Forum Replies Created
chrisjasper
Participant
We have had some serious problems along the same lines and it has turned out to be because the time on the servers is going outside the Kerberos window.
Auto update for the Date and Time control panel has not been working and the Xserves have been losing as much as 6 minutes in two weeks.
Eventually I have had to schedule ntpdate -u cron jobs to ensure the servers keep time with the AD Domain Controller.
It's worth looking at the time on your server before rebooting and rebinding.
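As an added example (not part of chrisjasper's reply or any script of his), the check below parses the output of `ntpdate -q` against a domain controller and reports whether the offset is inside the Kerberos clock-skew window before you reboot and rebind. The 5 minute window, the placeholder DC hostname and the sample `ntpdate` line are all assumptions; the sample is constructed so the script runs without a domain controller on hand.

```shell
#!/bin/sh
# Added example, not the poster's own cron job: before rebooting and rebinding,
# check how far the server clock is from the domain controller, because Kerberos
# rejects authentication once the skew exceeds its window.
# Assumptions: a 5 minute window (the usual default) and a placeholder DC name.
MAX_SKEW_SECONDS=300
DC_HOST="dc1.example.invalid"   # placeholder, replace with your own AD domain controller

# Parse `ntpdate -q <server>` output and print the absolute offset in whole
# seconds. Expected line shape (query mode does not change the clock):
#   server 192.0.2.10, stratum 2, offset -372.123456, delay 0.02570
offset_seconds() {
    printf '%s\n' "$1" | awk '
        /offset/ {
            for (i = 1; i <= NF; i++)
                if ($i == "offset") { off = $(i + 1); sub(/,/, "", off); off = off + 0 }
            if (off < 0) off = -off
            printf "%d\n", off
            exit
        }'
}

# Return 0 when the skew is inside the Kerberos window, 1 when it is outside.
skew_ok() {
    secs=$(offset_seconds "$1")
    [ "$secs" -le "$MAX_SKEW_SECONDS" ]
}

# Constructed sample output (not a real capture): a 6 minute drift like the one
# described in the post.
SAMPLE='server 192.0.2.10, stratum 2, offset -372.123456, delay 0.02570'

main() {
    # Live use would be: OUTPUT=$(ntpdate -q "$DC_HOST")
    # The constructed sample keeps this runnable offline.
    OUTPUT="$SAMPLE"
    if skew_ok "$OUTPUT"; then
        echo "clock within Kerberos window; safe to rebind"
    else
        echo "clock skew of $(offset_seconds "$OUTPUT")s exceeds ${MAX_SKEW_SECONDS}s; fix the time (e.g. ntpdate -u $DC_HOST) before rebinding"
    fi
}
main

# Once the drift is fixed, a cron entry keeps it fixed (assumed schedule, hourly):
#   0 * * * * /usr/sbin/ntpdate -u dc1.example.invalid
```

Run it on the server before rebinding; a non-zero `skew_ok` is the sign that the bind failure is a clock problem rather than a directory one, which is the case the reply describes.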
chrisjasper
Participant
Silly question I know, but have you added the OD server as an LDAP entry in the Directory Access app?
You should have the local database, then the AD settings, then the OD/LDAP entry on the Authentication and Contacts tabs.
Also, are you trying to apply the settings to AD user groups added to the managed OD groups, or are you adding the AD users to managed OD groups?
The first method doesn't work for us, but adding AD users to OD groups works most of the time; there are a few oddities if the AD users are in too many OD groups.
chrisjasper
Participant
As Macshome stated, use WGM (Workgroup Manager): make sure your OS X server is set up as an Open Directory Master, create the user accounts and, on the Home Directory tab for each user account, specify the path to the directory.
Make sure the user actually has permission to the folder and you should be fine.
You can use the other Mac without too many problems, as long as you add the LDAP setting for the OD Master to it so that authentication works.
Although there is a limit to the number of users that are allowed to connect to a standard OS X machine for file sharing, 4 or 5 should be okay.
You should find that you can specify the Solaris box for the home directories though, but I'm not entirely sure how you set up the authentication between the OD Master and the Solaris box.
As for the order, the OD Master needs to come up first, so that you have authentication for the home directories and the client Macs, then the home directory machine. If your clients can't get authentication for the home directories they will be unable to log in to the client Macs, as they have to have a home directory.
chrisjasper
Participant
No, Zeheeba, the setting is to prefer a DC; if the client is unable to find the preferred DC it will check DNS to find another.
Can't think of a way to ensure that it finds the other local DC first though, as I believe it queries DNS and takes the first applicable record it receives, so if the 3rd DC is named in a way as to place it higher in the list of entries it would probably get picked up first.
chrisjasper
Participant
You can specify which domain controller you use in the Administrative tab of the AD plugin.
If you specify the DC, and have the correct forest and domain, then remove the tick from “Allow authentication from any domain in the forest”; that should mitigate the problem.
Fingers crossed.
chrisjasper
Participant
Dom9inic, the AD plugin derives the path from the AD account and mounts that path as your home directory as if it were on the local hard drive. If you customize the toolbar on your Finder windows and add the Path command you will be able to see where the home directory is coming from.
If the directory is on a non-Apple server it will mount the entire Users share on the desktop as well, and users will be able to see all the user folders, but as long as you have the correct security set up they will only be able to open their own.
This is due to Windows file sharing being a bit pants for Macs.
They should access their home directories through the Home icon in the Dock or the Home icon in the sidebar of Finder windows, rather than trying to browse the mounted share.
If you e-mail me I can send you a set of screenshots of an example setup that should work.
Do bear in mind though that SMB home directories can be pretty flaky from a Windows box; if you are intent on sharing home directories from a Windows server I would advise getting ExtremeZ-IP and sharing through AFP instead.
chrisjasper
Participant
To Dom9inic:
As long as you have the correct path in the AD profile setting and set the correct protocol (SMB in your case I believe), it should mount the network home directory in the local file structure; it should go direct to the necessary folder rather than mounting the entire share (although the share will mount as a volume on your desktop, the home folder will be placed directly in your sidebar).
To LazLong:
Got me stumped, not sure if the version of netatalk that comes with RHEL is fully compatible with OS X 10.4.3. Could you share a folder on a standard Mac workstation with the home folder to see if it mounts?
chrisjasper
Participant
It's worth checking the permissions on your folders: try setting a generic user account to “everyone” access on the folder and see if that mounts; if not, then the problem lies elsewhere.
SMB mounting for a Windows shared folder works for me; we are running Windows 2003 Server, 2000 may be a little more finicky.
To be honest though, we are starting to look at migrating away from network home folders and using mobile users instead; we have had a few instances where the AppleTalk listener has crashed and all our network home users just died, despite a complete reconfig of our entire network infrastructure. Mobile accounts give us the best of both worlds in terms of user experience and redundancy/backup.
chrisjasper
Participant
The path is set in the Profile tab of the AD user account in Active Directory Users and Computers; set the path to the correct server, share and folder, e.g. \\Server1\Users\ANOther. It doesn't matter which drive letter you map the folder to, I use P: for personal out of habit; the Mac ignores that part anyway.
There is no specific directory structure required; as long as you have the correct path typed in and the user has access to it, it should work fine. Not sure if the Mac will fill the folder with the necessary folder structure when the user first connects (Public, Movies, Pictures etc.) as we create our home folders manually at the moment, so we can use a specific template for the necessary settings and folders we need where I work.
(Edit: Apologies, the path above is supposed to have backslashes in but this forum appears to remove them; replace the forward slashes with backward ones. Ed. note: You have to escape your backslashes with yet more backslashes. 🙂 )
chrisjasper
Participant
The setting comes from the AD plugin in Directory Access; as long as you have bound the machine and set the correct kind of home directory it will work on 10.4.3.
You need to make sure “Force local home directory on startup disk” is unticked and make sure that “Use UNC path from Active Directory to derive network home location” is ticked.
Try to use AFP on an Apple server for the network home folder if you can; if you have it on a Windows server do not use AFP, as the Windows AFP stack will not work at all, use SMB.
ExtremeZ-IP will work very well though for AFP.
Make very certain that you have the correct path set in the user's AD account, it is very case sensitive.
Also ensure that the AD setting comes directly after the /NetInfo/DefaultLocalNode setting (this should be at the top and greyed out, as you should not be able to remove it) in the Authentication tab in Directory Access. If you have any other kind of authentication set up, such as LDAP authentication to an OD server, it must come after the AD setting.
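As an added example (not chrisjasper's own script), the check below applies the ordering rule from this reply to a Directory Access authentication search path: the local node first, the Active Directory node directly after it, and any LDAPv3/OD node later. The sample search path is constructed; on a real 10.4 client the list would come from something like `dscl /Search -read / CSPSearchPath`, which is an assumed invocation, not one taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's own tool: lint the Directory Access
# authentication search path against the order the reply describes.
# Constructed sample in the shape of a CSPSearchPath attribute dump (assumed
# format); feed real output into check_order in the same shape.
SAMPLE_SEARCH_PATH='CSPSearchPath:
 /NetInfo/DefaultLocalNode
 /Active Directory/All Domains
 /LDAPv3/odmaster.example.invalid'

# Print the node list one per line, dropping the attribute name and indentation.
search_nodes() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(\/.*\)$/\1/p'
}

# Return 0 if the order is local node, then Active Directory, then anything
# else (such as an LDAPv3 entry for an OD master); 1 otherwise, with the
# reason on stdout.
check_order() {
    nodes=$(search_nodes "$1")
    first=$(printf '%s\n' "$nodes" | sed -n '1p')
    case "$first" in
        /NetInfo/DefaultLocalNode) ;;
        *) echo "local node must be first, found: $first"; return 1 ;;
    esac
    ad_line=$(printf '%s\n' "$nodes" | grep -n '^/Active Directory/' | cut -d: -f1 | head -n 1)
    if [ -z "$ad_line" ]; then
        echo "no Active Directory node in the search path (machine not bound?)"
        return 1
    fi
    if [ "$ad_line" -ne 2 ]; then
        echo "Active Directory node must come directly after the local node (found at position $ad_line)"
        return 1
    fi
    echo "search path order OK"
    return 0
}

check_order "$SAMPLE_SEARCH_PATH"
```

The AD-at-position-2 test also covers the reply's last point: an LDAP entry for an OD server can only sit after the AD entry, never between it and the local node.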
chrisjasper
Participant
Flaky as in sometimes it just does not work over SMB; you will be unable to log in as the system cannot mount your home directory. This does seem to be dependent on the setup of your Windows server; Win2k seems less prone to not working than Win2k3 for some reason, at least that's what I have seen here.
It does work a lot better under 10.4.3, but OS X networking is still a little touchy and doesn't always work as advertised.
And if you are going to use Entourage and Exchange Server, make sure you apply all the patches to the Exchange server, as Entourage simply does not like network home folders…
chrisjasper
Participant
SMB homes are definitely flaky…
EZIP is very good if you don't have a Mac server, although moneywise a Mac server with an Xserve RAID is cheaper per gigabyte than a Windows server with EZIP.
Budgetary considerations are always a good way to get a couple of decent Mac servers in; finance departments like cheaper.
chrisjasper
Participant
Apologies, I was looking at my setup, which uses an LDAP OD connection as well as the AD one.
The local one stays there.
It looks like you are not connecting to AD correctly; the machine may not be correctly bound to the domain.
Remove the account from AD, re-bind, reboot, log in locally and make sure you can ping a domain controller.
When setting the domain names at the top of the dialog window, it's generally best to only enter the domain and let the machine find the forest names itself.
It's also worth specifying a domain controller, either by IP address or fully qualified domain name.
Open the advanced options for the AD plugin and click the Administrative button.
chrisjasper
Participant
As long as you are authenticated as a local admin you can delete the local one then add it back in; it will automatically place it after the AD entry.
Make sure you have a backup of your files before testing, of course; you don't want to find out that, because your AD and local usernames are the same, you get all your files overwritten by an empty network home folder.
chrisjasper
Participant
Apologies for the name change, hadn't got around to registering before now.
If you are using network home directories then you don't need to sync anything; the networked folder is mounted in the local machine's directory structure and functions exactly as a local home folder (with allowances for speed of network, of course).
As long as the AD plugin is set to use the network home specified in AD, and you don't use force local home, you don't need to chown anything on the local machines; they work exactly the same as roaming profiles under Windows.
It does actually work very well; do not attempt to use the mobile users feature though, it is really only any good for syncing documents, library files and prefs just don't work.