AD and Xserve
Well, the Xserve has arrived now, but we are struggling to get it set up how we like, as we don't have much knowledge about Macs. Basically I want the Mac clients to authenticate against Active Directory, but not receive their home directories from AD. We would prefer each Active Directory account that logs onto a Mac to have a "home directory" on the Xserve, which will be used for saving their large video files.
It would be much appreciated if someone can help. Many thanks.
Take a look at the Sticky AD-OD at the top of the Mac forum. Follow that guide to get AD authentication up and running. But instead of placing the home dirs on the Windows servers, keep them on the OD server. You will need to create the home dirs manually, I think, for the AD users. I can't remember now. But this means you have a better chance of locking down the users' home dir preferences. You take a temp user and then log on with that user and configure apps and Finder. Run each app once and configure the prefs. This will remove any pop-up questions/windows that would appear.
Once this is done, log off as that user and log back on as an admin user. Then copy this user's home dir and overwrite the default template, or just copy it onto the desktop. I then used the DSCL util (terminal Command) to export the users into a txt file and then list the users as a variable into a script to create their home dirs automatically. The only thing I couldn't do is add the ACLs to the home dirs properly. I used POSIX permissions, but ACLs are much better to use.
Sorry. Got a bit off-topic there. Once the home dirs are in place, test to make sure there are no problems logging in. Set the home dir to either AFP or SMB. Your choice. I prefer AFP. This is done through Directory Utility. If the clients are on 10.6, this can be found in the Users section of System Preferences or in /System/Library/CoreServices/; otherwise it is in the Utilities folder in the Applications folder.
Now, for your AD users. What I did was have the users' home dirs stored on our XRAID and then redirected the Documents folder to the home dir on the XRAID. This kept the users' documents all in one location. The only downside to this is having two Pictures, Music and Movies folders. But I'm working on this.
Anyway hope this helps.
PS. Don't forget that to have Windows users accessing the home dirs on the Xserve, you will need to have both AFP and SMB services running, and also have the home dirs shared using both AFP and SMB. This is the case for all shares you wish to access from Windows.
First off, you need to bind/join your client Mac to Active Directory so it can authenticate. Check this first (this doesn't require an Xserve, so forget that for the moment). If you are on 10.6, go into System Prefs > Accounts, click Login Options, then next to "Network Account Server" click Edit...
Then click "Open Directory Utility". Authenticate and go into the Active Directory plugin by double-clicking. Type in your AD domain and your computer host name and click Bind. You bind with your AD admin credentials.
If you restart for good measure, you should be able to login.
Next, home folders. Just for info, are you aware that you can put your homes on a Windows box? You technically don't need an Xserve for your Macs... Anyway, you need to bind/join your Xserve to AD in the same way as a client. Then you need to open Terminal and type "dsconfigad -enableSSO"; this uses the directory services config and enables Single Sign On for your home folders. In Server Admin you now need to click File Sharing and define a share point for your home folders, with appropriate permissions, and enter this path into the home folder path in AD.
If you are using 10.4 on the client, Directory Utility is inside Applications > Utilities.
Depending on your network, you may find it better to save video work locally on each Mac. This is what we do, to save clogging servers and backups with 13GB/hour DV files. I also wouldn't try capturing to a server on anything less than a gigabit network.
A rushed reply, but let me know how you get on.
Thank you for your replies. Well, at the moment I can't do much as I'm rebuilding the RAID array on the Xserve. I had a play before we began to rebuild the RAID array, and I can get the Mac client and Xserve to bind with AD no problem; I can also get the client to see the users' home folders on the Windows box. However, we want them to be stored on the Xserve, so how do we get a home directory on the Xserve for each AD user that uses the Mac?
You haven't said what OS your server is, but these instructions are based on my 10.5 Xserve:
Open Server Admin, from the top menu go to File Sharing. Click Volumes (you want to list your drives). Find the folder / volume you wish to make a share point. Click Share.
In the permissions box, set your permissions. You have POSIX for user/group/everyone, plus an ACL (Access Control List) for more granular settings. ACLs override POSIX.
Click Save to commit your changes. Depending on your needs, you can also propagate permissions by clicking the cog icon under the POSIX box.
If you now go to Share Points, your share should be listed. If you click the "Share Point" tab halfway down the screen, you can click 'Protocol Options' to say whether you want to share the item with AFP (Apple File Protocol), SMB (Windows sharing), NFS, etc. It depends on what is set on the client in the Active Directory plug-in, which determines what it mounts the home folder with; by default it's AFP, but you could switch to SMB, your choice. Like others have said, if Windows users will connect, you need SMB running, as Windows can only connect with SMB.
Test that you can see your share. From a client do Finder > Go > Connect to Server. In the box type:
smb://server/share to check SMB works
afp://server/share to check AFP
Once it's all fine, go into your Active Directory Users & Computers and change the users' home path to that of your Xserve.
It is 10.5 we're running, I think (Snow Leopard). With the setup you have talked about, changing the user home path means when they log onto a Windows machine they won't get their Windows home directory. Is there any way to have both? i.e. when they are on a Windows machine they just get the Windows home directory, and then when they log onto a Mac they get their Mac home directory.
10.5 = Leopard
10.6 = Snow Leopard
OK, so to split this up, either make another batch of users in Active Directory which students log on to the Macs with, for example:
Joe Bloggs could be jbloggs, getting a Windows home.
Joe Bloggs has a second log on of jbloggs2, which points to a Mac home.
...or, set up the XServe as an Open Directory Master and create the users on there so that they log on to the Mac server (Open Directory is the same kinda thing as AD) and pull their home off that.
Is there a reason why you need to have separate systems? There's no reason why the home folders can't sit on either the Mac or the Windows server; either OS can host home folders for either client...
Hmm. Seems my post has been overlooked. What I mention in my post is how to go about getting the users' home dirs integrated. I think for everyone this is the best solution. As iSteve says, if you want two separate systems then two separate AD and OD systems is the way to go. Personally, having two separate systems is a management headache and can also be problematic for end users. Confusion sets in if passwords start being changed. It's bad enough with OS X password changes and Keychain logins not being updated, without having to remember what the AD password is still set to. Remember that if you have two separate systems you need to manage two separate lists of users.
I have tried numerous setups with our AD and OD systems. I have tried two Kerberised systems with the users having to choose which system to use on the Windows side, an AD-OD integrated system with two different Kerberised realms (in my newbie days; I know now why that can't be done), two independent directory systems, and finally rested on the AD-OD integrated system.
It seems to be the best of both worlds without the headache from the management point of view. You can have one RAID array where all of your re-directed shares are kept. Start menu for pupils, start menu for staff, shared desktop, home dirs, resource shares etc.
The GPO redirects still work from a different server even if the shares are residing on an OS X Server. Windows doesn't care. You just need the permissions set correctly. The only shares I didn't put on my OS X Server were the profile shares.
The only thing to mention is that the OS X SMB service doesn't like $ shares. Well, mine didn't anyway.
Unless I'm missing something ;)
On re-reading your post, LukeC, I noticed that you want to create home dirs on the OS X Server for AD users. Now, IIRC WGM won't create the home dirs for AD users using the "Create Home Now" button. This is the reason I had to create a script to export the users into a txt file and then read them into a variable and create their home dirs like that. It's relatively easy. I think I posted the script online here. I just need to tweak it to add the ACLs instead of POSIX.
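One possible shape for the home-dir creation script described in this post and in the earlier one about exporting users with DSCL. This is an added example, not the poster's script; it assumes a plain text file of AD short names (one per line) and a base folder on the share point, and the `dscl` export path and the inheritable ACL entry it applies on OS X are assumptions you would adjust for your own domain.

```shell
#!/bin/sh
# Added example (not the poster's script): create a home folder on the share
# point for each AD user listed in a text file, one short name per line.
# Blank lines and lines starting with '#' are ignored.
#
# The list is assumed to come from something like (adjust for your domain):
#   dscl "/Active Directory/YOURDOMAIN/All Domains" -list /Users > users.txt
#
# Usage: create_home_dirs users.txt /Volumes/Data/Homes

# Only accept plain short names: no empty names, no leading dot, no slash,
# nothing outside [A-Za-z0-9._-], so a bad line cannot escape the base folder.
valid_username() {
    case "$1" in
        ''|.*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

create_home_dirs() {
    list="$1"; base="$2"; skipped=0
    mkdir -p "$base" || return 1
    while IFS= read -r user || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        if ! valid_username "$user"; then
            echo "skipping invalid name: $user" >&2
            skipped=$((skipped + 1)); continue
        fi
        home="$base/$user"
        mkdir -p "$home" && chmod 700 "$home" || return 1   # POSIX: owner only
        # Only hand ownership to accounts Directory Services can resolve.
        if id "$user" >/dev/null 2>&1; then
            chown "$user" "$home" || echo "chown failed for $user" >&2
            # On OS X also add an inheritable ACL (assumed entry) so the user
            # keeps full access to everything created below the folder.
            if [ "$(uname)" = Darwin ]; then
                chmod +a "$user allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" "$home"
            fi
        else
            echo "account not resolvable, left owned by caller: $user" >&2
        fi
    done < "$list"
    [ "$skipped" -eq 0 ]   # non-zero exit if any name was skipped
}
```

Run it as root on the server after the AD bind, so `id` can resolve the AD accounts and `chown` succeeds; names it skips are reported on stderr.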
Luke, why do you want users that log on to a Mac to have a different home dir than when they log on to a PC? Surely this will cause confusion in the long term?
The users above are correct; you would have to have two separate AD accounts.
What you COULD do is, when an AD user logs onto a Mac, their home directory is their standard Windows directory, but you could place a shortcut on the Mac desktop that links off to an area on the Xserve that users could save to.
If you need any more info just let us know.
Well, the reason why we have an Xserve was down to the media department wanting us to purchase one, as they kept losing vital pieces of coursework saved locally on the Mac. Therefore I was hoping they could log onto the Mac and pull their videos off the Xserve, and then resave them on the Xserve after editing.
I get the fact that you don't want to save locally, and I agree. However, why can't users just save to the same place they would save to when logging onto a PC?
@mbrunt Some people also separate the type of materials saved on the servers... as well as the server. Trying not to get into the sucking-eggs position here, but a lot of schools save locally when dealing with large files due to the sheer length of time it takes to move files back and forwards, or to access large files across the network. A server connected more locally might not improve the speed from client to server, but it can remove the impact it puts on the network that interferes with other users. Also, the likelihood of using the same files on the Windows side of things can be small in some schools.
Personally, I see little point in having separate file servers too ... but have seen where it can work better. Then again ... why not have the Xserve also host the storage for the windows side too?
What you could do is have the home dirs stored on the Windows servers and then have a storage solution on the OS X Server to provide a video storage location for the video files. You also need to take into account that if they are copying the files down and then saving them back up when complete, you have the wait time of copying files backwards and forwards, as GrumbleDook mentioned. Also take into account that if these files are going to be large, then multiply that by each user doing the same. E.g., each pupil would be logging on at the same time, locating their files and downloading them all at the same time to work on. This will increase the time each user will have to wait.
One option could be Final cut server, if Final cut is the software you are looking at using. The guys at our local CLC have started to use this as it does exactly this for them. Pupils work off the files stored on the server but Final Cut downloads a low-res version onto the client for working on. Once all edits are made and saved the XML file is then sent back to the Final cut server where the high-res version is updated with the changes. I think that's right :D
You could TRY this. Not sure if it would work though. Have the users log in from the Windows server for their profile, but have a login redirect for the Movies folder to the Xserve. Would be interesting to try ;)