Tiger and Active Directory

[yellow]

Quote: Originally Posted by yellow If you cache a login locally, you cannot specify that the user change their password. You also cannot change the password locally. This is a pain in the ass. For a user to change their password, they have to come and change it on the AD plug-in for XP, and then I have to log in as root, move /Users/foo to the Desktop, delete the (cached) user account from Account prefpane, get the user to log in with their new password, log them out after it's created, log back in as root, move their stuff to the new /Users/foo directory, make sure to chown/chmod the old stuff to their new UID/GID (just in case). Pain in the ass. Still looking for a better solution.

This is no longer an issue with 10.4.2. Just had my first moment to test and now, if I check the "user must change password at next login" box in the User's profile on the Active Directory Users & Computers plug-in, the next time they login, they will be prompted to change their password. Hot diggity!

[Raven]

Thanks for the information... It is nice to know that some features at least got fixed... Now lets hope 10.4.3 fixes some other ones such as the cached account issue, or at least make it less random !

[yellow]

I've really only had it happen on 1 Mac so far of the many, many, many I've moved into AD. Still not sure why it happened, but no matter how hard I tried to fix it, there ended up being nothing I could do besides a complete reinstall.

[Raven]

Sam I heard. I've only become aware of this issue in the forums here as I never ran into it myself... Still haven't been able to find a reason why some times it doesn't work. Personnaly I'm mostly stuck with restricting user login to the machines, idealy without having to have an OS X server. The senior engeneers seem to have some ideas on this (I think I posted this in an earlier post in this thread) but I'm waiting for some info back from them before I can complete the steps.

[xom]

Finally! I have found folks in a similar position. This is a good thread.
Here is my situation:
We share out user home dirs from a solaris server via samba. On a windows machine I can change file permissions to files in my samba home dir. From OS X 10.4.2 all the files are at 700 and chmod does nothing to them. From the GUI, get info just says that I can read and write. The smb.conf on the sun server has the following entries under the [home] section:
browseable = no
read only = no
create mode = 0700
directory mode = 0700
wide links = no
hide dot files = yes

any help would be appreciated. I have also bound the mac to the windows domain and it logs me on and auto connects the samba home dir fine, I just can't change file permissions.
Thanks,
xom

[PaulM]

I have been very fortunate to get several machines running Tiger to integrate with Widows (sorry, Windows) 2000 Server AD first time My users logon and get access to their user areas with no problem. However, I would like them to automatically have access to a share called resources on the Windows server. Currently they have to go and connect to it themselves. Can anyone point me in the right direction for connecting automatically?

Excellent thread btw!

PaulM

[yellow]

Tiger will automagically mount the shares from a Win2k3 server, I know that.. as long as they are properly specified in the user's profile.

[Raven]

A little note on that. Indeed the "home folder path" from the user's profile in AD will automount. However, if DFS is being used on the AD server, it will mount but that network drive will not be browsable as the version of Samba on OS X can't properly read the DFS format.
The solution to this is to specific in the user's profile the real path instead of the DFS path and it will then work as its usual samba over to FAT32 or NTFS.

[PaulM]

Thanks Yellow, but how do I specify this in a profile that everyone will pick up. I've experience of using profiles (mandatory and roaming) on PCs but not on MacOS. Is there a MacOS equivalent of a mandatory profile that will make sure that every user who logs on can access the additional resources share on the server?

Cheers

PaulM

[Raven]

This folder path needs to be specified on the AD server in the User profile's Profile tab.

[PaulM]

but ... the User profile's Profile tab has the path to the mandatory profile used by PCs. The home folder path has the path to the user's home folder and they can access that on the Mac. I want them to have access to a another share called resources on the server automatically - preferably with the icon on the desktop. I think I want the MacOS equivalent of a PC mandatory profile but I don't know how! And I can't find anything on the Net!

PaulM

[Raven]

What you could do is write up a small applescript for this. Take a look at post numebr 9 in this thread where I had writen down the whole instructions to do so.
In your case though, since you want the same mount to happen for all users (Is it the same shared directory that all users should access with the same access level ?), you could always drop that applet once your sure it works properly in the /Library/StartupItems folder. If the folder doesn't exist, you can create it with the exact folder name I wrote here and it will be recognized as the proper folder. Since the applet will be in a startup folder that gets checked when ever any user logs in to the local machine, it will automount the shared drive for any user that logs in.

[PaulM]

Many thanks Raven. I suppose I should have had a good look through the other thread as well but I hadn't spotted it. This all looks promising and I will apply it as soon as I get back into work.

Many thanks again

[lancepr]

How should the home folder link be formated?
\\server\share\user
or
\\server.domain.loc\share\user

[Raven]

Here we have the profile tabs set as \\files.domain.com\staff\username . The address normally depedns on how the setup was done for the file servers though. If they are using DFS in your case, for Mac users I suggest you put in the real path to the share instead of the DFS one. Otherwise the share will mount but no files will be accessible to your Mac users.

[lukeman550]

I'm new to the MAC world but was able to get 30 of my machines connected to our AD with home drives mapped. We currently use a product in Windows called Script Logic to manage individual network drive preferences when people log in. Nay ideas for the best way to handle this with MACs connecting to AD?

[Raven]

Which version of OS are the machines running ? Also, is it that you want users to all mount one general shared folder ? Each other personnal shares ? Shared for only a small group of users ?

[dv64villa]

Hello,
Great thread, you guys. I'm having a problem when binding in Directory Access. Here's what happens, I highlight Active Directory version 1.5.2 plugin and click on Configure button. There i have the dialog box where i am asked to enter ad forest, ad domain and computer id. Problem is, the ad forest field reads -Automatic- and it's grayed out. I can't delete it. the field is locked. the ad domain field is blank, so i enter my domain name and the computer id field has a default name which i don't like so i've changed it (which i don't think should make a diff) but I've also tried leaving the generated name, it doesn't change the outcome. When i click on bind i enter a username and password of a windows account with rights to join computers to the domain, but i get the error message: Invalid Domain an invalid Domain and Forest combination was specified. you should enter a fully qualified DNS name for the domain and forest.

can someone clue me in to what i may be missing, doing wrong. THanks.

sincerely,

utterly confused

[Raven]

Well can't help you select the proper full domain address, such as my.company.com. You can check this easily in the AD Users and Computers admin tool on a PC. The name of the domain should be the top name in the tree.
The forest in which your computer will be bound will be automatically detected from your domain controler when you bind.

Also for the name of the machine, its best to create the Computer Object in AD first, them match your local Computer name to that.
Also, when you try to bind, you need to use AD credentials that have access to the Computer object that was created for your machine.

[dave621]

Good thread has anyone ever seen this I have run into a problem with Mobile Accounts and 10.4.2 using Active Directory authenication to log in. What I get when a user logs into the Mac and creates a Mobile account it creates the Mobile Account, but only puts the Desktop Folder and the Library folder in their local users folder. Their server space is mounted that is specified from Active Directory, but in their server space is a Library/Preferences folder with com.apple.dock.plist com.apple.HomeSync.plist and com.apple.MCX.plist this is a problem because it provides a incorrect dock that Workgroup Manager is providing to the client. This problem occurs whether the client is being managed by WGM or not being managed by WGM. I have checked the dsconfigad settings and they all seem to be correct. Does anyone have any ideas what would cause this?