Hybrid Homes (OS X Server and Client Discussion › Active Directory)
This topic has 5 replies, 2 voices, and was last updated 15 years, 1 month ago by cmra.
cmra (Participant), September 3, 2009 at 7:55 am, #377055

Wondered if any other people here have attempted a similar setup. We have a large AD network running 2008 with Unix DNS and an OD network running Leopard. At present the two directories are separate, but we are hoping to change so that all users authenticate to AD rather than OD, eliminating the need for separate accounts for the two systems. I have looked at the magic triangle, cylinder of destiny etc. and they don’t seem to fit what we want, which is: when users log in to the Macs they authenticate via AD but their Mac mobile account resides on the OS X server, and when they log in to a PC their PC account is located on the AD server. The other issue, which I’m not sure has been resolved yet, is that our AD network uses .local; is this still an issue?
sramdeen (Participant), September 3, 2009 at 10:21 am, #377058

It is most definitely possible, but it’s not really something that’s publicly documented by Apple.
What you can do is manage the ‘Synchronisation URL’ setting in the mobile account MCX for a given workgroup. From the description:
[quote]URL of the network home used for home sync. Only settable for mobile account creation. The string “%@” will be substituted with the user record name before use. Example: afp://myserver.apple.com/Users/BuildingA/%@ .[/quote]
I have a setup so that:
AD users can log in to the Macs with their normal everyday username and password and have a homedir located live on the Mac server (using augmented records, as described here http://209.85.229.132/search?q=cache:1cpVgeTTKs0J:developer.apple.com/releasenotes/MacOSXServer/RN-DirectoryServicesSession549/index.html+extending+directory+services&cd=1&hl=en&ct=clnk&client=safari – God bless ’em, they’ve broken the link).
If users want to use iMovie or FCE, they log in with their ‘movie’ username assigned to them/their group. This user account is also in AD, but it is in an OD workgroup that has its Synchronisation URL set, so that the homedir syncs up and down to/from the Xserve in order to make video apps play nicely.
Let me know if you have any questions.
Stu
cmra (Participant), September 3, 2009 at 12:37 pm, #377059

Ah cheers, that’s all good stuff. The way I would want it would be that the PC and Mac user areas were totally separate, the PC one on an AD server and the Mac home on the Xserve, but still using the same user ID. I suppose I could set the URL via a computer list MCX, so if users logged into a Mac in the list the home URL parameter is changed to point at the Xserve. Then reset on logout to the AD default using a logout hook?
sramdeen (Participant), September 3, 2009 at 12:54 pm, #377060

No, you wouldn’t even need to do that. Sorry, perhaps my explanation wasn’t clear. For your setup you would edit the synchronisation URL on a machine group basis, meaning that all users logging in to a Mac in that list have their sync URL settings applied to them, so that their home dir effectively lives on the Mac server. The user’s record in the AD is not touched at all – the AD doesn’t know that the user’s home is on a Mac server; that’s down to the Mac client and OS X Server.
The only real thing you need to decide is whether or not you want mobile accounts with synchronisation (users almost always sit at the same machines and they are hard-wired) or live network homes on the Mac server (users move around a lot, you have laptops running wirelessly). The other benefit of synchronised homes is that things like Adobe CS and M$ stuff play better compared to being run from a ‘live’ network home directory, as to the running application the home directory is a local one.
The former is where Synchronisation URL comes into play; the latter is simply a case of augmenting the users’ AD record with an OD one providing certain bits of info for the client (home directory location being the obvious one).
Stu
cmra (Participant), March 4, 2010 at 2:43 pm, #378124

Hi Stu, it’s been a long time since you replied to this post, but we are only just moving on this now and we have run into a couple of stumbling blocks, namely the creation of the mobile accounts at first login. I wonder if you could point out anything we may have missed.
The steps we have taken so far are:
- We have bound our OD Master (currently running KDC for Mac users, though this won’t be the case for much longer) to AD.
- Bound a test client to AD and OD (OD first in search path), unticking “use UNC path” and unticking “create mobile account at login”.
- Created a computer group on the master.
- Added ManagedClient to preferences.
- In the details tab I have modified the “Mobile Account & Other Options” to include the following:
  “Create Mobile Account” “True”
  “Create Portable Home Directory” “True”
  “Mobile Home Location” “path”
  “Mobile Home Parent Path” “/Network/Servers/our-server.com/Volumes/DATADRIVE/Home”
  “Synchronisation URL” “afp://our-server.com/Home/%@”
No problems with authentication, but when logging on with the client and “ad_username” I get the error “Unable to create Mobile account. There was a problem while creating or accessing “/Network/Servers/our-server.com/Volumes/DATADRIVE/Home/ad_username””.
KDC is still on the OD (would this make a difference?)
The path is accessible from the client in Terminal. Initially I thought it was a permissions issue and gave the user write permissions to the share, just to test, but that made no difference.
Is there something I’m missing here? Any tips would be gratefully received!
cmra (Participant), March 4, 2010 at 4:51 pm, #378127

I forgot to add the error, which makes it a little clearer where the problem lies:
“04/03/2010 12:57:09 com.apple.loginwindow[3879] 2010-03-04 12:57:08.998 ManagedClient[3886:903] MCXCCreateMobileAccount(): Failed to create account. Error = -6304 (mobile account file path is either not a directory or could not be properly created). Cleaning up mobile account record.”
Just to note that directory does exist!
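Added example, not code from the thread, from Apple or from either poster: a small POSIX sh diagnostic that reproduces by hand the two things the -6304 message in the post above complains about (the mobile home parent must be a directory the logging-in user can write to, and the per-user path must not already exist as something other than a directory), and that expands the “%@” placeholder in the Synchronisation URL the way the MCX description quoted by sramdeen says it is substituted. The paths are the ones quoted in the thread; “ad_username” is a placeholder for the AD record name.

```shell
#!/bin/sh
# Added diagnostic for the "Unable to create Mobile account" / -6304 case in the
# thread. Not Apple's code and not the posters' code; paths come from the thread
# and "ad_username" is a placeholder.

# Expand the MCX "%@" placeholder as the Synchronisation URL description states:
# every "%@" is replaced with the user record name.
expand_record_name() {
    template="$1"; record_name="$2"
    printf '%s\n' "$template" | sed "s|%@|$record_name|g"
}

# Check the mobile home parent path and the per-user home path beneath it.
# Prints one finding per line; returns 0 when nothing is wrong, 1 otherwise.
# Run it as the user whose login fails (root passes every -w test).
check_mobile_home() {
    parent="$1"; record_name="$2"
    home="$parent/$record_name"
    rc=0
    # Testing a /Network/Servers/... path triggers the automount, which is
    # wanted here: the client must be able to mount the share before login.
    if [ ! -d "$parent" ]; then
        echo "parent is missing or not a directory: $parent"
        rc=1
    elif [ ! -w "$parent" ]; then
        echo "parent is not writable by $(id -un): $parent"
        rc=1
    fi
    # ManagedClient needs to create or reuse a directory at $home; a plain file
    # or a dangling symlink in the way is exactly the -6304 condition.
    if [ -e "$home" ] && [ ! -d "$home" ]; then
        echo "home path exists but is not a directory: $home"
        rc=1
    fi
    if [ -h "$home" ] && [ ! -e "$home" ]; then
        echo "home path is a dangling symlink: $home"
        rc=1
    fi
    return $rc
}

# Usage with the thread's values (placeholder username):
#   expand_record_name 'afp://our-server.com/Home/%@' ad_username
#   check_mobile_home /Network/Servers/our-server.com/Volumes/DATADRIVE/Home ad_username
```

The check only covers what the client can see on the mounted share; it says nothing about the AFP server's own permissions model, and on a real client it should be run as the AD user (for example via sudo -u), since the root user passes the writability test regardless of the share's ACLs.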