Solved

OSX OpenDirectory Map Home Folders to SMB Share

Posted on 2011-09-20
21
999 Views
Last Modified: 2012-05-12
We have an OSX OpenDirectory server bound to a Windows Active Directory.  AD provides the logins, OD is supposed to supply the rest.

On the OSX server:
DNS is functioning perfectly with AD as the dns servers.
RDNS also checks out for the domain, servers, etc.
Logins work

The OSX server and clients can talk to the Windows SMB share using their AD credentials and can write new files to the share via Finder

However, when I go to "Create Home" in the workgroup manager I get the following error:
Unable to create home directory



Looking at the syslog I get a kNetworkError.

I tried enabling NFS on the windows server and using either mixed or anonymous authentication methods.  Both times I get "No principal configured for this user" errors in the syslog and the same "Unable to create home directory" error in the workgroup manager after a timeout.

Any suggestions on how to set up home directories using either smb:/ or nfs:/ would be greatly appreciated.  We require this functionality due to storage server and software limitations/restrictions.  Thank you!

Regards,
Robert
0
Question by:Robert Davis
21 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36568679
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36570343
Govvy,
Yes, this setting is selected/set by default when binding to AD.  The users get a shortcut in the dock to the UNC share but their actual home folders/paths are not being mapped to the network share...they are being stored locally under /Users on the machine and are not synced to the network share defined in AD, despite the settings defined in the article you linked to being set correctly (Use UNC...smb).

I cannot find any information on how to extend the Active Directory schema to include OD properties, this is the only option mentioned in the article that I was unable to double check.

Thanks,
Robert
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 36570551
Check your AD plugin settings under directory utility, services, active directory. Ensure protocol is set to smb, remove force local home, but enable create mobile account on login. Enable derive home folder from AD.

Ensure the user in AD has a home folder path set in their profile tab. You don't need OD to set the home with AD user accounts, but you could create an OD group and nest your AD Mac user group into it to apply managed preferences.
0

 
LVL 1

Author Comment

by:Robert Davis
ID: 36570586
>Check your AD plugin settings under directory utility, services, active directory. Ensure protocol is set to smb,
cyberdog478:"despite the settings defined in the article you linked to being set correctly (Use UNC...smb)."

> remove force local home, Enable derive home folder from AD.
Also set.  These are default when you bind to an AD.

> but enable create mobile account on login.
Not currently set, but won't this enable account mobility?  This is a pita of a system if this is Apple mobility.

Thanks!
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 36570632
Yes that will enable account mobility. Do you want mobile accounts where users sync like offline files, or true network homes where if the network/server malfunctions the clients crash?
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36570651
#2 please, I do not want Apple Mobility.  The horrors it brings are not worth it just to cover the off chance the server or network malfunctions (never happens to us statistically, and if it did we would have other concerns to deal with in the redundancy department).  Any suggestions would be greatly appreciated to make this happen.

Regards,
Robert
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 36572999
Ok, for true network homes, you need:

Create mobile account at login - no
Force local home directory on startup disk - no
Use UNC path from Active Directory to derive network home location - yes
Network protocol to be used - smb in your case, I think

Ensure that the user has a valid home folder path set in their profile tab in AD.

Remove the locally created users from the /Users folder

comment out /Network/Servers from the /etc/automaster file

ensure that the directory service search order is set for AD to be above OD.

That should sort you out.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36594016
>Remove the locally created users from the /Users folder
>comment out /Network/Servers from the /etc/automaster file


I'll try these on Monday, thank you.  The rest have already been set as described in the original post.  Should I be making the comment to the automaster file on all the clients?

Regards,
Robert
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36594018
Actually I did already remove the /Users folder since DeepFreeze wipes these upon user logout...  So that leaves the automaster file.
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 36595287
Yes, I'd make the change to the automaster file; it should be:

 
#
# Automounter master map
#
+auto_master		# Use directory service
/net			-hosts		-nobrowse,hidefromfinder,nosuid
/home			auto_home	-nobrowse,hidefromfinder
#/Network/Servers	-fstab
/-			-static



Note the /Network/Servers entry commented out. Without this, you'll get "You are unable to login at this time" on the clients.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36712109
Okay, I tried your suggestion, although before commenting this out we had no "You are unable to login at this time" errors ever.

For others' reference I deployed this bash script:
cd /etc
mv auto_master auto_master.bak                          # keep a backup of the original map
sed '/Network/s%^%#%g' auto_master.bak > auto_master    # prefix every line containing "Network" with #


Result is identical to your output above.  Rebooting workstations at lunch.  By the way, this still doesn't allow OD to create the home on the server, but we'll see if this gets around that at the client level...
0
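An added check script for the two client-side changes discussed in this thread (the AD plugin values gmbaxter lists for true network homes, and commenting out /Network/Servers in auto_master). It is not code from the thread; the setting names are assumed to follow the layout of `dsconfigad -show` on the Mac client, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the AD plugin settings listed for
# true network homes and comments out /Network/Servers in an auto_master file.
# Setting names follow `dsconfigad -show` output (an assumption about format).

# $1: text in the layout of `dsconfigad -show`. Prints each setting that does
# not match the network-home values; returns 0 only when all four match.
check_ad_plugin() {
    bad=0
    for want in \
        "Create mobile account at login|Disabled" \
        "Force home to startup disk|Disabled" \
        "Use Windows UNC path for home|Enabled" \
        "Network protocol to be used|smb"; do
        key=${want%%|*}
        val=${want##*|}
        got=$(printf '%s\n' "$1" | sed -n "s/^ *$key *= *//p")
        if [ "$got" != "$val" ]; then
            printf 'MISMATCH: %s = "%s" (want %s)\n' "$key" "$got" "$val"
            bad=1
        fi
    done
    return $bad
}

# $1: path to an auto_master file. Keeps a .bak copy and comments out any
# active /Network/Servers line; already-commented lines are left alone, so
# running it twice is safe. Returns 0 when no active entry remains.
comment_network_servers() {
    f=$1
    cp "$f" "$f.bak"
    sed 's%^\([[:space:]]*/Network/Servers\)%#\1%' "$f.bak" > "$f"
    ! grep -q '^[[:space:]]*/Network/Servers' "$f"
}

# Constructed sample in the layout of `dsconfigad -show` (two settings wrong).
SAMPLE_SHOW='Advanced Options - User Experience
  Create mobile account at login = Enabled
  Force home to startup disk     = Enabled
  Use Windows UNC path for home  = Enabled
  Network protocol to be used    = smb'

# On a real client: check_ad_plugin "$(dsconfigad -show)"
if check_ad_plugin "$SAMPLE_SHOW"; then
    echo "AD plugin already set for network homes"
fi
```

Run the check against the real client with `check_ad_plugin "$(dsconfigad -show)"` and point `comment_network_servers` at /etc/auto_master (as root) once the output is clean.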
 
LVL 1

Author Comment

by:Robert Davis
ID: 36712961
No dice.  Still the same behavior, no network folder was created.

Regards,
Robert
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 36713281
The network home should be created when you add the user in Active Directory. No need to use Workgroup Manager's "create home now" - that is for pure OS X deployments without AD.

When I import the users into AD I import their home as "\\changeme". I then mass select all users and set the home folder location in the profile tab to \\server\\share\%username%; this creates the home with appropriate ACLs. Can you try updating one user's home folder path to see if the home is created?

0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36713348
They are already set up that exact way with proper NTFS permissions.  I even took out the $ in the share name to make it OSX friendly.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36713352
As you can see, everything except for the /Network suggestion has been tried or is already in place by default...which is why this is so puzzling :-P.
0
 
LVL 11

Expert Comment

by:gmbaxter
ID: 36912604
What permissions are on the home folder shares?
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 36913340
Everyone read/write for testing, everyone for smb perm, and everyone again for nfs.
0
 
LVL 1

Accepted Solution

by:
Robert Davis earned 0 total points
ID: 37605415
Ended up getting a $5,000 Apple support contract.  They were able to solve it in minutes.

The trick was to create the dirs via Active Directory, and then in OD it should pull in the AD's home path information correctly.  Then on the workstation in Directory Utility under the AD settings you need to uncheck the "store home path locally" setting.  You do not need to click the "Create Home" in OD.
0
 
LVL 1

Author Closing Comment

by:Robert Davis
ID: 37622950
Apple Support gave the solution.
0
