AD-bound servers show fake user homes in share lists

  • #368603
    giskard22
    Participant

    I recently bound a couple of 10.4.8 servers to our AD. This is a magic triangle setup, where the OD exists purely for groups and MCX. Since then, when you authenticate to the servers via AFP or SMB with an AD user you get the appropriate list of shares, plus one extra. It appears that the servers are attempting to “patch through” a user’s home directory; for me, the extra share is called MROSENBERG$, corresponding to my username. If I logged into a client Mac with that username, that’s the name the network home would have. The network homes are actually somewhere on big NAS boxes, mountable via SMB from a Mac.

    The system logs on the servers have tons of entries like these:

    [code]Mar 19 11:55:43 dcxserv01 automount[28703]: Can’t mount REDOUBT.mgmmirage.org:/VHANLEY$ on /private/Network/Servers/REDOUBT.mgmmirage.org/VHANLEY$: Invalid argument (22)
    Mar 19 11:55:43 dcxserv01 automount[28703]: Attempt to mount /automount/Servers/REDOUBT.mgmmirage.org/VHANLEY$ returned 22 (Invalid argument)[/code]

    The sequence of entries from the same timestamp is long, and appears to contain these two lines for every AD user who has ever connected with AFP or SMB. Both servers give the entire sequence of errors every few minutes. What’s going on, and how do I stop it?
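As an added example (not from the thread), here is a small shell script that pulls the failed automount targets out of system.log lines in the format quoted above and counts how often each one recurs, so you can see which home share points the server keeps retrying and how many AD users are affected. The sample log lines are constructed from the format in the post; on a real server you would pipe in /var/log/system.log instead.

```shell
#!/bin/sh
# Constructed sample of the automount failures described in the thread.
SAMPLE_LOG=$(cat <<'EOF'
Mar 19 11:55:43 dcxserv01 automount[28703]: Can't mount REDOUBT.mgmmirage.org:/VHANLEY$ on /private/Network/Servers/REDOUBT.mgmmirage.org/VHANLEY$: Invalid argument (22)
Mar 19 11:55:43 dcxserv01 automount[28703]: Attempt to mount /automount/Servers/REDOUBT.mgmmirage.org/VHANLEY$ returned 22 (Invalid argument)
Mar 19 11:55:43 dcxserv01 automount[28703]: Can't mount REDOUBT.mgmmirage.org:/MROSENBERG$ on /private/Network/Servers/REDOUBT.mgmmirage.org/MROSENBERG$: Invalid argument (22)
Mar 19 11:55:43 dcxserv01 automount[28703]: Attempt to mount /automount/Servers/REDOUBT.mgmmirage.org/MROSENBERG$ returned 22 (Invalid argument)
Mar 19 11:59:43 dcxserv01 automount[28703]: Can't mount REDOUBT.mgmmirage.org:/VHANLEY$ on /private/Network/Servers/REDOUBT.mgmmirage.org/VHANLEY$: Invalid argument (22)
Mar 19 11:59:43 dcxserv01 automount[28703]: Attempt to mount /automount/Servers/REDOUBT.mgmmirage.org/VHANLEY$ returned 22 (Invalid argument)
Mar 19 11:59:44 dcxserv01 sshd[28800]: unrelated line that must be ignored
EOF
)

# Read log lines on stdin; print "count server share" for every mount target
# that failed with errno 22, most frequent first. Only the "Can't mount" line
# is counted, because the "Attempt to mount ... returned 22" line that follows
# it reports the same event a second time.
failed_home_mounts() {
    grep "automount\[[0-9]*\]: Can't mount .*: Invalid argument (22)" |
    sed -E "s/.*Can't mount ([^:]+):\/([^ ]+) on .*/\1 \2/" |
    sort | uniq -c | sort -rn | awk '{print $1, $2, $3}'
}

# Number of distinct share points being retried, i.e. how many AD user homes
# the server is trying to patch through.
distinct_failed_shares() {
    failed_home_mounts | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_home_mounts
printf 'distinct shares: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | distinct_failed_shares)"
```

If a single share point dominates the count or the distinct count keeps climbing between runs, the server is still attempting the home automounts and the settings discussed later in the thread have not taken effect.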

    #368606
    giskard22
    Participant

    Thanks, Joel. I actually discovered that, but it doesn’t explain the behavior. Why does the server want to re-share data that doesn’t exist on it? It’s just supposed to be an AFP/SMB server that’s using AD for authentication.

    The list of shares it’s trying to automount is going to keep getting longer and longer. I was going to ignore it, but yesterday the automount process went crazy, trying to do the mounts over and over without a break in between. It definitely seems like it’s going to cause problems down the road.

    #368608
    giskard22
    Participant

    Not to my knowledge, and most would have no idea what that is. AFP & SMB only.

    #368615
    themonkman
    Participant

    I had this problem, too. It’s caused by the setting “enable virtual sharepoints” under Server Admin -> Settings -> Advanced -> Homes: [enable virtual sharepoints]. That should fix your issue I think.

    #368621
    giskard22
    Participant

    Definitely on the right track here! That setting applies only to SMB, though. There doesn’t appear to be an equivalent for AFP. However, I discovered that if you enable the “Force local homes” option for the AD DirectoryServices plug-in, the issue goes away for AFP too.

    Thanks to both of you for the help!

    #368623
    2smuth
    Participant

    Auto-generated home folders are easy to set up on the AD side; I find it bizarre it is going to an invisible share though. It sounds like the admin has set the permissions wrong on the share point and the user is getting a folder created but isn’t the owner. Is that a possibility? As this is now AD bound, I do something similar for PC users in all my OUs where they get a My Documents moved to the SAN and their actual storage is mapped to a drive letter; however, if a Mac logs in and is bound with SMB, they get the Home folder in the same space and the entire folder appears within their Home Folder. If you’re authenticating through the Xserve and AD both, with a Kerberos ticket running on the Xserve, it could cause strange behavior. The Invalid argument would be the password being encrypted then going to AD; it would appear to be an encrypted, encrypted password and authentication on AD would fail.
