Augmented Network Home Directories with PHDs


Preface

We first started using Network Home Directories provided by AD attributes about four years ago, when we started our Mac deployment project. It wasn't really good for us; we had a lot of pinwheeling issues due to lag and general network instability, and it caused a lot of sadness on the part of the end-user. We then were able to switch users en masse to Portable Home Directories, and that worked a lot better, and we've been using that successfully up until now. However, we found out a few months ago that we would no longer be able to utilize AD attributes to provide PHDs or NHDs, so we had to figure out another option. Enter augmented records.

Augmented records are designed to provide attributes from both Open Directory and Active Directory at the same time, and they were first made available in 10.5. It didn't really work too hot in 10.5 - you couldn't do much more than integrate the iCal attribute for users. 10.6 improved augments quite a bit, and augmenting home directory attributes was finally truly possible. Augmenting records isn't strictly necessary for PHDs with AD users - you could just use the Synchronization URL option, but we like to provide the fallback capability of NHDs in case something goes wrong with syncing, so we developed this process in order to make the whole shebang work.

Requirements

You'll need three main components in order to do this: a working Open Directory implementation (for MCX management and record augmentation), an external directory source for user accounts (Active Directory is generally the most common for this), and a Mac that is bound to both directories. This specific setup describes a Golden Triangle, and if you need more details about that, an excellent guide is available through Mike Bombich's website, located here. We also assume that you have a working knowledge of Active Directory, Open Directory, and DirectoryServices in general :)

Implementation

Step-by-step:

1.) Verify your Active Directory plugin settings. "Force local home directories on startup disk" and "Use UNC Path from Active Directory" must be disabled, as shown in the screenshot below.

[Screenshot: adplugin]

2.) Verify that no additional home folder mapping settings are being received from Active Directory. You can see an example of the extra attributes below - if you're receiving both of these attributes, I've written a script located here that will remove the mappings from the AD plugin. The script will have to be executed on both the client and the fileserver, and there's never a guarantee that Apple won't patch out this behavior later on. Caveat emptor.

[Screenshot: attribmaps]

3.) Now that those attributes are gone (or they never existed in the first place), we can actually start setting up the configuration on the Open Directory server to allow for home folder augments. By default, it only allows the ServicesLocator augment, but we're going to modify that.

a. Go to the Workgroup Manager menu bar item, and select Preferences. Check the "Show All Records tab and Inspector" item as shown in the screenshot below.

[Screenshot: wgmprefs]

b. Click on the little target icon at the top-right of the left pane in Workgroup Manager. From the dropdown box, select the Config option. Then, click on the "augmentconfiguration" item in the pane. You should end up with something like the below:

[Screenshot: augmentconfiguration]

c. Now we're at the fun stuff. Double-click on the "dsAttrTypeStandard:XMLPlist" attribute to edit it. You'll notice that there's one array in there with a ServicesLocator string already in it. We're going to add two more of our own - copy and paste the two strings below into that array. Make sure you get the indentation lined up with the ServicesLocator string!

<string>dsAttrTypeStandard:HomeDirectory</string>
<string>dsAttrTypeStandard:NFSHomeDirectory</string>

You should now have something almost exactly like the below. While you're in there, you should also verify that the Augmented Directory Node Name matches the appearance of the node name on your clients; whether it be /Active Directory/All Domains, or something more specific as shown below.

[Screenshot: xmplist]

d. Go ahead and click OK, and then save the record. Your ODM is now set up for augmenting home directories! Don't quit Workgroup Manager; we're going to continue to need it for a little bit.

4.) Now, we have to set up our first augmented user, and augment them with a home directory attribute. Just like the last step, we'll go through this step-by-step so it's simple to follow.

a. Go back to the user records tab in the left pane by clicking on the user icon. Then, pop open the Server menu, and select New Augmented User Records from the list. A little window like the below should pop up - go ahead and type your user's name into the search box and then click on their record once it appears. Finally, hit the Create button.

[Screenshot: newaugmenteduser]

b. You'll see on the left-hand side pane that the user you just created popped up and has a special little icon on top of the normal user icon - this blue dot denotes an augmented record.

[Screenshot: augmentedrecord]

Go ahead and select the user you just created, and click the Inspector tab in the right-hand pane. You'll see a bunch of attributes for this augment; we're going to focus on one that's already there, and one that we're going to add.

c. Let's go ahead and modify the first record attribute now. First, click on the dsAttrTypeStandard:NFSHomeDirectory attribute in the right-hand pane, and click the Edit button. A window much like the one we were working with earlier when we modified the ODM to allow augments pops up, and it should say something like "/var/empty" in the text pane. We're going to change that to our network path. This will be different for everyone, but for us, it's like the below:

[Screenshot: NFSHomeDirectory]

/Network/Servers will be in everyone's implementation. This is just the location on the client machine where the server share gets mounted.

aux-aluminum.central.cmich.local is the server DNS name in this case.

/Volumes/PodcastProducer/ is the volume the home directory is located at - since the home directory isn't located on the root volume of the server, we have to explicitly state what volume this is. For many people, it'll just be "/".

/Personal/wiede1t is where my home directory is actually located, with /Personal/ being the specific folder where all home directories are stored, and /wiede1t/ being my own personal home directory.

Once you're all set editing the attribute and you've verified that it's correct (again, this will be different for everyone, you just have to know the specifics of your setup), click the OK button to save the attribute.


d. Now, we've got to add the extra attribute, so let's click the New Attribute... button in the right-hand pane. Another record editing window will pop up, but we've got a little extra to do this time. First, change the Attribute Name at the top of the window to be "HomeDirectory". This will actually translate to dsAttrTypeStandard:HomeDirectory, if you're curious. Then, you've got to add the network home directory path, as I've done below:

[Screenshot: HomeDirectory]

HomeDirectory attributes have a bit of weird formatting, as you can see above. The part in between the <url></url> tags is actually the network sharepoint path - in our case,
aux-aluminum.central.cmich.local/Personal is where the sharepoint exists. Note that this is different from the NFSHomeDirectory attribute - the NFSHomeDirectory attribute was the location on the server itself, whereas HomeDirectory is the location of the published sharepoint.

The <path></path> tags just include any extra pathing that you might need to reach the home directory. Since my home folder is stored at the root of the sharepoint, I don't need anything extra in the <path></path> tags, but some people may.

Once you've got that all set up, click OK to save the record. You've successfully created your first augment! When you're doing this in production, you'll probably want to script it, because it's a lot of steps and it needs to happen for each user. Keep Workgroup Manager open for our next steps.


5.) This is only about half the story, though. We've got an augment set up now, but the only thing that's going to let us do is have a network home directory. If that's all you wanted, that's great - you're all set. However, we're trying to get Portable Home Directories, so we've still got a little more to do.

a. We're going to set up the Portable Home Directory for only one user for now (you can translate it to groups, computer groups or computers later if you wish; in our production environment we apply it to a computer group), so let's go ahead and select the augment record that we created earlier. Then, click on the Preferences button on the top menubar. A bunch of icons should appear in the left-hand pane; select the Mobility icon. Select the "Always" button from the Manage heading, and then check the Create Mobile Account When User Logs Into Network Account checkbox as I have it set below.

[Screenshot: mobilityprefs]

This sets us up for a basic mobile account. Now, if you'd like, you can go through and set more detailed synchronization options (inclusions/exclusions, FileVault, quotas), but we're going to skip that. Click the Apply Now button to save the changes.

b. Now, click on the Preferences button on the top menubar again. Then, select the Details tab. There should be some nonsensical stuff in there, but we're going to fix that. Click the + button on the bottom of the pane, and a file selection dialog box should pop up. Navigate the selection dialog box to the path "Macintosh HD:System:Library:CoreServices:ManagedClient" and click the Add button. You should now see something like the below:

[Screenshot: manifests]

c. Scroll down to Mobile Account & Other Options. You will notice that a little mouse icon is next to it; that denotes a managed preference. Go ahead and double-click it. In the window that pops up, expand the Always item, and click on the Always item to select it. Then, hit the New Key button at the top of the window. A key labelled New Item will appear in the list; click the little dropdown next to it and select Synchronization URL from the list. In the value section, type in your sharepoint's URI followed by its path. Do not put the username in there - instead, put "%@" without the quotes. This is a special value that will insert any username. You should now have something like the below:

[Screenshot: synchronizationurl]

As you can see, this is essentially the same path we put in the HomeDirectory attribute from earlier, just without the tags and with a "%@" instead of a username. Click Apply Now to save the changes.

6.) Go ahead and try it out! Make sure your client machine is bound to both directories, and then log in as whatever user you're working with. It should log in and sync as your AD user!
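Step 4 notes that in production you will want to script the per-user augments, and the three values involved (the augmentconfiguration XMLPlist from step 3c, NFSHomeDirectory and HomeDirectory from step 4, and the Synchronization URL from step 5c) are easy to get subtly out of sync with one another. The script below is an added example, not code from this wiki page or its author: it builds all of those values from one set of server details and cross-checks that the NFSHomeDirectory mount path and the HomeDirectory sharepoint URL name the same server and the same user folder before anything is written into Open Directory. The afp:// scheme, the "Augmented Attributes" key name and the sample user are assumptions (the page shows only host/share and names the "Augmented Directory Node Name" key).

```python
"""Build and sanity-check the Open Directory values for an augmented AD user.

Added example, not code from the wiki page. Assumptions: the afp:// scheme
(the page shows only host/share), the "Augmented Attributes" key name in
augmentconfiguration, and the constructed sample user in __main__.
"""
import plistlib
import posixpath
import xml.etree.ElementTree as ET

# Attributes augmentconfiguration will allow to be augmented (step 3c).
# ServicesLocator is present by default; the two home-folder entries are added.
AUGMENT_ATTRS = [
    "dsAttrTypeStandard:ServicesLocator",
    "dsAttrTypeStandard:HomeDirectory",
    "dsAttrTypeStandard:NFSHomeDirectory",
]


def augment_config_plist(node_name):
    """XMLPlist value for the Config/augmentconfiguration record (step 3c).

    node_name must match the node name as the clients see it, e.g.
    "/Active Directory/All Domains". "Augmented Directory Node Name" is the
    key named on the page; "Augmented Attributes" is an assumed key name.
    """
    return plistlib.dumps({
        "Augmented Attributes": AUGMENT_ATTRS,
        "Augmented Directory Node Name": node_name,
    })


def nfs_home_directory(server, volume, share, user):
    """NFSHomeDirectory (step 4c): where the client mounts the server folder.

    /Network/Servers/<server>/<volume>/<share>/<user>; pass volume="/" when
    the share lives on the server's boot volume.
    """
    return posixpath.join("/Network/Servers", server,
                          volume.strip("/"), share.strip("/"), user)


def home_directory(server, share, user, extra_path="", scheme="afp"):
    """HomeDirectory (step 4d): published sharepoint URL plus the path to the
    user's folder inside it. The <home_dir><url/><path/></home_dir> framing
    is the standard Mac OS X form; the URL scheme is an assumption.
    """
    url = "%s://%s/%s" % (scheme, server, share.strip("/"))
    path = posixpath.join(extra_path.strip("/"), user)
    return "<home_dir><url>%s</url><path>%s</path></home_dir>" % (url, path)


def synchronization_url(server, share, extra_path="", scheme="afp"):
    """Mobility > Synchronization URL (step 5c): the same sharepoint URL with
    the MCX placeholder %@ standing in for the username."""
    url = "%s://%s/%s" % (scheme, server, share.strip("/"))
    return posixpath.join(url, extra_path.strip("/"), "%@")


def check_consistent(nfs_home, home_dir, user):
    """Cross-check the two differently formatted attributes before saving the
    augment: same server, the sharepoint present in the mount path, and the
    same user folder at the end of both. A mismatch means the fallback NHD
    mount and the sharepoint the PHD syncs against would not line up."""
    root = ET.fromstring(home_dir)
    url = root.findtext("url") or ""
    path = root.findtext("path") or ""
    host_and_share = url.split("://", 1)[-1]
    host = host_and_share.split("/", 1)[0]
    share = host_and_share.rsplit("/", 1)[-1]
    parts = nfs_home.strip("/").split("/")
    return (parts[:2] == ["Network", "Servers"]
            and len(parts) > 3
            and parts[2] == host
            and share in parts[3:-1]
            and parts[-1] == user
            and posixpath.basename(path) == user)


if __name__ == "__main__":
    # Constructed sample values, modelled on the page's own example paths.
    server = "aux-aluminum.central.cmich.local"
    nfs = nfs_home_directory(server, "/Volumes/PodcastProducer/", "Personal", "wiede1t")
    hd = home_directory(server, "Personal", "wiede1t")
    print(nfs)
    print(hd)
    print(synchronization_url(server, "Personal"))
    print("consistent:", check_consistent(nfs, hd, "wiede1t"))
    print(augment_config_plist("/Active Directory/All Domains").decode())
```

Run it once with your own server, volume and share values and compare the printed strings against what Workgroup Manager shows for the user you created by hand; only after `check_consistent` reports True for that user is it worth wiring the output into whatever tool you use to write the augment records.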