Forum Replies Created

Viewing 8 posts - 1 through 8 (of 8 total)
    in reply to: Augmented Users Frustration #381748
    OmniBlade
    Participant

    I found that a combination of both provided the most reliable solution: you augment the user accounts with the correct home directory location and then add the Sync URL at group level to ensure the correct settings get written locally when the account is first set up.

    in reply to: “The Cylinder of Destiny” #378770
    OmniBlade
    Participant

    I couldn’t get the bombich script to run properly either. I ended up having to modify some bash scripts someone had already done the hard work on to make queries against AD records using ldapsearch and get user names for the groups and OUs I was interested in, pass them into an array and use an if loop to iterate over the user names, creating an augment for each user with dscl and filling out some records with defaults that I wanted to be able to manipulate later (such as quota augments and such).

    in reply to: Kerberized services only work on AD DNS subdomain #378175
    OmniBlade
    Participant

    I was never able to fix this since I don’t have sufficient access to the AD side of our network for the solutions I found; however, my research led me to articles discussing this as being similar to a “Split Horizon DNS” configuration, so you may wish to start your investigations there.

    in reply to: AD authentication OD Mobile Account 10.6.2 #378173
    OmniBlade
    Participant

    Are you applying augments to the AD accounts then? If so, have you set the paths for HomeDirectory and NFSHomeDirectory to point to the correct places? Also, you may find it works better if you rely on the AD plugin to prompt for mobile home creation rather than managed prefs, just use managed prefs for specifying the syncURL.
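The two replies above describe the same workflow from two ends: pull member short names for an AD group out of ldapsearch output, then write an augment record per user with dscl carrying the HomeDirectory and NFSHomeDirectory paths. The script below is an added example, not OmniBlade's script or anything from the forum. It assumes the OD node is /LDAPv3/127.0.0.1, that augment records live under /Augments and are named "Users:<shortname>", and a hypothetical AFP home share on "odm.example.com"; the LDIF it parses is constructed sample text, not a capture from a real domain. It generates the dscl commands as a reviewable script (dry run) rather than executing them, and it refuses short names that are not plain lowercase identifiers, since directory data should never reach a shell unvalidated.

```python
"""Parse ldapsearch LDIF output for an AD group and emit the dscl commands that
create one augment record per member (added example; assumptions marked)."""
import base64
import re
import shlex
import subprocess
from typing import List, Tuple

# Constructed sample of what `ldapsearch -LLL ... sAMAccountName` might return.
# Not real directory data. LDIF writes base64 values with a double colon.
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Staff,DC=example,DC=com
sAMAccountName: asmith

dn: CN=Bob Jones,OU=Staff,DC=example,DC=com
sAMAccountName: bjones

dn: CN=Carol Doe,OU=Staff,DC=example,DC=com
sAMAccountName:: Y2RvZQ==

dn: CN=Odd Entry,OU=Staff,DC=example,DC=com
sAMAccountName: bad name;rm

"""

OD_NODE = "/LDAPv3/127.0.0.1"                              # assumption: local OD master
AFP_SHARE = "afp://odm.example.com/Homes"                  # assumption: hypothetical share
NFS_HOME_ROOT = "/Network/Servers/odm.example.com/Homes"   # assumption: its automount path

# Only accept short names that are safe to embed in record paths and scripts.
SHORTNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")
ATTR = "sAMAccountName"


def parse_members(ldif: str) -> List[str]:
    """Return every sAMAccountName value in the LDIF text, in order,
    decoding base64 ('::') values as ldapsearch emits them."""
    names = []
    for line in ldif.splitlines():
        if line.startswith(ATTR + ":: "):
            raw = line[len(ATTR) + 3:].strip()
            names.append(base64.b64decode(raw).decode("utf-8"))
        elif line.startswith(ATTR + ": "):
            names.append(line[len(ATTR) + 2:].strip())
    return names


def split_valid(names: List[str]) -> Tuple[List[str], List[str]]:
    """Separate short names that match the allow-list from ones to report and skip."""
    valid = [n for n in names if SHORTNAME_RE.match(n)]
    rejected = [n for n in names if not SHORTNAME_RE.match(n)]
    return valid, rejected


def augment_commands(shortname: str) -> List[List[str]]:
    """argv lists that create the augment record and set both home attributes.
    HomeDirectory uses the OD <home_dir><url/><path/></home_dir> form."""
    record = f"/Augments/Users:{shortname}"          # assumption: augment naming
    home_dir = f"<home_dir><url>{AFP_SHARE}</url><path>{shortname}</path></home_dir>"
    return [
        ["dscl", OD_NODE, "-create", record],
        ["dscl", OD_NODE, "-create", record, "HomeDirectory", home_dir],
        ["dscl", OD_NODE, "-create", record, "NFSHomeDirectory",
         f"{NFS_HOME_ROOT}/{shortname}"],
    ]


def render_script(shortnames: List[str]) -> str:
    """Shell script text with every argument quoted, for review before running."""
    lines = ["#!/bin/bash", "set -euo pipefail"]
    for name in shortnames:
        for argv in augment_commands(name):
            lines.append(shlex.join(argv))
    return "\n".join(lines) + "\n"


def run(shortnames: List[str], dry_run: bool = True) -> int:
    """Execute the commands (or just count them when dry_run). Returns the count."""
    count = 0
    for name in shortnames:
        for argv in augment_commands(name):
            if not dry_run:
                subprocess.run(argv, check=True)
            count += 1
    return count


if __name__ == "__main__":
    valid, rejected = split_valid(parse_members(SAMPLE_LDIF))
    for bad in rejected:
        print(f"# skipped unsafe short name: {bad!r}")
    print(render_script(valid))
```

Feed it real output with `ldapsearch -LLL -H ldap://dc.example.com -b "<base dn>" "(memberOf=<group dn>)" sAMAccountName` in place of SAMPLE_LDIF, keep `dry_run=True` until the rendered script looks right, and add `-u diradmin -P` arguments to the dscl argv lists if your OD node requires authentication for writes.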

    in reply to: Cannot logon to magic triangle mobile account when off network #378036
    OmniBlade
    Participant

    I believe I’ve solved the issue. To get single sign-on working, I followed a guide advising to change “builtin:authenticate,privileged” to “builtin:krb5authnoverify,privileged” under system.login.console in /etc/authorization. This works great as long as the computer is connected to the network as this change REQUIRES contact with the KDC to authenticate, a fact not pointed out by the people suggesting this as a solution. For those wanting mobile accounts that may be used offline, adding “builtin:krb5login” under system.login.done instead in /etc/authorization seems to have the desired effect of grabbing the tgt after authentication if the KDC is available but otherwise allowing login to proceed.

    I figured it couldn’t be the AD plugin after I tried using a pure AD account without any augments and still having no luck.
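The post above contrasts two edits to /etc/authorization: swapping the local authenticate mechanism for krb5authnoverify in system.login.console (which makes every login depend on the KDC), versus leaving the console right alone and appending krb5login to system.login.done. The script below is an added example, not from the forum, that applies each variant with plistlib so the result can be reviewed before it touches the real file. The plist it works on is a constructed minimal stand-in with only two rights and a couple of mechanisms; the actual file carries many more, and only the mechanism names quoted in the post are real. The `offline_login_preserved` check encodes the post's observation (local authentication still present, no KDC-requiring mechanism in the console right); it is a review heuristic, not an Apple API.

```python
"""Apply the two /etc/authorization edits the post compares and check which
one keeps off-network login possible (added example; stand-in plist)."""
import plistlib

# Constructed stand-in for /etc/authorization, not a copy of a real file.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:login-begin</string>
      </array>
    </dict>
    <key>system.login.done</key>
    <dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

LOCAL_AUTH = "builtin:authenticate,privileged"      # checks the local/cached credential
KDC_ONLY_AUTH = "builtin:krb5authnoverify,privileged"  # needs the KDC at login time
TGT_AFTER_LOGIN = "builtin:krb5login"               # fetches a TGT once login succeeded
CONSOLE = "system.login.console"
DONE = "system.login.done"


def load(data: bytes) -> dict:
    return plistlib.loads(data)


def dump(auth: dict) -> bytes:
    return plistlib.dumps(auth)


def mechanisms(auth: dict, right: str) -> list:
    return auth["rights"][right]["mechanisms"]


def apply_online_only_sso(auth: dict) -> dict:
    """The guide's edit: replace local authentication with krb5authnoverify in
    the console right. Every login now requires contact with the KDC."""
    right = auth["rights"][CONSOLE]
    right["mechanisms"] = [KDC_ONLY_AUTH if m == LOCAL_AUTH else m
                           for m in right["mechanisms"]]
    return auth


def apply_offline_tolerant_sso(auth: dict) -> dict:
    """The post's alternative: keep console authentication as is and add
    krb5login to system.login.done, so the TGT is fetched only if the KDC answers."""
    mechs = mechanisms(auth, DONE)
    if TGT_AFTER_LOGIN not in mechs:
        mechs.append(TGT_AFTER_LOGIN)
    return auth


def offline_login_preserved(auth: dict) -> bool:
    """Heuristic from the post: off-network login survives only while the console
    right still authenticates locally and contains no KDC-requiring mechanism."""
    mechs = mechanisms(auth, CONSOLE)
    return LOCAL_AUTH in mechs and KDC_ONLY_AUTH not in mechs


def online_only_variant() -> dict:
    return apply_online_only_sso(load(SAMPLE_AUTHORIZATION))


def offline_tolerant_variant() -> dict:
    return apply_offline_tolerant_sso(load(SAMPLE_AUTHORIZATION))


if __name__ == "__main__":
    for label, variant in (("online-only", online_only_variant()),
                           ("offline-tolerant", offline_tolerant_variant())):
        print(f"{label}: console={mechanisms(variant, CONSOLE)} "
              f"done={mechanisms(variant, DONE)} "
              f"offline login preserved={offline_login_preserved(variant)}")
```

To use it on a real system, read the file with `plistlib.load(open("/etc/authorization", "rb"))`, write the modified dict to a copy, diff the copy against the original, and only then replace the live file from a root shell with a backup kept alongside.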

    OmniBlade
    Participant

    Sorry, I probably haven’t been as clear as I needed. The home folders are on an xsan that the OD server is a part of and it shares the home folder location via afp, and the home folder locations are augmented to reflect that (the same as if they were just specified under the home tab in workgroup manager for a user). That all works fine and users can log on when they are connected to the network. What I am trying to do for the AD users (and can for an OD user) is create a portable home directory on the local machine that will sync to the server via afp and log on using directory authentication, but will cache the credentials so it can be used away from the network. I have everything working apart from that last part.

    in reply to: Kerberos SSO, Safari, and IIS web servers #377848
    OmniBlade
    Participant

    Can you get a kerberos ticket using the kerberos app (10.5) or ticket viewer (10.6) and then access the kerberized services without entering further credentials?

    OmniBlade
    Participant

    Well I seem to have partially solved the problem by copying the 10.5 kerberos utility across and using it to destroy the existing TGT and get a new one. Why that has kind of worked I don’t know, I just wanted to use it to get more info on what tickets I had. Only problem is that it’s hit and miss, some services work and some don’t. For those that don’t I appear to get a malformed ticket dated to 1970 of the form “krb5_ccache_conf_data/negative-cache/http/server.domain.com@@X-CACHECONF”. Strangely, this doesn’t happen if I access kerberised services from the ODM, they all work fine and I get the correct tickets, only the test client. A Google search didn’t turn up anything useful on this unfortunately.

    Using the PHDs offline still doesn’t seem to work though :/
