# Joining Apple Devices to khalsa.local Domain

## Prerequisites

- Mac must be on the network and able to reach the DC (TROUT at 10.11.12.254)
- DNS must resolve khalsa.local (primary DNS should be 10.11.12.254; the bind looks up the `_ldap._tcp` and `_kerberos._tcp` SRV records, so a resolver that cannot see the DC's zone will fail the join even if the IP is reachable)
- Ports 88 (Kerberos), 389 (LDAP), 445 (SMB) must be open to the DC
- The Mac's clock must be within Kerberos' default 5-minute skew of the DC, otherwise the join and later logins fail with authentication errors
- Credentials for an account allowed to join computers to the domain. The runbook uses the domain admin `guru`; a Domain Admin account is not required for a join, any account delegated rights to create computer objects in the target OU works, and a dedicated least-privileged join account is preferable

## Steps (run all as localadmin)

### 1. Verify connectivity

```bash
ping -c 2 10.11.12.254
nc -z -w 3 10.11.12.254 389 && echo "LDAP open" || echo "LDAP closed"
nc -z -w 3 10.11.12.254 88 && echo "Kerberos open" || echo "Kerberos closed"
```

### 2. Join the domain

Run this in an interactive Terminal session, not through a ScreenConnect command, because it prompts for the password:

```bash
sudo dsconfigad -add khalsa.local -username guru -force
```

Enter guru's password when prompted. No output means success. Do not pass the password with `-password` on the command line; it would be recorded in shell history and visible in the process list while the bind runs.

### 3. Verify binding

```bash
dsconfigad -show
id guru
```

`dsconfigad -show` should report that the Mac is bound to khalsa.local, and `id guru` should show `uid=...(guru)` with `KHALSA\Domain Admins` in the groups list. If `id guru` returns "no such user", the bind did not complete or the directory plugin is not serving lookups (see Troubleshooting).

### 4. Grant Domain Admins local admin rights

```bash
sudo dsconfigad -groups "KHALSA\Domain Admins"
```

This makes every member of Domain Admins a local administrator on the Mac. If a smaller group of people should administer Macs, name a dedicated AD group here instead of Domain Admins.

### 5. Set default domain (so users type just the username, not KHALSA\username)

```bash
sudo defaults write /Library/Preferences/com.apple.loginwindow DefaultDomain -string "KHALSA"
```

### 6. Reboot and test

Log in with just the domain username (e.g., `guru`); no `KHALSA\` prefix should be needed.

## Troubleshooting

**"Connection failed to the directory server" (2100)**

- If the Mac was previously joined and the trust is broken, force-remove the old binding first:

```bash
sudo dsconfigad -remove -username guru -force
```

Then redo step 2.

**"Data source (/Active Directory/KHALSA/All Domains) is not valid"**

- The directory plugin is not loading. Restart it:

```bash
sudo killall opendirectoryd
```

Wait 10 seconds, then test with `id guru`.

**Domain user doesn't have sudo**

- Step 4 must be run while logged in as localadmin; the Domain Admins group is only granted admin rights once it has been added via `dsconfigad -groups`.

**User has to type KHALSA\ at login**

- Step 5 wasn't applied, or the Mac needs a reboot after applying it.
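The checks in steps 1 and 3 are easy to eyeball once, but on a batch of Macs it helps to script them. The following is an added helper, not part of the original runbook: the DC, domain and group values are taken from this page, everything else (function names, the `--preflight`/`--verify` switches, the sample outputs) is assumed. The live pre-flight additionally confirms the primary resolver and the `_ldap._tcp` SRV record and probes port 445, which the prerequisites list but step 1 does not test. The parsing functions take the text of `scutil --dns`, `id` and `dsconfigad -show` as arguments so they can be exercised offline against constructed samples.

```shell
#!/bin/bash
# Added helper for the khalsa.local join runbook (not part of the original page).
# Pure parsing checks validate the output of `scutil --dns`, `id` and
# `dsconfigad -show`; the live pre-flight and verify steps only run when the
# script is invoked with --preflight or --verify, so sourcing it is side-effect free.
# DC, domain and group values come from the runbook; the rest is assumed.

DC_IP="10.11.12.254"
DOMAIN="khalsa.local"
ADMIN_GROUP='KHALSA\Domain Admins'
JOIN_PORTS="88 389 445"          # Kerberos, LDAP, SMB (runbook prerequisites)

# --- pure checks (no network; usable anywhere) ------------------------------

# $1 = text of `scutil --dns`, $2 = expected primary resolver IP.
# The first resolver's first entry is printed as "nameserver[0] : <ip>".
primary_dns_is() {
  printf '%s\n' "$1" | grep -q "nameserver\[0\] : $2\$"
}

# $1 = text of `id <user>`, $2 = user, $3 = AD group the user must be in.
# AD groups come back as DOMAIN\group; matched case-insensitively because the
# directory plugin may report them in lower case.
id_shows_group() {
  printf '%s\n' "$1" | grep -q "uid=[0-9][0-9]*($2)" &&
  printf '%s\n' "$1" | grep -qiF "($3)"
}

# $1 = text of `dsconfigad -show`, $2 = field label; prints the value after '='.
show_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*= *//p"
}

# Bound to the expected domain and the admin group is in the allowed-admin list?
bind_is_good() {
  [ "$(show_field "$1" 'Active Directory Domain')" = "$2" ] &&
  show_field "$1" 'Allowed admin groups' | grep -qiF "$3"
}

# --- live checks (macOS tools: nc, dig, scutil, dsconfigad) -----------------

port_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# Run before step 2 of the runbook.
preflight() {
  primary_dns_is "$(scutil --dns)" "$DC_IP" \
    || { echo "primary DNS is not $DC_IP"; return 1; }
  dig +short SRV "_ldap._tcp.$DOMAIN" "@$DC_IP" | grep -q "$DOMAIN" \
    || { echo "no _ldap._tcp SRV record for $DOMAIN from $DC_IP"; return 1; }
  for p in $JOIN_PORTS; do
    port_open "$DC_IP" "$p" || { echo "port $p closed on $DC_IP"; return 1; }
  done
  echo "pre-flight OK"
}

# Run after step 4 of the runbook; $1 = domain user to resolve (default guru).
verify_bind() {
  bind_is_good "$(dsconfigad -show)" "$DOMAIN" "$ADMIN_GROUP" \
    || { echo "not bound to $DOMAIN or $ADMIN_GROUP not an allowed admin group"; return 1; }
  id_shows_group "$(id "$1")" "$1" "$ADMIN_GROUP" \
    || { echo "$1 did not resolve through AD as a member of $ADMIN_GROUP"; return 1; }
  echo "bind OK for $1"
}

# --- constructed samples: the shape of real output, values invented for testing --
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 10.11.12.254
  nameserver[1] : 10.11.12.1'

SAMPLE_ID='uid=1184201109(guru) gid=1184200513(KHALSA\domain users) groups=1184200513(KHALSA\domain users),1184200512(KHALSA\domain admins)'

SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = khalsa.local
  Active Directory Domain          = khalsa.local
  Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller      = not set
  Allowed admin groups             = KHALSA\Domain Admins'

case "${1:-}" in
  --preflight) preflight ;;
  --verify)    verify_bind "${2:-guru}" ;;
esac
```

Usage on the Mac being joined: `bash adcheck.sh --preflight` before step 2, then `bash adcheck.sh --verify guru` after step 4. Neither path needs sudo. A failing `--verify` with a passing `dsconfigad -show` usually points at the opendirectoryd problem described under Troubleshooting rather than at the bind itself.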
## Network Info

- DC: TROUT (10.11.12.254)
- Domain: khalsa.local
- DNS: 10.11.12.254 (primary), 10.11.12.1 (secondary)
- 10.11.12.243 is a DNS server but NOT the DC