atoss

Q: Can't set Home Folder for Users from Active Directory through Server app

Hello Community!


I'm still somewhat learning the ropes with OS X in an Active Directory environment in a school setting, but I'm usually pretty good at figuring out how to get everything to work.  However, I'm a bit stumped by this particular issue:


I've got a Mac mini server running 10.10.5 with Server 5.0.15 running Open Directory and also bound to Active Directory.  The client Macs participate in the "magic triangle" and everything seems to work well.  However, we've recently started to take a look at Home Folder syncing for some of our younger students.  In OS X Server app, we can't set the Home Folders setting for users on the domain.  When attempting to save the Home Folder setting in a user account, this prompt appears and asks for credentials for the Directory Node:

[screenshot: diradmin creds.png]

But our Directory Admin account for Active Directory doesn't authenticate the change.  A dropdown says that the user is not an administrator on the node:

[screenshot: dircreds fail.png]

Local Network Accounts, of course, work normally and accept changes to the Home Folder setting.  The issue is not present, however, when using Directory Utility's Directory Editor.  The same Directory Admin account that doesn't work in Server.app does work to authenticate in the editor.  Any changes that are made to Users through Directory Editor are saved immediately in Active Directory, including the HomeDirectory and SMBHome fields and the Path field in the user's properties in AD.


Considering that Directory Utility is making the same change in AD, using the same credentials, why won't Server.app also change the Home Directory option?  Is there some particular way that the Server needs to be configured to allow this the same way that Directory Utility does?


Any and all guidance on this topic would be greatly appreciated!

Mac mini, OS X Server, OS X 10.10 with Server 5.0

Posted on Dec 8, 2015 7:12 AM


  • by cdhw, Level 4 (2,623 points), Dec 9, 2015 2:55 AM in response to atoss

    I may have the wrong end of the stick here, but I think the dialog is asking for your Open Directory admin credentials, not your Active Directory ones. A magic triangle setup stores the Mac-specific settings in Open Directory and doesn't mess with anything in Active Directory.

    AFAIK, magic triangle setups are no longer the recommended way to manage this sort of stuff anyway - consider using Profile Manager for the Mac-specific settings that AD doesn't handle naturally.

    C.

  • by atoss, Level 1 (12 points), Dec 9, 2015 6:10 AM in response to cdhw

    Thank you for your response, but I think you're right about the wrong end of the stick.

    Specifically, Home Folder syncing on a Mac directly checks Active Directory to find the Home Folder network path specified in the User's properties.  Profile Manager is actually used for this purpose, to enable Mobility settings and configure the computer for an account to be a mobile account.  Furthermore, the authentication login window described above, which specifically names the Active Directory node that you're logging into, won't accept credentials from Open Directory, admins or otherwise.  It just shakes the window when attempting to enter anything other than accounts from AD.  However, all accounts from AD (even the highest level admin account we have) get the "user is not an administrator on this node" rejection dialog.  This clearly demonstrates that it's checking AD itself in this process.  The very presence of this type of dialog implicitly indicates that there is a means for the settings to be saved which would not produce this dialog.  These would seem to be the same means that allow Directory Utility's Directory Editor to save changes to AD without error.

    So, what I'm looking for is a method or correct configuration for applying Network Home Folder locations for mobile accounts from within the Server.app itself.  Currently, the only way to make this work is by going into AD and changing the Home Folder network paths in the User properties (or doing it through Directory Editor).

    But, thanks again for your input.  It's kind of a convoluted problem to discuss, so anything to keep the conversation moving forward is appreciated.

  • by cdhw, Level 4 (2,623 points), Dec 9, 2015 7:24 AM in response to atoss

    Ah, I get it. As far as I'm aware the only non-obvious and relevant thing in Server.app that you don't explicitly mention trying is selecting a user, then 'ctrl-mousedown' (right-click), and a contextual menu including 'advanced options' appears. The panel that opens allows you to enter paths, servers and home directory names.

    Assuming that your AD admin password doesn't contain bizarre characters that could be mangled by OS X and AD using different encoding schemes (or even if it does), I suspect you have found a bug. Have a look at the logs (Console.app) to see if there are any further clues and if not report the bug here:

         https://bugreport.apple.com/

    You need to register as a developer, which is free, to submit a bug.

    C.

  • by atoss, Level 1 (12 points), Dec 9, 2015 8:12 AM in response to cdhw

    Thank you for your further input.  That's a good notion to check the Advanced Options for the user.  However, I previously failed to mention that I have attempted this as well.  Any function that requires directory authentication requires the credentials to proceed (i.e. Advanced Options, Change Password, Home Folder, etc.).  And anything I try fails to authenticate.

    This seems like it would be a pretty big bug if it is one, so I think I still suspect it's something to do with our configuration.  Particularly on the AD side of things.  I don't particularly trust our Active Directory configuration as we have a host of other random 'oddities' even with managing PCs on the domain.  But I don't really have faith in our current network administrator either.  We've had very broken communication about problems with the directory.  I don't have access to it, so if I want changes made, I have to be very specific about what needs to change and why.  I don't really know what Server.app is looking for when it's failing to authenticate on the node, so I don't know how to say what needs to be changed on the network.  Additionally, all the same changes can be made through Directory Editor, so it must be specific to Server.app.

    I think I will go ahead and submit a bug report though.  Perhaps if it's not a bug, they can give me guidance on what needs to be changed.

    Thanks again!

  • by Dave Hauss, Level 1 (83 points), Jul 5, 2016 12:59 PM in response to atoss

    Have you found a solution to this? I have the same issue.  I am trying to set up a brand new OS X server so a user logs in and not only gets their AD home folder but also gets an OS X server home directory.  Is this possible?

  • by John Lockwood, Level 6 (9,240 points), Jul 6, 2016 3:48 AM in response to atoss

    You should really only edit Active Directory information using Microsoft's own tools for editing/administering Active Directory. The Network Home Directory for a Mac client will use the standard Active Directory 'Home Folder' field. You would therefore edit this in AD via Microsoft's AD tools.

    The following is an older Microsoft article but the principles should still apply. See https://support.microsoft.com/en-gb/kb/816313

    Note: This should be defined in the usual Windows UNC format, i.e. \\serveraddress\share. This also means you need to use SMB as the chosen network protocol on the Mac client, since as standard Windows servers do not do AFP.

    By ticking the option on a Mac client to 'use UNC path from Active Directory to derive network home location' when you bind to AD (or editing it afterwards) you can tell the Mac client to automatically translate a Windows UNC file path to a Mac format network file path.
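
Editor's note: the following is an added example, not code from any poster in this thread. It shows the translation the last reply describes (the AD 'Home Folder' UNC path becoming the smb:// URL a bound Mac mounts) as a small POSIX shell function, plus the dsconfigad and dscl commands you would run on a domain-bound client to confirm the two settings involved. The server name fs1, share homes, user jdoe and domain EXAMPLE are made up; the two check functions need a bound Mac and are not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Mirrors what a Mac does when
# 'use UNC path from Active Directory to derive network home location'
# is on: "\\server\share\path" -> "smb://server/share/path".

# Translate a Windows UNC path to an smb:// URL.
# Returns 1 and prints nothing when the value is not a mountable UNC
# path (e.g. a drive letter, an empty field, or "\\server" with no
# share), which is the case that leaves the user with no network home.
unc_to_smb() {
    unc=$1
    case $unc in
        \\\\*) ;;                 # must begin with "\\"
        *) return 1 ;;
    esac
    # drop the leading "\\", then turn every remaining "\" into "/"
    rest=$(printf '%s' "$unc" | sed -e 's/^\\\\//' -e 's/\\/\//g')
    case $rest in
        */*) ;;                   # need at least server/share
        *) return 1 ;;
    esac
    printf 'smb://%s\n' "$rest"
}

# dscl prints the attribute as "SMBHome: \\fs1\homes\jdoe"; strip the
# key and derive the URL from the value.
home_url_from_dscl_line() {
    unc_to_smb "${1#SMBHome: }"
}

# On a bound Mac (not run here): show whether the client derives the
# home from the AD UNC path and which protocol (smb/afp) it will use.
# Enable with: sudo dsconfigad -useuncpath enable -protocol smb
check_ad_home_settings() {
    dsconfigad -show | grep -i -e 'UNC' -e 'protocol'
}

# On a bound Mac (not run here): read the Home Folder value the AD
# plugin sees for one user. SMBHome is the Mac-side name for the AD
# homeDirectory attribute that the 'Home Folder' field sets.
# Usage: ad_user_home EXAMPLE jdoe
ad_user_home() {
    dscl "/Active Directory/$1/All Domains" -read "/Users/$2" SMBHome
}

# Stand-alone demonstration with a constructed dscl line.
home_url_from_dscl_line 'SMBHome: \\fs1\homes\jdoe'
```

If the AD field holds a drive letter such as H:\jdoe (common when it was set for Windows clients only), unc_to_smb returns nothing; that matches the Mac behaviour of silently having no network home, so check the raw dscl output before blaming the client configuration.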