During deployment, installation and join usually happen in a scripted fashion from the command line. It is still possible to configure home folder mounting without using the graphical join interface, either by modifying the vas.conf file or by setting the appropriate options in group policies that apply to your Mac OS X machines.
The two options that have bearing upon home directory mount behavior are nethome and nethome-mount-protocol. These options are set in the vas.conf policy.
The nethome option is either the name of the user attribute in which the UNC path is stored ("homeDirectory" or "profilePath"), or a server URL expression that applies to all users (for example, cifs://servername/sharename/%c).
If nethome is set to an attribute name, you can specify whether the path is mounted by means of AFP or CIFS using the "nethome-mount-protocol" setting.
Setting either of these options has no effect on any Authentication Services platform other than Mac OS X, so you can safely set it on a domain-wide Unix settings policy. Creation or modification of group policies is accomplished using the Microsoft GPOE on any Windows administrative workstation.
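As an added example that is not part of this documentation, the following Python check reads a constructed vas.conf fragment, classifies the nethome setting as attribute-based or URL-based, and flags combinations the text above says do not apply. The [vasd] section name, the lowercase afp/cifs spelling of the protocol values, and the rule that nethome-mount-protocol is ignored when nethome is a URL are assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample vas.conf fragment; placing these options in [vasd] is an assumption.
SAMPLE_VAS_CONF = """\
[vasd]
nethome = homeDirectory
nethome-mount-protocol = afp
"""

ATTRIBUTE_NAMES = {"homeDirectory", "profilePath"}  # attribute form of nethome
PROTOCOLS = {"afp", "cifs"}                         # assumed spelling of accepted values


def check_nethome(conf_text, section="vasd"):
    """Classify the nethome setting as 'none', 'attribute', 'url' or 'invalid'.

    Returns (mode, findings); findings lists settings that are missing,
    unrecognised, or (by assumption) ignored in the chosen mode.
    """
    cp = configparser.ConfigParser(interpolation=None)  # keep the literal %c
    cp.read_string(conf_text)
    findings = []
    if not cp.has_option(section, "nethome"):
        return "none", ["nethome not set: no network home will be mounted"]
    nethome = cp.get(section, "nethome").strip()
    proto = cp.get(section, "nethome-mount-protocol", fallback=None)
    if nethome in ATTRIBUTE_NAMES:
        # Attribute form: the UNC path comes from AD, the protocol from vas.conf.
        if proto is None:
            findings.append("nethome-mount-protocol not set; default protocol applies")
        elif proto.strip().lower() not in PROTOCOLS:
            findings.append(f"unknown nethome-mount-protocol {proto!r}; expected afp or cifs")
        return "attribute", findings
    parts = urlsplit(nethome)
    if parts.scheme.lower() not in PROTOCOLS or not parts.netloc:
        findings.append(f"nethome {nethome!r} is neither a known attribute nor an afp:// or cifs:// URL")
        return "invalid", findings
    # URL form: the scheme already fixes the protocol for every user.
    if "%c" not in nethome:
        findings.append("URL nethome has no %c placeholder (expected form: cifs://server/share/%c)")
    if proto is not None:
        findings.append("nethome-mount-protocol is ignored in URL mode (assumed); the URL scheme decides")
    return "url", findings


if __name__ == "__main__":
    mode, findings = check_nethome(SAMPLE_VAS_CONF)
    print(mode, findings or "ok")
```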
For Authentication Services to resolve a Windows SID to a Unix UID or GID, the user or group to whom that SID belongs must have had a UID or GID manually assigned. In other words, you must Unix-enable the user or group on the Unix Account tab in Active Directory Users and Computers. If a group or user has not been Unix-enabled, the Mac OS X machine will still assign a UID or GID to the user or group, but the Authentication Services agent software will not be able to resolve that UID or GID.
To log into a Mac OS X machine, all users must be Unix-enabled, so this normally only causes problems when dealing with group permissions on SMB-mounted home directories. It is not uncommon for the group owner of a network home location to be a group WITHOUT a Unix GID assigned. When a user's ability to access this directory relies on correct group membership, problems can arise. It is, therefore, best practice to Unix-enable all groups that are used for SMB file-level permissions on network-mounted home directories.
To mount AFP shares, you must have an AFP file server that knows about all your Active Directory users and credentials. You can easily accomplish this using third-party software that shares files from a Windows machine joined to your domain.
Local Administrator rights for Authentication Services users
Grant Authentication Services accounts administrator rights
This section details two special Mac OS X features:
© 2021 One Identity LLC. ALL RIGHTS RESERVED.