Cylinder of Destiny or Golden Triangle with Lion Server

  • #381470
    tslarkin
    Participant

    I have a fresh install of Lion Server 10.7.2. I have bound it to my university’s AD service. I can import users from AD into the local LDAP as augmented records, using Server.app. (WGM no longer seems to be able to create augment records.) So far so good.

    I’d like to add augment properties for the Mac users’ home directories. I can add those properties using the Directory Editor of the Directory Utility.

    But when I run dscl nothing seems to have worked correctly. I can see the augment records in LDAPv3/127.0.0.1/Augments, and they show the augmented properties. According to the Bombich document, I should be able to view in /Search/Users the result of merging the AD records with their OD augments. However, this is not happening. For instance, instead of seeing the augmented record’s value for NFSHomeDirectory, I see /Users/userID.

    Curiously, I see this same value for NFSHomeDirectory if I look in the Active Directory node directly, even though that property is not defined by the AD server. It has been automatically merged from some set of defaults distinct from the augmented record properties. (“Force local home directory on startup disk” is turned off in the AD plugin.)

    Does anyone have augmented records working correctly with Lion Server 10.7.2? Can you create and augment records from AD, and see correctly merged records using dscl at /Search/Users? Or has Apple quietly dropped support for augments? Or has management of the augment function changed so that the old techniques no longer work?

    #381489
    Malcolm Rikeur
    Participant

    Hi,

    We’ve done some testing with the ‘new’ augment feature of Lion, without much success I’m afraid (as of 10.7.2 anyway).

    If you’ve done it the Snow Leopard way, you would have modified augmentconfiguration within /LDAP/Config. This has now disappeared.
    You do get the ability to “Import from another directory” via Server.app; this grabs your AD users and gives them a record within /LDAP/Augments
    (only a partial record, I’ve noticed, but you can add the appropriate additional fields through the Directory Editor (new feature of Directory Utility) or dscl).

    I have to admit I thought I was getting somewhere, but the client still only looked at /Users/username for the home directory regardless of how I configured the augments or the AD connector on the client.

    I pretty much gave up when I rebooted the server and found all my augments had gone!

    Having spoken to someone at Apple, I believe this hasn’t been implemented fully, the solution for say a separate home folder, is apparently to “use variable mapping within the AD connector” just like you would with LDAP, although I’ve yet to figure out how this works, or indeed if it’s actually possible…

    #381490
    tslarkin
    Participant

    I also had the problem with disappearing augments. This went away after I upgraded to 10.7.2, blew away the LDAP database by reverting the server to standalone, and then recreating the OD master. Now my augment records are persistent.

    I’m still working on “use variable mapping within the AD connector”, whatever that means.

    #381568
    Malcolm Rikeur
    Participant

    Just an update on this subject as I’ve been looking at it for some time now…

    Overall idea is that we want our users to log in using AD credentials and mount a home folder from a Mac Lion Server. We’re leaving the profile in AD untouched, so that when they go back to their Windows PCs, they see the original homes, essentially two home folders depending whether they use a Mac or a PC.

    We augmented the AD user records in 10.6 with no problems, works as intended. 10.7 is proving problematic. Here are some discoveries:

    1) Apple’s official documentation just says something along the lines of, “Importing Users using Server.app from another directory used to be called ‘Augments’”, and this indeed works: you can add an AD user, giving them access to services on your Lion Server like AFP.

    2) In 10.6 we had this to add… /LDAPv3/127.0.0.1/Config/augmentconfiguration/ – This no longer appears, the only entry we get in 10.7 is now
    /LDAPv3/127.0.0.1/Augments/ which contains our augmented records. I’m assuming the old entry is no longer needed.

    3) You can create the augments with either Server.app OR Workgroup Manager (WGM), but if you use Server.app it appears that a very minimal augment is created; using WGM does pretty much the same thing, except you also get NFSHomeDirectory and a few other attributes.

    4) The WGM Inspector is no longer available of course, so I’ve been using Directory Utility’s new “Directory Editor” on the server to modify the augments and test everything. It’s actually quite good as it will add a specific item in for you from a drop-down box.

    The only thing I’ve so far attempted is to try and “id” a user from a bound client. For example, in 10.6 if I had an augment called “aduser1” I could run Terminal and type id aduser1 and get the user checked. This isn’t happening at all with Lion, so I guess the augments aren’t being merged à la 10.6.

    From an earlier post, I mentioned that someone at Apple said that we could use a form of LDAP mapping. This means that if I wanted to link to a third-party LDAP server, I could use the “Search and Mappings” feature of Directory Utility to substitute any attribute at the client side, and you could use either static values or variable mappings, which was great for things like UNIX LDAP servers, but you never had that capability with AD. Unfortunately I can’t see a way to do this sort of thing via the AD plug-in; maybe this will appear in a “future release” or as something you could do from dsconfigad etc.

    Anyway, before I give up on it completely, just wanted to bump this post a bit, to see if anyone had discovered the key to augmenting records successfully in Lion.

    Thanks for listening!
    M

    #381575
    ivaldiz
    Participant

    Hi,

    I’m running the same thing; the idea is to set up PHDs for AD users using the cylinder of destiny. I got this working, but I’m not sure if that’s how it should work! I will share my experience, and maybe it will help somebody out there.

    I’m running 10.7.2 Server, and clients are a mix of 10.6 and 10.7 as well. I set up an OD Master on the server and have it bound to AD, which is not .local.
    Everything seems to be fine. I imported users from AD using Server.app; the user is “adtest”. Then I opened Directory Utility, /LDAPv3/127.0.0.1/Augments,
    and I see the users there. Now I added the following attributes:
    – HomeDirectory as the following template:
    afp://server.mydomain.com/Homesadtest

    – NFSHomeDirectory as the following template:
    /Network/Servers/server.mydomain.com/Volumes/Homes/adtest

    - HomeDirectorySoftQuota; value is set to 10000000000, which equals 10GB (this feature didn’t work for me; I don’t know why)

    Now, after I did all that on the server side, I created a Computer Group and added the client’s MAC address as a member of that group so I can assign MCX settings. I enabled Mobility settings as follows:
    - Account Creation: Always; kept everything else the same
    - Rules: Home Sync: Always; kept everything else the same
    - Rules: Options: Always; sync in the background (every 20 minutes)

    Apply the settings, then click on the Preferences button in the top menu bar and select Details. From there, click on the + button and navigate to the path
    Server HD:System:Library:CoreServices:ManagedClient and click the Add button; that should add other features.
    Scroll down to Mobile Account and Other Options, and you will notice a little mouse icon next to it. Go ahead and double-click it; the window will pop up. Expand the “Always” item, then hit the New Key button and add “Synchronization URL” with this value template: “afp://server.mydomain.com/Homes/%@”

    Now go to the Terminal and run these commands:
    - sudo createhomedir -c -u adtest
    (this will create the home folder for the user under /Users)
    - sudo mv /Users/adtest /Volumes/Homes
    (this will move the home folder from the Users folder to the Homes share folder)

    Now that we have everything ready, go to the client machine, log in to the local admin account and bind the machine to AD and OD (it doesn’t really matter which you bind first).
    Open the Terminal and type: id adtest
    You should get feedback that tells you that this user is part of AD and is a member of some AD groups.
    Log out of the admin account and you should see Others. Log in with your AD account “adtest” and it should ask you to create a mobile account for this user.
    Continue and then it will ask you for the username and password to access the share point. Type in adtest and its password, and it will start syncing just fine.

    My scenario is a bit different since you are not syncing here, but I thought I would share my experience, and maybe it will give you an idea.

    Good luck!
    M

    #381579
    Malcolm Rikeur
    Participant

    Thanks for the post, to be honest I’d given up on it for now, at least until 10.7.3 is officially released! 😉

    I’m doing pretty much the same thing, except no mobile accounts or MCX; all I was trying to do was mount the AFP home folder. I’ll give it another go…
    I did add the HomeDirectory and NFSHomeDirectory attributes to the augment record in my LDAP. It’s weird that Server.app seems to miss a few attributes out whereas WGM adds them, but as long as the record layout is the same, it should be OK.

    I wonder if the fact they’re mobile accounts makes a difference. I was just mounting the home over AFP; I’m thinking the mobile sync part of Lion talks to the augment and gets the correct attributes…

    EDIT: One other thing I noticed is that if I try to augment (or Import, as it’s called now) a Windows AD group via Server.app, it adds the group but not the members. This may be due to the way my AD is set up, but it’s pretty straightforward, to be honest.

    #381580
    ivaldiz
    Participant

    I just tested importing an AD group. I created a fresh new one and put two test users as members of that group, and I’m having the same issue: it will import the group but not the users within that group, so it’s definitely something up with Lion Server, not with the AD setup.

    Another thing: have you tested the HomeDirectoryQuota and HomeDirectorySoftQuota attributes? I added them to the augmented user but I couldn’t get them to work. I put the value as 1000000000 bytes = 1GB and that didn’t work; maybe I’m putting the wrong value format.

    #381625
    Malcolm Rikeur
    Participant

    Just gone through the whole process again with a clean install of 10.7.3 (on Server and Clients)

    …Same problems exist:

    – You can import (i.e. Augment) only individual AD users
    – Importing the AD group doesn’t import the users
    – Adding the necessary NFSHomeDirectory etc. to the augment makes no difference; the /Users/username value is what the client uses and the augment is completely ignored

    I was at Apple recently, asked the question, one engineer said “Hang on for a bit!” the other said “Augments are deprecated!”

    I’m filing this under “not supported” indefinitely,

    #382542
    mark9000
    Participant

    I have had a look in 10.7.4 too. It does not work there either.
    It appears that the AD connector in Lion presents a value for the NFSHomeDirectory attribute as /Users/username even if the “force home folder” box in the AD connector is unticked. Augmented user records will not replace the value of an attribute that is delivered from elsewhere (in this case the AD connector); therefore the NFSHomeDirectory value in the augmented record is not read by the client machine.
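The following script is an added diagnostic, not code from any poster in this thread. It makes the comparison tslarkin describes in the first post and that mark9000’s explanation above predicts: on a bound client it reads NFSHomeDirectory for one user from /Search (what the client actually uses), from the Augments record on the OD master, and from the AD node, then reports whether the augment was merged or the AD connector’s /Users/username value won. The parser only depends on the `Attr: value` / `Attr:` + indented-value output shape of `dscl -read`; the AD node path and the augment record name are assumptions that you must replace with what Directory Utility shows on your system. The constructed sample in `demo` reproduces the thread’s observed result.

```sh
#!/bin/sh
# Added example: per-node NFSHomeDirectory comparison for an augmented AD user.
# Everything below is illustrative; node and record names are assumptions.

# Extract one attribute's value from `dscl ... -read` output read on stdin.
# dscl prints either "Attr: value" on one line, or "Attr:" followed by the
# value(s) on the next line(s) indented by one space (first value returned).
dscl_attr() {
    awk -v attr="$1" '
        $0 == attr ":"            { grab = 1; next }                    # multi-line form
        index($0, attr ": ") == 1 { print substr($0, length(attr) + 3); exit }
        grab && /^ /              { print substr($0, 2); exit }
        grab                      { exit }
    '
}

# Classify what the client resolved.
#   $1 = value from /Search, $2 = value in the Augments record, $3 = value from the AD node
# Prints MERGED, OVERRIDDEN_BY_AD, NO_AUGMENT or UNKNOWN.
augment_status() {
    search="$1"; augment="$2"; ad="$3"
    [ -z "$augment" ] && { echo NO_AUGMENT; return; }
    [ "$search" = "$augment" ] && { echo MERGED; return; }
    [ -n "$ad" ] && [ "$search" = "$ad" ] && { echo OVERRIDDEN_BY_AD; return; }
    echo UNKNOWN
}

# Live check. Arguments:
#   $1 = short user name
#   $2 = AD node path, e.g. "/Active Directory/MYDOMAIN/All Domains" (assumed; use what
#        `dscl localhost -list "/Active Directory"` shows on your client)
#   $3 = record name under /LDAPv3/127.0.0.1/Augments, as shown in Directory Editor (assumed)
check_user() {
    user="$1"; ad_node="$2"; record="$3"
    search=$(dscl /Search -read "/Users/$user" NFSHomeDirectory 2>/dev/null | dscl_attr NFSHomeDirectory)
    ad=$(dscl "$ad_node" -read "/Users/$user" NFSHomeDirectory 2>/dev/null | dscl_attr NFSHomeDirectory)
    augment=$(dscl /LDAPv3/127.0.0.1 -read "/Augments/$record" NFSHomeDirectory 2>/dev/null | dscl_attr NFSHomeDirectory)
    printf '%s: search=%s augment=%s ad=%s -> %s\n' \
        "$user" "${search:-<none>}" "${augment:-<none>}" "${ad:-<none>}" \
        "$(augment_status "$search" "$augment" "$ad")"
}

# Offline demonstration on constructed dscl output (not captured from a real system):
# the augment carries the network home, but /Search returns the AD connector's /Users path.
demo() {
    search=$(printf 'RecordName: adtest\nNFSHomeDirectory: /Users/adtest\nUniqueID: 1234\n' \
        | dscl_attr NFSHomeDirectory)
    augment=$(printf 'NFSHomeDirectory:\n /Network/Servers/server.mydomain.com/Volumes/Homes/adtest\n' \
        | dscl_attr NFSHomeDirectory)
    ad=$(printf 'NFSHomeDirectory: /Users/adtest\n' | dscl_attr NFSHomeDirectory)
    augment_status "$search" "$augment" "$ad"
}

if [ $# -ge 3 ]; then
    check_user "$@"
fi
```

Run it on the client as `sh check_augment.sh adtest "/Active Directory/MYDOMAIN/All Domains" "<augment record name>"`; the augment lookup will only succeed from a machine that can reach the OD master’s LDAP node, and a result of OVERRIDDEN_BY_AD is the situation mark9000 describes, where no amount of editing the augment changes what the client uses.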
