Augmented users with network home directories – making them PHDs?
This topic has 6 replies, 4 voices, and was last updated 14 years, 8 months ago by ejaramillo1006.
April 30, 2010 at 7:14 pm #378472
Mike Boylan (Participant)

Hi Guys,
I’ve been poised with the project of trying to get all of our Macs to let users log in with their AD credentials so we don’t have to keep two separate user databases, and so we can provide a centralized password change service, etc. We still need to apply some basic policy to these users, so the magic triangle seemed like a good solution.
Following Arek’s excellent guide in the OS X Directory Services 10.6 book, I created a test environment and I started with a fresh install of snow leopard server. I ran all the updates and then I bound the server to AD, kerberized the services, and then configured the OD master. All went as expected. We’re in a disjoint namespace here though, so I followed the instructions in [url=http://support.apple.com/kb/HT3795]this[/url] article and made the necessary edit to the AppleFileServer plist to use the correct principal. All other services seemed to update automatically.
What I didn’t know was the bosses also wanted to have two separate home directories for our Mac users. One on the windows server for the windows machines and one on the Xserve for the Mac machines. To do this, I edited the augmentconfiguration to allow for the home directory attributes, and then I augmented a test account record and provided the NFSHomeDirectory and HomeDirectory attributes per Arek’s guide. I then created the home folder using createhomedir and everything went smoothly.
On the client machine, I bound it to OD first, then AD (unchecked all of the options except default user shell). I then logged in with the test augment user. Success. Everything loaded, there was an active AFP session listed in Server Admin, running klist in Terminal showed the TGT from the AD controller and the afpserver ticket from the Xserve in the correct AD realm. Trying to access another service on the Xserve like SMB presented me with the list of shares without having to re-authenticate, thus telling me SSO was working correctly.
Here’s where things got tricky, and here’s where I need your help…
Ideally, we’d like to make these augmented users’ network home directories also PHDs that sync, in an effort to put less strain on the Xserve at peak login times. I created a new computer group, added the test client machine I’ve been using as a member, and set the following Mobility settings for the group:
Account Creation >> Creation >> Always >> Create mobile account (and all sub checkboxes)
Create Home Using: network home…
Account Creation >> Options >> Never
Account Expiry >> Never (for now)
Rules >> Preference Sync >> Never (for now)
Rules >> Home Sync >> Always >> Default options for now
Rules >> Options >> Always >> Sync in background manually and show status
I then edited the preference manifest for “Mobile account and other options” for the group to include the Synchronization URL for the share. It’s something like afp://macmini.subdomainhere.rmu.edu/StuDirs/%@
I then tried logging in as the augmented user again. It prompted me for the mobile account, I created it, and it seemed to sync on [i]login[/i].
The problem is, on a [i]manual sync or logout sync[/i], it’s asking for the password of the test account. klist shows no cached tickets for the account either.
Why are the tickets generated and cached correctly when I log in as this augmented user just as a normal network user, but as soon as I enable mobility options, SSO seems to break?
I’ve also tried using the AD connector to create the mobile account rather than MCX and only specified the Synchronization URL via MCX. That also didn’t work.
Thanks so much. Any help would be much appreciated. If I’m going about this the complete wrong way, please tell me. I’m certainly new to incorporating multiple directory services.
Mike Boylan
RMU IT :: Mac OS X
@mboylan on Twitter

May 4, 2010 at 1:03 pm #378510
nvp (Participant)

I came across this article while researching my Augmented user project:
https://wiki.cmich.edu/groups/techops/wiki/a9668/Augmented_Network_Home_Directories_with_PHDs.html
Might be of some help….
May 4, 2010 at 2:00 pm #378513
Mike Boylan (Participant)

Thanks. I saw this actually and it served as the guide for my efforts. I talked with the creator a bit over the weekend because it’s (obviously) not working for me. :p
Hopefully someone else has tried this. 🙂
May 19, 2010 at 9:37 am #378614
Malcolm Rikeur (Participant)

Hi!
We’ve just been testing this and we initially had the same issue with the authentication window coming up for the AFP share.
On closer inspection we noticed the AFP Kerberos ticket seemed a little ‘late’ appearing! Once you attain the afpserver ticket, all worked fine with every type of sync.
We’ve logged out and back in again with the local copy of the user and all’s good, but if it’s deleted (i.e. you move to a different Mac) the same problem re-appears… if we run klist it gives us no tickets at all; if we log out and back in again all tickets are there and sync works fine.
Looks like we need to poke the Mac into getting a Kerberos ticket when you first create the account on the local machine.
Weird though, as it logs in from AD and you can access the AFP share and the SMB home folder too…

*UPDATE!*
Working on this issue as I’m posting!
Seems when you log in for the first time and the local account is created, ALL Kerberos tickets are missing (again, try klist from Terminal).
The AFP share is accessible (via SASL authentication). If we look at the SMB share, or anything that requests authentication, all Kerberos tickets then come in (tgt, afp, smb etc.) and we’re off…
I’m using an OD group for the management policies (populated with the AD users).

*SOLUTION*
It’s here at Apple: [url]http://support.apple.com/kb/HT4100[/url]
Seems that with an Active Directory login, the client doesn’t necessarily always request a TGT from the Windows server; you have to request a service to get one. The KB article tells you to basically edit the /etc/authorization file so that you’ll always get a TGT when you log on. Did this and everything works fine now…
Next step is to automate the process of augmentation!
Cheers
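The diagnostic both Mike and Malcolm describe, running klist after login and looking for the AD TGT and the afpserver ticket, as an added example that is not part of this thread or of Apple's KB article: a small sh script that reads a klist dump and reports which of those tickets is missing, and also whether the afpserver ticket was issued in the AD realm rather than in the Xserve's own realm (the disjoint-namespace point from the first post). The realm AD.EXAMPLE.EDU, the host macmini.example.edu, the principal testuser and the three klist dumps are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: read a klist dump and report
# whether the tickets single sign-on to the Xserve depends on are present -- a
# TGT from the AD realm and an afpserver service ticket issued in that same
# realm. Realm, host, principal and the klist dumps below are constructed.

AD_REALM="AD.EXAMPLE.EDU"          # assumed AD Kerberos realm
AFP_HOST="macmini.example.edu"     # assumed Xserve hosting the home folders

# has_line TEXT FIXED_STRING -> 0 if some line of TEXT contains FIXED_STRING
has_line() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# sso_status KLIST_TEXT -> prints ok | no-tgt | no-afp | afp-wrong-realm
# and returns 0 only for ok, so it can gate a sync or a login hook.
sso_status() {
    klist_text="$1"
    tgt="krbtgt/${AD_REALM}@${AD_REALM}"
    afp_prefix="afpserver/${AFP_HOST}@"
    if ! has_line "$klist_text" "$tgt"; then
        echo "no-tgt"
        return 1
    fi
    afp_line=$(printf '%s\n' "$klist_text" | grep -F -- "$afp_prefix" | head -n 1)
    if [ -z "$afp_line" ]; then
        echo "no-afp"
        return 2
    fi
    # The realm is whatever follows the last '@' on the ticket line.
    afp_realm=${afp_line##*@}
    if [ "$afp_realm" != "$AD_REALM" ]; then
        echo "afp-wrong-realm"
        return 3
    fi
    echo "ok"
    return 0
}

# Constructed: klist right after the mobile account was first created, when
# the thread reports no tickets at all.
KLIST_FRESH_MOBILE='klist: No Kerberos 5 tickets in credentials cache'

# Constructed: klist after a kerberized service (SMB, AFP) has been touched.
KLIST_AFTER_SERVICE='Kerberos 5 ticket cache: API:Initial default ccache
Default principal: testuser@AD.EXAMPLE.EDU

Valid Starting     Expires            Service Principal
05/19/10 09:37:12  05/19/10 19:37:12  krbtgt/AD.EXAMPLE.EDU@AD.EXAMPLE.EDU
05/19/10 09:37:13  05/19/10 19:37:12  afpserver/macmini.example.edu@AD.EXAMPLE.EDU'

# Constructed: the AFP service principal still lives in the Xserve's own realm,
# the situation the first post fixed in the AppleFileServer plist.
KLIST_WRONG_REALM='Kerberos 5 ticket cache: API:Initial default ccache
Default principal: testuser@AD.EXAMPLE.EDU

Valid Starting     Expires            Service Principal
05/19/10 09:37:12  05/19/10 19:37:12  krbtgt/AD.EXAMPLE.EDU@AD.EXAMPLE.EDU
05/19/10 09:37:13  05/19/10 19:37:12  afpserver/macmini.example.edu@MACMINI.EXAMPLE.EDU'

# Stand-alone run over the three constructed dumps.
for dump in "$KLIST_FRESH_MOBILE" "$KLIST_AFTER_SERVICE" "$KLIST_WRONG_REALM"; do
    sso_status "$dump" || true
done
```

On a client you would feed it the real output, `sso_status "$(klist 2>&1)"`; a non-zero exit before a manual sync is the "no tickets" state the posts describe, while afp-wrong-realm points back at the AFP service principal rather than at the mobility settings.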
May 19, 2010 at 5:06 pm #378615
Mike Boylan (Participant)

Thanks for the reply! I had found that article as well and it seemed to work for us, too.
However, after some discussion with our Apple Systems Engineers, we decided to stick with all OD and ditch the idea of having the dual directory structure with augmented records. Essentially the main question they asked us was “Why?” Our Mac install base isn’t very large, and it’s not a whole lot of work to run the oracle export through Passenger and import the accounts into OD. It’s like a 20 minute process. The main advantage for us was going to be integration with our Password Change service, but it looks as though we can do a native OD password change script anyway.
I wish you the best of luck, though. The vibe we got from our SEs was to really not go down the road of augments for two different home folders, and especially not for syncing. It can and should work, but it’s supported very little and can always be prone to problems.
As far as scripting the augmentation process, Mike Bombich has a nice script written to do this. It’s at the bottom of this page:
http://www.bombich.com/mactips/scripts.html
You’ll have to add support for the keyword attribute in your augmentconfiguration as well as the home folder attributes. It’s all documented in the Read me.
Good luck!
Mike Boylan
Student IT Assoc Sys Admin
Mac OS X / Mac OS X Server
Robert Morris University

May 20, 2010 at 10:44 am #378616
Malcolm Rikeur (Participant)

Cheers,
Got Mike’s script working apart from one niggling problem:
It cannot add the NFSHomeDirectory entry if there is a space in the path name e.g. /Network/Servers/macserver.com/Shared Items/machomes/
The script fails when it gets to this part… works okay manually though, either via WGM or using:
dscl -u diradmin /LDAPv3/127.0.0.1 create /Augments/Users:dave NFSHomeDirectory "/Network/Servers/macserver.com/Shared Items/machomes/dave"
The space in “Shared Items” is happily accepted in dscl and WGM… also if I type in the path in the script rather than the variable it fails.
Wondered if dscl was doing something weird in the script…

*UPDATE*
Sorted this too… just adjust the line in the script to add in quotes. I wasn’t doing a “dry run” (see Mike’s script!)
Looking at the text file created, it missed out the quotes around the /Network/Servers path. Changed it to:
printf("create /Augments/Users:%s NFSHomeDirectory \"%s/%s\"\n", sn, home_path, sn) >> "/tmp/f"
All users now in and working fine…
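Malcolm's quoting fix above, as an added example that is neither Mike Bombich's script nor code from this thread: a sh script that generates the dscl create lines for a list of short names with the same awk printf form (quotes inside the format string) and writes them to a file for review, the dry run, rather than running dscl. It also refuses input the quoting cannot protect (a double quote or backslash in the name or path), insists on an absolute NFSHomeDirectory, and drops a trailing slash from the base path so the result is not machomes//dave. The short names dave and alice, the server macserver.example.edu and the paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Mike Bombich's script and not from the thread: build the
# dscl "create" lines that give augmented user records an NFSHomeDirectory,
# quoting the path so a component such as "Shared Items" survives, and write
# them to a file for review instead of running dscl. Names, server and paths
# are constructed placeholders.

# augment_line SHORTNAME HOME_PATH -> prints one dscl line; fails on input that
# cannot be quoted safely, on a bad short name, or on a relative path.
augment_line() {
    sn="$1"
    home_path="$2"
    case "$home_path" in
        /*) ;;                                    # NFSHomeDirectory must be absolute
        *)  echo "home path must start with /: $home_path" >&2; return 1 ;;
    esac
    case "$sn$home_path" in
        *\"*|*\\*) echo "quote or backslash not allowed in name or path" >&2; return 1 ;;
    esac
    case "$sn" in
        ''|*[!A-Za-z0-9._-]*) echo "bad short name: $sn" >&2; return 1 ;;
    esac
    home_path=${home_path%/}                      # avoid ".../machomes//dave"
    # Same awk printf the thread settled on: the quotes are part of the format
    # string, so the emitted line carries the path as one quoted argument.
    awk -v sn="$sn" -v home_path="$home_path" \
        'BEGIN { printf("create /Augments/Users:%s NFSHomeDirectory \"%s/%s\"\n", sn, home_path, sn) }'
}

# write_dry_run USERFILE OUTFILE HOME_PATH -> one line per short name in
# USERFILE written to OUTFILE; prints the number of lines written.
write_dry_run() {
    userfile="$1"
    outfile="$2"
    home_path="$3"
    : > "$outfile"
    n=0
    while IFS= read -r sn || [ -n "$sn" ]; do
        [ -n "$sn" ] || continue                  # skip blank lines
        augment_line "$sn" "$home_path" >> "$outfile" || return 1
        n=$((n + 1))
    done < "$userfile"
    echo "$n"
}

# Stand-alone run with a constructed user list.
workdir=$(mktemp -d)
printf 'dave\nalice\n' > "$workdir/users.txt"
write_dry_run "$workdir/users.txt" "$workdir/augments.txt" \
    '/Network/Servers/macserver.example.edu/Shared Items/machomes/'
cat "$workdir/augments.txt"
```

The generated file is what you inspect before anything is written to the directory; a name or path that trips one of the checks stops the run instead of producing a line dscl would parse differently from what you meant.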
July 29, 2010 at 8:03 pm #379203
ejaramillo1006 (Participant)

Malcolm Rikeur,
I’m having an issue running the script on 10.6. I’m sure it’s something I’m doing wrong since I’m not very familiar with scripting on a mac.
I keep getting a Syntax Error Expected expression but found “/”.
It points me to the first line of the script .. Path=/bin:/usr/bin:/sbin:/usr/sbin export PATH
Any ideas?