Authenticate via OD with local home directories?

  • #362180
    jaronbrass
    Participant

    I work for a very large ad agency, and we’re in the process of doing a massive upgrade of all of our systems to 10.3 and 10.4. We’ve purchased an Xserve and Xserve RAID to act as an art server, but I have a predicament I’m trying to solve and cannot quite seem to find a satisfactory solution.

    We have around 450 Mac workstations all running a variety of OS versions, from 9.1 all the way up to 10.4 on our most recent purchases. Each machine is effectively an island: local user accounts, local home directories, etc. We’ve been mandated by our parent company to start enforcing policies and managed preferences on our Macs in order to survive a forthcoming Sarbanes-Oxley audit for our internal systems.

    Our Windows NT PDC will authenticate PC users, and, if necessary, create a home directory but will NOT create one on the server. I want the same to apply to the Macs in our agency. The Macs would authenticate against OD in order to force preferences, password changes and so on, but I wouldn’t have to worry about migrating user data from a workstation. I simply do not have the space to store an average home directory size that is roughly 4-12GB for 450 machines. Plus, our network would crash in a heartbeat as soon as our artists start saving massive Photoshop files to their desktops.

    Is there any way to achieve my goal of having systems authenticate to OD, yet maintain local home directories? And, if OD cannot do this, will Active Directory support something similar, if the Macs authenticate to it? Our NT4 PDC will be migrated to 2003 Server, soon, so AD is also a possibility.

    I appreciate any help!

    Thanks,
    JB

    #362183
    Ross
    Participant

    Very easy… Set up users on the OD server and use Mobile Accounts. When a user logs in it will create a mobile account on the local machine (local home directory). All the data is stored locally and does not sync (with Panther).

    Or just create a local account, bind the client to the server, and manage by computer lists. This way you still manage prefs, but accounts are local.

    #362205
    puskas
    Participant

    Be careful with Mobile Accounts under 10.3.9. There seems to be a bug with it. When users change their password, their keychain is not updated, meaning that you have to re-create it.

    I think that this only affects users who have been forced to change their password through OD options in WGM. I think that it may have been fixed in Tiger.

    From memory, I think that there is a way to have local folders by simply typing /Users/ in the WGM home tab section. However, if your server is not available then the users can’t log in as their password is not cached.

    #362481
    AMSR
    Participant

    If you don’t use mobile accounts you can still do this. Instead of creating an automount record in OD to assign to your users in the “Home” tab of WGM, just assign them to “/Users/shortname”. The first time you do this, it will add “/Users” as an option for homes, and any user you assign in this way will create a local home (using their OD shortname as the folder name) in /Users on each local machine.

    There is a good summary of how to do this in the XSan admin guide on Apple’s site. Because of performance implications for FCP, this is the recommended way to do things with XSAN in a video environment. Suffice it to say, even if you aren’t doing that, the instructions in the XSAN guide will help you out.
