www.emmes-world.de

MacOS X with central home directories on a Linux server

If you work on a productive system, backup your config files and your LDAP database in case something screws up!

Prerequisites

You should have already set up your LDAP server, and user authentication should work. (HowTos and Tips can be found on the net)

Our Linux server with Netatalk and OpenLDAP runs Ubuntu Linux 5.10. Our Mac Minis run MacOS X 10.4.4.

User home directories on a linux file server

All linux hosts already use LDAP, and mount the home directories via NFS. To make the Macs mount the home directories via AFP without disturbing the linux boxen was IMHO not easy. Here we go:

1. Teach OpenLDAP the `apple.schema`

Get the files apple.schema and netinfo.schema from your MacOS X installation, and place it in your OpenLDAP schema directory (usually /etc/ldap/schema/. Insert these lines into your slapd.conf:

include /etc/ldap/schema/samba.schema include /etc/ldap/schema/apple.schema include /etc/ldap/schema/netinfo.schema schemacheck on

If you restart slapd now, it probably complains about an attribute "authAuthority". I had to change several files. As I do not know how the Apple schemas are licensed, I tell you only how to change them:

apple.schema:

Uncomment the definitions for authAuthority, apple-user-homeDirectory and apple-acl-entry.
Move the definition of authAuthority above its first usage, as an attribute has to be defined before it is used.
Extend the object class apple-user with the attribute apple-user-homeDirectory (insert $ apple-user-homeDirectory somewhere in the object class definitions MAY clause)

samba.schema:

Uncomment the attributes acctFlags, pwdLastSet, logonTime, logoffTime, kickoffTime, homeDrive, scriptPath, profilePath, userWorkstations, smbHome, rid and primaryGroupID, as they are used in the apple-user definition.

2. Add the apple-user attributes to a user account

For each user working on the Macs, you have to add some information into their LDAP entry:

Add apple-user-homeurl
apple-user-homeurl: <home_dir><url>afp://linuxfileserver.example.com/NetUsers</url><path>username</path></home_dir>
Add apple-user-homeDirectory
apple-user-homeDirectory: /Network/Servers/linuxfileserver.example.com/NetUsers/username

This little script generates the necessary LDIF for ldapmodify

While inserting these attributes, I got the error message "no structuralObjectClass operational attribute". This means that the entry of my test user did not have this internal attribute. As we had schemacheck off until now, smbldap-useradd could create this entry undisturbed. A quick fix is to turn schemacheck off again. As soon as I will get to it, I'll repair the database (shut it down, slapcat to a backup file, insert the structuralObjectClass to every account where it is missing, and insert it into the database again using slapadd).

Make the Macs mount the home directories

Insert an entry into your mounts subtree:

dn: cn=linuxfileserver.example.com:/NetUsers,ou=mounts,dc=myldap,dc=example,dc=com objectClass: mount cn: linuxfileserver.example.com:/NetUsers mountDirectory: /Network/Servers/ mountOption: net mountOption: url==afp://;AUTH=NO%20USER%20AUTHENT@linuxfileserver.example.com/NetUsers/ mountType: url

If mounts does not exist yet, add it with
dn: ou=mounts,dc=myldap,dc=example,dc=com objectClass: organizationalUnit ou: mounts
Tell the Mac not to look for the home location in homeDirectory or NFSHomeDirectory (these are for the Linux hosts), but in the apple-user-* equivalents:
Note: The button labels referred to here are translated from the german MacOS X version, and might not be accurate. I hope you find your way though nevertheless...
- As a user with administrative rights, start Finder->Tools->Directory Services
- Click on the little lock, if necessary enter your password
- Select LDAPv3 and Configure...
- Select your LDAP server's entry, click on Edit
- in the Search & Paths tab, select Users on the left side, and select (Add... if its not there) the attribute HomeDirectory. On the right side, redirect to apple-user-homeurl.
- On the left side, select (Add... if its not there) the attribute NFSHomeDirectory. Set the redirection to apple-user-homeDirectory.If there is another entry, delete it, and add it again (making it move down to the second line).

Set up NetAtalk on the linux file server

We run Ubuntu Linux 5.10, installing netatalk is as easy as apt-get install netatalk.

Insert the line exporting the home directories in /etc/netatalk/AppleVolumes.default:
/home NetUsers

Try it out

Now try to log in on a Mac. The first login might take some time, as the Mac clutters your $HOME with all its Library, Documents and so on.

I do not know how secure AFP is, so you better a) use this in a safe environment or b) know exactly what you do.

I would like to thank Andreas Noback for giving me essential tips on how to set this up!

Home - 2006 by Martin Emrich