|Jul 18, 2013, 10:52 AM||#1|
OS X network and local homes for Active Directory users
Currently I'm in the process of setting up a new ML (10.8.4) Mac Pro to act as an OD server in our College. I have successfully bound it to Active Directory, and any AD user can log in to the test Mac I have also bound. So far so good.
What I want, is for all users to have local home folders on whichever Mac they log in to. This is working. What I also want is to mount a Network home folder located on the Mac server, on user login, so all preferences for software etc will be stored locally, but any files can be saved to a network location and accessed from any Mac.
I have read various set up guides, white papers etc and I have reached a stumbling block. I checked both 'Force local home directory on startup disk' and 'Use UNC path from Active Directory to derive network home location'. The problem comes when defining the home folder in the AD user's profile. I input \\server\share\%username% and when I click 'Apply' I get an error, 'The home folder could not be created because: the request is not supported.' However, if I check on the server, it has actually created the folder. When I click 'Apply' again, I get a message saying the folder already exists, do I want the user to be granted full control. I click 'Yes', BUT, and this is where I'm coming unstuck, when I check the permissions of the folder created, I get access to the folder, and everyone gets no Access. The user of the folder has no rights therefore when I log in as that user to test, it doesn't work. If I manually add rights for that user to the folder, then that works, but this is impractical as I'd have to do this individually for a large number of students.
As an aside, if I use the Attribute Editor in AD to add a homeDirectory and homeDrive, and Apply this, I get no error, but also no user folder created. It doesn't create the folder on login either. This is an issue, as the user creation process is automated, and I intend to get this field updated as part of the creation process for those students who will be using Macs.
Both Domain Admins and Enterprise Admins have administrative rights to the ML Server. I am a Domain Admin. The Users sharepoint has R+W access for System Administrator, Administrators group and Everyone Else. I also tried adding Domain Admins and a local group called MacStudents, that contains an AD group (done in WGM) that the above users are members of.
My next step is to update the AD Schema to include Apple specific attributes and see if I can get it work that way, though I have no guarantee it will work this way either.
If there was a way to query a group, automatically create server based home folders with appropriate user names and grant the proper rights then this would be acceptable, however my scripting ability and knowledge is fairly non-existent.
Any help would be hugely appreciated as I've spent a long time trawling through google and various forums to no avail.
|Jul 18, 2013, 03:24 PM||#2|
I did this once in a test environment, but since I didn't have access to our AD, I abandoned the project. I don't remember everything I did but the setup was difficult and it does work. Hopefully my memory will help you in the right direction
You are on the right track and it comes down to permissions on the network drive.
IIRC, in AD the only thing you need to setup is the User Profile path. Use the IP address for the OD rather than the hostname. Windows SMB/CIFS doesn't work well with Apple's new implementation of SMB/CIFS. Not sure what they did but it's VERY minimal.
On the Client, it needs to be setup to use: "Use UNC path..." using SMB protocol. The OD sharepoint needs to have appropriate permissions for the Domain Admin, Domain users, and OD admin to have access to it. This is where my memory fails. It was something like the sharepoint was shared to everyone with full permissions. The security permissions took care of actual read/write permissions. If you search for setting up roaming profiles in Windows, it will also give you some clues.
You do not need the Apple Schema for AD for what you are trying to accomplish unless you plan to manage the Apple Machines using AD. The Apple Schema does not manage users, at all. Since you are using an OD, just use the OD to manage the machines. It will do much better at managing machines than the AD will.
I was able to successfully mount network homes using either the AD sharepoint or the OD sharepoint for network homes. What didn't work for me is that it also forced local homes, which I didn't want.
|Jul 24, 2013, 08:12 AM||#3|
rlkarren - Thanks for your reply.
That does make sense - I've got it to a point now that when I specify the home folder in AD, and check the permissions after creation, there is one unspecified user that has R&W access that just says 'Fetching' for however long I've tried leaving it.
I've given Domain Admins and Users access to the share, as well as local Mac admin, though I've unticked inheritance for Domain Users. I've also enabled File Sharing for Domain Admins and Users (previously it was just for a specific security group in AD)
Somewhere it seems there is almost definitely a permissions error, I just can't pin it down! Anything else you can recall would by much appreciated!
|Jul 25, 2013, 03:26 PM||#4|
network home woes
Let me start by saying I'm not really proposing any sort of solution to the mentioned problem. Instead what I've found so far trying to get AD/OD "Magic Triangle" working. I'm working in a large university environment and really can barely touch AD... extending the schema of AD is not an option.I've been running os 10.5 server for several years now with 10.6 clients. AD is used to authenticate and OD is used to manage but mostly just to host the network home. Students can sit at any computer in my lab and get the same desktop all while using there University username and password from AD. In order to get this all working I had to use augmented records from AD imported into Workgroup Manager on 10.5 server. Not the easiest of routes but works. I'm currently trying to get 10.8 server to work preferably without an augmented record. So far everything works without augments except hosting the users network home on the OD master. I really need to present the user with the same desktop regardless of which computer they choose to sit at. I have found how to get augments working with the os 10.8 server and 10.6 clients. It's very similar to 10.5 setup but instead using the directory utility and directory editor instead of making a change in workgroup manager. However, 10.7 and 10.8 clients seem to just ignore the augmented record and mount the local drive regardless of how I have the client AD plugin set. Every combination has been tried unc path ,no unc path,smb,afp,mobile accounts,everything disabled, you name it I've tried it. I called Apple and they will not help unless I purchase an enterprise support agreement. Kinda a bummer since everything works as it should on 10.6 clients. Well this probably didn't help at all but I'm hoping someone will have a thought or a direction to get this all working preferably without augments. It seems simple enough but just can't get clients to look at OD for the home directories when AD is involved.
|Jul 26, 2013, 04:56 AM||#5|
You're right - it doesn't help me! Actually that might be premature, as I have yet to investigate augmented records properly. It does seem like you're trying to do it slightly differently to me. Our current set up has all users hosted on 10.6 with no integration, but the network traffic caused by all the home directories on the server was too much for the server to cope with, and resulted in lots of beachballing. Hence trying to do it with local home directories and auto-mounting individual network homes too - we don't have the storage capacity on the windows side of things for all the graphics intensive work done on the Macs and students will have to learn that if they save to the desktop, that's where it stays. This is how the PCs have been for years, so it's no biggy.
Have you read Apple's white paper on the topic?
There might be some pointers in there to help you...
|Jul 26, 2013, 10:01 AM||#6|
Ok, having failed to get this to work, I've decided to resort to resetting permissions on the home folders. Luckily we have a licensed version of Passenger and I've discovered that it's possible to batch process user folder permissions and you can also export a script to do it for you, so this is what I will be doing.
|Sep 10, 2013, 11:11 AM||#8|
Someone on another forum suggested using ADmitMac or similar 3rd party solution....
Here's what I've got in place now:
AD users (Students) get created automatically.
Those on courses that will use Macs are flagged and details exported to csv.
A powershell script runs to populate the home directory attribute in AD, add the users to a security group and create a user home folder on the Mac server, and a subfolder within that folder.
As it's the start of term, new users are appearing daily, so this process runs daily.
I have a script created in Passenger to correct permissions on the user folders.
I have a plist file that lauches this script daily, after the user creation process, to correct the permissions on the user folders (took a while to get this working!)
On the windows side, using Group Policy folder redirection, the Documents folder is set to redirect to the subfolder within the user folder on the Mac server, created in the above process. This way, the students can access files on Macs and PCs.
The client Macs are bound to AD and OD. They are set to use UNC path from AD via SMB (AFP would be better but I think there are issues to do with passwords not being sent in plain text, so authentication fails) and also to force local home folder on startup disk. The user folder then mounts in the dock, although it isn't a default file location for saving unfortunately, which would be useful.
It's long winded, but it works, and fortunately I have access to people with scripting skills!
|Sep 10, 2013, 06:24 PM||#9|
Some programs (MS Office, and TextEdit if I remember correctly) don't appreciate it when the cache and home folders are on different partitions. So, once the Caches folder is created in /tmp, I link back to the network home for "TemporaryItems" and "Cleanup At Startup" in the Caches/ folder. I don't remember specifically why each of them was important; but, I'm pretty sure there was a reason.
Another directory to look at is ~/Library/PubSub/ where Safari keeps its RSS and favorite site info.
|Thread Tools||Search this Thread|
|thread||Thread Starter||Forum||Replies||Last Post|
|How can I chroot sftp-only users into a directory different from their homes?||carlosribas||Mac OS X Server, Xserve, and Networking||1||Sep 3, 2013 02:58 PM|
|Active directory and changing passwords||pctomm||Mac OS X Server, Xserve, and Networking||1||Aug 27, 2013 02:36 PM|
|Active Directory||MonsterRain||OS X 10.8 Mountain Lion||1||Aug 8, 2013 01:09 PM|
|Putting Macbook on Active Directory - Keeping local user||Duinan||Mac Basics and Help||2||Jun 20, 2013 04:31 PM|
|MacBook Pro 10.8.2 with Active Directory||MsCasey99||MacBook Pro||3||Jan 30, 2013 03:54 PM|
All times are GMT -5. The time now is 10:49 PM.