  • #377650
    mharvey
    Participant

    Hello all,

    Have a golden triangle here and are looking to set up a lab full of Macs with network homes. We are using AD to authenticate, but can’t alter the AD profile, as we are but a small school in a large University. Also, it would be unwieldy to create the homes ahead of time for the ~1700 students that could be using the lab. Is there a good way to configure the machines (ideally through WGM, though a login script would work as well) to use AD for authentication, then automatically create a Home Directory directly on an AFP share?

    Any help or ideas would be appreciated.

    Thanks.

    #377722
    mcrispin
    Participant

    We have a very similar issue here. The clear answer is the Augmented User Record process. However, the problem with this is that it does not allow for automation without a decent level of scripting knowledge.

    If you get the 10.6 Directory Services Manual from the Apple Training Series, and go to pages 377-379, you will see the basic methodology. At minimum it would seem that your AD sysadmin would have to create an OU for just your subset of users to make this process practical (as opposed to trying to import the entire institution, or even worse, importing a name at a time). Another issue I’m finding is that there is no apparent way to efficiently account for changes inside the AD OU when normal add/drop occurs. Meaning, it’s unlikely the AD sysadmin is going to provide you a constant list of user changes when they occur.

    The “Passenger” application is certainly the best (if not only) solution for native OD users when you need to mass import, and Passenger does know how to handle duplicate records, but I don’t believe it has any kind of AD functionality. Passenger has been used to great effect by K-12 sysadmins for years – it does not seem as practical for college departmental needs.

    As for creating homes ahead of time, I might be off base here, but I don’t see why that would be necessary if the client is a) bound to an OD master, and b) authenticated against a Kerberos realm of which the user’s AFP home is a part (meaning, the user home template for OD-bound OSX clients comes from the server and not the client in Snow Leopard); therefore, there are no permissions issues that I can see which would cause an issue here – but I have not tried this myself, so buyer beware. This can also be used to great effect for getting around certain application-level configuration issues which neither MCX nor preference manifests can easily solve.

    Since our population is much lower (500-700) with only about 50% turnover per year, I run a local OD Master with direct attached storage (and then mirrored via central campus Tivoli (IBM)) and use the account creation process as a kind of administrative sieve, because our area is a very power-user orientated multimedia space and is therefore not exactly open to the University as a whole. I should also mention we are a fully networked home directory environment with no mobile users (yet).

    Not any solutions here, but I hope this does some legwork for you.

    Michael Crispin
    Duke University
