Providing Home Folders for AD users using the "Magic Triangle"
Hello everyone,
I have an issue that I have yet to find a clear and detailed answer to. I am the lead Mac admin at a large public university of 40,000+ users that uses Active Directory for all user accounts, home volumes, etc. I have read the white pages published by Joel Rennich, Mike Bombich, and the custom OD page by John Grigutis from IU and I have the whole “Magic Triangle” setup working great for managed preferences and fully kerberized services. The only issue that I have run into is that I cannot find a way to provide an alternate home volume location (using a kerberized AFP/SMB Mac OS X server) for any AD user. Our AD system uses the Distributed File System (DFS) for all shares and home volumes and Mac OS X doesn’t support DFS, which is a big pain in the rear. We have evaluated ADmitMac but due to the cost, it is not a real option for our users and local admins. Since our AD admins are not willing to make changes to the schema or allow anyone other than AD admins to edit profiles, I have no way of editing AD user records to have the AD users’ home location to point to another non-DFS file server. I have tried creating a custom LDAP setup on the client side in Directory Access to remap NFSHomeDirectory (#/Network/Servers/FQDN_of_my_fileserver_server/Users/$uid$), HomeDirectory (#
[i]”You are unable to log in to the user account “username” at this time. Logging in to the account failed because an error occurred. The home folder for the user account is located on an AFP or SMB server. Contact your system administrator for help.”[/i]
Well, I am the system administrator and I know that the home volume is located on an AFP/SMB share. Duh. 😉 I have also tried the solution that John Grigutis uses at IU where he exports users from AD and imports them to a main OD server that is kerberized and I cannot get that to work either. I have enabled the debug log with all of my testing and I cannot find anything that sticks out like a sore thumb. All of my test servers/clients are running Mac OS X 10.4.8 for what it is worth.
Basically, what I would like to know is whether providing alternate home folders is even possible without making changes to the schema or user account attributes? So many local departmental admins and users have been asking me this for a while now and I am really close to giving them a working solution, with the last piece being home folders managed by OD. Any ideas, tips, suggestions, or questions will be greatly appreciated.
Many thanks!
You’re just about there…
– OD server is a Master with DNS (reverse and forward) working.
– Create your home directory share with networking mounting enabled (automount) on your OSX server.
– Bind your clients to AD and OD, but AD would be first under authentication,
– On the AD server select a drive letter and the path would be “/servername/share/username”
– In directory access on the client go under the advanced AD plug-in settings and uncheck “Force Local Homes” and change the network protocol to AFP.
That’s about it.
Many thanks for the reply Ross. I have done everything that you suggested. My OD Master server does have forward and reverse DNS lookup working since I am using my university’s DNS servers and I have no issues with resolving FQDN and IP addresses. The order for authentication is correct on the client side and I have set the proper options within the AD plug-in. However, as mentioned in my previous post, I have no access to change any attributes on the AD side since our AD admins do not seem to be willing to assist, and that allowing me to do so would be “against policy.” In other words, I have no way to select a drive letter and set a path on the main campus AD servers since I do not have access. Everything with the magic triangle setup works great except for the fact I do not have a way to serve out home folders that do not reside on AD, but on a private AFP/SMB server. It has been a very frustrating battle.
At this point, I am open to all ideas, questions, and suggestions.
Without the ability to select a drive letter in the profile path and putting in the home directory path you will not be able to do this as far as I know. This should not be against policy as the Xserve is just a domain member now, so it's just another Windows server as far as the AD admins are concerned. You're not changing attributes, you're simply defining the home directory location. I can see the concern for extending the schema but this has nothing to do with that.
Greetings Ross and Abrose,
One trick that I am trying, and I am looking for the reference script on, is to use a login script to set the home area by lookup (in either Directory Service). Two troubles that I have experienced with universities having similar issues are that neither the UIDs nor the home areas are in an acceptable form.
If it were just our Macs this would only be a small issue. However, my department has legacy UNIX (Sun, IRIX, AIX, and Linux) which are not considered legacy and must be supported too. The OD can do this by itself for the other UNIX(s).
The options we have considered are
– The magic triangle (discussed at WWDC 2005/2006)
Critical user variables not set are UID and home area.
Weird authentication issues for clients, along with strange file sharing experiences.
– The reverse magic triangle (with cross realm)
It works great for remote login, but console login forces AD identity which requires the script to alter the home area.
The UID(s) do not match thus NFS is rendered ineffective, to say the least.
– A hybrid of the magic triangle with duplicate entries to handle the other UNIX(s)
for the Macs, the same issues result in this case as they do in the reverse magic triangle.
Since Abrose and I have nearly identical problems, it seemed appropriate to collaborate on this point.
Later,
Dan Beatty
dan.beatty@ttu.edu
CS, Texas Tech University
Hi danbgood,
may I ask what you mean when you say
[quote]Two troubles that I have experienced with universities having similar issues are that neither the UIDs nor the home areas are in an acceptable form. [/quote]
I am in a similar situation to abrose, but only need to use the Windows SMB Home, which is not DFS, but nevertheless does not mount, or even attempt to mount.
I agree with Ross when he says that it ought not to be against policy for the Home path to be adjusted in the profile. The only issue I can see is if those users also use Windows and there are issues with home connection your AFP Home share.
Good luck.
Greetings dom9inic,
In my university’s case, the variables for user’s home are purposefully not set. The IT department does not permit any changes to the AD entries, despite the fact the schema supports it.
Also, my department happens to be a very UNIX centric department and has been for nearly 20 years. As far as my department is concerned, upgrading means the next model of UNIX infrastructure. Amongst services used in the department is NFS. Laugh all you want, but in the department’s case it makes sense. The UniqueID attribute in our university’s AD server for certain does not match the UID in our present directory service.
In our university’s case, it is illegal for a departmental IT service professional to make any such adjustment to a user’s directory entries. The run-around our students will see for even trying to make such an adjustment is enormous. The university avoids the issue to avoid the ensuing chaos that would result from filling these user variables. I cannot say that I blame them, since the rush of 30,000 students would be quite substantial.
Later,
Dan
Hi danbgood,
thanks for answering that. I do understand and am generally for tight policing of directory changes. But I’m also for good discussion surrounding very valid needs for directory attribute changing. Without the possibility of dialogue it seems to create the us v them departmental gridlock that seems unfortunately entirely inevitable in IT.
Sorry, that sentence ran away from me. Sometimes it can feel that more of my job is political than managing computer systems. Very frustrating and tedious.
The problem may be that the auto-mount path is too long. This could have started if you’ve recently changed the share volume; there may be something like a 64 character limit to the automounted share… It’s worth checking on your client’s system.log.
Just try trimming the shared mount’s name, it’ll work wonders.
…and don’t forget, if you do this make sure you remove the /path/to/networkusers/home/com.apple.sidebar.plist, otherwise your users won’t be able to get to their home using the Finder window…
>> Unable to log in at this time. Your home folder is located on an afp or smb server. please contact your system administrator. <<
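The steps Ross lists (an AFP share with network mounting enabled, a home location of server/share/username, the AD plug-in set to AFP) and the later warning about the automount path length both come down to two attributes on the user record: HomeDirectory and NFSHomeDirectory. The script below is an added example for this thread, not code from any of the posters; it parses the text that `dscl <node> -read /Users/<name> HomeDirectory NFSHomeDirectory` prints (the records embedded here are constructed samples, and `fileserver.example.edu` is a made-up host), checks that the two attributes describe the same afp:// or smb:// location, and flags automount paths longer than the 64-character limit the thread mentions, which is treated here as an assumed hard threshold rather than a documented one.

```python
"""Sanity-check the home-folder attributes of an OD/AD user record (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample of dscl output for a user whose home is on an AFP share.
# dscl prints a value on the following line, indented by one space, when it
# will not print the value inline; the parser accepts both layouts.
SAMPLE_RECORD = """\
HomeDirectory:
 <home_dir><url>afp://fileserver.example.edu/Users</url><path>jdoe</path></home_dir>
NFSHomeDirectory: /Network/Servers/fileserver.example.edu/Users/jdoe
"""

# Constructed sample with a long share name: consistent attributes, but the
# resulting automount path is longer than the limit quoted in the thread.
LONG_SHARE_RECORD = """\
HomeDirectory: <home_dir><url>afp://fileserver.example.edu/Departmental_Network_Home_Folders</url><path>jdoe</path></home_dir>
NFSHomeDirectory: /Network/Servers/fileserver.example.edu/Departmental_Network_Home_Folders/jdoe
"""

MAX_AUTOMOUNT_PATH = 64  # assumption: the "something like 64 characters" from the thread


def parse_dscl(text):
    """Turn dscl's 'Key: value' / indented-continuation output into a dict."""
    attrs = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            attrs[key] = line.strip()          # continuation line carries the value
            continue
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:
            key = m.group(1)
            attrs[key] = m.group(2).strip()
    return attrs


def parse_home_dir(xml):
    """Split the <home_dir> blob into (url, relative path); None if malformed."""
    m = re.fullmatch(
        r"<home_dir><url>([^<]+)</url><path>([^<]*)</path></home_dir>", xml.strip())
    return (m.group(1), m.group(2)) if m else None


def check_home(record_text):
    """Return a list of problems; an empty list means the record looks sane."""
    attrs = parse_dscl(record_text)
    problems = []
    home = parse_home_dir(attrs.get("HomeDirectory", ""))
    if home is None:
        problems.append("HomeDirectory missing or not <home_dir><url>..</url><path>..</path></home_dir>")
        return problems
    url, rel = home
    u = urlparse(url)
    if u.scheme not in ("afp", "smb"):
        problems.append(f"HomeDirectory URL scheme {u.scheme!r} is not afp or smb")
    if not u.hostname or "." not in u.hostname:
        problems.append("HomeDirectory URL host should be the server's FQDN (forward/reverse DNS)")
    share = u.path.strip("/")
    if not share:
        problems.append("HomeDirectory URL names no share point")
    # The automount location the client will use; NFSHomeDirectory must agree with it.
    expected_nfs = f"/Network/Servers/{u.hostname}/{share}/{rel}".rstrip("/")
    nfs = attrs.get("NFSHomeDirectory", "")
    if nfs != expected_nfs:
        problems.append(f"NFSHomeDirectory {nfs!r} does not match {expected_nfs!r}")
    if len(expected_nfs) > MAX_AUTOMOUNT_PATH:
        problems.append(f"automount path is {len(expected_nfs)} chars, over the "
                        f"{MAX_AUTOMOUNT_PATH}-char limit; shorten the share name")
    return problems


if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_RECORD), ("long share", LONG_SHARE_RECORD)):
        print(name, "->", check_home(rec) or "OK")
```

On a real client you would feed it the output of `dscl` for the node the user actually authenticates through; a record that passes these checks but still produces the "home folder is located on an AFP or SMB server" error points at the mount itself (DNS, Kerberos, or the share's network-mount setting) rather than at the record.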