OS X Server and Client Discussion / Active Directory: OD homedirs to an AD-OD magic triangle

Viewing 4 posts - 1 through 4 (of 4 total)
    #376764
    sheridanp
    Participant

    Greetings everybody,

    We have “successfully” converted an existing OD network environment to a Golden Triangle because the organisation I work for has decided to bring Windows clients into our network.

    We currently have 150 Macs and 20 PCs (which, as management tells me, will be breeding). The implementation we are using has the AD controller doing just network-wide authentication and group policy settings, and a Mac Pro running as an OD server pushing out preferences (great!) and hosting user home directories (not so great).

    Our initial plan was to host the home directories on a new Windows server box and have the Mac clients connect to it via SMB and the AD plugin, but due to fiscal and time constraints we were forced to reuse the existing Mac Pro and host the directories on that.

    Before we undertook the upgrade we made sure to look around online and familiarise ourselves with the golden triangle process (the AD-OD Sandbox guide hosted here was a real help to us, as it gave us the option to host home directories on the Windows or OS X servers).

    We have been able to create new user home directories with the createhomedir -a command; it went through our OD to our AD, pulled all our user names (we are using nested AD groups in OD groups) and created the home folders beautifully. We have no problems logging in from Windows (via SMB as per normal) or Mac clients (via AFP), or saving, creating and modifying files from both platforms.

    But we have hit a pretty big snag: how do we restore the old home directories full of data into the newly created empty directories made on the fresh installation of Leopard Server on the Mac Pro?

    How do people do it? With scripts, an application, a feature of the operating system itself? I.e. there is a great utility like createhomedir but not one like assignhomedir that takes a directory, searches for a user on the directory server (i.e. AD) and assigns that user the correct permissions on the directory and its children.

    Our existing home directories utilized short names for the home path but upper management stressed to us they would like to be able to change the convention to and that’s what we did in the AD.

    Again the Macs have no problem with this, everything is working swimmingly. Well, there is that warning in AD every time you create a new user, about AD being unable to create the home directory on the OD server, but if they log in to a Mac first everything is created for them, and even if they don't we can always click Create Home Now in Workgroup Manager to make their directories.

    We renamed the short-name home folder backups and inserted a space between the first name and last name (matching their AD login); also we can leave them with their existing short names and just change the profile path in AD, just in case the Macs have problems with spaces in the home dir path.

    So how do people do it? I found one way using ARD: setting the user owner to the domain user name (i.e. student guest) and the group owner to a domain group like CURRIC\domain users, and then during the copy, if it finds existing folders (i.e. the new empty home folders), replacing them. But this method is prone to error and we have over 300 users.

    Is there a rapid way of doing it in one shot?

    Thank you for reading this long post

    Peter

    #376768
    sheridanp
    Participant

    So….

    Nobody has tried to restore user home folders from an OD-based network to a network that has been converted to a golden triangle? I'm sure for an AD integration forum, things like this must have occurred.

    I understand it would be a complex process, but a point in the right direction would be great. I am looking at things like ditto, cpmac….

    I am open to any ideas, even if you guys recommend a fundamental change to the setup we have undertaken…. we are still open for some sort of feedback.

    Anything .. anything at all

    #377077
    dagothere
    Participant

    Your best bet is to run a UNIX loop/command on the server where the share is. Run this loop from a terminal prompt while working in the directory your share is in (use the “cd” command to move to the root of the share).

    for i in */; do i="${i%/}"; chown -R "$i:staff" "$i"; chmod -R 700 "$i"; done

    Run that loop (EXACTLY as written; copy and paste it to make sure) and it will loop over the user homes by the name of each folder, using that name to find the user (the name of the folder has to be the same as the user's name). It will set that user as the owner (chown -R) and allow only that user to access that folder and its sub-folders (chmod -R 700). It will loop through every folder. Make sure you are logged in as the root user, or lead the command with sudo to run it as root.

    Example: If you have home folders named Bill, Rob, Joe, and Sam, it will find users in the directory named Bill, Rob, Joe, and Sam and set them as the owner and sole users of that folder.

    You can run the main portion of this command on any folder anywhere.

    sudo chown -R Sam /homefolder/Sam
    This command will set Sam as the owner of his home directory and its sub-files. (My home directory folder here is called “homefolder” and the second “Sam” is the folder's name. The first Sam is my AD user account.)

    sudo chmod -R 700 /homefolder/Sam
    This will make the current owner (Sam at this point) the sole user of the entire home directory and will disallow everyone else. You can drag folders into a terminal prompt to get the exact path names.

    email me with any questions [email protected] ~iann
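
A hardened form of dagothere's loop, added here as an example; it is not taken from the thread or from any Apple tool. It assumes the home folders are named exactly like the accounts they belong to and that those accounts resolve through the directory service on the server (id(1) resolves AD and OD users on a bound Mac OS X Server); the paths in the usage comment are made up. Unlike the one-liner it does not parse ls output, so names with spaces (like “student guest”) are safe; it skips stray files at the top level; it checks that an account exists before touching anything and logs the folders it could not match; it uses the account's primary group rather than a fixed staff; and it has a dry-run mode so the plan for 300 users can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread: re-assign ownership of restored home
# folders by folder name, checking each name against the directory service.
# Assumptions: run as root on the server holding the share; each home folder
# is named exactly like its account; id(1) can resolve the account.

# owner_for NAME -> prints "NAME:primarygroup", or fails (prints nothing)
# when no account of that name exists in the directory service.
owner_for() {
    name=$1
    id -u "$name" >/dev/null 2>&1 || return 1
    printf '%s:%s\n' "$name" "$(id -gn "$name")"
}

# assign_homedirs BASE [DRYRUN]
# Walks every directory directly under BASE (files are ignored) and makes it
# owned by the account of the same name, mode 700 throughout.
# DRYRUN=1 only prints what would be done. Unmatched folder names are
# reported on stderr and left untouched; the function succeeds only when
# every folder matched an account.
assign_homedirs() {
    base=$1
    dryrun=${2:-0}
    missing=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        dir=${dir%/}                       # drop trailing slash
        name=${dir##*/}                    # folder name == account name
        owner=$(owner_for "$name") || {
            echo "skip: no account named '$name' for $dir" >&2
            missing=$((missing + 1))
            continue
        }
        if [ "$dryrun" = 1 ]; then
            echo "would: chown -R '$owner' '$dir'; chmod -R 700 '$dir'"
            continue
        fi
        # On Mac OS X, chmod -N strips ACLs that a restored backup may carry;
        # left in place they would override the POSIX bits set below.
        if [ "$(uname)" = Darwin ]; then chmod -RN "$dir"; fi
        chown -R "$owner" "$dir"
        chmod -R 700 "$dir"
        echo "done: $dir -> $owner"
    done
    [ "$missing" -gt 0 ] && echo "$missing folder(s) had no matching account" >&2
    [ "$missing" -eq 0 ]                   # exit status: 0 only if all matched
}

# Usage (as root; the share path is made up):
#   assign_homedirs /Volumes/Data/homes 1    # dry run, review the plan
#   assign_homedirs /Volumes/Data/homes      # apply
```

Run the dry run first and fix the folder names it reports as unmatched; a misspelt folder would otherwise silently keep whatever owner the restore gave it. The ACL step only runs on Mac OS X, where chmod -N removes an ACL that a restored backup may carry and that would otherwise take precedence over the 700 mode.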

    #377141
    sheridanp
    Participant

    dagothere thanks for the most excellent reply,

    I was lucky enough to find a utility called Passenger (which is used a lot in Apple networks). It's a paid utility, i.e. you can only import about 20 users at a time when it's in unregistered mode, BUT there is a feature called Batch Permissions MOD which is basically a front end for a script like the one you're creating here. You should really look at it (not that you need to); it allowed me to assign base permissions to a home dir and propagate them from that point onwards. Then I was able to assign permissions to specific directories in the user home dir, i.e.

    /studdata/year1//Documents
    /studdata/year1//Desktop
    /studdata/year1//public
    /studdata/year1//public/dropbox
    etc. etc.

    As long as the base directory name () matched a user name in AD, it assigned whatever POSIX permissions I wanted. What was even better, I was able to assign AD group permissions to the files as well, in the following format:

    ‘CURRIC\domain users’

    The commas around the string are important; that way I was able to assign user and group permissions in any configuration I wanted. What's really great is that it's all done in a GUI that is easy to use and logs everything, so you can go back and see what went wrong, i.e. a user dir is spelt incorrectly or doesn't exist in AD.

    Oh, when I mentioned before that it's a paid utility, the batch mod part isn't; you can use it to build the script and then run it on a directory hierarchy of 10 users, 1,000 users or even 10,000 users. It's all scalable.

    The only thing I had to do beforehand was run chmod -RN * (when in the base dir where the users were stored) to make sure there weren't any ACLs blocking access to any files or folders.

    Again, thank you for the reply, and I hope my reply augments your excellent suggestion.

    Regards

    sheridanp
