Posted on 08-15-2011 09:28 AM
Greetings.
I work in an almost all-mac school division, and we use Open Directory to
authenticate our clients. We have a dozen schools, and, after our
experiment using a Master Open Directory with a dozen replicas caused us a
lot of grief, we are using a dozen open-directory masters. The settings we
push out via MCX (such as showing users at the login window, or making it so
that Office doesn't prompt for user credentials on the first run) apply to
many different labs at different schools (which have computers that move
around as they go for repairs), and it would be nice to keep them easily
consistent -- thus, I would like to use the MCX settings management
capabilities provided by Casper. Lastly, many of the computers used by
students are laptops, and we've found that mobile home folders, without
syncing, seem to work best (but I'm open to other suggestions).
The only problem with this is that, as is clearly stated in the
administrator's guide, Casper can not apply MCX settings to mobile accounts
that are bound to Open Directory. (Active Directory integration and mobile
accounts must work differently, as Casper can apply MCX settings there).
Does anyone have any ideas for a workaround, or advice on a more workable
setup? I've heard it is possible to just use Open Directory for
authentication, and not for managed settings, but haven't seen how to do
that. I do have a few more things to try and research, but would sure
appreciate any tips or suggestions.
Cheers,
Clinton Blackmore
Posted on 08-15-2011 09:57 AM
If you look at the mailing list archive I posted a method of creating a master MCX file via dscl mcxexport and mcximport and applying it to user accounts via a script. I am currently using this method by putting my whole MCX plist file on the CasperShare, then post image creating a local account and then applying the MCX via a script. However, this can be easily migrated to a log in hook and applied to users based on group membership or what not, and you can have multiple MCX files.
The email I previously sent should sum it up, but if you got any questions feel free to ask.
-Tom
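An added example of the approach Tom describes, written by me rather than taken from his mailing-list post: a Python 3 script that merges a division-wide MCX plist with lab-specific ones chosen by the user's group membership, then builds the `dscl . -mcximport` command that applies the result to the local account. The plist layout it parses (an outer dict whose dsAttrTypeStandard:MCXSettings value is a list of embedded-plist strings rooted at mcx_application_data, plus an MCXFlags value with has_mcx_settings) is my reading of `dscl . -mcxexport` output and should be checked against your own export. The sample exports, group names and paths are constructed for the example.

```python
#!/usr/bin/env python3
"""Merge MCX plists in `dscl . -mcxexport` layout and apply the result to a
local account with `dscl . -mcximport`. Meant to run as root from a login
hook, where sys.argv[1] is the user logging in.

Assumed layout (check against your own export): the outer plist is a dict
whose dsAttrTypeStandard:MCXSettings value is a list of strings, each an
embedded plist rooted at mcx_application_data, and whose
dsAttrTypeStandard:MCXFlags value is a list holding a plist with
has_mcx_settings = true.
"""
import os
import subprocess
import sys
import tempfile
import plistlib

MCX_SETTINGS = "dsAttrTypeStandard:MCXSettings"
MCX_FLAGS = "dsAttrTypeStandard:MCXFlags"
MODES = ("Forced", "Set-Once")   # "always" and "once" management modes


def load_export(export_bytes):
    """Parse one mcxexport plist into {domain: {mode: {pref: value}}}."""
    outer = plistlib.loads(export_bytes)
    domains = {}
    for inner_xml in outer.get(MCX_SETTINGS, []):
        inner = plistlib.loads(inner_xml.encode("utf-8"))
        for domain, body in inner.get("mcx_application_data", {}).items():
            target = domains.setdefault(domain, {})
            for mode in MODES:
                for entry in body.get(mode, []):
                    target.setdefault(mode, {}).update(
                        entry.get("mcx_preference_settings", {}))
    return domains


def merge_exports(*exports):
    """Merge parsed exports; a later file wins per (domain, mode, key)."""
    merged = {}
    for exp in exports:
        for domain, modes in exp.items():
            for mode, prefs in modes.items():
                merged.setdefault(domain, {}).setdefault(mode, {}).update(prefs)
    return merged


def build_export(domains):
    """Serialise {domain: {mode: prefs}} back into mcxexport layout (bytes).
    All domains go into one embedded plist string."""
    app_data = {
        domain: {mode: [{"mcx_preference_settings": prefs}]
                 for mode, prefs in modes.items()}
        for domain, modes in domains.items()
    }
    inner = plistlib.dumps({"mcx_application_data": app_data}).decode("utf-8")
    flags = plistlib.dumps({"has_mcx_settings": True}).decode("utf-8")
    return plistlib.dumps({MCX_SETTINGS: [inner], MCX_FLAGS: [flags]})


def select_files(user_groups, group_files, base_file):
    """Base file first, then each (group, file) whose group the user is in,
    in the order given, so later files override earlier ones."""
    return [base_file] + [path for group, path in group_files
                          if group in user_groups]


def import_argv(user, plist_path):
    """The dscl command that loads plist_path into the local user record."""
    return ["dscl", ".", "-mcximport", "/Users/%s" % user, plist_path]


# Constructed samples (not real exports): a division-wide base and a
# lab-specific override that switches the login window back to list mode.
SAMPLE_BASE = build_export({
    "com.apple.loginwindow": {"Forced": {"SHOWFULLNAME": True,
                                         "HideAdminUsers": True}},
})
SAMPLE_LAB = build_export({
    "com.apple.loginwindow": {"Forced": {"SHOWFULLNAME": False}},
    "com.apple.dock": {"Set-Once": {"orientation": "left"}},
})


def main(argv):
    # usage: apply_mcx.py USER BASE.plist [GROUP=FILE.plist ...]
    user, base = argv[1], argv[2]
    group_files = [tuple(a.split("=", 1)) for a in argv[3:]]
    groups = subprocess.check_output(["id", "-Gn", user]).decode().split()
    parsed = []
    for path in select_files(groups, group_files, base):
        with open(path, "rb") as fh:
            parsed.append(load_export(fh.read()))
    # mkstemp rather than a fixed name under /tmp: this runs as root, and a
    # predictable path could be pre-created or symlinked by a local user.
    fd, out = tempfile.mkstemp(prefix="mcx-", suffix=".plist")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(build_export(merge_exports(*parsed)))
        subprocess.check_call(import_argv(user, out))
    finally:
        os.unlink(out)


if __name__ == "__main__":
    main(sys.argv)
```

Called from a login hook as `apply_mcx.py "$1" /path/base.plist lab12=/path/lab12.plist`, it gives every user the base settings and layers the lab file on top only for members of the lab12 group; because files are merged per preference key, a lab file only needs to carry the keys it changes. The merged plist is written to a mkstemp file rather than a fixed path, since anything a root login hook writes to a guessable name is a target for a local user.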
Posted on 08-19-2011 09:49 AM
First, I'd like to thank you, Thomas. I do normally search better before
posting, and I have looked through your past e-mails -- I'm not certain that
I found the specific one you were referring to, but I understand the
approach.
As an aside, if there is anyone reading this who has clients using some sort of
mobile/roaming account bound to Active Directory, who would be willing to
send me the output of 'mcxquery -format xml'? There may yet be some
settings I could play with to achieve my aim.
While I've had no luck in using any sort of mobile account with Casper, I
have found an interesting alternative -- it is possible to specify in a
user's settings that the user's account resides on the local computer.
(Details below). This is most intriguing, as it does allow me to manage
the preferences through Casper. There are three downsides to this approach
that I see, as compared to mobile accounts without syncing. 1) The user
needs network connectivity to log in. 2) The user has a "local network
account" on all computers (instead of a network account on desktops, and a
mobile account without syncing on laptops) and must always use the same
computer to use their work or store the data elsewhere. 3) The user will
not automatically have a home folder on the server that they can connect to.
The upsides of being able to use casper to manage the preferences and not
having to make sure the directory server knows about the computer mean that
this is something I'll look into.
---
Now then, how to use "local network accounts" (via Workgroup Manager, but
the principles apply to user creation via scripts).
- in WGM, choose WGM -> Preferences from the menu, and be sure "Show 'All
Records' tab and inspector" is turned on.
- when creating a new user, don't set a server path for the home folder.
- go to the user in the inspector, and change 'NFSHomeDirectory' from '99'
(which means it is unset) to '/Users/testuser' (changing that as
appropriate).
- You're done -- the user can now log in and their home folder resides on the
local computer.
To modify an existing user:
- change the 'NFSHomeDirectory' (from something like
/Network/Servers/myserver/Users/myuser to /Users/myuser)
- find the 'HomeDirectory' attribute (something like
'<home_dir><url>afp://myserver</url><path>/Users/foo</path></home_dir>') and
delete it (by highlighting it and hitting the backspace key)
I haven't tested yet to see if the home folder is initially copied from the
server or from the local computer.
Cheers,
Clinton Blackmore
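As an added example of doing the same record change from a script instead of in Workgroup Manager (my code, not the poster's procedure): a Python 3 script that reads each user record with `dscl -plist`, works out whether NFSHomeDirectory still points at the server and whether a HomeDirectory attribute is still present, prints the dscl commands that fix them, and runs them only when --apply is given. The node path /LDAPv3/127.0.0.1, the directory-administrator short name diradmin and the sample records are assumptions; the dsAttrTypeStandard: key names are the ones `dscl -plist` prints for a user record.

```python
#!/usr/bin/env python3
"""Convert Open Directory user records to "local network accounts": set
NFSHomeDirectory to /Users/<shortname> and delete HomeDirectory.

Commands are printed for review and only run with --apply. The node path,
the directory-administrator name and the sample records are assumptions.
"""
import plistlib
import re
import subprocess
import sys

NODE = "/LDAPv3/127.0.0.1"   # assumed: run on the OD master itself
DIRADMIN = "diradmin"        # assumed directory administrator short name
REC_NAME = "dsAttrTypeStandard:RecordName"
NFS_HOME = "dsAttrTypeStandard:NFSHomeDirectory"
HOME = "dsAttrTypeStandard:HomeDirectory"
# The short name becomes a path component under /Users (the folder created
# at login) and a dscl argument; refuse anything that could escape /Users.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,30}$")


def plan_local_home(record_bytes):
    """Parse a `dscl -plist NODE -read /Users/x` record and return
    (shortname, [dscl argv, ...]); the list is empty when nothing needs
    changing. Raises ValueError for a short name that is not a safe path."""
    rec = plistlib.loads(record_bytes)
    name = rec[REC_NAME][0]
    if not SAFE_NAME.match(name):
        raise ValueError("refusing unsafe short name %r" % name)
    rec_path = "/Users/%s" % name     # record path inside the directory node
    local_home = "/Users/%s" % name   # home folder on the client
    base = ["dscl", "-p", "-u", DIRADMIN, NODE]   # -p: prompt for password
    cmds = []
    if rec.get(NFS_HOME, [None])[0] != local_home:
        cmds.append(base + ["-create", rec_path, "NFSHomeDirectory", local_home])
    if HOME in rec:
        cmds.append(base + ["-delete", rec_path, "HomeDirectory"])
    return name, cmds


def read_record(shortname):
    """Fetch one user record from the node as plist bytes."""
    return subprocess.check_output(
        ["dscl", "-plist", NODE, "-read", "/Users/%s" % shortname])


# Constructed sample records (not real data).
SAMPLE_SERVER_HOME = plistlib.dumps({
    REC_NAME: ["myuser"],
    NFS_HOME: ["/Network/Servers/myserver/Users/myuser"],
    HOME: ["<home_dir><url>afp://myserver</url><path>/Users/myuser</path></home_dir>"],
})
SAMPLE_LOCAL_HOME = plistlib.dumps({
    REC_NAME: ["myuser"],
    NFS_HOME: ["/Users/myuser"],
})
SAMPLE_BAD_NAME = plistlib.dumps({
    REC_NAME: ["../root"],
    NFS_HOME: ["/Network/Servers/myserver/Users/root"],
})


def main(argv):
    # usage: localize_home.py [--apply] SHORTNAME ...
    apply_changes = "--apply" in argv
    for shortname in [a for a in argv[1:] if a != "--apply"]:
        name, cmds = plan_local_home(read_record(shortname))
        if not cmds:
            print("%s: already local" % name)
        for cmd in cmds:
            print(" ".join(cmd))
            if apply_changes:
                subprocess.check_call(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

The script uses `dscl -p` so the directory-administrator password is prompted for rather than passed with -P, where it would be visible to every user in the process list. It only changes the directory record; it does not move or copy any existing home folder contents, so the question of where the home folder comes from on first login is unaffected by it.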