
Couple of technical questions about OSX Server




Silas1066
May 3, 2010, 03:40 PM
I am a bit new to OSX Server, and I have a few questions:

1. Once you use binding to secure the connection between the server and client Mac, users who do not have local accounts defined on the client can still log into the network through that machine (by selecting "Other account")--is this correct?

2. Can setting up trusted bindings be done entirely from the server? Or do I need to do something on the client as well?

3. If you set up managed settings by computer group and user groups, and there is a conflict (e.g. one group is allowed to use calculator and the other is not), what happens?



calderone
May 3, 2010, 04:06 PM
1. Yes, network users can log in if a home directory has been defined in WGM. Also, the standard practice for machines connected to a directory server is to show name and password, not user icons, at the login window. You can force this with MCX.

2. Binding must be done on the client. There is no way, that I know of, to inform a client that it can use a directory service without doing so from the client. You can script that process however. If you want, I have an AppleScript for it.

3. The order for Managed Preferences in an override situation, from highest precedence to least, is:

User
Computer
Computer Group
Workgroup

An override situation is when you manage one preference at multiple levels.

You don't generally want to manage Application access with Workgroups, which is why they have the lowest precedence. A user can only be in one active Workgroup at a time. The user can choose by holding down "Option" before clicking the login button.

You can set a Primary Group ID, but still, the settings would not be applied in the way you want.

A good managed preference strategy will limit certain preferences to specific account types. For example, managing Applications by Computer Group would be a good idea if you wanted to manage a lab divided by purpose, like AudioComputers and VideoComputers. Maybe the AudioComputers are allowed to access GarageBand and iTunes while VideoComputers can access iMovie and QuickTime.

It is best to sit down before deploying and develop a clear strategy.

Also be aware, that if you set different Application access per account type, these will combine. For example:

Workgroup: Calculator
Computer Group: Safari
Computer: iCal
User: Preview

A user in these groups will get access to all of these Applications.

Silas1066
May 3, 2010, 04:32 PM
When you say that a user can only be a member of one active group, what does that mean exactly? Surely a user can be in 2-3 groups, yes?

calderone
May 3, 2010, 06:10 PM
Of course, a user can be in as many groups as you want.

What I mean is, if a user is in the groups

Test
Test2

The user will only get the managed settings from one group. When a user logs in they are assigned a Workgroup, or a user can choose it by holding "Option" and clicking "Login."

If I allow Test to use Calculator, and I don't give that privilege to Test2, the settings the user gets are dependent upon which Workgroup they are assigned to on login.

What you could do is manage this on the workgroup level and apply user-specific policies. User-specific management will override all other account management.
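To make the resolution rules in this thread concrete, here is an added example (not part of the original posts, and not an export of any real WGM data) that models them in plain sh: for an ordinary "override" preference the highest-precedence level that manages the key wins (User, then Computer, then Computer Group, then Workgroup); application access lists are unioned across every applicable level; and only the one Workgroup chosen at login counts. The policy records, the key names (`dock.orientation`, `apps.allow`), the account names and the assumption that a machine sits in a single computer group are all constructed for the example.

```sh
#!/bin/sh
# Added example: a model of MCX precedence as described in the thread.
# Records are "level|name|key|value" (constructed sample data, not from WGM).
# Override keys: highest-precedence level wins (user > computer > computergroup > workgroup).
# apps.allow: union across all applicable levels.
# Only the workgroup passed in (the one chosen at login) is considered.
set -eu

POLICY='user|silas|dock.orientation|left
computer|HQ-AUDIO-01|dock.orientation|bottom
computergroup|AudioComputers|dock.autohide|true
workgroup|Test|dock.orientation|right
workgroup|Test|apps.allow|Calculator
workgroup|Test2|apps.allow|TextEdit
computergroup|AudioComputers|apps.allow|GarageBand
computergroup|AudioComputers|apps.allow|iTunes
computer|HQ-AUDIO-01|apps.allow|iCal
user|silas|apps.allow|Preview'

# records_for USER COMPUTER COMPUTERGROUP WORKGROUP
# Prints "rank|key|value" for every record that applies to this login,
# where rank 1 is the highest precedence level.
records_for() {
    printf '%s\n' "$POLICY" | awk -F'|' -v u="$1" -v c="$2" -v cg="$3" -v wg="$4" '
        $1=="user"          && $2==u  {print 1 "|" $3 "|" $4}
        $1=="computer"      && $2==c  {print 2 "|" $3 "|" $4}
        $1=="computergroup" && $2==cg {print 3 "|" $3 "|" $4}
        $1=="workgroup"     && $2==wg {print 4 "|" $3 "|" $4}'
}

# effective_pref KEY USER COMPUTER COMPUTERGROUP WORKGROUP
# Prints the winning value for an override-style key, or nothing if unmanaged.
effective_pref() {
    key=$1; shift
    records_for "$@" | awk -F'|' -v k="$key" '$2==k {print $1 "|" $3}' \
        | LC_ALL=C sort -t'|' -k1,1n | head -n 1 | cut -d'|' -f2
}

# allowed_apps USER COMPUTER COMPUTERGROUP WORKGROUP
# Prints the union of apps.allow across all applicable levels, comma-separated
# (C-locale sort so the result is stable across machines).
allowed_apps() {
    records_for "$@" | awk -F'|' '$2=="apps.allow" {print $3}' \
        | LC_ALL=C sort -u | awk 'NR>1 {printf ","} {printf "%s", $0} END {print ""}'
}

# Same user and machine, different Workgroup chosen at login: the Dock
# setting is unchanged (User wins), but the app list differs.
effective_pref dock.orientation silas HQ-AUDIO-01 AudioComputers Test
allowed_apps silas HQ-AUDIO-01 AudioComputers Test
allowed_apps silas HQ-AUDIO-01 AudioComputers Test2
```

The two `allowed_apps` calls at the bottom are the situation from the thread: a user in both Test and Test2 gets Calculator only when Test is the active Workgroup, while the Computer, Computer Group and User entries are present either way because those lists combine.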

Les Kern
May 4, 2010, 06:40 AM
And just to add, the permissions run from most powerful to least like this:
User, Machine Group, Group.

So user over-rides all, machine settings over-ride group, group is least powerful.

calderone
May 4, 2010, 04:54 PM
And just to add, the permissions run from most powerful to least like this:
User, Machine Group, Group.

So user over-rides all, machine settings over-ride group, group is least powerful.

What permissions are you referring to?

Silas1066
May 6, 2010, 08:21 AM
calderone: I'd love that AppleScript if you have it.

I can PM you with my email

and thanks for the comprehensive answer

calderone
May 6, 2010, 12:25 PM
Yeah, no problem.

Let me generalize it a bit more and add some more comments. Expect a PM sometime later this evening.

Also, if you could comment the type of things you need. For example, we have a standard for naming computers. Do you want some logic to check that the machine name is correct and if it is not allow a new one to be entered?
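Since binding has to be done from the client (as calderone says above) and the script being offered checks the machine name first, here is an added example of that procedure in plain sh. It is not the AppleScript from the thread; it is written for a Mac OS X 10.5/10.6 client doing an authenticated ("trusted") Open Directory bind with `dsconfigldap` and then adding the node to the search policy with `dscl`. The server name `od.example.com`, the `diradmin` account and the naming pattern are assumptions to be replaced with your own.

```sh
#!/bin/sh
# Added example: authenticated Open Directory bind from the client, with a
# computer-name check against a site standard. Not the AppleScript offered in
# the thread. Server, admin account and naming pattern are assumptions.
set -eu

OD_SERVER="od.example.com"      # assumed Open Directory master (FQDN as the server knows itself)
DIRADMIN="diradmin"             # assumed directory admin used to create the computer record
NAME_PATTERN='^[A-Z]{2,8}-(AUDIO|VIDEO|LAB)-[0-9]{2}$'   # assumed site standard, e.g. HQ-AUDIO-01

# Return 0 when NAME matches the site standard, 1 otherwise.
check_computer_name() {
    printf '%s\n' "$1" | grep -Eq "$NAME_PATTERN"
}

# Derive a valid Bonjour/local hostname from the computer name:
# lower case, and anything outside [a-z0-9-] becomes '-'.
local_hostname_for() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9-]/-/g'
}

# Keep asking until the name on this machine passes the check.
prompt_for_name() {
    name=$(scutil --get ComputerName 2>/dev/null || true)
    while ! check_computer_name "$name"; do
        printf 'Computer name "%s" does not match %s. Enter a new name: ' "$name" "$NAME_PATTERN" >&2
        read -r name
    done
    printf '%s\n' "$name"
}

bind_client() {
    name=$1
    scutil --set ComputerName "$name"
    scutil --set LocalHostName "$(local_hostname_for "$name")"

    # Read the directory admin password from the console rather than taking
    # it as a script argument. It still ends up on the dsconfigldap command
    # line, visible in `ps` to any local user for the seconds the bind runs,
    # so run this at deployment time, not while users are logged in.
    printf 'Password for %s on %s: ' "$DIRADMIN" "$OD_SERVER" >&2
    stty -echo; read -r dirpass; stty echo; echo >&2

    # -u/-p make this an authenticated bind: the server creates a computer
    # record named after -c, which is what trusted (Kerberized) binding
    # relies on. Leaving -u/-p out gives a plain anonymous LDAP bind.
    dsconfigldap -v -a "$OD_SERVER" -n "$OD_SERVER" -c "$name" -u "$DIRADMIN" -p "$dirpass"

    # Put the new node on the authentication and contacts search paths.
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath "/LDAPv3/$OD_SERVER"
    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -append / CSPSearchPath "/LDAPv3/$OD_SERVER"

    # Sanity check: the node answers and can list users.
    dscl "/LDAPv3/$OD_SERVER" -list /Users >/dev/null && echo "Bound $name to $OD_SERVER" >&2
}

# Only bind when explicitly asked, and only as root. Running the file with
# no arguments just defines the functions so they can be tested or sourced.
if [ "${1:-}" = "--bind" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
    bind_client "$(prompt_for_name)"
fi
```

Run it as `sudo sh bind.sh --bind` on the client. If the machine is later re-bound, `dsconfigldap -r "$OD_SERVER"` removes the old configuration first; the `dscl -append` lines do not de-duplicate, so check `dscl /Search -read / CSPSearchPath` afterwards.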

Silas1066
May 8, 2010, 08:21 PM
thanks calderone

I'm thinking about converting 150-200 users to a Mac environment (we will still have some Citrix, Linux, and some Windows here)

some logic to check the name would be awesome

calderone
May 8, 2010, 08:35 PM
No problem. I was waiting to hear back from you.

I will tackle the rest of it this weekend. It will require you to modify a few variables for your setup. Expect a PM sometime tomorrow.

Silas1066
May 9, 2010, 08:31 AM
No problem. I was waiting to hear back from you.

I will tackle the rest of it this weekend. It will require you to modify a few variables for your setup. Expect a PM sometime tomorrow.

Great, thanks! (see, this is why Apple users are the best)