Forum Replies Created

Viewing 12 posts - 31 through 42 (of 42 total)
    in reply to: Failing automounts on AFP server #371123
    luke
    Participant

    I just reformatted and started from scratch, and got the very same behavior.

    My steps were:

    1. Install advanced server

    2. Enable reverse and forward DNS

    3. Enable AFP

    4. Enable automount on the Public share point which was already created for me (mounted at /Network/Public)

    5. Try to access that share point from this server.

    I guess this is the correct behavior?

    in reply to: 10.4 OD “Connect to” question #371075
    luke
    Participant

    I assume you want this to be dynamic so that you can save this URI as a .webloc file and have users click it to automatically connect.

    I don’t know of any magic variable substitution in the URI parser and would be surprised if they exist. What I would suggest instead is a small applescript to construct the URI based on the current username and then connect to it. If the directory doesn’t exist, you could probably trap it nicely and present a nicer error message to your user.

    luke
    Participant

    And that, MacTroll, was the aforementioned gap in my understanding. Thank you.

    I put the mappings back to normal, pressed Apply, then changed the search policy so that Contacts contains LDAP but Authentication does not.

    By “Authentication,” do they also mean things like automounts and MCX? I really don’t want that on my standalone laptop.

    in reply to: DNS + Primary Name Server 10.4.11 Server #370956
    luke
    Participant

    I would love to help, but I don’t understand your problem. “Domain” is a very overloaded word especially when talking about OpenDirectory.

    You have 16 primary DNS zones configured in BIND on this server, and are having trouble connecting to OD with Workgroup Manager because the host you’re connecting to won’t resolve. Is that correct?

    What is the server’s search domain (in Network system preferences) and what DNS server is it querying?

    Are you running Workgroup Manager on the server or from a client computer? If from a client, what is its search domain and what DNS server is it querying?

    What is the exact host that you’re connecting to in Workgroup Manager? Can you ping it? Does it resolve using the “host” command?

    In most situations, it is a good practice to have nameserver.mydomain.com point to the nameserver, although it is presumptuous of Mac OS X Server to do it for you.

    We need some more information about your setup.

    in reply to: Force a Zone Transfer #370955
    luke
    Participant

    To force a zone transfer, issue the following command as root on the secondary server:

    [code]
    rndc -p 54 retransfer mydomain.com
    [/code]

    where mydomain.com is the name of the zone you want to transfer. This doesn’t require you to restart BIND (downtime is bad).
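An added example, not from the original post: before forcing a transfer it is worth checking whether the secondary is actually behind, because `rndc retransfer` pulls the whole zone over AXFR from the primary. That also means the primary's `allow-transfer` must permit the secondary's address, and should permit only the secondaries. The script compares the SOA serial each server answers with and only then runs the `rndc` command from the post. The zone name and port 54 come from the post; the two host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SOA serial the
# primary serves with the one the secondary serves, and only call
# rndc retransfer when the secondary is behind.
# Assumptions: zone name and rndc port 54 as in the post; ns1/ns2 are placeholders.

ZONE="mydomain.com"
PRIMARY="ns1.mydomain.com"     # placeholder
SECONDARY="ns2.mydomain.com"   # placeholder
RNDC_PORT=54                   # the control channel port the post uses

# Pull the serial out of one line of `dig +short SOA` output, e.g.
#   ns1.mydomain.com. hostmaster.mydomain.com. 2008031501 3600 900 604800 86400
# The serial is the third whitespace-separated field.
soa_serial() {
    set -- $1
    echo "$3"
}

# Exit 0 when the secondary's serial is lower than the primary's, 1 when it is
# current, 2 when either serial is missing (a failed query must not trigger
# a transfer). Plain integer compare is fine for YYYYMMDDnn serials.
needs_retransfer() {
    primary_serial="$1"
    secondary_serial="$2"
    [ -n "$primary_serial" ] && [ -n "$secondary_serial" ] || return 2
    [ "$secondary_serial" -lt "$primary_serial" ]
}

# Ask one server for the zone's SOA record (needs dig on the path).
query_soa() {
    dig +short @"$1" "$2" SOA
}

# Compare live serials and retransfer if needed. Run as root on the secondary,
# since rndc talks to the local named's control channel.
sync_zone() {
    p=$(soa_serial "$(query_soa "$PRIMARY" "$ZONE")")
    s=$(soa_serial "$(query_soa "$SECONDARY" "$ZONE")")
    if needs_retransfer "$p" "$s"; then
        echo "secondary serial $s is behind primary $p; forcing AXFR of $ZONE"
        rndc -p "$RNDC_PORT" retransfer "$ZONE"
    else
        echo "secondary serial $s is current (or a query failed)"
    fi
}

# Constructed sample dig output, so the parsing can be exercised offline.
SAMPLE_PRIMARY="ns1.mydomain.com. hostmaster.mydomain.com. 2008031501 3600 900 604800 86400"
SAMPLE_SECONDARY="ns1.mydomain.com. hostmaster.mydomain.com. 2008031500 3600 900 604800 86400"

# Usage: sh retransfer-check.sh --live   (queries the real servers, then rndc)
if [ "$1" = "--live" ]; then
    sync_zone
fi
```

Without `--live` the script only defines the functions and the constructed samples; a serial that is equal on both sides, or an empty answer from a failed query, never leads to a transfer.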

    in reply to: Split DNS #370954
    luke
    Participant

    Camelot is right. There is no way to do a redirect with DNS. You can do a redirect with HTTP though.

    In Camelot’s option A, you would set up a web site on the mac, let store.company.com point to it, and have it serve an HTTP redirect to store2.company.com. store2.company.com would point to the Windows box and you would be on your way. Of course, if you can’t change the first domain, you probably can’t create store2.company.com to point to the Windows box either. You could redirect to the IP of the Windows box, but that’s going to look pretty amateur to your customers.

    Option B is much better, but quite a bit tougher. If you’ve got a linux or OpenBSD firewall in front of the mac, you can quite easily have it watch for a certain type of traffic and rewrite the packets to go to the Windows server. This won’t involve the mac at all, and will actually be very seamless (even with SSL). If you don’t have that sort of firewall in place, or aren’t familiar with how to configure it, it could be quite difficult. Let me know if you’re interested in this route though and I’ll dig up some resources.

    Option C is really the easiest and best way: Get them to change the damn DNS or take your business elsewhere. I have a domain with Network Solutions and I use their DNS hosting which is included with the domain (although it’s hidden in their control panel). You have full control over the DNS records (A, CNAME, etc) through a web interface. You can be sure they’ve got good uptime, too.

    in reply to: Firewall DNS issues #370953
    luke
    Participant

    You should run a caching DNS server on your Mac OS X Server and have all clients use it. It will contact the root name servers and cache the results.

    If you also need DNS to manage a domain name and public-facing services (a website, email server, etc.) you should look at the Split-Horizon DNS setup. See my post here: [url]https://www.afp548.com/forum/viewtopic.php?showtopic=18688[/url] and more information here: [url]http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html[/url]

    in reply to: Internal to external DNS issues #370952
    luke
    Participant

    You might try using a split-horizon DNS approach.

    Your internal DNS server is queried by internal machines only. It does DNS caching and forwarding for when your internal machines are surfing the Internet, and presents itself as the authority for your domain, where you hard-code all of the IPs for the various hosts (mail, helpdesk, www, etc.), and make no mention of any other external DNS servers (from towerstream.com). Don’t even let this internal server be queried from external computers. Block it at the firewall.

    Then, create a completely separate DNS server that is available from the outside, and hard code all of the same hosts but with whatever subtle differences you need. This is especially handy if that mail server has an internal IP and an external IP due to NAT forwarding.

    Since my internal DNS servers have hundreds of entries (for each internal machine on the network) but my external DNS servers only have a couple, I just use the DNS service provided by Network Solutions that comes with our domain name.

    See [url]http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html[/url]

    YMMV
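An added example, not from the original posts, covering both the caching-resolver advice in the "Firewall DNS issues" reply and the split-horizon layout in the "Internal to external DNS issues" reply: the same split (private addresses for the LAN, NAT'd public addresses for everyone else) done with BIND 9 views on a single named instead of two separate servers, with the two settings that keep it from being abused: no recursion for outside clients and no zone transfers except to a listed secondary. The script writes named.conf and the two zone files to a directory and checks them with BIND's own `named-checkconf` / `named-checkzone` when those are installed. Everything in it is constructed: example.com, 192.168.1.0/24 as the LAN, 203.0.113.0/24 as the public block.

```shell
#!/bin/sh
# Added example, not from the original posts: split-horizon DNS with BIND 9
# views. One zone name, two views, two different zone files.
# Constructed data throughout: example.com, 192.168.1.0/24 (LAN),
# 203.0.113.0/24 (public), 203.0.113.53 as the sole allowed secondary.

write_split_dns() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # Unquoted heredoc so $dir expands; named.conf has no other $ in it.
    cat > "$dir/named.conf" <<EOF
acl "lan"         { 192.168.1.0/24; 127.0.0.1; };
acl "secondaries" { 203.0.113.53; };      // the only host allowed to AXFR

options {
    directory "$dir";
    allow-transfer { none; };             // default for every zone
};

// LAN clients: recursion on (this is the caching resolver) and the internal addresses.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "example.com" { type master; file "example.com.internal"; };
};

// Everyone else: authoritative answers only, never an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.external";
        allow-transfer { "secondaries"; };
    };
};
EOF

    # Internal zone: private addresses. Quoted heredoc keeps $TTL literal.
    cat > "$dir/example.com.internal" <<'EOF'
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2008031501 3600 900 604800 86400 )
     IN NS  ns1.example.com.
     IN MX  10 mail.example.com.
ns1  IN A   192.168.1.2
mail IN A   192.168.1.10   ; private side of the NAT
www  IN A   192.168.1.11
EOF

    # External zone: the same names, public addresses.
    cat > "$dir/example.com.external" <<'EOF'
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2008031501 3600 900 604800 86400 )
     IN NS  ns1.example.com.
     IN MX  10 mail.example.com.
ns1  IN A   203.0.113.2
mail IN A   203.0.113.2    ; public side of the NAT
www  IN A   203.0.113.2
EOF
}

# Validate with BIND's checkers when present, and always confirm the split
# itself: "mail" is private inside and public outside, recursion is off for
# the external view, transfers are denied by default.
check_split_dns() {
    dir="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.com "$dir/example.com.internal" >/dev/null || return 1
        named-checkzone example.com "$dir/example.com.external" >/dev/null || return 1
    fi
    grep -q '^mail[[:space:]]*IN[[:space:]]*A[[:space:]]*192\.168\.' "$dir/example.com.internal" || return 1
    grep -q '^mail[[:space:]]*IN[[:space:]]*A[[:space:]]*203\.0\.113\.' "$dir/example.com.external" || return 1
    grep -q 'recursion no;' "$dir/named.conf" || return 1
    grep -q 'allow-transfer { none; };' "$dir/named.conf" || return 1
}

# Usage: sh split-dns.sh /tmp/split-dns   (writes the three files, then checks them)
if [ -n "$1" ]; then
    write_split_dns "$1" && check_split_dns "$1" && echo "wrote and checked $1"
fi
```

The view order matters: named takes the first view whose `match-clients` matches, so the LAN ACL view has to come before the catch-all `any` view. Blocking the internal resolver at the firewall, as the post recommends, still applies; `recursion no` on the external view is the second line of defense if that rule is ever loosened.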

    in reply to: OD with cancer ? #370951
    luke
    Participant

    Did you import an existing LDAP directory or are you using any custom LDAP schemas?

    Because it sounds like you haven’t invested too much in this configuration, I would suggest junking it and starting over. Just think how much easier it will be the second time. 😕

    luke
    Participant

    You need to make some changes in /etc/authorization on the client machines to grant administrator rights to a user or group from the directory.

    See: [url]https://www.afp548.com/article.php?story=20041027093216241[/url]

    luke
    Participant

    [quote]”What if all my users had mobile accounts ? Why should I use PHDs in some cases and Mobile in others ? How do I choose ?”[/quote]

    Portable home directories work directly off the server, so users can log in to multiple machines and changes are instantly reflected between them. This is important if users SSH to other hosts and expect to have access to their files. The downside is that you can’t really do this with laptops because it requires a network connection at all times.

    Mobile home directories keep everything locally on the hard drive. This is usually faster and it allows them to disconnect from the network and continue to have access to their files. If they log in from multiple computers though, each computer will have its own version of their home directory, and changes on one won’t be reflected on the others until they sync back to the server (at which point there will likely be conflicts).

    I am still looking for the perfect combination of these two concepts. The closest I’ve come is Coda ([url]http://www.coda.cs.cmu.edu/[/url]), but there’s little chance of integrating that with a Mac environment.

    [quote]”one user’s laptop may not have all the same apps as his desktop mac, but with PHD I’m not able (is it possible ?) to have him keeping two different Dock setups.”[/quote]

    It works best if you image the laptops so they all have identical installations of the OS and applications. I use Radmind for this. As for keeping different Dock setups, you could exclude ~/Library/Preferences/com.apple.Dock.plist from syncing so that each computer has its own Dock settings.

    luke
    Participant

    I don’t completely understand your issue, but it sounds very similar to mine.

    I have a network of Leopard clients bound to an OD server, and they are able to access Directory.app and iCal Server as expected. I have my personal Leopard Laptop which is completely stand-alone. I would like to have some access to the directory from it through Directory.app and iCal Server, but I don’t want to have all of the users, groups, automounts, etc. that come with adding the OD server to the search policy in Directory Utility.app.

    I had some limited success by creating a custom LDAP mapping in Directory Utility.app. Go to Services, LDAPv3, select your server, click Edit, Search & Mappings. Then start to delete record types and attributes. It should be possible to prune away everything except what is needed for Directory.app, iCal Server, Address Book.app, etc.

    There has got to be a better way to do this though, and I expect I have a gap in my understanding.
