Couple of technical questions about OSX Server

Discussion in 'Mac OS X Server, Xserve, and Networking' started by Silas1066, May 3, 2010.

  1. macrumors member

    Joined:
    Nov 1, 2009
    #1
    I am a bit new to OSX Server, and I have a few questions:

    1. Once you use binding to secure the connection between the server and client mac, users who do not have local accounts defined on the client can still log into the network through that machine (by selecting "other account")--is this correct?

    2. Can setting up trusted bindings be done entirely from the server? Or do I need to do something on the client as well?

    3. If you set up managed settings by computer group and user groups, and there is a conflict (e.g. one group is allowed to use calculator and the other is not), what happens?
     
  2. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #2
    1. Yes, network users can log in if a home directory has been defined in WGM. Also, the standard practice for machines connected to a directory server is to show name and password, not user icons, at the login window. You can force this with MCX.

    2. Binding must be done on the client. There is no way, that I know of, to inform a client that it can use a directory service without doing so from the client. You can script that process, however. If you want, I have an AppleScript for it.

    3. The order for Managed Preferences in an override situation, from highest precedence to least, is:

    User
    Computer
    Computer Group
    Workgroup

    An override situation is when you manage one preference at multiple levels.

    You don't generally want to manage Application access with Workgroups, which is why they have the lowest precedence. A user can only be in one active Workgroup at a time. The user can choose by holding down "Option" before clicking the login button.

    You can set a Primary Group ID, but still, the settings would not be applied in the way you want.

    A good managed preference strategy will limit certain preferences to specific account types. For example, managing Applications by Computer Group would be a good idea if you wanted to manage a Lab divided by purpose. Like AudioComputers and VideoComputers. Maybe the AudioComputers are allowed to access GarageBand and iTunes while VideoComputers can access iMovie and QuickTime.

    It is best to sit down before deploying and develop a clear strategy.

    Also be aware that if you set different Application access per account type, these will combine. For example:

    Workgroup: Calculator
    Computer Group: Safari
    Computer: iCal
    User: Preview

    A user in these groups will get access to all of these Applications.
     
  3. thread starter macrumors member

    Joined:
    Nov 1, 2009
    #3
    When you say that a user can only be a member of one active group, what does that mean exactly? Surely a user can be in 2-3 groups, yes?
     
  4. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #4
    Of course, a user can be in as many groups as you want.

    Of course, what I mean is if a user is in Groups

    Test
    Test2

    The user will only get the managed settings from one group. When a user logs in they are assigned a Workgroup, or a user can choose it by holding "Option" and clicking "Login."

    If I allow Test to use Calculator, and I don't give that privilege to Test2, the settings the user gets are dependent upon which Workgroup they are assigned to on login.

    What you could do is manage this on the workgroup and level and apply user-specific policies. User-specific management will override all other account management.
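
A simplified model of the resolution rules described in posts #2 and #4, added here as an illustration; it is not part of the thread and not Apple's MCX implementation. The record names, the `dock_autohide` and `login_window` keys, and the `resolve` function are hypothetical.

```python
# Highest precedence first, as listed in post #2.
PRECEDENCE = ("User", "Computer", "Computer Group", "Workgroup")

# Constructed sample records: (level, name) -> managed settings.
RECORDS = {
    ("Workgroup", "Test"): {"apps": {"Calculator"}, "prefs": {"dock_autohide": True}},
    ("Workgroup", "Test2"): {"apps": set(), "prefs": {"dock_autohide": False}},
    ("Computer Group", "AudioComputers"): {
        "apps": {"GarageBand", "iTunes"},
        "prefs": {"login_window": "name_and_password"},
    },
    ("Computer", "lab-01"): {"apps": {"iCal"}, "prefs": {}},
    ("User", "alice"): {"apps": {"Preview"}, "prefs": {"dock_autohide": False}},
}


def resolve(user, computer, computer_group, active_workgroup, records=RECORDS):
    """Return the effective settings for one login session.

    Only the single active Workgroup is in scope, even if the user
    belongs to several groups (post #4).
    """
    scope = {
        "User": user,
        "Computer": computer,
        "Computer Group": computer_group,
        "Workgroup": active_workgroup,
    }
    apps, prefs, source = set(), {}, {}
    # Walk from lowest to highest precedence so higher levels overwrite.
    for level in reversed(PRECEDENCE):
        record = records.get((level, scope[level]))
        if record is None:
            continue
        apps |= record["apps"]  # application access combines across levels
        for key, value in record["prefs"].items():
            prefs[key] = value  # single-valued preference: override
            source[key] = level  # remember which level won
    return {"apps": apps, "prefs": prefs, "source": source}


if __name__ == "__main__":
    for wg in ("Test", "Test2"):
        print("bob", wg, resolve("bob", "lab-01", "AudioComputers", wg))
    print("alice", resolve("alice", "lab-01", "AudioComputers", "Test"))
```

Because application lists combine, leaving an application out at one level does not remove it when another level in scope still grants it; auditing effective access means checking every level that applies to the session.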
     
  5. macrumors 68030

    Les Kern

    Joined:
    Apr 26, 2002
    Location:
    Alabama
    #5
    And just to add, the permissions run from most powerful to least like this:
    User, Machine Group, Group.

    So user over-rides all, machine settings over-ride group, group is least powerful.
     
  6. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #6
    What permissions are you referring to?
     
  7. thread starter macrumors member

    Joined:
    Nov 1, 2009
    #7
    calderone: I'd love that AppleScript if you have it.

    I can PM you with my email.

    And thanks for the comprehensive answer.
     
  8. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #8
    Yeah, no problem.

    Let me generalize it a bit more and add some more comments. Expect a PM sometime later this evening.

    Also, if you could comment the type of things you need. For example, we have a standard for naming computers. Do you want some logic to check that the machine name is correct and, if it is not, allow a new one to be entered?
     
  9. thread starter macrumors member

    Joined:
    Nov 1, 2009
    #9
    Thanks, calderone.

    I'm thinking about converting 150-200 users to a Mac environment (we will still have some Citrix, Linux, and some Windows here).

    Some logic to check the name would be awesome.
     
  10. macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #10
    No problem. I was waiting to hear back from you.

    I will tackle the rest of it this weekend. It will require you to modify a few variables for your setup. Expect a PM soon sometime tomorrow.
     
  11. thread starter macrumors member

    Joined:
    Nov 1, 2009
    #11
    Great, thanks! (see, this is why Apple users are the best)
     
