OD/AD Integration Issues
I have managed to set up a "magic triangle" so that our Active Directory users can log on to our Mac systems. This was done by creating an Open Directory Master and then connecting it to Active Directory. Once this was done the client Macs were bound to both the OD and AD.
Now, I have a few issues. Users can log in fine. I added them to Workgroup Manager via Accounts > Members and then clicking on + to drag them in from Active Directory. Workgroup Manager preferences also work well. However, adding a computer in the same way to a Computer Group does not allow Workgroup Manager preferences to be applied. Does anyone know why this is? Am I adding the computers in the correct way? And is there a way to have a computer populate both AD and OD when it is added to the network?
Secondly, and a bigger issue, when a user logs on to a client Mac and opens Finder they can see/navigate a number of servers (our AD server, the Mac OD server and an "All" option) under the "Shared" section of the sidebar. I have used a plist file to hide the "Shared" section but they can still access these servers by going to "Go > Network". Is there a way of removing these servers from Finder? If so, how do I go about doing this? And if there isn't a way of removing the servers, how do I stop users navigating deeper into the server? All permissions are, as far as I know, correct.
Right, I have managed to get Workgroup Manager computer preferences working on the client Macs now. I needed to add the computer to the members group by clicking on the "..." instead of the "+".
Now I just need help on this Shared/Network problem. There must be something out there to stop navigation of the network, especially something as simple as hiding the Network option from the Go menu, or even maybe having the items visible but stopping any further navigation... no?
You need to manage the Finder sidebar preference. However, I think that the users can still get to this location by using a keyboard shortcut. The only way of resolving this issue is locking down shares with the correct permissions. If you are using 10.5 you can remove most Mac clients by disabling Bonjour. However, Bonjour is part of the 10.6 mDNS daemon and so cannot be disabled. If you try to on 10.6 then you will also break DNS resolution.
The only real way to do this properly is through permissions.
The permissions are properly set. I also experimented with removing all permissions and the servers are still visible on the Mac.
I can't believe there isn't a simple Workgroup Manager preference for sorting this out. It's a massive flaw in an otherwise excellent and simple OS!
I was hoping there might even be some sort of startup script that I could use, but searching the net has brought nothing.
There must be a way around this, it's the only issue stopping us from implementing this on our live network!
"It's a massive flaw in an otherwise excellent and simple OS!"
If this was an all-Mac environment - Open Directory - it's not even an issue. Apple - quite rightly - assume everyone wants an all-Mac environment, in which case there's no flaw that needs fixing. It's only a 'flaw' from your perspective, and if you see it as such you'll have to deal with it in the best way you can. From what I've seen at most sites I've been to it's not an issue, but at some (admittedly few) they see it the same way as you. Oddly and slightly irrationally - IMO - it's viewed as a problem the Mac platform has generated, whereas in fact the 'open nature' of the AD structure itself is really at fault and the platform has simply exposed it. Provided the permissions are defined correctly, all that can happen is users can 'see' the other PCs and go no further. It's purely cosmetic and should present no further issues.
HodgeHi has already indicated how the Sidebar can be controlled with an appropriate MCX. In 10.6, AFAIK, there is no way to remove the Network selection from the Go menu without breaking the OS in a major way. In 10.5 it was possible but had risks attached. To pre-empt what you might be thinking: you can't install a version of the OS that is older than the OS version the hardware shipped with and that was pre-installed.
You could contact Apple and submit a Feature Request. If enough people want it perhaps Apple may build it into the next OS?
Apple - Mac OS X Server - Feedback
Antonio Rocco (ACSA)
I'm not only seeing the AD shares but also the Mac Server I have attached to the Network so I can't see how this relates to an Active Directory issue. Even with no permissions the users can still see the server. Yes, users can only "see" other servers but I'd rather not have that on my network.
I do still see it as a major flaw, even in an all OD environment, users will still have the ability to go to Finder's "Go > Network" option. And even having the option to control side bar settings isn't 100%, users can just enter the keyboard shortcut or just go to Finder > Preference and unhide these options.
So yes, it is a flaw with the way Apple have implemented Workgroup Manager preferences.
If you manage the sidebar I don't think users can re-enable the setting. If it is set to always being managed then the settings are greyed out. In my own testing though I don't think this worked. However, I have recently found that in 10.6.5 the ManagedClient.app has more settings inside that may help to remedy this. To see these, go to the Details tab under Preferences in WGM and then click the + button, navigate to System/Library/CoreServices/ManagedClient and then click Choose. This will bring up a sizeable list which lets you manage much more than before.
You can also remove the go to network option (using Simple Finder). The Keyboard shortcut though I'm not so sure about. Just checking now to see if this can be resolved. I have tried setting my own keyboard shortcut to override the network one but it didn't seem to work. Not sure how else this can be done since the keyboard shortcut for the network is not in the list in system prefs. Maybe request the feature where the keyboard shortcut can be turned off as the other issues can be worked around.
Macs use this method to find other clients on their network, using Bonjour to find shared resources that you have access to. This is by design as far as I'm aware. Seeing servers isn't the same as being able to access them. Obscurity does not necessarily mean security. :)
"I do still see it as a major flaw, even in an all OD environment, users will still have the ability to go to Finder's "Go > Network" option"
Having done a fair number of these I can assure you in an all OD environment it really is not a 'flaw' or a problem. Create one for yourself and you'll soon see.
"but also the Mac Server I have attached to the Network so I can't see how this relates to an Active Directory issue. Even with no permissions the users can still see the server"
This is intentional and by design. Bonjour/Rendezvous is built into every Mac (Server or Client). It's how they announce themselves as well as discover other Bonjour-aware devices on a network. It's important to note the .local suffix has been reserved for Bonjour. None of this is a 'major flaw' as it's all by design. Simply explained, Bonjour allows non-technical users to connect multiple computers to a switch/hub and create an ad-hoc network that does not need a DHCP server or anything else. This kind of network is generally referred to as ZeroConfig or Link Local Addressing (LLA). It's where the self-assigned IP addressing (169.224.x.x) reserved by the IANA for just this reason comes in. Bonjour is more than this and Apple provide an FAQ which explains things a little more:
Bonjour: Frequently asked questions (FAQ)
It's not advisable to turn Bonjour off as it's part of the DNS Resolution daemon mDNSResponder.
In an all-Mac environment Apple utilise Bonjour and build into their Server product services that auto-announce themselves (if the server is configured in this way) and present service information to workstations, which will then auto-configure themselves based on that information.
As you'd expect this works very well.
However, for some environments it can be seen as being totally useless and a 'problem'. You should also be aware that NetBIOS discovery is also built into the daemon. That's why your PCs are displaying themselves in the Sidebar. The Sidebar is all about Bonjour and NetBIOS and has nothing much to do with DNS or TCP/IP. Prior to 10.5 the Sidebar had a problem with Single Sign On (SSO). From what I've seen this appears to be 'fixed' in 10.6. If all you're using OS X Server for is to provide MCX then simply seeing it in the Sidebar does not present a problem.
You can 'fix' this as HodgeHi suggests by applying the Simple Finder MCX. I think this level of control is fine for infant and some junior schools but for further education sites I find it too restrictive and can cause issues for users trying to browse to a share so their data can be saved. Again this depends to a certain degree on what you're trying to achieve.
With respect if you took a step back for a moment and approached the platform on its own merits rather than obscuring it with a Microsoft eye none of the 'problems' you're seeing need be seen as such.
Antonio Rocco (ACSA)
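To make the "by design" point above concrete for a defender: what Finder lists under Shared is the result of an mDNS (Bonjour) browse for service types such as `_afpovertcp._tcp.local.`, answered by multicast PTR/SRV/A records that carry no authentication at all, so a host's visibility says nothing about whether a user can open its shares. The following decoder is an added example, not code from this thread or from Apple; the response packet it parses is constructed inline (the instance name `odserver`, the target `odserver.local.` and the address 10.0.0.5 are made-up sample values), and it follows ordinary DNS wire format, including name-compression pointers, so it can also be pointed at a real mDNS payload taken from a packet capture.

```python
import struct

# DNS record types that matter for a Bonjour service browse
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
TYPE_NAMES = {TYPE_A: "A", TYPE_PTR: "PTR", TYPE_TXT: "TXT", TYPE_SRV: "SRV"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode the name at pkt[off:], following 0xC0 compression pointers.
    Returns (dotted_name, offset_just_after_the_name_in_the_original_stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # stream resumes after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_records(pkt):
    """Parse every resource record in an mDNS message into plain dicts."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(pkt, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == TYPE_PTR:
            value, _ = decode_name(pkt, off)           # service instance name
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
            target, _ = decode_name(pkt, off + 6)
            value = {"port": port, "target": target}
        elif rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata
        records.append({
            "name": name,
            "type": TYPE_NAMES.get(rtype, rtype),
            "cache_flush": bool(rclass & 0x8000),      # mDNS unique-record bit
            "ttl": ttl,
            "data": value,
        })
        off += rdlen
    return records


def build_sample_response():
    """Constructed mDNS response announcing one AFP server (sample values)."""
    service = "_afpovertcp._tcp.local."
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)   # response, 3 answers
    # Answer 1: PTR  _afpovertcp._tcp.local -> odserver._afpovertcp._tcp.local
    service_off = len(pkt)
    pkt += encode_name(service)
    rdata = b"\x08odserver" + struct.pack("!H", 0xC000 | service_off)
    pkt += struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(rdata))
    instance_off = len(pkt)
    pkt += rdata
    # Answer 2: SRV for the instance (name given as a pointer), port 548
    target = "odserver.local."
    pkt += struct.pack("!H", 0xC000 | instance_off)
    rdata = struct.pack("!HHH", 0, 0, 548) + encode_name(target)
    pkt += struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, len(rdata)) + rdata
    # Answer 3: A record for the target host
    pkt += encode_name(target)
    pkt += struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4) + bytes([10, 0, 0, 5])
    return pkt


if __name__ == "__main__":
    for rec in parse_records(build_sample_response()):
        print(rec)
```

Nothing in the exchange identifies or authorises the querying user; the records are multicast to the whole link, which is why removing share permissions (as tried earlier in the thread) changes nothing about what is listed, while it is exactly what decides whether anything can be opened.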
I've added the managedclient.app but what do I do next? Most of the items that are configurable don't have any keys to change. I have nothing appear when I click on the triangle to the left of "Once", "Often" and "Always".
"Do I have to add the keys myself? If so, how do I find out what keys do what?"
Simples... You need to select the option you are looking for, e.g. Sidebar, then right-click and select New Key. From here you will see a list of options that are configurable.