
Lion Server Setup (Network Login/Mobile Account and more...)

Hardware:

Mac mini Intel Core i7, 2 GHz, 8 GB memory (Server) x 1

iMac 21.5" 2.8GHz Intel Core i7, 12 GB memory (Workstation) x 6

Operating System:

Mac OS X Server Lion 10.7.4 (11E53)

Mac OS X Lion 10.7.4 (11E53)

Relevant Software:

Server.app Version 10.7.4 (1.4.3)

Workgroup Manager Version 10.7 (400.3)

Server Admin Version 10.7 (355)


So my head's swimming with "I dunno's" and I've been perusing probably all the wrong threads trying not to sound like a noob and find the literature that will finally lead me to a solution. This is my first rodeo so make no assumptions about my experience (maybe).


Short Version

I can't login network users. I get an error "You are unable to log in to the user account "<%short_name%>" at this time. Logging in using >console tells me this No home directory: <path to home directory> i.e. /Network/Servers/department.domain.com/Department/Accounts/bbunny


If anyone can point me where to read, I will do so.


Perhaps a longer discussion on how to verify that the proper permissions exist on the share/home directory in question and what those would be.


More detail...

I want to set up a Mac Mini server to have network login accounts stored on the 2nd data volume in a directory we shall call Accounts*. Here all the "network users/logins" have their home directories, so that when they login at the workstation the idea is the workstation will sync their account and allow them to login, if the server is not available, the hope is I can configure it to allow them to login if they've logged in before and the files will sync when they are able. That being the ideal, I get the impression that for best practices, Apple is discouraging the use of mobile accounts that use Home Sync perhaps because its reliability has been iffy, please advise. A windows user might think of this as "roaming profiles" but, if I understand it, it's a little more than that.


Note, I do not want to login to the server and actively work on that network share, I want the account to be local and sync'd as needed. But I want the user to be able to sit at any of the 6 other workstations and see the same documents, emails etc. Obviously if the server is down, it won't be possible to authenticate, but I think it should have cached credentials that should allow the user to login if the server is down and still go about their work.


This is the small picture...there is a larger picture that involves parallel virtual machines of Windows Server 2008 R2 on the server and Windows 7 on the client, iCal, iChat and perhaps wikis.



I apologize for the roughness of this question, in the interest of brevity, I have plenty of problems that led me here that I can expound upon if asked.



Also a silly question someone might know the answer to: Why do the login payload settings that I have pushed to a workstation device sometimes vanish inconsistently upon logout?





Mac mini, Mac OS X (10.7.4), Lion Server

Posted on May 16, 2012 12:04 PM


May 16, 2012 1:46 PM in response to shadowwraith

Well, after futzing around I can login as a Network User, but The Profile manager payload to make those members of the department group who login, to create a mobile profile, doesn't seem to work. I say this because I never get a request to create a mobile account and the system prefs report the current account as a networked user, not a mobile one. How can I consistently check that the profile with the correct settings is in use?


Yes the device is a part of a device group and the members of the group with the payload do contain the user I am logging in as. And I can confirm that the payload according to the profile manager was successfully deployed.

May 20, 2012 9:02 PM in response to shadowwraith

So where am I now?


Well, for me Profile manager was a BUST. Yea I could get it to work a little bit, but it was flaky and things were drastically inconsistent, possibly a PEBCAK error. So I threw in the towel and gave up on that for the time being. I don't have many iPads or iPhones that I need to configure at this point so I think it's not worth my time, as computers as devices seem to be the "bump" under the carpet at the moment.


Better success with Workgroup manager atm, the current problem I'm struggling with seems to be File Sharing in 10.7.4 Server. I think I figured some piece of it out, but I simply couldn't make headway using the GUI.


Basically it so far has come down to a couple of questions I'd like to ask the universe, and if it cares to respond, great.


So my success so far with file sharing stems from a couple of assumptions.


1. Guest access is disabled

2. This is the kicker, Permissions are chown root and chgrp admin, and chmod 776. (bad mojo, imo)

3. I use chmod to set access control list (acl) which seems a bit tedious, and that is how I am controlling access to the files. I'm still not exactly sure about how to make the inherit feature work, I just read something about file_inherit and directory_inherit and maybe that is what I was missing. It's not entirely clear to me yet when it's working. This is a work in progress and I'm just speaking out loud.


It seems that the posix permissions are kind of like big blocks and when you need finer granularity in your access permissions you use ACL, but that's the dummy talking. I could have tightened the permissions on the file by making a change to the primary group from the admin group to the group I want to control the folder, but then I have navigation problems when I am admin. I tried to add the admin to the group, but that didn't seem to fix it, which might have something to do with the fact my admin is in the local db and the group is in my ldap db, but it did let me add him, I'm just not sure I worked out why it didn't alter his access privileges to correct the problem of not being able to read the directories.


for my directories I type

ls -led <directory name>


and that shoots back to me the posix permissions and a listing of what the acl limits.


I'm not sure about the order yet either, it doesn't seem like I have much control over which rule is evaluated first, but I may have not been paying attention.


the way I add a "limitation"

is...

sudo chmod +a "<group> deny delete_child" <directory I want to create this permission for>


One thing I was trying to do was only allow one group to access a directory. So I tried to use the order (fail) and first say who could read,write, delete etc. and then I told it to deny everyone the delete ability. Well that didn't work, I got it wrong, as you are probably laughing right now. There is another command that is scratching the back of my mind right now, and before I make a complete fool of myself (too late), I will go read about umask or whatever it's called.

May 20, 2012 9:44 PM in response to shadowwraith

As far as Profile manager was concerned, I'll say this.


When it worked, it was nice.


Successes.

1. Enrolling (barring the fact that I could delete the certificates at the client side don't do that, bad mojo, always de-enroll from server side.)

2. I think the best try I did was...

a. create a trust profile.

b. create enrollment profile.

Once I did that and went to the machine, web browser and http://<dns for server>/mydevices

logged in as a default enrollment user, I would

a. install trust profile

b. install enrollment profile

c. enroll device aka computer.


Because of my payload, I didn't even have to go to System Preferences this time to join the Open Directory Master, it did it automatically.


The Login screen would change , Volumes would automount, Printers were configured and available.


For experiment sake I even did a remote wipe and lock out. It happened so fast my head almost spun, also not something you toy with.


Reloading the machine was super easy (command+r baby!!!), probably the ONE thing that has kept me pressing all the buttons and working heuristically to get this thing to work (well that and I LOVE target disk mode, well in all honesty, there's a list, but let's let apple THINK their reputation is hanging by a thread and maybe they'll throw some love our way.).


Continuing my thread, I would go on the server, and because I didn't want anyone set as a device owner (maybe this was my mistake) I would remove the owner and leave the device unassigned to one.


Failures

Then I would assign that device to a device group which had a payload. Update the payload to push to devices, and shortly thereafter it would say succeeded. Most of the time to see it I would have to login and logout as a local admin, but I would simply restart most of the time to see if it took. This is where things were inconsistent.

How so?

Well, the most obvious was, I think I already mentioned, the login screen. The message usually was there and the login was set to a department I am doing the config for and the only fields you should see are login and password. But sure enough if you did login and then inconsistently on log out, poof, it reverted to listing available users, my department message was gone, and I NEVER ever saw the Name payload ever work, if I even understand what that option is in the login screen payload. I think I even tried IP instead one time to see if that did anything, but I don't think it did. The only hint that I didn't try might be in how I built the machine, at one point I read something about creating a build image and placing the certificates in a /var/db/setup directory that would be installed on first boot. I confess I haven't played around a lot with disk util and shadowcopy etc. or whatever it's called. I'm not that slick yet. I'm the get it all installed and working, image it, and done, type tech, and there's probably a few techs cringing at my naïveté or however you say it.


I also never ever consistently got home syncing to work. I think apple is treating this like a hot potato, but that's an opinion. I'm really a windows force-to-be and a mac-wanna-be, and roaming profiles were something I reeeally like, and I am loathe to not use.


I'll just keep talking to the universe later and let you know how it goes. Good night for now.

May 24, 2012 12:57 AM in response to shadowwraith

Ok, some good news and a clearer understanding to disseminate in this post. I hope it helps "the Universe", so I am posting it here in my "ever-the-noob" blog on apple forums.


Problem

What do you do when you get an error when logging into a mobile account setup?


One symptom would be the error message below...


"You are unable to log in to the user account "<%short_name%>" at this time.


Logging in using >console You get the message…


"No home directory: <path to home directory>"


or


"You are unable to log in to the user account "<%short_name%>" at this time.

Logging in using >console tells me this No home directory: <path to home directory>


Solution

Do the check list…

Short Version

  1. Server Admin.app > Access (Key Component)
  2. Check Permissions on directories for your file shares.
    (The reason stuff doesn't work especially when you're rebuilding/recovering a server)
  3. File sharing setup (Turned ON, Home sharing Enabled)
  4. Directory Utility > Directory Editor or dscl
    (Do not underestimate the importance of this part!!!!
    Use white-gloves when you're handling it though!!!)
  5. Workgroup Manager
    (Your poopy "main" interface that really is a "window", not a "door", but maybe Apple likes to do things "Dukes of Hazzard" style?)


Long Version


  1. Check Server Admin.app > Access
    Make sure that your user has the "Proper" access. For me I created a test user from Server.app and saw what access he had as a way to "check myself for a properly created users" and because I think one is kind of on his/her own using WGM and duplicated the same access. (I was a little neater, though and did it with a group, not individual users, that would have been a mess!)
    Server Admin.app > Access
    Click the "+" sign, sort by UID and Add the imported users to the following Services…
    (You can use a group, but understand when Server.app creates users they get added
    individually to each of these groups.)
    Address Book
    AFP
    iCal
    iChat
    Mail
    Profile Manager
    SMB
    VPN
  2. Check Permissions on directories for your file shares.

(That's an understatement) I could go in depth about all the crap I had to read about, I still know I am missing a chunk of tech brain when it comes to the particulars. Basically, I boil it down to this…

Permissions require thinking about things first with regards to POSIX permissions... good ole ls, chmod, chgrp, chown to the rescue with ugo permissions or the old 755, 600 etc stuff.


Apple's file-sharing access uses this as a starting point to see what the user is allowed to access.


I also needed to use chflags once to unhide a file that I mucked around with using xattr. I still haven't figured out why folders can lose their triangles, but I did find out if you cp or move them from terminal, the triangles come back in the moved or copied directory. For a minute I thought it was because cp alone doesn't preserve flag attributes, but mv actually works by doing a cp that preserves the flags, unless it's a bug. I dunno.


This helped me get my file visible again...

chflags hidden path_to_file

chflags nohidden path_to_file


Read up on those manuals, if you're not a terminal type go to Apple's website

http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/


or download...


http://www.bruji.com/bwana/ I thought that was cool.


or if you prefer to read the manual in pdf try…


man -t sharing | pstopdf -i -o ./Desktop/Sharing\ Manual.pdf

man -t chown | pstopdf -i -o ./Desktop/CHOWN\ Manual.pdf

man -t chmod | pstopdf -i -o ./Desktop/CHMOD\ Manual.pdf

man -t chgrp | pstopdf -i -o ./Desktop/CHGRP\ Manual.pdf


My basic guideline was avoid using ACLs if at all possible, if you try to use them, things can get crazy complicated, take notes and plan, baby. If you read above, opening up permissions wide is wrong though. You would restrict permissions tightly to begin with and then place ACE (Access Control Entries) to specifically target the rights you want to enable.


Here's one that's obviously a novice attempt to do this, but since the novice is the only one speaking…. here it is, Universe… >:P


sudo chmod -R +ai "admin allow read,write,delete,file_inherit,directory_inherit,search,list" Department/


That allowed my admin to do all the things a normal user could do so far… It fixed things for my admin, which made me happy. I really hate having to authenticate or sudo just to see the contents of a nested directory. I could explain it, and even give a few notes on why it's probably overkill, but I will attempt to look less stupid till "poked".


There's another command line utility I STILL haven't read, which may bear mentioning because…well I haven't read it. umask (see wikipedia or unix.com)…I worked past my problems without going into it so far, but obviously it's there, and it serves a purpose.


I also found this article helpful…and educational. :O


http://www.bresink.de/osx/300321023/Docs-en/pgs/ACL.html


( It's enlightening to hear the air whistling between a developer/coder's ears, still it's apparent he has a clear idea what's going on.

Ever wonder why when you use get info to check or assign permissions it kind of flakes out and doesn't take? Read this article! )


Second, if you can't obtain the "specific" permissions you need with POSIX, chmod also can set the 2nd category of permissions, which windows users may be familiar with, Access Control Lists (ACLs), and here you get some really fine granularity...messy stuff. All in all, if I felt I could guide you through these murky waters, I would, but I think I'll let the professionals weigh in on that one and cut my wall-of-text to ribbons.


To heuristically check I would connect from a client as one or two of my users and see what folders I could mount as a share, armored with an understanding of what ls -le@O * showed me in Terminal.


3.) File sharing setup (Turned ON, Home sharing Enabled)

Here is an example of using the command line sharing utility where each share is properly labeled (that took a bit for me to figure out); still this share only enables the AFP share as you can see from my flags.



sudo sharing -a /Volumes/Hard\ Drive/Department/Database -A Database-afp -F Database-ftp -S Database-smb -n Database -s 100 -g 000 -i 10


Then you do a sudo sharing -l and get back what you just did…



List of Share Points
name: Database
path: /Volumes/Hard Drive/Department/Database
afp: {
    name: Database-afp
    shared: 1
    guest access: 0
    inherit perms: 1
}
ftp: {
    name: Database-ftp
    shared: 0
    guest access: 0
}
smb: {
    name: Database-smb
    shared: 0
    guest access: 0
}


If you mess up the sharing command, you may not be paying attention (I wasn't) but there are a lot of defaults that Apple will just assume you meant to do anyway and it won't read any of your flags, you have to get it right or the flags will be defaulted.


( Basically I could tell I was bombing it for one, I explicitly only wanted afp working, but the default was afp and smb. So each time I ran sudo sharing -l after I shot my sharing command…back would come smb shared: 1 and I knew that wasn't right. Also my custom names were defaulting to the name of the directory not the name I had specified. )


I like to know what protocol my share is over so when it doesn't work, I know which protocols are connecting. It's not fool-proof, but it's a bookmark. I wish the network browser would identify the protocol that its available listed shares are using, because small visual cues like that help when you're trying to see what works. Maybe that's something I should investigate via the command line?


As a note about reading forums, I discovered using command line that "\" is kind of like a way of going to next line neatly with long commands…."\ " is a way to insert a space. As you can see above where I have a volume with a space in it.


Removing shares was a little trickier though, sharing -r Share\ With-space didn't work….I had to enclose it in quotes and do "Share With-space" instead. So nooby beware!
( *nix users are now rolling their eyes at this tip. )


I wasn't sure how you enabled a share for home directories from the command line, maybe it's in the manual, but I was up to my eyeballs in manuals already so I haven't gone back to revisit this question since my work around was to go to Server.app and verify that what I set up in the sharing in terminal was being reflected in the gui…sort of my own MVC (model-view-controller) check.


4.) Directory Utility > Directory Editor or dscl



Make sure what you see in WGM and Server.app are reflected here….to that question let's take a journey where I did some exploring about that.



Ever really wonder "WHY CAN'T I REMOVE AN OLD HOME DIRECTORY SHARE?!!!"

Ah, then you will - LOVE - this tip…

( Provided my testing or yours, later, doesn't prove that in my ignorance I've broken Open Directory. Remember, WHITEGLOVES!!!! but here we get a little dirty. I think of OD as Apple's Registry, but that's not what it is at all. However, you as the user do have to "****" around in it from time to time. )


I scoured the forums and everyone was saying things like "You have to change your server role" etc. which seemed a little bit dumb to me (dumb because you're pushing views around not "controlling"), and well, yea, that share that I couldn't modify or delete was REALLY bugging me.


Now hmm… Before you do ANYTHING, how do you try to not hurt yourself…in Windows you can make a Registry Backup….(yea bad analogy) In Server Admin.app you can go to your Open Directory Service > Archive and Choose a place to Archive your information. (Figure this out by yourself, this is getting long…sheesh! It's easy. Restoring is just as easy and painless.)



Before we can remove the entry we "SEE" in WGM we should make sure no one has it selected so as not to "corrupt" the OD db, so in WGM first before going to Directory Utility set the Home directory to "None". (We need to remember to set this to a correct share later….Mental Note!!!)


Now Open Directory Utility


Method 1

System Preferences > Users & Groups > Login Options

Click the Lock to make changes…

Authenticate -> click "OK" (do I REALLY have to step-by-step this?)

Network Account Server: Local Server - click "Edit" button here.

Open Directory Utility > Directory Editor


( Wow, did Apple hire someone from Microsoft? You'd think with all their research into Human Interface Design that's WAY too many clicks to get to something you need. )


or


Method 2 (It's good to know about this directory, neat-o speed-o apps hidden here.)

Use "Go to Folder" Under Finder > Go > Go to Folder...


⌘G /System/Library/CoreServices/

Click "OK"

and Double click Directory Utility.app


or


Method 3

Terminal

open /System/Library/CoreServices/Directory\ Utility.app/


Now From the Directory Editor Pane you will see a Pop-up menu Labeled "Viewing". You should glance through this and get to know it. You should use it to see what information is really being stored about your Users, Groups, Mounts…


We are interested in Mounts, which is where we want to go…and there is the pesky mount that you will see reflected in WGM.


Authenticate, and delete the bugger.


Quit WGM and restart it. Voila, bad share is GONE!!!!!


a.) First select all my users

b.) Then I clicked on the "+" and added the correct share

( Remember, I only showed you the first one we created, this is another and for THIS one you HAVE to go into Server.app and verify that it is set to be available for Home Directories in this case for AFP. )


For the home directory entry you do this...

afp://computer.domain.com/Accounts-afp


%short_name%


/Network/Servers/computer.domain.com/Volumes/Hard\ Drive/Department/Accounts/%short_name%



%short_name% is a wild card for the short name; there are other wild cards, check out Apple's Documentation on them. I lost the link 😟 sorry <shrug>


Interesting dscl commands…(check it out in command line form and compare side by side with

what you see in the GUI Directory Utility)

dscl . list /users

dscl . list /groups

If you want to output information about each user, though, use readall:


dscl . readall /users

dscl . readall /groups

And if you need to programmatically parse said information, use -plist to make your life easier:


dscl -plist . readall /users

dscl -plist . readall /groups


This made a little more direct sense to me, language wise…but fyi "." is kind of a wild card I think so the first commands I think look in ALL directories local, Search, LDAP whatever you have. The command here corresponds to the Entry from the Pop-up menu "…in node > Blah…" see GUI of Directory Utility to confirm.


dscl /LDAPv3/127.0.0.1 -list /Users

dscl /Local/Default -list /Users


5.) Workgroup Manager


Remember this is a utility that is not long for this world. Apple's Mountain Lion is rumored to fully replace it, why? Yea, Apple's making a go at MDM (Mobile Device Management) and somehow desktop computers are being pulled/dragged along for the ride. I have plenty of issues with Profile Manager, but I'll likely revisit it in a couple of months and see where we stand.


Anyway, treat this baby like the bottom rung, because, well it is built like you start your foundation here, but it's just a viewer with controlling "tweaks". Use the other areas to get a solid grasp of what is actually going on. Server.app is where you should create accounts you can feel are safe. When you create accounts in WGM, you are responsible for making sure they have the appropriate EVERYTHING.


This list is by no means complete, but these are the areas this noob is or was prepared to talk about.


Good night for now. Enjoy climbing my wall of text, and yea sorry about that. :O Run for you lives!!!!


- Signed Shadowwraith
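As an added example, not from shadowwraith's post or from Apple's tools, here is a POSIX shell audit of `sudo sharing -l` output that flags exactly the defaulting the post describes: a protocol enabled that was not intended (smb shared: 1 when only AFP was wanted), guest access switched on, and a protocol share name that fell back to the folder name. It assumes the listing layout shown above, uses a constructed sample with a second share point that has drifted to defaults, and `audit_sharing_output` is a name made up for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit `sudo sharing -l` output
# so that a share point which silently fell back to Apple's defaults (SMB
# enabled alongside AFP, guest access on, protocol share name defaulted to the
# folder name) is caught before anyone connects. Against a live server:
#   sudo sharing -l | audit_sharing_output afp

# Constructed sample mirroring the `sharing -l` layout from the thread; the
# second share point ("Accounts") has drifted to defaults on purpose.
SAMPLE_SHARING_OUTPUT='List of Share Points
name:  Database
path:  /Volumes/Hard Drive/Department/Database
afp:   {
    name:  Database-afp
    shared:  1
    guest access:  0
    inherit perms:  1
}
ftp:   {
    name:  Database-ftp
    shared:  0
    guest access:  0
}
smb:   {
    name:  Database-smb
    shared:  0
    guest access:  0
}
name:  Accounts
path:  /Volumes/Hard Drive/Department/Accounts
afp:   {
    name:  Accounts
    shared:  1
    guest access:  1
    inherit perms:  1
}
smb:   {
    name:  Accounts
    shared:  1
    guest access:  0
}
'

# audit_sharing_output ALLOWED_PROTOS
# Reads `sharing -l` text on stdin and prints one tab-separated finding per
# line: "<share point><TAB><description>". ALLOWED_PROTOS is space separated,
# e.g. "afp" or "afp smb". Findings: an enabled protocol outside that list,
# guest access enabled on any protocol, and an enabled protocol whose share
# name equals the folder name (the symptom of -A/-F/-S flags being ignored).
audit_sharing_output() {
    awk -v allowed="$1" '
    function val(s) { s = substr(s, index(s, ":") + 1); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[a-z]+:[ \t]*\{/ { proto = $1; sub(/:$/, "", proto); pname = ""; shared = 0; guest = 0; next }
    proto == "" && /^[ \t]*name:/ { share = val($0); next }
    proto != "" && /^[ \t]*name:/ { pname = val($0); next }
    proto != "" && /^[ \t]*shared:/ { shared = val($0); next }
    proto != "" && /^[ \t]*guest access:/ { guest = val($0); next }
    proto != "" && /^[ \t]*\}/ {
        if (shared == 1 && index(" " allowed " ", " " proto " ") == 0)
            printf "%s\t%s enabled but not in allowed list (%s)\n", share, proto, allowed
        if (guest == 1)
            printf "%s\t%s guest access enabled\n", share, proto
        if (shared == 1 && pname == share)
            printf "%s\t%s share name defaulted to folder name\n", share, proto
        proto = ""; next
    }'
}

# Helpers over the constructed sample so the results can be checked directly.
count_findings() {
    printf '%s' "$SAMPLE_SHARING_OUTPUT" | audit_sharing_output afp | wc -l | tr -d ' '
}

findings_for_share() {
    printf '%s' "$SAMPLE_SHARING_OUTPUT" | audit_sharing_output afp |
        awk -F '\t' -v s="$1" '$1 == s { print $2 }'
}

# Stand-alone run: the clean "Database" share yields nothing, "Accounts" yields
# four findings (afp guest access, afp and smb defaulted names, smb enabled).
printf '%s' "$SAMPLE_SHARING_OUTPUT" | audit_sharing_output afp
```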

May 25, 2012 5:38 AM in response to shadowwraith

Ok, so as clever as all this is, I'm slowly becoming aware of a larger question. Why?


My gut instinct here is ok I can do all this juggling...and maybe you really do have to do this because I just don't know any better. Noob, remember? Isn't the point of choosing a server, that you're choosing a thoroughly vetted system? Now perhaps I'm wrong, but it's looking like the turkey is stuffed, chock full, and now with no more bread and crackers, we just keep cramming more with no regard for how it can handle it.


So is the reason I'm having problems because I lack the intelligence, or because the system is buggy and even if I did know the right way to do things, I've got to go with a push cart to each problem the OS doesn't manage, and keep it going. That's just nutz.


I guess I hope that once I do all this juggling once...the system stays working. I'm rethinking the remote client thing again...I got it all to work, but now I get intermittent files that need tweaking as far as home syncing is concerned and my one solid reason for trying to get mobile clients to work isn't working. I need them to be able to login to the workstations when the server is down. I'm beginning to think Apple just thinks computers stay up 100% of the time, which is just not what you plan for. You plan for the worst, and when the poop hits the fan, at least the worst isn't all that bad, just inconvenient.


I was also hoping to understand from anyone else who tinkers, if they have gotten Samba to work as a Domain controller with roaming profiles and smb shares to work inside of a 10.7 install, reliably? I'm probably just going to work with Windows server, but it would be handy to know if it can be done stably for Windows 7 clients.


If that works, I'm wondering several things...

  1. Could you install Samba on a Mac server locally or in a VM possibly with Linux, Failing a local mac install.
  2. Can VMs operate as services (i.e. not require that a computer be logged in and running for other computers to use the services they are offering to connect)? I think Parallels offers such a product. Server for mac mini.
  3. Could you get aforementioned Samba to integrate with Open Directory and would that work more consistently to get mobile profiles to connect and use AD to cache credentials?
  4. Do you like reading things in bullet form or numbered form, and aren't sandwiches awesome?
  5. Does anyone use Samba as a Domain controller for windows 7 clients in a production environment or do u know, universe, where I can find more information....Google u say...wimp. >:(

May 31, 2012 11:34 AM in response to Jonathan Melville

I am also playing around with the tools for setting up network users to my server. I got problems by using WGM. Instead I used Server.app.

I discovered the following problems by using WGM

  1. Kerberos ID was set to unnamed_1@SERVERREALM. The unnamed came from the form that was filled by default with unnamed. And was not corrected in ldap by overwriting unnamed with my username
  2. SACLs are not written by WGM
  3. Home directory was not set correctly


You can see the difference by using WGM to setup i.e. Testuser1 and use Server.app to setup Testuser2 and comparing the ldap structure.

I couldn't log in with Testuser1 until I corrected the settings by hand.


Hope this helps
