Forum Replies Created

Viewing 15 posts - 31 through 45 (of 48 total)
    in reply to: erratic behaviour of Workgroup Manager #369668
    arekdreyer
    Member

    I’ve seen some strange things, but not this. Anything interesting in the password service logs in /Library/Logs on the server?

    in reply to: Custom resolve an URL? #368499
    arekdreyer
    Member

    Ugh, well, I can think of two ugly ways to do it.

    Option 1: Set your server to host dyndns.org. home1.dyndns.org will always resolve to 192.168.0.10 for instance. Note that this will, um, break any resolution for anything other than the fakey DNS records you create in your bogus dyndns.org zone. Yuck.

    Option 2: If you don’t want to break resolution for everything ending in dyndns.org (including http://www.dyndns.org!), use another of their free domains, or fork over the money to dyndns.org for your own domain name. dynadrian isn’t taken 🙂 Have your server serve up your bogus domain to the local network, but everyone outside your local network will get resolution from dyndns.org.

    In either case, point your internal clients to your server for DNS service, and allow your DNS server to recursively look up DNS for everything else it is not already serving.

    Ugly.

    in reply to: Mac users documents folder to Windows Server #368496
    arekdreyer
    Member

    Wow, you’ve ducked a bullet! There is a pull-down menu in Directory Access on how the home directory should be translated: SMB or AFP. I would venture to say that Services For Macintosh will make you very sad, and you’d be better off using SMB. Some might say SFM is evil. Seriously, check out ExtremeZ-IP; it is the only way I would serve AFP from a Windows server.

    arekdreyer
    Member

    If you are pointing to your internal IP addresses for network home directory, you can’t sync when you’re not at home, right?

    in reply to: Mac users documents folder to Windows Server #368493
    arekdreyer
    Member

    I’ve had success with a three step process.
    I assume your client is bound to both OD and AD.

    Executive Summary:
    Assign the home directory
    Set AD plugin options
    Use WGM to force synchronization

    Details:
    Step 1
    In Active Directory Users & Computers, assign a user an SMB Home Directory like X: and \\server\share\username.

    Step 2
    In Directory Access -> Active Directory -> Show Advanced Options,
    enable “Create mobile account at login”, “Force home directory on startup disk” [This is ignored if the user elects NOT to create a mobile account], and “Use UNC path from Active Directory to derive network home location”. [Note that the AD plugin uses the \\server\share\username you set in step 1].

    Step 3
    Workgroup Manager -> Accounts -> Computers -> Guest Computers -> “Define Guest Computer preferences here”
    Preferences -> Mobility -> Synchronization
    Enable “Synchronize account for offline use”
    [Of course, you can have much more granular control, but this gets all bound Mac clients. Careful!]

    Step 4
    Are you using ExtremeZ-IP to share out these files via AFP? SMB home directories have some, er, limitations.

    arekdreyer
    Member

    Did you see this thread?
    [url]https://www.afp548.com/forum/viewtopic.php?showtopic=16099[/url]

    in reply to: Open Directory / Active Directory Integration #368210
    arekdreyer
    Member

    [QUOTE][u]Quote by: dewats7[/u][p]
    I would like to have all user accounts in OD and have AD manage preferences and group policies for the computers.
    [/p][/QUOTE]

    We currently can’t manage AD Group Policy Objects from Open Directory.
    When we want to manage OD preferences from AD, we simply extend the AD schema, so that it includes the OD attributes and objects. Likewise, it would be technically possible to extend the OD schema to include AD attributes and objects, but supporting GPOs would require more than simply extending the OD schema, unfortunately.

    in reply to: Mounting homedir to network share behavior #366874
    arekdreyer
    Member

    When binding to Active Directory, the default is to “Force local home directory on startup disk”. I don’t quite understand what you want, but it sounds like you want to uncheck that option. Open Directory Access, (click the lock if necessary and authenticate as an admin) double click Active Directory, click Show Advanced Options.

    in reply to: AD and OD playing together #366873
    arekdreyer
    Member

    In my experience, “disable clear text passwords” is enabled by default for all clients, and I’ve only seen the “DSLDAPv3PlugIn: Required Policies not Supported: No ClearText. LDAP Connection for Node xx.yy.zz denied.” message if using trusted binding.

    in reply to: Active Directory Home Directories #366872
    arekdreyer
    Member

    That’s not supposed to happen, and you shouldn’t have to jump through these hoops; however, I ran into something which sounds really similar.

    Previous situation:
    I have two home folders servers, each with two external drives for homes. The home folders on home1 were /Volumes/AF/AF and /Volumes/GM/GM. On home2 they were /Volumes/NS/NS and /Volumes/TZ/TZ. (I didn’t want to share out the entire drive, otherwise they could have been just like /Volumes/AF I suppose)

    When making these network mounts, the network mount looked like:
    /Network/Servers/home1.ssh22.local/Volumes/AF/AF.

    I put \\home1.ssh22.local\Volumes\AF\AF\username into the SMB Home Directory field with the AD users and computers tool. The AD plug-in translated this into something wrong, like /Network/Servers/home1.ssh22.local/AF/username (I don’t remember what exactly, but the subfolders were getting stripped out). (I just tested this again with another sample network mount on an external drive, and there was no problem – why was it broken before but not now?)

    Steve Burke pointed me to a solution:
    I used /etc/fstab to statically mount the drives at the root of the boot volume, rather than relying on automount to mount them in /Volumes.

    Here’s the /etc/fstab of home1:
    [code]
    UUID=7F72E558-0680-3756-B1F1-64C9A5AA46AC /AF hfs rw 0 0
    UUID=17AA3F8B-7183-3133-BA5E-4F3F4878CD5D /GM hfs rw 0 0
    [/code]
    I used Disk Utility to determine the UUIDs of each drive.

    Finally, I created a symbolic link from /HomesAF to /AF/AF, so there are no subdirectories involved, and /Network/Servers/home1.ssh22.local/HomesAF is the format of where home directories live.
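
An added example, not code from the post or from Apple: a small offline checker for the two things the post above runs into, a nested share path under /Volumes that the AD plug-in mangled, and the flat, statically mounted layout that fixed it. The UNC-to-/Network/Servers mapping in `unc_to_network_home` is an assumption modelled on the paths quoted in the post (the plug-in’s exact rules are not on the page); the fstab lines are the ones from home1, and the `\\home1.ssh22.local\HomesAF\username` UNC and the `/HomesAF -> /AF/AF` symlink table are constructed from the post’s description.

```python
"""Offline sanity check for AD-derived network home layouts (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# /etc/fstab of home1 as quoted in the post (UUID-keyed static mounts).
FSTAB_HOME1 = """
UUID=7F72E558-0680-3756-B1F1-64C9A5AA46AC /AF hfs rw 0 0
UUID=17AA3F8B-7183-3133-BA5E-4F3F4878CD5D /GM hfs rw 0 0
"""

# Constructed from the post: the UNC that broke, and the flat one that worked.
BROKEN_UNC = r"\\home1.ssh22.local\Volumes\AF\AF\username"
FIXED_UNC = r"\\home1.ssh22.local\HomesAF\username"
# Symlink created on home1 so no subdirectories sit between share and user.
SYMLINKS = {"/HomesAF": "/AF/AF"}


@dataclass
class FstabEntry:
    uuid: str
    mount_point: str
    fstype: str
    options: str


def parse_fstab(text: str) -> List[FstabEntry]:
    """Parse 'UUID=<id> <mountpoint> <fstype> <options> <dump> <pass>' lines."""
    entries: List[FstabEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("UUID="):
            raise ValueError(f"unexpected fstab line: {raw!r}")
        entries.append(FstabEntry(fields[0][len("UUID="):], fields[1], fields[2], fields[3]))
    return entries


def split_unc(unc: str) -> List[str]:
    r"""'\\server\share\user' -> ['server', 'share', 'user']."""
    if not unc.startswith("\\\\"):
        raise ValueError("UNC path must start with two backslashes")
    parts = [p for p in unc[2:].split("\\") if p]
    if len(parts) < 3:
        raise ValueError("UNC home needs at least server, share and user")
    return parts


def unc_to_network_home(unc: str) -> str:
    """Assumed mapping onto the /Network/Servers/<host>/... form the post quotes."""
    return "/Network/Servers/" + "/".join(split_unc(unc))


def check_home_layout(unc: str, fstab_text: str, symlinks: Dict[str, str]) -> List[str]:
    """Return warnings; an empty list means the layout is flat and statically mounted."""
    parts = split_unc(unc)
    share_path = parts[1:-1]  # components between the server and the username
    warnings: List[str] = []
    if len(share_path) > 1:
        warnings.append("nested share path %s: the post reports the AD plug-in "
                        "stripping subfolders" % "/".join(share_path))
    if share_path[0] == "Volumes":
        warnings.append("share lives under /Volumes and depends on automount; "
                        "use a static /etc/fstab mount at the root instead")
    mounts = {e.mount_point for e in parse_fstab(fstab_text)}
    top = "/" + share_path[0]
    resolved = symlinks.get(top, top)  # follow a root-level symlink if any
    root = "/" + resolved.lstrip("/").split("/")[0]
    if share_path[0] != "Volumes" and root not in mounts:
        warnings.append(f"{top} (-> {resolved}) is not backed by a static fstab mount")
    return warnings


if __name__ == "__main__":
    for unc, fstab, links in ((BROKEN_UNC, "", {}), (FIXED_UNC, FSTAB_HOME1, SYMLINKS)):
        print(unc, "->", unc_to_network_home(unc))
        for w in check_home_layout(unc, fstab, links) or ["ok"]:
            print("  ", w)
```

Run it as-is to see the broken layout flagged twice and the fixed one pass; feed it your own fstab text and UNC to check a layout before pointing users at it.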

    in reply to: AD and OD playing together #366817
    arekdreyer
    Member

    Are you using trusted binding to bind the client to the ODM?

    in reply to: Changing passwords via LDAP modify #366729
    arekdreyer
    Member

    [quote]So: is it possible to issue an LDAP-modify command that succeeds in changing a user’s password on OpenDirectory?[/quote]

    Try asking again. Normally, a user’s password is not stored in Open Directory (if it is stored, it would be stored in a crypted hash, readable by any user who wants to grab it for an offline attack).

    A user’s password [actually various hashes of the password] is stored in the password server database, and in the kerberos principal database.

    So, no, it’s not possible to use LDAP commands to modify pws and kdc info.

    in reply to: Replicas behind NAT #366702
    arekdreyer
    Member

    Sorry, I should have said PAT rather than NAT. All ports are forwarded to the internal address of the Mac OS X server. Yes, that makes a big difference.

    in reply to: AD-OD integration MCX problem #365215
    arekdreyer
    Member

    Are you sure your Mac OS X client is bound to the Open Directory master? Believe it or not, automount can work even if the client is not bound! Show us your evidence (via dscl) that your client-master relationship is ok.

    in reply to: Limit login on Server to AD Domain Admins #364260
    arekdreyer
    Member

    [QUOTE]when I log in to the server using a Domain Admin account, I am not able to administer[/QUOTE]

    This just refers to local administration, like being able to run Software Update or change system preferences that affect more than the currently logged in user.

    I suppose you can’t lock the server in a room that non-admins don’t have a key to?
