  #1 sidewinder

    New Mac network - is this possible?

    Currently, all our OS X clients have standalone logons, one for each year, and once logged on under the generic account, students connect to our Mac server, on which they have a folder to save their work.
    The only time the clients touch the Windows network is to get an IP address and to access the net.

    This isn't ideal, as I have to maintain a separate load of accounts on the Mac server, and students have no real restrictions on what they can do on the Macs, as none are centrally managed.

    I've now got a brand new 10.5 server, a load of new MacBooks, and upgrades to 10.5 for our year-old iMacs. So I want to start afresh and have a much better system.

    What I want to do is bind to AD so students can use their Windows logons, but I want it for authentication only; I don't want them to be able to access their My Documents or anything. I want their home drive/documents to be on the Mac server, and ideally I want to be able to set preferences etc. from the Mac server as well.

    Is it possible to do things like this? I've read a bit about the binding itself, but it seems to mention binding the clients themselves to AD. Is there a way for just the server to be bound and the clients rely on that to authenticate them?

  #2 DMcCoy

    Quote Originally Posted by sidewinder View Post
    What I want to do is bind to AD so students can use their Windows logons, but I want it for authentication only; I don't want them to be able to access their My Documents or anything. I want their home drive/documents to be on the Mac server, and ideally I want to be able to set preferences etc. from the Mac server as well.

    Is it possible to do things like this? I've read a bit about the binding itself, but it seems to mention binding the clients themselves to AD. Is there a way for just the server to be bound and the clients rely on that to authenticate them?
    Mostly the answer to this is yes, it's exactly what I do.

    Code:
    OS X Server ----
     |              \
     |               ---- OS X Client
     |              /
    AD Server   ----
    The client is bound to both AD and OD. The binding to OD means you can have managed machine and group preferences (no per user prefs as that needs AD schema extensions). You can nest AD groups within OD groups to make life easy.

    The client will use AD info to login, but will also use the home directory setting stored in AD for its home folder. This is where life gets complicated.

    For my AD users I have the home folder set to the location of their *Mac* home folder, however when a user logs into windows I have their My docs folder redirected to their windows folder, and a script to map this folder. This gives my windows users both their mac and windows folders when they login.

    OS X will NOT create home folders automatically for AD users, so they have to be created manually. I have created a set of scripts that creates the folder, sets permissions (you can apply ACLs from AD users to OS X - see later) and copies the user template over to make things actually work (no user template causes some programs to break).

    This user folder creation has to be done manually, although I have it read in the list of users from a file so it's not too bad. There are some issues, you can see the user quotas and how much AD users are using on the Mac file share, but you cannot set a quota as it all becomes the template user.

    You also need to bind the OS X server sharing the files to AD so that it can translate AD users and permissions for its local ACLs.

    You cannot have the OS X server manage all the AD user logins; each machine must be bound to AD.

  #3 sidewinder

    FINALLY I get a chance to have a look at this again... and all I have to do is get it working for September!!

    Thanks, that is very helpful. I'm going to get through as much as I can, but I will probably get stuck somewhere.

    Don't suppose you would mind sharing your scripts, would you? Both the My Docs redirection and the OS X folder creation ones.

    Also, first quick test: added a Mac client to AD, seemed to be fine, let me log in with my AD username... but the home drive hasn't mapped... how come? I can get to My Docs, as under Shared the 'IT' share has mapped (no idea why), so I can manually get to it, but just wondering.
    Not that it matters too much, because I want the home drive on the Mac server anyway.

    Edit: ignore the last bit... just noticed it puts it in the Dock!
    Last edited by sidewinder; 15th July 2008 at 11:08 AM.

  #4 sidewinder

    Damn... actually got surprisingly far with this in a few hours, but now I'm stuck.

    Overview:

    I've set up OD on the Mac server and bound that to AD
    I've bound the client to both OD and AD
    Tried logging in with domain users; all works fine, group prefs work etc.

    But I'm stuck on having the home directories on the Mac server.
    I pretty much followed the AD-OD Sandbox guide that was posted a while back. Installed AFP, created a new share called home, and created a folder for my test user. Gave that user read and write access.
    Then set on the client, under Directory Utility > Services > Active Directory > Advanced, 'Network protocol to be used' to AFP and unticked 'Force local home directory on startup disk'.

    Changed the home directory path in AD.

    But now I can't log in with that test user (or any user). I just get the message 'You are unable to log in to the user account 'student' at this time. Logging in to the account failed because an error occurred'.

    What could I have done wrong? What is the OS X equivalent of Event Viewer, so I could see exactly what's causing the error?

  #5 manxdan


    I've seen that message.

    I had that problem until I ticked the checkbox in the Server Admin / Sharing setup area:
    "use sharepoint for network home folders"

  #6 DMcCoy

    Quote Originally Posted by sidewinder View Post
    Damn... actually got surprisingly far with this in a few hours, but now I'm stuck. [...] What could I have done wrong? What is the OS X equivalent of Event Viewer, so I could see exactly what's causing the error?
    The test user has the path to the AFP home folder set in AD? Also it's case sensitive and won't map to more than one level deep (Sharepoint\Folder)

    EDIT: So you have!

  #7 DMcCoy

    What permissions do you have set on the sharepoint and folder?

  #8 sidewinder

    OK, sorted it... it was my own stupidity.
    Our Mac server is called KS-MACSRV, and we have another server called KS-APPSRV - guess which one I had put in the home drive path.....

    So it all works now. But it doesn't half take a long time to log in. Probably about 40 seconds stuck with the logon box greyed out before it finally starts loading the desktop. Is that normal?

    Permission-wise, I've got the student group with read access on the share point, and then the individual user has full control on their own folder, same as I do on my Windows network.

    So the main thing I need to do now is be able to redirect Windows clients back to their My Documents when on a PC.

    Thank you for the help btw, DMcCoy.
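The wrong server name in post #8, and the two rules DMcCoy gives in post #6 (the path is case sensitive and the folder can only be one level below the share point), are all things that can be checked in bulk before hundreds of accounts are pointed at the Mac server. The script below is an added example, not code from this thread or from either poster: it checks each AD homeDirectory value against the expected server and share point and against the folders actually present on the server's disk. The export format (one line per user: username, a tab, then the UNC path), the function and argument names, and the server and share names in the usage line are assumptions. Comparing the host name case-insensitively is my choice, because DNS names are not case sensitive; the share point and folder are compared exactly, as the thread says they must be.

```shell
#!/bin/sh
# check_homes.sh (added example; not from the thread)
#
# Checks AD homeDirectory values against the rules given in the thread before
# Mac clients are pointed at them: the value must be \\server\share\folder,
# the server must be the Mac server (host names are not case sensitive, so
# that part is compared lower-cased), the share point and folder must match
# the names on disk exactly (case sensitive), and the folder must sit directly
# under the share point.
#
# Assumed (hypothetical) export format, one user per line:
#     username<TAB>\\KS-MACSRV\homes\username

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_home_path SERVER SHARE LOCAL_ROOT USER UNC
#   SERVER, SHARE : expected server and share point name
#   LOCAL_ROOT    : where the share point lives on the Mac server's disk
#   USER, UNC     : the account and its homeDirectory value from AD
# Prints one line per problem; returns 0 only if the value is usable.
check_home_path() {
    exp_server=$1 exp_share=$2 root=$3 user=$4 unc=$5
    rc=0
    # Work in forward slashes so the parameter expansions below stay simple.
    p=$(printf '%s' "$unc" | tr '\\' '/')
    case $p in
        //*/*/?*) ;;
        *) printf '%s\n' "$user: '$unc' is not of the form \\\\server\\share\\folder"; return 1 ;;
    esac
    rest=${p#//}
    server=${rest%%/*}; rest=${rest#*/}
    share=${rest%%/*};  folder=${rest#*/}
    if [ "$(lower "$server")" != "$(lower "$exp_server")" ]; then
        printf '%s\n' "$user: server is '$server', expected '$exp_server'"; rc=1
    fi
    if [ "$share" != "$exp_share" ]; then
        printf '%s\n' "$user: share point is '$share', expected '$exp_share' (case matters)"; rc=1
    fi
    case $folder in
        */*) printf '%s\n' "$user: '$folder' is more than one level below the share point"; rc=1 ;;
    esac
    if [ ! -d "$root/$folder" ]; then
        printf '%s\n' "$user: no folder '$root/$folder' on the server (check spelling and case)"; rc=1
    fi
    return $rc
}

# check_export SERVER SHARE LOCAL_ROOT EXPORT_FILE
# Runs check_home_path over every line of EXPORT_FILE (CRLF tolerated);
# returns the number of bad entries, capped at 255.
check_export() {
    bad=0
    tab=$(printf '\t')
    cr=$(printf '\r')
    while IFS="$tab" read -r user unc; do
        unc=${unc%"$cr"}
        [ -n "$user" ] || continue
        check_home_path "$1" "$2" "$3" "$user" "$unc" || bad=$((bad + 1))
    done < "$4"
    printf '%s bad entries\n' "$bad"
    [ "$bad" -gt 255 ] && bad=255
    return $bad
}

# Usage: ./check_homes.sh KS-MACSRV homes /Volumes/RAIDA/Users/Students/06 homes.txt
if [ "$#" -eq 4 ]; then
    check_export "$@"
fi
```

Run it on the Mac server against the local path of the share point. The exit status is the number of accounts whose home path will not mount as set, and each line printed says why, so the wrong-server mistake from post #8 shows up for every affected user in one pass rather than one failed login at a time.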

  #9 DMcCoy

    I use the script below, modified for each user's OU, as that was quickest at the time.

    My Documents is redirected to the same location; Windows then maps the Mac drive when the user logs on.

    Code:
    ' MNDUserName.vbs
    ' VBScript to map a network drive to the UserName.
    ' Author Guy Thomas http://computerperformance.co.uk/
    ' Version 1.3 - April 24th 2005
    ' -----------------------------------------------------------------
    Option Explicit
    Dim objNetwork, objShell
    Dim strDriveLetter, strRemotePath, strUserName
    strDriveLetter = "H:"
    strRemotePath = "\\morpheus\students$\06"

    ' Note: with On Error Resume Next a failed mapping is silent; the
    ' renames below will then simply not apply to an unmapped letter.
    On Error Resume Next

    ' Purpose of script: create a network object (objNetwork), then apply
    ' the MapNetworkDrive method. Result: H: -> \\morpheus\students$\06\<username>
    Set objNetwork = WScript.CreateObject("WScript.Network")
    ' Here is where we extract the UserName
    strUserName = objNetwork.UserName
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath _
        & "\" & strUserName

    ' Extra code just to add a message box
    'WScript.Echo " Launch Explorer, check: "& strDriveLetter
    'WScript.Quit

    ' Give the drives friendly names in My Computer. This script only maps H:;
    ' N:, M: and I: must already be mapped (elsewhere) for their renames to apply.
    Set objShell = CreateObject("Shell.Application")
    objShell.NameSpace("H:\").Self.Name = "Windows Home Drive"
    objShell.NameSpace("N:\").Self.Name = "Apple Home Drive"
    objShell.NameSpace("M:\").Self.Name = "Media Share"
    objShell.NameSpace("I:\").Self.Name = "Lessons Share"
    Set objShell = Nothing

    ' End of MapNetworkDrive Example logon script.

  #10 sidewinder

    Excellent, cheers.

    lol, I had to email that to myself since I browse the forum on an external VM to get round filtering, and I've spent a good half hour having to keep logging on and seeing which bit the bloody webmail had decided to insert random formatting in!
    But it's now working nicely.

    Will have to make a bit of a change over summer, as currently My Docs is redirected to the students' home drive path, but that's easy enough to sort.

    Couple more things:

    Have you got the script to create the home folders and set permissions on the Mac server? I used to use a program called Passenger, but I don't think it was free and I'll be buggered if I can find the setup for it any more.

    Lastly, not a big problem, but I'm interested: how come I can't browse to the Mac shares from Windows? I can't do it when I'm logged on, I can't do it with a logon script, nothing. Even though the share point is set up with SMB as well as AFP.
    Surely I should just be able to put \\ks-macsrv\homes and browse to it from XP, assuming permissions are correct?

  #11 DMcCoy

    You need to make sure that Kerberos is working correctly on the file server; try kinit to see if it can get a ticket. Is SMB turned on? Windows sharing needs to be started *and* enabled on the share points.

    I run the script as "script.sh 06 tempfile"

    It's still really for looping through a list of usernames in a temporary file. Not pretty, but it's bash.

    Code:
    #!/bin/sh
    # Usage: sudo ./script.sh <year> <userlist>
    # Creates /Volumes/RAIDA/Users/Students/<year>/<user> for every name in
    # <userlist>, grants the matching AD user (MEDINA\user) an ACL on it, copies
    # the user template in and fixes ownership and POSIX modes.
    if [ "$(id -u)" -ne 0 ]; then
    	echo "User is not root! Use sudo"
    	exit 1
    fi
    if [ $# -ne 2 ]; then
    	echo "Usage: $0 <year> <userlist>"
    	exit 1
    fi
    base="/Volumes/RAIDA/Users/Students/$1"
    # Usernames are lower-cased before use
    for i in $(tr "[:upper:]" "[:lower:]" <"$2")
    do
    	echo -n "Creating user $i's home folder:"
    	if test -d "$base/$i/"
    	then
    		echo -n ".Folder exists!."
    	else
    		echo -n "."
    		mkdir "$base/$i"
    	fi
    	# ACL for the AD user; inherited by everything created below it
    	chmod -R +a "MEDINA\\$i allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "$base/$i"
    	echo -n "A"
    	# Copy the user template in so ~/Library etc. exist (some programs break without it)
    	cp -r "/System/Library/User Template/English.lproj/" "$base/$i/"
    	echo -n "T"
    	chown -R "$i:admin" "$base/$i/"
    	chmod -R ug+rwx "$base/$i/"
    	chmod -R o-rwx "$base/$i/"
    	echo -n "P"
    	echo "."
    done

  #12 sidewinder

    Aha... it's probably not started, will check in the morning.

    Thanks for the script!

  #13 HodgeHi

    Quote Originally Posted by DMcCoy View Post
    [...] I run the script as "script.sh 06 tempfile"

    It's still really for looping through a list of usernames in a temporary file. Not pretty, but it's bash. [...]
    I like the look of this script but am unsure as to how to pass usernames into the script itself. I am looking for a script that will create the home dirs for the users in the AD and then set the permissions on the folders. How would I be able to do this? I have already created a profile template and copied it into place. But when I try to create the users' profiles using WGM it fails.

    TIA for any help you can shed.
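On the question in post #13: DMcCoy's script in post #11 takes the year folder as its first argument and a plain text file of usernames, one per line, as its second, and is run with sudo. The rewrite below is an added example, not DMcCoy's script or anything else from the thread. It keeps the same layout (ROOT/YEAR/USER, template copied in, ACL for DOMAIN\user) but lower-cases and validates each name before it is used as a path component, so a stray entry such as `../somewhere`, a name with spaces, or one starting with `-` is rejected instead of being handed to mkdir, chown -R and chmod -R as root; it also strips the CRLF line endings a list exported from Windows often has, and returns how many names were rejected. The domain name MEDINA, the template path and the argument order come from the thread; the function names, the POSIX mode (owner only, rather than owner and the admin group) and the behaviour on a non-Mac system (ACL and chown steps skipped, so the logic can be exercised anywhere) are my choices.

```shell
#!/bin/sh
# mkhomes.sh (added example; not the script posted in this thread)
# Create Mac network home folders for a list of AD users.
#
# Usage: sudo ./mkhomes.sh /Volumes/RAIDA/Users/Students 06 userlist.txt
#   userlist.txt holds one username per line (CRLF line endings tolerated).
#
# Assumptions (hypothetical): DOMAIN is the AD domain's NetBIOS name used in
# the ACL; TEMPLATE is the user template each home is seeded from.
DOMAIN=${DOMAIN:-MEDINA}
TEMPLATE=${TEMPLATE:-/System/Library/User Template/English.lproj}

# valid_user NAME -> 0 if NAME is safe to use as a single path component:
# lower-case letters, digits, dot, underscore and hyphen only; not empty,
# not starting with a dot (hidden, or "..") or a hyphen (looks like an option).
valid_user() {
    case $1 in
        '' | .* | -* | *[!a-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# make_home ROOT YEAR USER -> creates ROOT/YEAR/USER, seeds it from TEMPLATE
# and sets ownership, ACL and POSIX modes. Existing folders are left alone.
make_home() {
    root=$1 year=$2 user=$3
    home="$root/$year/$user"
    if [ -d "$home" ]; then
        printf '%s: exists, skipping\n' "$home"
        return 0
    fi
    mkdir -p "$home" || return 1
    # Seed with the user template so ~/Library etc. exist.
    if [ -d "$TEMPLATE" ]; then
        cp -R "$TEMPLATE/." "$home/" || return 1
    fi
    # The ACL syntax and the AD-resolved owner are OS X only; elsewhere only
    # the POSIX modes below are applied, which is enough to test the logic.
    if [ "$(uname)" = Darwin ]; then
        chmod -R +a "$DOMAIN\\$user allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "$home" || return 1
        chown -R "$user:admin" "$home" || return 1
    fi
    # Owner only: no group or world access to a student's home.
    chmod -R u+rwX,go-rwx "$home"
}

# make_homes ROOT YEAR LISTFILE -> creates a home for every valid name in
# LISTFILE; returns the number of names rejected or failed (capped at 255).
make_homes() {
    rejected=0
    cr=$(printf '\r')
    while read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}
        [ -n "$line" ] || continue
        user=$(printf '%s' "$line" | tr '[:upper:]' '[:lower:]')
        if ! valid_user "$user"; then
            printf 'rejected %s: not a plain username\n' "$line" >&2
            rejected=$((rejected + 1))
            continue
        fi
        make_home "$1" "$2" "$user" || rejected=$((rejected + 1))
    done < "$3"
    [ "$rejected" -gt 255 ] && rejected=255
    return $rejected
}

if [ "$#" -eq 3 ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "User is not root! Use sudo" >&2
        exit 1
    fi
    make_homes "$1" "$2" "$3"
fi
```

Re-running it over the same list is safe: folders that already exist are skipped rather than re-permissioned, and the exit status tells you how many lines of the list still need a look.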

  #14 FN-GM

    Hi

    Can I just butt in with a quick question.

    Does the mac get joined to AD or OD?
    Can you manage both the user policies and the computer policies?

    Thanks

    Z

  #15 HodgeHi

    The OD server gets joined to the AD first (to join the AD's Kerberos realm) and then promoted to an OD master. This enables you to create user groups in Workgroup Manager and add the AD users to that group. You can then manage the preferences for that group. The Mac clients also get bound to both AD and OD. This is so that users can authenticate against the AD server and pick up the managed prefs for the machines and groups from the OD.
    Last edited by HodgeHi; 12th August 2008 at 12:48 AM. Reason: Correcting spelling. Original post was on iPhone during a car journey. Not easy!
