AD authentication OD Mobile Account 10.6.2

Viewing 15 posts - 1 through 15 (of 20 total)
  • #378119
    cmra
    Participant

    We are in the process of moving over to having all users log into their Macs using their existing Windows username rather than having two separate user directories as it currently stands. The process we wish to achieve is for the user to be authenticated by the AD directory when logging in, and for their home folder to be a mobile account with synchronisation which resides on the Mac servers. From various posts I gather that this is possible without extending the AD schema to incorporate Apple objects.

    The steps we have taken so far are:

    I have bound our OD Master to AD
    Bound a test client to AD and OD (OD first in the search path), unticking “Use UNC path” and unticking “Create mobile account at login”.

    Created a computer group on the master

    Added ManagedClient to preferences
    In the Details tab I have modified “Mobile Account & Other Options” to include the following:
    “Create Mobile Account” “True”
    “Create Portable Home Directory” “True”
    “Mobile Home Location” “path”
    “Mobile Home Parent Path” “/Network/Servers/our-server.com/Volumes/DATADRIVE/Home”
    “Synchronisation URL” “afp://our-server.com/Home/%@”

    No problems with authentication, but when logging on to the client as “ad_username” I get the error “Unable to create mobile account. There was a problem while creating or accessing “/Network/Servers/our-server.com/Volumes/DATADRIVE/Home/ad_username””.

    The path is accessible from the client in Terminal. Initially I thought it was a permissions issue and gave the user write permissions to the share, just to test, but that made no difference.

    Is there something I'm missing here? Any tips would be gratefully received!

    #378152
    arekdreyer
    Member

    In order to access /Network/Servers/our-server.com/Volumes/DATADRIVE/Home, you’ll have to set up network mounts. See http://www.peachpit.com/articles/article.aspx?p=1412022&seqNum=16

    #378173
    OmniBlade
    Participant

    Are you applying augments to the AD accounts then? If so, have you set the paths for HomeDirectory and NFSHomeDirectory to point to the correct places? Also, you may find it works better if you rely on the AD plugin to prompt for mobile home creation rather than managed prefs; just use managed prefs for specifying the sync URL.

    #378188
    cmra
    Participant

    I understood it to be possible to do the above process without doing any augments. We don't want to change anything on the AD record. The user is using AD just for authentication purposes.
    The idea is that when the user logs into the Mac, a mobile account is created for them on the Mac server which is just for Mac use. The users also use PCs which have a home directory set on the Windows server. The two have to be separate. We don't want the users to be prompted for a mobile account if possible, as this will cause confusion.

    Apparently this is undocumented by Apple, but I was informed that it is possible.

    I'm not sure why the preferences don't work, as the path is set to a network share.

    #378198
    arekdreyer
    Member

    The procedure for using augmented user records to provide customized home folders is documented in a WWDC2009 session (which is not publicly available), but it is publicly available in the book Mac OS X Directory Services v10.6.

    #378233
    rstasel
    Participant

    We’re looking at something similar… where we’re tying into central IS AD for auth, but want to provide network homes/PHDs for people via an OD/AFP solution (which is what we’re doing now, completely outside of AD).

    Mike Bombich's info about augments for 10.5 seems like what you have to do, but I'm stopped in my tracks by the fact that you can't add augmented user records to OD groups. We have to lock down who can use our computers to just those who are within our program (not everyone at the university).

    I’m not sure why Apple hasn’t implemented some function where you can have a “default” user record within OD that says “augment all records coming from AD with this template”, that would say “NFSHomeDirectory = /Network/Servers/server.example.com/Users/%username%”, etc. Then we’d just add the AD users to an OD group and be done with it.

    Creating an augment record for each user, when they’re all “the same” seems a bit extreme.

    Any additional info that can be supplied would be extremely helpful. Ideally this would also work on 10.5.8 clients, since we still have some of those around too... if not, please note what isn't possible on 10.5.x.

    Thanks!

    #378234
    cmra
    Participant

    I totally agree; however, I was told that augments were not necessary for mobile accounts, only for network homes. I was told that if you applied the following preferences, which are defaults in ManagedClient.app, then these settings would be applied to anyone who was in that group or logging into a machine in that computer group.

    We have this set up as a preference in a test computer group.

    After adding ManagedClient.app, the settings are set under “Mobile Accounts and other options”:

    “Create Mobile Account” “True”
    “Mobile Home Location” “path”
    “Mobile Home Parent Path” “/Network/Servers/our-server.com/Volumes/DATADRIVE/Home”
    “Synchronisation URL” “afp://our-server.com/Home/%@”

    The bottom line should set the mobile account sync URL for whoever logs onto the particular machine. However, as listed above, the error indicates it either can't find the path or can't write to the path, even though it's shared; I have given the AD group permission to write to that share, and I can access it and create a folder there on the command line using the test AD account.

    I suspect we will have to go down the augments path in any case, as we need to add in user quotas.

    To lock down the machine to particular users, just add the AD users who have access to an OD group (or users within an AD group nested in an OD group) and set up a managed preference to only allow users within that group to log on to machines within a particular computer group.

    #378235
    cmra
    Participant

    Managed to take this a stage further with the following changes:

    “Create PHD” “False”
    “Create Mobile Account” “True”
    “Mobile Home Location” “path”
    “Create Mobile Account from Local Template” “True”
    “Mobile Home Parent Path” “/Users”
    “Synchronisation URL” “afp://our-server.com/Home/%@”

    This now creates the local mobile account and the network one; however, syncing prompts for a username and password. I need to do further testing, as we are getting password prompts at sync.

    #378242
    rstasel
    Participant

    I get similar results on 10.5.8 clients. It creates the home on the client, and even mounts the /Users share from the server, but it doesn't create the home folder on the server, so sync doesn't work. If I create the folder on the server, it works perfectly!

    So, the steps required would be adding the AD user to the OD group, and then manually creating their home directory on the Users share.

    Haven't tried with 10.6 yet, but this is extremely promising in 10.5.8.

    #378243
    rstasel
    Participant

    Here’s what I have:

    Create Mobile Account: true
    Create Mobile Home with Local User Template: true
    Create Portable Home Directory: false
    Mobile Account Lifetime: 86400
    Mobile Home Location: path
    Mobile Home Parent Path: /Users
    Require Sync to Delete Mobile Account: true
    Show Mobile Account Dialog: false
    Synchronization URL: afp://server.example.com/Users/%@
    Time Server: time.apple.com
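    The server-side step rstasel's two posts above describe (the client mounts the Users share but never creates the user's folder there) can be scripted. The following POSIX sh script is an added example, not code from the thread or from Apple: it expands the `%@` placeholder in the Synchronization URL the way the client does, maps the resulting afp:// URL back onto the exported share's local path, and pre-creates the home folder with owner-only permissions. The share name `Users`, the share root `/Volumes/DATADRIVE/Users`, the host `server.example.com` and the user `bob` are assumptions; the short name is validated before it is used in a path so that a hostile or malformed name cannot escape the share.

```shell
#!/bin/sh
# Added example (not from the thread). Pre-creates a user's home folder on the
# server share that a "Synchronization URL" of afp://host/Users/%@ points at,
# since the client mounts the share but does not create the folder itself.
# Assumptions: the "Users" share is exported from SHARE_ROOT (a made-up path)
# and the script runs on the server, as root if ownership should be set.

SYNC_URL_PATTERN='afp://server.example.com/Users/%@'   # assumed host
SHARE_NAME='Users'
SHARE_ROOT="${SHARE_ROOT:-/Volumes/DATADRIVE/Users}"   # assumed share root

# Accept only short names that cannot escape the share or break the sed
# substitution below: no "..", no "/", and only [A-Za-z0-9._-] characters.
# The name ends up in a filesystem path, so it is checked even though it
# normally comes from the directory.
valid_shortname() {
    case "$1" in
        *..*|*/*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$'
}

# Expand the MCX "%@" placeholder with the logging-in user's short name.
expand_sync_url() {
    pattern=$1; name=$2
    valid_shortname "$name" || return 1
    printf '%s\n' "$pattern" | sed "s|%@|$name|g"
}

# Map an expanded afp:// URL onto the local path of the exported share:
# afp://host/Users/bob -> $SHARE_ROOT/bob. URLs for any other share are refused.
sync_url_to_server_path() {
    url=$1; share=$2; root=$3
    rest=${url#afp://}          # host/Users/bob
    rest=${rest#*/}             # Users/bob
    case "$rest" in
        "$share"/*) ;;
        *) return 1 ;;
    esac
    rest=${rest#"$share"/}      # bob
    printf '%s/%s\n' "$root" "$rest"
}

# Create the home folder (idempotent) with owner-only permissions so only the
# syncing user can read it. Ownership is set only when running as root; "id"
# resolves the name through the server's directory binding, so an unknown
# name makes chown fail and the function return non-zero.
precreate_home() {
    name=$1; root=$2
    valid_shortname "$name" || return 1
    home="$root/$name"
    if [ -d "$home" ]; then
        printf '%s\n' "$home"
        return 0
    fi
    mkdir -p "$home" || return 1
    chmod 700 "$home" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$(id -u "$name"):$(id -g "$name")" "$home" || return 1
    fi
    printf '%s\n' "$home"
}

# Usage: ./precreate_home.sh --demo bob   (prints the server-side path it would
# create; replace the last line with precreate_home to actually create it)
if [ "${1:-}" = "--demo" ]; then
    url=$(expand_sync_url "$SYNC_URL_PATTERN" "${2:-bob}") || exit 1
    sync_url_to_server_path "$url" "$SHARE_NAME" "$SHARE_ROOT"
fi
```

    The 700 mode is a deliberate choice: the sync runs as the user, so nothing else on the share needs to read the folder. If the server is not itself bound to the same directory, `id` cannot resolve the AD short name and the chown step fails; that is the same dependency the later Kerberos discussion in this thread runs into.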

    #378253
    rstasel
    Participant

    cmra,

    Thinking about this, it sounds like the AFP server that’s hosting the home directories isn’t a member of the Kerberos realm. That would be why it’s asking for a network login…

    I could be wrong, but that’s certainly what it sounds like.

    #378254
    cmra
    Participant

    Hi Ryan, thanks for that. Yes, that's exactly what the issue is; we are still working on a dev setup that has Mac OD accounts, so will be moving it to the AD realm soon.
    I think it's going to work pretty well, as it does create the home folder for the user in 10.6.2.
    Now if I could only do the quotas without augments!

    #378255
    rstasel
    Participant

    Hmmm… I hadn’t thought of quotas. Damn.

    Guess I may be looking at augments myself. Do we know if augments in 10.6 can be added to OD groups?

    #378256
    cmra
    Participant

    Apparently you can set up quotas for AD users using the edquota command (though this is broken in 10.5; not sure if it's fixed in 10.6).

    See page 20:

    https://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf

    Not sure about adding augments to AD groups in 10.6.
