Robert Davis asked:

OSX OpenDirectory Map Home Folders to SMB Share

We have an OSX OpenDirectory server bound to a Windows Active Directory.  AD provides the logins, OD is supposed to supply the rest.

On the OSX server:
DNS is functioning perfectly with AD as the dns servers.
RDNS also checks out for the domain, servers, etc.
Logins work

The OSX server and clients can talk to the Windows SMB share using their AD credentials and can write new files to the share via Finder

However, when I go to "Create Home" in the workgroup manager I get the following error:
Unable to create home directory

Looking at the syslog I get a kNetworkError.

I tried enabling NFS on the windows server and using either mixed or anonymous authentication methods.  Both times I get "No principal configured for this user" errors in the syslog and the same "Unable to create home directory" error in the workgroup manager after a timeout.

Any suggestions on how to setup home directories using either smb:/ or nfs:/ would be greatly appreciated.  We require this functionality due to storage server and software limitations/restrictions.  Thank you!

Regards,
Robert
Govvy

Robert Davis (ASKER)

Govvy,
Yes, this setting is selected/set by default when binding to AD.  The users get a shortcut in the dock to the UNC share, but their actual home folders/paths are not being mapped to the network share... they are being stored locally under /Users on the machine and are not synced to the network share defined in AD, despite the settings defined in the article you linked to being set correctly (Use UNC...smb).

I cannot find any information on how to extend the Active Directory schema to include OD properties, this is the only option mentioned in the article that I was unable to double check.

Thanks,
Robert
Check your AD plugin settings under directory utility, services, active directory. Ensure protocol is set to smb, remove force local home, but enable create mobile account on login. Enable derive home folder from AD.

Ensure the user in AD has a home folder path set in their profile tab. You don't need OD to set the home with AD user accounts, but you could create an OD group and nest your AD Mac user group into it to apply managed preferences.
> Check your AD plugin settings under directory utility, services, active directory. Ensure protocol is set to smb,
cyberdog478: "despite the settings defined in the article you linked to being set correctly (Use UNC...smb)."

> remove force local home, Enable derive home folder from AD.
Also set.  These are default when you bind to an AD.

> but enable create mobile account on login.
Not currently set, but won't this enable account mobility?  This is a PITA of a system if this is Apple mobility.

Thanks!
Yes, that will enable account mobility. Do you want mobile accounts where users sync like offline files, or true network homes where if the network/server malfunctions the clients crash?
#2 please, I do not want Apple Mobility.  The horrors it brings are not worth it just to cover the off chance the server or network malfunctions (never happens to us statistically, and if it did we would have other concerns to deal with in the redundancy department).  Any suggestions would be greatly appreciated to make this happen.

Regards,
Robert
Ok, for true network homes, you need:

Create mobile account at login - no
Force local home directory on startup disk - no
Use UNC path from Active Directory to derive network home location - yes
Network protocol to be used - smb in your case, I think

Ensure that the user has a valid home folder path set in their profile tab in AD.

Remove the locally created users from the /Users folder.

Comment out /Network/Servers from the /etc/automaster file.

Ensure that the directory service search order is set for AD to be above OD.

That should sort you out.
> Remove the locally created users from the /Users folder
> Comment out /Network/Servers from the /etc/automaster file

I'll try these on Monday, thank you.  The rest have already been set as described in the original post.  Should I be making the comment to the automaster file on all the clients?

Regards,
Robert
Actually I did already remove the /Users folder since DeepFreeze wipes these upon user logout...  So that leaves the automaster file.
Yes, I'd make the change to the automaster file. It should be:

#
# Automounter master map
#
+auto_master		# Use directory service
/net			-hosts		-nobrowse,hidefromfinder,nosuid
/home			auto_home	-nobrowse,hidefromfinder
#/Network/Servers	-fstab
/-			-static

Note the /Network/Servers entry commented out. Without this, you'll get "You are unable to login at this time" on the clients.
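The following script is an added example and is not from anyone in this thread. It turns the client-side checklist given earlier (mobile accounts off, force local home off, UNC-derived home on, protocol smb) and the /Network/Servers edit just shown into something that can be run on each Mac before rebooting it. It assumes that `dsconfigad -show` prints its settings as "label = value" lines like the constructed sample below, and that /etc/auto_master is the automounter master map; the sample files are constructed stand-ins for a real client.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies a Mac client against the
# network-home settings listed above and comments out the /Network/Servers
# automount line, matching only that line and safe to rerun.
# Assumptions: `dsconfigad -show` prints "label = value" lines as in the
# constructed sample below; /etc/auto_master is the master map.

# Expected values taken from the answer above ("label|expected", one per line).
EXPECTED='Create mobile account at login|Disabled
Force home to startup disk|Disabled
Use Windows UNC path for home|Enabled
Network protocol to be used|smb'

# check_ad_settings FILE: FILE holds saved `dsconfigad -show` output.
# Prints one line per setting that differs; returns 1 if anything differs.
check_ad_settings() {
    mismatches=$(printf '%s\n' "$EXPECTED" | while IFS='|' read -r label want; do
        got=$(sed -n "s/^[[:space:]]*${label}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1)
        [ "$got" = "$want" ] || printf '%s: got "%s", want "%s"\n' "$label" "$got" "$want"
    done)
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# network_servers_active FILE: returns 0 if an uncommented /Network/Servers line exists.
network_servers_active() {
    grep -q '^[[:space:]]*/Network/Servers' "$1"
}

# disable_network_servers FILE: comment out only that line, keeping FILE.bak.
# Lines already starting with '#' do not match, so rerunning changes nothing.
disable_network_servers() {
    cp "$1" "$1.bak"
    sed 's%^\([[:space:]]*/Network/Servers\)%#\1%' "$1.bak" > "$1"
}

# --- Demonstration on constructed sample files (stand-ins for a real client) ---
demo=$(mktemp -d)
cat > "$demo/dsconfigad.txt" <<'EOF'
Active Directory Forest          = example.local
Active Directory Domain          = example.local
Computer Account                 = mac01$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Disabled
  Use Windows UNC path for home  = Enabled
  Network protocol to be used    = smb
EOF
cat > "$demo/auto_master" <<'EOF'
+auto_master          # Use directory service
/net                  -hosts       -nobrowse,hidefromfinder,nosuid
/home                 auto_home    -nobrowse,hidefromfinder
/Network/Servers      -fstab
/-                    -static
EOF

echo "AD plugin settings (constructed sample):"
if check_ad_settings "$demo/dsconfigad.txt"; then
    echo "  all settings match the network-home configuration"
fi
echo "auto_master (constructed sample):"
if network_servers_active "$demo/auto_master"; then
    disable_network_servers "$demo/auto_master"
    echo "  commented out /Network/Servers; backup in auto_master.bak"
else
    echo "  /Network/Servers already disabled"
fi
# On a real client (as root): dsconfigad -show > /tmp/ad.txt; check_ad_settings /tmp/ad.txt;
# disable_network_servers /etc/auto_master; then reboot, as the thread does.
```

The sample deliberately has "Create mobile account at login = Enabled", so the check reports that one mismatch (the setting that would turn the accounts into mobile accounts rather than true network homes) while the other three pass. The sed in disable_network_servers anchors on the line start and captures the path, so a file that already has the line commented is left unchanged on a second run, unlike a pattern that matches any line containing "Network".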
Okay, I tried your suggestion, although before commenting this out we had no "You are unable to login at this time" errors ever.

For others' reference I deployed this bash script:

#!/bin/bash
# Back up the automounter master map, then comment out the /Network/Servers line
cd /etc || exit 1
mv auto_master auto_master.bak
sed '/^\/Network\/Servers/s/^/#/' auto_master.bak > auto_master

Result is identical to your output above.  Rebooting workstations at lunch.  By the way, this still doesn't allow OD to create the home on the server, but we'll see if this gets around that at the client level...
No dice.  Still the same behavior, no network folder was created.

Regards,
Robert
The network home should be created when you add the user in active directory. No need to use workgroup manager's "create home now" - that is for pure os x deployments without AD.

When I import the users into AD, I import their home as "\\changeme". I then mass select all users and set the home folder location in the profile tab to \\server\\share\%username%; this creates the home with appropriate ACLs. Can you try updating one user's home folder path to see if the home is created?

They are already set up that exact way with proper NTFS permissions.  I even took out the $ in the share name to make it OSX friendly.
As you can see, everything except for the /Network suggestion has been tried or is already in place by default...which is why this is so puzzling :-P.
What permissions are on the home folder shares?
Everyone read/write for testing, everyone for smb perm, and everyone again for nfs.
ASKER CERTIFIED SOLUTION
Robert Davis (ASKER)
Apple Support gave the solution.