for calling dsconfigad

-show
        Shows the current configuration of the Active Directory Plugin

-f
        Force the process (i.e., join the existing account or remove the binding)

-a computerid
        Add "computerid" to the specified Domain

-r
        Remove this computer from the current Domain

-status
        Print status information while adding computer to domain.

-u username
        Username of a Network account that has administrative privileges to add/remove this computer to/from the specified Domain

-p password
        Password to use in conjunction with the specified username. If this is not specified, you will be prompted for entry.

-lu username
        Username of a local account that has administrative privileges to this computer

-lp password
        Password to use in conjunction with the specified local username. If this is not specified, you will be prompted for entry.

-domain fqdn
        The fully-qualified DNS name of the Domain to be used when adding the computer to the Directory (e.g., domain.ads.demo.com).

-ou dn
        The LDAP DN of the container to use for adding the computer. If this is not specified, it will default to the container "CN=Computers" within the domain that was specified (e.g., "CN=Computers,DC=domain,DC=ads,DC=demo,DC=com").

-mobile enable | disable
        This flag determines whether the plugin will enable mobile account support for offline logon (disabled by default). This flag is a hint. If the appropriate Workgroup Management settings exist for a user, this will not override, as directory settings for the user take precedence.

-mobileconfirm enable | disable
        This flag determines whether the plugin will warn the user when a mobile account is going to be created. This flag is a hint as discussed in -mobile

-localhome enable | disable
        This flag determines whether the plugin forces all home directories to be local to the computer (i.e., /Users/username) (enabled by default).

-useuncpath enable | disable
        This flag determines whether the plugin uses the UNC specified in the Active Directory when mounting the network home. If this is disabled, the plugin will look for Apple schema extensions to mount the home directory.

-protocol afp | smb
        This flag determines how a home directory is mounted on the desktop. By default SMB is used, but AFP can be used for use with Mac OS X Server or 3rd Party AFP solutions on Windows Servers (previously known as mountstyle)

-shell value
        Use the specified shell (e.g., "/bin/bash") if a shell attribute does not exist in the directory for the user logging into this computer. Use a shell value of "none" to disable use of a default shell, preserving values that are only specified in the directory.

-uid attribute
        This specifies the attribute to be used for the UID of the user. By default, a UID is generated from the Active Directory GUID.

-nouid
        Turn off any previously mapped attribute and generate the UID from the Active Directory GUID.

-gid attribute
        This specifies the attribute to be used for the GID of the user. By default, a GID is derived from the primaryGroupID of the user (typically Domain Users).

-nogid
        Turn off any previously mapped attribute and use the GID from the directory.

-ggid attribute
        This specifies the attribute to be used for the GID of the group. By default, a group GID is generated from the Active Directory GUID of the group.

-noggid
        Turn off any previously mapped attribute and generate the group GID from the Active Directory GUID.

-preferred server
        Use the specified server for all Directory lookups and authentications. If the server is no longer available, it will fail-over to other servers.

-nopreferred
        Turn off any previously specified server and default to dynamic server discovery.

-groups group1,group2,...
        Use the listed groups to determine who has local administrative privileges on this computer. Groups can be specified by domain to ensure security is not compromised, e.g., "domain admins@domain.ads.demo.com"

-nogroups
        Disable use of the current groups for determining administrative privileges on this computer.

-alldomains enable | disable
        This flag determines whether the plugin allows authentication from any domain in the forest. When this is enabled, individual domains will not be visible, only "All Domains". If it is disabled, you will have the ability to select the specific domains that can authenticate to this computer. Enabled by default.

-staticmap attribute-type attribute-value
        Enable static mapping of an attribute-type to a specific attribute-value for User records. Do not static map values such as UID, RecordName and GeneratedUID as unexpected behavior will occur. This is for use in other attributes that are not typically searched. Attribute types are Directory Service types (i.e., "dsAttrTypeStandard:State"), see DirectoryServiceAttributes(7).

-packetsign allow | disable | require
        By default packet signing is allowed but not required, but can be required or disabled (for example if debugging a problem). This ensures that the data to/from the server is not tampered with by another computer before it is received.

-packetencrypt allow | disable | require
        By default packet encryption is allowed but not required, but can be required or disabled (for example if debugging a problem). This ensures that the data to/from the server is encrypted and signed guaranteeing the content was not tampered with and cannot be seen by other computers on the network.

-passinterval value
        Set how often the computer trust account password should be changed (default 14).

-namespace forest | domain
        Sets the primary account username naming convention. By default it is set to "domain" naming which assumes no conflicting user accounts across all domains. If your Active Directory forest has conflicts, setting this to "forest" will prefix all usernames with "DOMAIN\" to ensure unique naming between domains (e.g., "ADDOMAIN\user1"). Warning: this will change the primary name of the user for all logins. Changing this setting on an existing system will cause any existing homes to be unused on the local machine.

-enableSSO
        (Server Only) When using MacOS X Server with Active Directory, this enables SSO for all supported services.

EXAMPLES

Adding a computer to a Directory:

        dsconfigad -a ThisComputer -u "administrator" -ou "CN=Computers,OU=Engineering,DC=ads,DC=demo,DC=com" -domain domain.ads.apple.com

Giving a set of groups administrative access to the local computer:

        dsconfigad -groups "DOMAIN\domain admins,FOREST\enterprise admins,DOMAIN\desktop techs"
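
The following sh function is an added example, not part of the original manual page. It lints the arguments of one dsconfigad invocation (for instance, a line from an enrollment script) for three points the option descriptions raise: passwords supplied inline with -p or -lp instead of at the prompt, -packetsign or -packetencrypt set to anything other than require, and -groups entries that carry no domain. The function name lint_dsconfigad and the warning texts are this example's own, and the sample invocation at the end is constructed.

```sh
#!/bin/sh
# Added example: lint one dsconfigad argument list.
# Flag names and values are those documented in this page; messages are ours.

lint_dsconfigad() (
    findings=0
    warn() { printf 'WARN: %s\n' "$1"; findings=$((findings + 1)); }
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|-lp)
                # Inline passwords are readable from the process list and
                # shell history; without the flag dsconfigad prompts instead.
                warn "$1 puts a password on the command line; omit it to be prompted" ;;
            -packetsign|-packetencrypt)
                # "allow" and "disable" both permit unprotected traffic.
                [ "${2:-}" = "require" ] || warn "$1 is '${2:-}', not 'require'" ;;
            -groups)
                # Each entry should name its domain: DOMAIN\group or group@fqdn.
                rest="${2:-},"
                while [ -n "$rest" ]; do
                    g="${rest%%,*}"; rest="${rest#*,}"
                    case "$g" in
                        *\\*|*@*) ;;
                        *) warn "admin group '$g' is not domain-qualified" ;;
                    esac
                done ;;
        esac
        shift
    done
    # Exit status 0 only when nothing was flagged, so CI can gate on it.
    [ "$findings" -eq 0 ]
)

# Constructed invocation with placeholder values, for illustration only.
lint_dsconfigad -lu localadmin -lp 'EXAMPLE-ONLY' \
    -packetsign allow -packetencrypt require \
    -groups 'DOMAIN\domain admins,desktop techs' || true
```

The function prints one WARN line per finding and returns non-zero if there is at least one, so it can gate a review step for provisioning scripts.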

SEE ALSO

DirectoryService(8), DirectoryServiceAttributes(7)

Darwin December 21, 2019 Darwin



