Skip to main content
Question

Heads up for 10.7.2

  • November 10, 2011
  • 12 replies
  • 26 views
T
Forum|alt.badge.img+21

Hi guys

Just to let you know there is a serious bug but network home directories, doesn't matter if your using open directory or AD.

Ever since Apple brought out 10.7.2 and changed LDAP the whole share mounts and your user will see everyones home share! Apple have designed shares to mount the whole share point and have over looked this problem.

With home paths set in AD in my environment the users share would be serverpersonal$user

Problem is personal is mounted and because users don't have permission to others home folder set via NTFS permissions, when the user tries to open personal they get permission errors.

There is also a serious bug with kerberos and ADmitMac 6.0.1 Logging in gives a user a 5 minute ticket only! Not sure if Apples AD plugin is ok but thought you guys should know.

A work around is to open Ticket Viewer app found in /System/CoreServices/ and you can renew your ticket.

I create a symbolic link as part of my FirstRun script

#!/bin/bash

# create a symbolic link for the Ticket Viewer to Utilities

ln -sf /System/Library/CoreServices/Ticket Viewer.app /Applications/Utilities/Ticket Viewer.app

I also do this for Directory Utility, Apple Updater app etc

Thursby have a development build to fix it which reportedly gives a correct 10 hour ticket.

    12 replies

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • November 10, 2011

    For folder shares see: http://support.apple.com/kb/HT4829

    Regards,

    Ben.

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • November 10, 2011

    Complicated...NetApp filer, Apple screw ups get worse all the time, WGM to implement mcx without modifying schema or setting up golden triangle with an OD, GPO ADM templates controlling removable media (a must for banking clients) plus many many more reasons. Sorry been a long day.

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • November 10, 2011

    Thanks Ben that's it. Again Massive problem for network home directories :( Apple are getting worse with no proper UAT.

    They are getting too big headed and get people like us to test this stuff and and report it for free. Sad thing is we do it!

    ImAMacGuy
    Forum|alt.badge.img+23
    • ImAMacGuy
    • Esteemed Contributor
    • November 10, 2011

    Oh, was just curious, we're moving away from thursby. The DFS was the last bastion they had here.

    John Wojda
    Lead System Engineer, DEI & Mobility
    3333 Beverly Rd.  B2-338B
    Hoffman Estates, IL 60179
    Phone:  (847)286-7855
    Page:  (224)532.3447
    Team Lead DEI: Matt Beiriger
    Team Lead Mobility: Chris Sta Ana
                       Mac Tip/Tricks/Self Service & Support

    “Any time you choose to be inflexible in your approach to an unpredictable project you are already building failure into your plan”

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • November 10, 2011

    Tbh, it all depends on what you consider "Best Practice" we used both profile folder methods here with profilesusername$ being seem as better then profiles$user

    Anyways, do you need I mount the profiles at login as they hold the users profile or just a personal share?

    Regards,

    Ben.

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • November 10, 2011

    The most important for me is the removable media control GPO.

    I can put my self in and AD security goup say DenyRemovableMedia

    When I do this I cannot mount any removable media.

    I have a lauch daemon running a script every hour to do a thursby gp update. This is useful as I can add a user to AllowRemovableMedia or ReadOnlyRemovableMedia and know later in the day I can add the user back to the deny group and its secure.

    Also I don't have the golden triangle with open directory and its only me looking after the Macs and my colleagues have no interest or willing to learn :(

    Sorry got to go now its 10pm here and my wife is getting quite sh*tty with me again for working all the time.

    N
    Forum|alt.badge.img+19
    • nkalister
    • Contributor
    • November 10, 2011

    There's also a mount network share script in the resource kit that can be
    used to mount home directories. I just tell the AD plugin not to map the
    drive and then use the script from the resource kit instead as a login
    policy. Works great on lion for me- mounts the user's actual share, and
    grabs the path from AD.

    nick
    -- Nick Kalister
    Desktop Engineering

    Hitachi Data Systems
    Office: 408.970.4316

    750 Central Expressway
    Building 32 : M/S 3240
    Santa Clara, CA 95050

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • November 11, 2011

    I spoke to Tim off list.

    I use: http://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

    Works for me :)

    Regards,

    Ben.

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Author
    • Honored Contributor
    • November 11, 2011

    Doesn't work for me. I think it is because I am using ADmitMac and not the
    built in AD plugin

    Tim Kimpton
    Systems Engineer
    E: Tim.Kimpton at rufusleonard.com
    D: +44 (0)20 7956 3014
    W: http://www.rufusleonard.com
    F: facebook.com/rufusleonarduk
    T: twitter.com/rufusleonard

    Rufus Leonard limited is a company registered in England and Wales with
    company number 3348509. Vat number: 691308528

    ![external image link](attachments/eeb8c195762741a8aa1a34d4d1ce05e0)

    N
    Forum|alt.badge.img+19
    • nkalister
    • Contributor
    • November 11, 2011

    That looks interesting, ben- the ability to kick off the mappings at the
    user's request is something I've been thinking of offering. Thanks for
    the link!
    nick
    -- Nick Kalister
    Desktop Engineering

    Hitachi Data Systems
    Office: 408.970.4316

    750 Central Expressway
    Building 32 : M/S 3240
    Santa Clara, CA 95050

    talkingmoose
    Forum|alt.badge.img+36
    • talkingmoose
    • Community Manager
    • November 11, 2011

    FYI, you can prevent access to external drives using Managed Preferences
    On 11/10/11 3:54 PM, "Tim Kimpton" <tim.kimpton at rufusleonard.com> wrote:
    in the JSS as well as deny access to burn optical media. Optionally, you
    can allow admins access to these items or deny access completely.

    --

    William Smith
    Technical Analyst
    Merrill Communications LLC
    (651) 632-1492

    A
    • Anonymous
    • November 14, 2011

    Is there a way to set removable media to read only? i see in the removable media access MCX preference description that you can set to eject and alert. just curious to see if you can set permissions to read only.

    Michael Barrett
    Audio/Visual Specialist
    Technology – Infrastructure & Services
    19001 Crescent Springs Drive | Kingwood, TX 77339
    Office: 281-312-3594 | Cell: 713-409-6320

    ![external image link](attachments/fcd3297eaf024dd28fcf3dd52903ad74)

    Terms & ConditionsCookie settingsAccessibility statement