Solved

OSX OpenDirectory Map Home Folders to SMB Share

Posted on 2011-09-20
Last Modified: 2012-05-12
We have an OSX OpenDirectory server bound to a Windows Active Directory.  AD provides the logins, OD is supposed to supply the rest.

On the OSX server:
DNS is functioning perfectly with AD as the dns servers.
RDNS also checks out for the domain, servers, etc.
Logins work

The OSX server and clients can talk to the Windows SMB share using their AD credentials and can write new files to the share via Finder

However, when I go to "Create Home" in the workgroup manager I get the following error:
Unable to create home directory

Looking at the syslog I get a kNetworkError.

I tried enabling NFS on the windows server and using either mixed or anonymous authentication methods.  Both times I get "No principal configured for this user" errors in the syslog and the same "Unable to create home directory" error in the workgroup manager after a timeout.

Any suggestions on how to set up home directories using either smb:/ or nfs:/ would be greatly appreciated.  We require this functionality due to storage server and software limitations/restrictions.  Thank you!

Regards,
Robert
Question by:Robert Davis
21 Comments

Expert Comment

by:Govvy

Author Comment

by:Robert Davis
Govvy,
Yes, this setting is selected/set by default when binding to AD.  The users get a shortcut in the dock to the UNC share but their actual home folders/paths are not being mapped to the network share...they are being stored locally under /Users on the machine and are not synced to the network share defined in AD, despite the settings defined in the article you linked to being set correctly (Use UNC...smb).

I cannot find any information on how to extend the Active Directory schema to include OD properties, this is the only option mentioned in the article that I was unable to double check.

Thanks,
Robert

Expert Comment

by:gmbaxter
Check your AD plugin settings under directory utility, services, active directory. Ensure protocol is set to smb, remove force local home, but enable create mobile account on login. Enable derive home folder from AD.

Ensure the user in AD has a home folder path set in their profile tab. You don't need OD to set the home with AD user accounts, but you could create an OD group and nest your AD Mac user group into it to apply managed preferences.

Author Comment

by:Robert Davis
>Check your AD plugin settings under directory utility, services, active directory. Ensure protocol is set to smb,
cyberdog478:"despite the settings defined in the article you linked to being set correctly (Use UNC...smb)."

> remove force local home, Enable derive home folder from AD.
Also set.  These are default when you bind to an AD.

> but enable create mobile account on login.
Not currently set, but won't this enable account mobility?  This is a pita of a system if this is Apple mobility.

Thanks!

Expert Comment

by:gmbaxter
Yes that will enable account mobility. Do you want mobile accounts where users sync like offline files, or true network homes where if the network/server malfunctions the clients crash?

Author Comment

by:Robert Davis
#2 please, I do not want Apple Mobility.  The horrors it brings are not worth it just to cover the off chance the server or network malfunctions (never happens to us statistically, and if it did we would have other concerns to deal with in the redundancy department).  Any suggestions would be greatly appreciated to make this happen.

Regards,
Robert

Expert Comment

by:gmbaxter
Ok, for true network homes, you need:

Create mobile account at login - no
Force local home directory on startup disk - no
Use UNC path from Active Directory to derive network home location - yes
Network protocol to be used - smb in your case, I think

Ensure that the user has a valid home folder path set in their profile tab in AD.

Remove the locally created users from the /Users folder

comment out /Network/Servers from the /etc/automaster file

ensure that the directory service search order is set for AD to be above OD.

That should sort you out.

Author Comment

by:Robert Davis
>Remove the locally created users from the /Users folder
>comment out /Network/Servers from the /etc/automaster file


I'll try these on Monday, thank you.  The rest have already been set as described in the original post.  Should I be making the comment to the automaster file on all the clients?

Regards,
Robert

Author Comment

by:Robert Davis
Actually I did already remove the /Users folder since DeepFreeze wipes these upon user logout...  So that leaves the automaster file.

Expert Comment

by:gmbaxter
Yes, I'd make the change to the automaster file; it should be:

 
#
# Automounter master map
#
+auto_master		# Use directory service
/net			-hosts		-nobrowse,hidefromfinder,nosuid
/home			auto_home	-nobrowse,hidefromfinder
#/Network/Servers	-fstab
/-			-static

Note the /Network/Servers entry commented out. Without this, you'll get "You are unable to login at this time" on the clients.

Author Comment

by:Robert Davis
Okay, I tried your suggestion, although before commenting this out we had no "You are unable to login at this time" errors ever.

For others' reference, I deployed this bash script:
cd /etc
mv auto_master auto_master.bak
sed '/Network/s%^%#%g' auto_master.bak > auto_master

Result is identical to your output above.  Rebooting workstations at lunch.  By the way, this still doesn't allow OD to create the home on the server, but we'll see if this gets around that at the client level...
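The automaster edit above (gmbaxter's target file and Robert's one-line sed) can be made safer for fleet deployment. The following is an added example, not code from the thread: it comments out only lines that actually begin with /Network/Servers and are not already comments, so running it twice does not stack "#" characters the way a blanket /Network/ substitution would, it keeps a .bak copy, and it verifies the result before reporting success. The file path is a parameter so it can be tested on a copy; the /etc/auto_master path and the sample file contents are taken from the thread, and the temp-directory demo at the bottom is constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): disable the /Network/Servers automount
# entry in an auto_master-style file, idempotently and with a backup.
# Usage on a client (assumption: Mac OS X of the era in the thread):
#   disable_network_servers /etc/auto_master

# Print 1 if FILE still has an uncommented /Network/Servers entry, else 0.
# Leading whitespace is tolerated; the mount point must be followed by
# whitespace or end of line so /Network/ServersFoo is not matched.
network_servers_active() {
    file="$1"
    if grep -E -q '^[[:space:]]*/Network/Servers([[:space:]]|$)' "$file"; then
        echo 1
    else
        echo 0
    fi
}

# Comment out every active /Network/Servers line in FILE.
# Writes FILE.bak first (preserving mode/ownership with cp -p), leaves
# already-commented and unrelated lines untouched, then re-checks the file.
# Returns 0 on success, 1 on an I/O failure, 2 if an active entry survived.
disable_network_servers() {
    file="$1"
    cp -p "$file" "$file.bak" || return 1
    sed -e 's%^\([[:space:]]*\)/Network/Servers\([[:space:]]\)%\1#/Network/Servers\2%' \
        -e 's%^\([[:space:]]*\)/Network/Servers$%\1#/Network/Servers%' \
        "$file.bak" > "$file" || return 1
    [ "$(network_servers_active "$file")" = "0" ] || return 2
    return 0
}

# Demo on a constructed copy of the thread's auto_master, so nothing under
# /etc is touched when this script is run as-is.
demo_dir=$(mktemp -d)
sample="$demo_dir/auto_master"
printf '#\n# Automounter master map\n#\n' > "$sample"
printf '+auto_master\t\t# Use directory service\n' >> "$sample"
printf '/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid\n' >> "$sample"
printf '/home\t\t\tauto_home\t-nobrowse,hidefromfinder\n' >> "$sample"
printf '/Network/Servers\t-fstab\n' >> "$sample"
printf '/-\t\t\t-static\n' >> "$sample"

echo "before: active=$(network_servers_active "$sample")"
if disable_network_servers "$sample"; then
    echo "after:  active=$(network_servers_active "$sample") (backup at $sample.bak)"
else
    echo "edit failed with status $?"
fi
cat "$sample"
rm -rf "$demo_dir"
```

Deploying this to every client with a management tool is fine, but keep the .bak files and check the return code per host: a status of 2 means the file had an entry the pattern did not recognise, which is worth looking at by hand rather than overwriting.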

Author Comment

by:Robert Davis
No dice.  Still the same behavior, no network folder was created.

Regards,
Robert

Expert Comment

by:gmbaxter
The network home should be created when you add the user in Active Directory. No need to use Workgroup Manager's "create home now" - that is for pure OS X deployments without AD.

When I import the users into AD I import their home as "\\changeme". I then mass select all users and set the home folder location in the profile tab to \\server\\share\%username%; this creates the home with appropriate ACLs. Can you try updating one user's home folder path to see if the home is created?


Author Comment

by:Robert Davis
They are already set up that exact way with proper NTFS permissions.  I even took out the $ in the share name to make it OSX friendly.

Author Comment

by:Robert Davis
As you can see, everything except for the /Network suggestion has been tried or is already in place by default...which is why this is so puzzling :-P.

Expert Comment

by:gmbaxter
What permissions are on the home folder shares?

Author Comment

by:Robert Davis
Everyone read/write for testing, everyone for smb perm, and everyone again for nfs.

Accepted Solution

by:
Robert Davis earned 0 total points
Ended up getting a $5,000 Apple support contract.  They were able to solve it in minutes.

The trick was to create the dirs via Active Directory, and then in OD it should pull in the AD's home path information correctly.  Then on the workstation in Directory Utility under the AD settings you need to uncheck the "store home path locally" setting.  You do not need to click the "Create Home" in OD.

Author Closing Comment

by:Robert Davis
Apple Support gave the solution.