I've been asked to update the macs in our music classroom (19 iMacs and a MacMini server 10.8 which uses WGM to lock down student permissions & they are also binded to AD so students log on with their windows credentials) to 10.9 in order for them to use the updated version of Garage band.
Can you see any problems arising from this, will the WGM settings still apply when updated to Mavericks? Will I need to update the server also, if so will the settings be saved does WGM run on 10.9 or will i have to go to profile manager?
Any help would be much appreciated.
mike86 (8th July 2014)
We left our server on 10.8 for the foreseeable, upgraded clients to 10.9 with a fresh image and used deploystudio to roll it out, we are full mac over here though so this was for a wide-scale update process over a few hundred machines.
Thanks, looks like either way is good then...Did you find when leaving 10.8 on the server that WGM settings applied to machines?
Mavericks has an issue that cripples ACLs on the server-side, rendering the files inaccessible by the domain admin. To make matters worse if the user account does not have a home directory pre-populated with the mac home dir structure, the mac client will fail to create it also causing the files to be inaccessible but the domain admin.
If you're macs are not bound to the AD then the issue is non-existent.
Beware of Mavericks when bound to a 20087/2012 server. 10.9.3 also does not resolve the issue.
I don't think the issue is going to go away to be honest. Apple could develop their implementation further and then tomorrow MS could release an update. the SMB protocol seems to be being developed quite quickly at the moment at MS. Not sure how well the Open Source version of SAMBA is doing with regards to compatibility.
You can check the issue by going to a mac client that is bound to the AD, opening the get info pane and changing the ACLs. On 10.9.2 the server-side ACLs will disappear from the list. But they also disappear from the Security tab on the windows server too.
Thanks for that, was just about to install the update too...Could you explain this a bit more please? Our macs are bound to AD & the users get their windows home directory plus another drive is mapped from the share on the OSX server. From reading your post I imagine that when the users log on their home drives would become inaccessible by the domain admin & the user...Starting to think may be worth just updating the clients and leaving the server on 10.8.
Its the clients that cause the issue more so than the server, but the server would have the same issue since it is basically Mavericks with an app chucked on top.
The issue is seen with a mac client being connected to the AD and the shares on the windows servers, predominantly server 2008r2/2012 (not sure about 2012 r2 but i would take a stab guess that as well).
If a mac client is NOT bound to the AD then the problem doesn't arise. However, as soon as that client is bound to the AD the mac client can then edit ACLs in the Get Info pane that it should not have access to. The user gets a warning but the damage occurs anyway.
You also don't need to login using AD credentials either. You can log on to the mac as the localadmin, Use connect to Server to mount the share and authenticate as a standard AD user. This also replicates the problem.
In 10.9.3 this does not happen in the get info pane, but the creation of Home Dirs continues to fail. This may not sound like a problem, but then how do you create all of the new home dirs for the new Yr7s coming in in September?
thanks for that mate, starting to be a bit clearer...Sounds like that could cause a lot of damage...although would they only be able to destroy their home folders? Can you see any problems with having a 10.8 server and 10.9 clients?
Ignore the 10.8 server. The issue is with 10.9. Clients or otherwise. The Mac server being 10.8 is irrelevant. You can remove the mac server from the set up completely and the issue with the AD file shares still remains.
You can test the problem if you like. Simply upgrade one client to 10.9 and test with what I said above. Create a test share with some test data though. And yes the issue should be contained in the individual home dir. It only affects shares where the user has full control/ read/write access.
Some say that a workaround is to remove the change ownership rights, but this could potentially cause more issues.
Will give that a go...all this just for the new garage band!!
Garageband is worth it though
There are currently 1 users browsing this thread. (0 members and 1 guests)