New Mac network - is this possible?

[sidewinder]

Currently, all our OSX clients have standalone logons, one for each year, and once logged on under the generic account, students connect to our mac server in which they have a folder to save their work.
The only time the clients touch the Windows network is to get an IP address and to access the net

This isnt ideal as I have to maintain a seperate load of accounts on the mac server, and students have no real restrictions on what they can do on the macs, as none are centrally managed.

Ive now got a brand new 10.5 server, a load of new macbooks, and upgrades to 10.5 for our year old iMacs. So I want to start afresh and have a much better system.

What I want to do is bind to AD so students can use their windows logons, but I want it for authentication only, I dont want them to be able to access their my documents or anything. I want their home drive/documents to be on the mac server, and I want to be able to idally set preferences etc from the mac server as well

Is it possible to do things like this? Ive read a bit about the binding itself but it seems to mention binding the clients themselves to AD? Is there a way for just the server to be bound and the clients rely on that to autheticate them?

[DMcCoy]

What I want to do is bind to AD so students can use their windows logons, but I want it for authentication only, I dont want them to be able to access their my documents or anything. I want their home drive/documents to be on the mac server, and I want to be able to idally set preferences etc from the mac server as well

Is it possible to do things like this? Ive read a bit about the binding itself but it seems to mention binding the clients themselves to AD? Is there a way for just the server to be bound and the clients rely on that to autheticate them?

Mostly the answer to this is yes, it's exactly what I do.

Code:

OS X Server ----
 |              \
 |               ---- OS X Client
 |              /
AD Server   ----

The client is bound to both AD and OD. The binding to OD means you can have managed machine and group preferences (no per user prefs as that needs AD schema extensions). You can nest AD groups within OD groups to make life easy.

The client will use AD info to login, but will also use the home directory setting stored in AD for its home folder. This is where life gets complicated.

For my AD users I have the home folder set to the location of their *Mac* home folder, however when a user logs into windows I have their My docs folder redirected to their windows folder, and a script to map this folder. This gives my windows users both their mac and windows folders when they login.

OS X will NOT create home folders automatically for AD users, so it has to be created manually. I have created a set of scripts that creates the folder, sets permissions (you can apply ACLs from AD users to OS X - see later) and copies the user template over to make things actually work (no user template causes some programs to break).

This user folder creation has to be done manually, although I have it read in the list of users from a file so it's not too bad. There are some issues, you can see the user quotas and how much AD users are using on the Mac file share, but you cannot set a quota as it all becomes the template user.

You also need to bind the OS X server sharing the files to AD so that it can translate AD users and permissions for it's local ACLs.

You cannot have the OS X server manage all the AD user logins, each machine must be bound to AD though.

[sidewinder]

FINALLY I get a chance to have a look at this again...and all I have to do is get it working for September!!

Thanks, that is very helpful. Im going to get through as much as I can but I will probably get stuck somewhere.

Dont suppose you would mind sharing your scripts would you? Both the My Docs redirection and the OSX folder creation ones.

Also, first quick test, added a mac client to AD, seemed to be fine, let me log in with my AD username....but the home drive hasnt mapped...how come? I can get to my docs, as under shared, the 'IT' share has mapped (no idea why) so I can manually get to it, but just wondering.
Not that it matters too much because I want the home drive on the Mac server anyway

Edit: ignore the last bit...just noticed it puts it in the dock!

[sidewinder]

Damn...actually got surprisingly far with this in a few hours but now Im stuck.

Overview:

Ive setup OD on the Mac server, and binded that to AD
Ive binded the client to both OD and AD
Tried logging in with domain users, all works fine, group prefs work etc.

But Im stuck on having the home directories on the Mac server.
I pretty much followed the AD-OD Sandbox guide that was posted a while back. Installed AFP, created a new share called home, and created a folder for my test user. Gave that user read and write access.
Then set on the client under directory utility>services>active directory>advanced 'Network protocol to be use' to AFP and unticked 'Force local home directory on startup disk'

Changed the home directory path in AD

But now I cant log in with that test user (or any user). I just get the message 'You are unable to log in to the user account 'student' at this time. Logging in to the account failed because an error occurred'

What could I have done wrong? What is the OSX equivelent of event viewer so I could see exactly whats causing the error?

[manxdan]

I had that problem until I ticked the checkbox in the Server Admin / Sharing setup area:
"use sharepoint for network home folders"

[DMcCoy]

Damn...actually got surprisingly far with this in a few hours but now Im stuck.

Overview:

Ive setup OD on the Mac server, and binded that to AD
Ive binded the client to both OD and AD
Tried logging in with domain users, all works fine, group prefs work etc.

But Im stuck on having the home directories on the Mac server.
I pretty much followed the AD-OD Sandbox guide that was posted a while back. Installed AFP, created a new share called home, and created a folder for my test user. Gave that user read and write access.
Then set on the client under directory utility>services>active directory>advanced 'Network protocol to be use' to AFP and unticked 'Force local home directory on startup disk'

Changed the home directory path in AD

But now I cant log in with that test user (or any user). I just get the message 'You are unable to log in to the user account 'student' at this time. Logging in to the account failed because an error occurred'

What could I have done wrong? What is the OSX equivelent of event viewer so I could see exactly whats causing the error?

The test user has the path to the AFP home folder set in AD? Also it's case sensitive and won't map to more than one level deep (Sharepoint\Folder)

EDIT: So you have!

[DMcCoy]

What permissions do you have set on the sharepoint and folder?

[sidewinder]

OK sorted it...it was my own stupidity
Our Mac server is called KS-MACSRV, and we have another server called KS-APPSRV - guess which one I had put in the home drive path.....

So it all works now. But it doesnt half take a long time to log in. Probably about 40 seconds stuck with the logon box greyed out before it finally starts loading the desktop. Is that normal?

So permission wise Ive got the student group with read access on the share point, and then the individual user has full control on their own folder, same as I do on my Windows network.

So the main thing I need to do now, is be able to redirect Windows clients back to their My Documents when on a PC

Thankyou for the help btw DmMcCoy

[DMcCoy]

I use a script below modified for each users OU as that was quickest at the time

My Documents is redirected to the same location, windows then maps the mac drive when the user logs on.

Code:

' MNDUserName.vbs
' VBScript to map a network drive to the UserName.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.3 - April 24th 2005
' -----------------------------------------------------------------' 
Option Explicit
Dim objNetwork, objShell 
Dim strDriveLetter, strRemotePath, strUserName
strDriveLetter = "H:" 
strRemotePath = "\\morpheus\students$\06"

On Error Resume Next

' Purpose of script to create a network object. (objNetwork)
' Then to apply the MapNetworkDrive method. Result J: drive
Set objNetwork = WScript.CreateObject("WScript.Network") 
' Here is where we extract the UserName
strUserName = objNetwork.UserName 
objNetwork.MapNetworkDrive strDriveLetter, strRemotePath _
& "\" & strUserName

' Extra code just to add a message box
'WScript.Echo " Launch Explorer, check: "& strDriveLetter
'WScript.Quit

Set objShell = CreateObject("Shell.Application")
objShell.NameSpace("H:\").Self.Name = "Windows Home Drive"
objShell.NameSpace("N:\").Self.Name = "Apple Home Drive"
objShell.NameSpace("M:\").Self.Name = "Media Share"
objShell.NameSpace("I:\").Self.Name = "Lessons Share"
Set objShell = Nothing


' End of MapNetworkDrive Example logon script.

[sidewinder]

Excellent, cheers

lol I had to email that to myself since I browse the forum on an external VM to get round filtering, and Ive spent a good half hour having to keep logging on and seeing which bit the bloody webmail had decided to insert random formatting in!
But is now working nicely.

Will have to make a bit of a change over summer, as currently My Docs is redirected to the students home drive path, but thats easy enough to sort.

Couple more things:

Have you got the script to create the home folders and set permissions on the Mac server? I used to use a program called Passenger but I dont think it was free and Ill be buggered if I can find the setup for it anymore

Lastly, not a big problem, but im interested: how come I cant browse to the Mac shares from Windows? I cant do it when Im logged on, I cant do it with a logon script, nothing. Even though the sharepoint is set up with SMB as well as AFP.
Surely I should just be able to put \\ks-macsrv\homes and browse to it from XP assuming permissions are correct?

[DMcCoy]

You need to make sure that kerberos is working on the file server correctly try with kinit to see if it can get a ticket. Is smb turned on, as the windows sharing needs to be started *and* enabled on the share points.

I run the script as "script.sh 06 tempfile"

It's still really for looping through a list of usernames in a temporary file. Not pretty, but it's bash

Code:

#!/bin/sh
if [ $USER = root ]; then
for i in $(tr "[:upper:]" "[:lower:]" <$2)
do
	echo -n "Creating user $i's home folder:"
	if test -d /Volumes/RAIDA/Users/Students/$1/$i/
	then
		echo -n ".Folder exists!."
	else
		echo -n "."
		mkdir /Volumes/RAIDA/Users/Students/$1/$i
	fi
	chmod -R +a "MEDINA\\$i allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Volumes/RAIDA/Users/Students/$1/$i
	echo -n "A"
	cp -r /System/Library/User\ Template//English.lproj/ /Volumes/RAIDA/Users/Students/$1/$i/
	echo -n "T"
	chown -R $i:admin /Volumes/RAIDA/Users/Students/$1/$i/
	chmod -R ug+rwx /Volumes/RAIDA/Users/Students/$1/$i/
	chmod -R o-rwx /Volumes/RAIDA/Users/Students/$1/$i/
	echo -n "P"
	echo "."
done
else
echo "User is not root! Use sudo"
fi

[sidewinder]

Aha...its probably not started, will check in the morning

Thanks for the script!

[HodgeHi]

You need to make sure that kerberos is working on the file server correctly try with kinit to see if it can get a ticket. Is smb turned on, as the windows sharing needs to be started *and* enabled on the share points.

I run the script as "script.sh 06 tempfile"

It's still really for looping through a list of usernames in a temporary file. Not pretty, but it's bash

Code:

#!/bin/sh
if [ $USER = root ]; then
for i in $(tr "[:upper:]" "[:lower:]" <$2)
do
	echo -n "Creating user $i's home folder:"
	if test -d /Volumes/RAIDA/Users/Students/$1/$i/
	then
		echo -n ".Folder exists!."
	else
		echo -n "."
		mkdir /Volumes/RAIDA/Users/Students/$1/$i
	fi
	chmod -R +a "MEDINA\\$i allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" /Volumes/RAIDA/Users/Students/$1/$i
	echo -n "A"
	cp -r /System/Library/User\ Template//English.lproj/ /Volumes/RAIDA/Users/Students/$1/$i/
	echo -n "T"
	chown -R $i:admin /Volumes/RAIDA/Users/Students/$1/$i/
	chmod -R ug+rwx /Volumes/RAIDA/Users/Students/$1/$i/
	chmod -R o-rwx /Volumes/RAIDA/Users/Students/$1/$i/
	echo -n "P"
	echo "."
done
else
echo "User is not root! Use sudo"
fi

I like the look of this script but unsure as to how to pass usernames into the script itself. I am looking for a script that will create the home dirs for the users in the AD and then set the permissions on the folders. How would i be able to do this? I have already created a profile template and copied it into place. But when i try to create the users profiles using WGM it fails.

TIA for any help you can shed.

[FN-GM]

Hi

Can i just but in with a quick question.

Does the mac get joined to AD or OD?
Can you manage both the user policies and the computer polices?

Thanks

Z

[HodgeHi]

The OD server gets joined to the AD first (to join the ADs kerberos realm) and then promoted to an OD master. This enables you to create user groups in the workgroup manager and add the AD users to that group. You can then manage the preferences for that group. The mac clients also get bound to both AD and OD. This is so that users can authenticate against the AD server and pick up the managed prefs for the machines and groups from the OD.