Forum Replies Created
dom9inic (Participant)
Judging from your last post, it’s clear I’ve not really understood how this setup should work.
My setup is as follows (briefly):
Macs authenticate against Active Directory server on our subnet and get SSO access to any AD shares.
They also get MCX from my ODM, and get SSO to any afp shares, not that I have a mix, but they can if needed.
I have one Xserve, it is my ODM. Its roles are ODM, iChat server for staff, NetBoot, NetInstall and hopefully intranet for the Macs.
Kerb is enabled on this ODM, if I do ‘sudo klist -kt’ I get an appropriate entry:
3 07/11/05 13:59:43 http/[email protected]
When I log in as an AD user (desktop managed in OD groups through WGM on my ODM) I cannot hit the site when I create a realm for it and insist on Kerb authentication.
Am I fundamentally missing the point?
Help is much appreciated as usual.
dom9inic (Participant)
Thanks Josh,
I had read the article a few times, but re-reading it I notice you say something about “then user who login to their network homes, will get a TGT ticket and be able to surf to the site..”
Well, that’s the problem in my environment, AD logins but the AD HomeDirs are not mounting for some reason I cannot get to the bottom of, so perhaps that’s why the Kerb REALM on my site does not work.
Cheers anyway
dom9inic (Participant)
Good point, I was forgetting that, silly me. I’ll look when I’m back in.
Cheers for the sanity check.
dom9inic (Participant)
I’d suggest reading this:
https://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf
It shows you how to host HomeDirs on your ODM for your AD logins.
dom9inic (Participant)
Excuse my ignorance, but if I don’t have Mail services started, how does it do this?
Also in the From box in Server Monitor > Edit Notifications, should this be the Superuser account at the Xserve? Or from an existing AD Exchange account?
Thanks again,
dom9inic (Participant)
Hi,
You need to use WGM to create an Open Directory Printer.
Click the Bullseye in WGM
Then create New Record
In the main window edit the attribute RecordName, this is the name you wish your users to see. It can be anything.
Then hit the new attribute button and from the resulting window drop down the Attribute Type menu and choose PrinterLPRHost and supply the IP address of the printer in the “Text” window. Save.
Then hit the new attribute button again and from the drop down choose PrinterType. You must then give the exact Model Name as shown in the actual PPD file for the printer. Hit save. That’s it. Now when users add a new printer, they can browse Open Directory and see the printer. It will then give the user all the options that that PPD allows, including Duplex.
Hope this helps.
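The same Open Directory printer record built from the command line instead of WGM, as an added example that is not from the post: it pulls the exact ModelName out of the PPD (the step people most often get wrong) and emits the equivalent dscl commands. The OD node path, record name, IP and PPD contents are constructed placeholders, and using the standard attribute names PrinterLPRHost/PrinterType with dscl is an assumption.

```shell
#!/bin/sh
# Added example, not code from the forum post. Assumed: the OD node path,
# record name and IP below are placeholders; PrinterLPRHost/PrinterType are
# taken to be the same standard DS attribute names WGM shows.
set -eu

# Print the value of the *ModelName: line of a PPD exactly as written
# (surrounding quotes removed, CRs stripped in case the PPD was edited on Windows).
ppd_model_name() {
  tr -d '\r' < "$1" \
    | sed -n 's/^\*ModelName:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' \
    | head -n 1
}

# Emit (do not run) the dscl commands equivalent to the WGM steps in the post.
# $1 = OD node, $2 = record name users will see, $3 = printer IP, $4 = PPD path
od_printer_dscl_cmds() {
  model=$(ppd_model_name "$4")
  [ -n "$model" ] || { echo "no *ModelName line in $4" >&2; return 1; }
  case "$3" in
    *[!0-9.]*|'') echo "not a dotted-quad IP: $3" >&2; return 1 ;;
  esac
  printf 'dscl %s -create /Printers/%s\n' "$1" "$2"
  printf 'dscl %s -create /Printers/%s PrinterLPRHost %s\n' "$1" "$2" "$3"
  printf 'dscl %s -create /Printers/%s PrinterType "%s"\n' "$1" "$2" "$model"
}

# Constructed sample PPD fragment (CRLF line endings on purpose) for a stand-alone run.
SAMPLE_PPD=$(mktemp)
printf '*PPD-Adobe: "4.3"\r\n*ModelName: "Example LaserPrinter 9000"\r\n*NickName: "Example LaserPrinter 9000 v2"\r\n' > "$SAMPLE_PPD"

od_printer_dscl_cmds /LDAPv3/127.0.0.1 LabPrinter 192.0.2.10 "$SAMPLE_PPD"
```

Run the printed dscl lines on the ODM as a directory administrator once they look right; NickName is deliberately ignored because the post says to match ModelName.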
dom9inic (Participant)
To ChrisJasper,
when you say mount the network home in the local filesystem, you don’t mean:
/Users/username
Surely it must be
/Network/Servers/servername/username
or something similar?
Either way, what I get is a local homedir as I can see throughout the DirectoryService.debug.log
I can see NetInfo creating it. I just don’t see any AD activity failing.
Any idea why when I mount the share it only goes to the whole mount point? Again, this is me doing the following:
smb://servername/staff/username
I get the staff share mounted on the desktop and I open it and can see every user’s folder, but can only see the contents of my username.
dom9inic (Participant)
Hi all,
No MS Cluster behind the scenes.
Don’t know where to check the NIDB Cached User.
Connect to Server mounts the entire User Home Dir, so I can see all user home folders, but only have permissions to read/write within my home dir (meaning my test account). Is that the problem? That I cannot mount an individual Home Dir? That I’m only able to mount the whole share? The connect looks something like this:
smb://eg-example/staff/user.name
But this only results in the whole share being mapped. I can do the same leaving out the user.name.
Directory Service debug shows nothing that I can decipher. I see the CreateHomeDir running through NetInfo but no errors about trying to mount a remote HomeDir through the AD plug. Then again, that logfile is long and as I don’t know what a correct AD Plug Home Dir mount logfile should look like, I’m not sure what to look for.
tcpdump showed lots of handshaking between the AD servers but nothing of note about HomeDirs. Will do a few more, see if anything jumps out.
Will check sys log tomorrow, tired.
Thanks for all your help.
dom9inic (Participant)
Cheers Chrisjasper,
that’s what I thought you were driving at, just wanted to be clear. Especially as yet, the AD Home folder does not mount for my 10.4.3 clients at all. I even spoke to the Apple tech gurus at a recent event in London and they testified to my Directory Access setup. However, can’t get that folder to mount, which is delaying our rollout.
Need to remote monitor the login with DirectoryService.debug in hyper mode, see what gives.
dom9inic (Participant)
Hi Chrisjasper,
when you say,
“Make very certain that you have the correct path set in the users AD account, it is very case sensitive.”
What does that mean? You don’t mean specifying the correct path in the Directory Access Plugin, as there is no option to do so. You mean at the AD server? In that case, what is a correct Windows path that is compatible with the Mac Directory Access Plugin?
Does the Mac Directory Access Plugin require a specific Directory Structure on the AD Home Folder server? I didn’t think so, but then again, I’m not an authority.
Cheers
dom9inic (Participant)
As a small update, way upthread we spoke about permissions on a local home folder being incorrect due to naming convention. This was true, my account with the damned apostrophe was the problem, ah well, guess I’ll have to have that changed and email aliased to the new account, joy.
dom9inic (Participant)
Hi Macshome,
when you say,
“When using the mount on desktop setting of the AD plugin, it’s best to click the folder that it places in the Dock to jump right to the user folder.”
Not sure where in the AD Plugin you are looking. Do you mean Use UNC path to derive network home blah blah?
Perhaps of note is that when I manually mount the WinHome Share over SMB, you can only mount the root path, not the individual home of a user. You therefore, as you say, get everybody’s home folder at a really sluggish pace. Permissions are retained, but you can see all the root level home folders.
dom9inic (Participant)
Hi there,
Well, I will be attempting to have the Win AD specified home (as you said, a home dir mapped to a drive letter that follows win clients around) mount at login. Presumably this is the SMB home you are referring to?
When you say flaky, what issues are you talking about?
I don’t believe it is behind an MS cluster, but must ask more questions.
Cheers
dom9inic (Participant)
The setup is students logging into any machine in a lab, so catering for permission issues would require a login script to auto chmod the HomeDir.
dom9inic (Participant)
Hi Chris,
thanks for that, trouble is, that would require a login hook, however, I will forge ahead with getting the Win HomeDirs to mount, that ought to sort things out.
I will also have my username changed to omit the apostrophe.