Authenticated AFP Mount at Login

Hi All,
   I posted this question on Apple's UNIX Discussion, Authenticated AFP Mount at Login, but I wanted to run it by the specialists here. Hopefully everything I'm going to tell you is in the other thread but I would like to make this post self-contained so that you don't have to read the other post if you don't wish to.
   I have client computers and an AFP server, all of which run 10.4.7. The AFP server is running the server version of OS X with an unlimited license and the clients are running the client version of OS X, all completely up-to-date. I haven't used Open Directory. They are all domain joined machines in our Active Directory domain and as such, they are configured as Kerberos clients of the Active Directory domain. All users except the administrator are users of this domain and they have Windoze home directories that are on an SMB share. I would also like them to have shared AFP Mac home directories.
   I like the way that OS X handles the Windoze home directories, putting them in the Dock. If I add a listing in AD for Mac home directories, will OS X still do the same thing with the users' Windoze home directories? I assumed that it wouldn't and so for my domain users, I checked the option to have local home directories created. Then I made /Users a symlink to the mount point of the AFP share. The problem is that I want the mount to be an authenticated mount, using Kerberos for authentication.
   I've tried mounting the share with a LaunchAgent and with a LoginHook. I don't remember whether I got an authenticated mount with the LaunchAgent but I am consistently able to get an authenticated mount with the LoginHook. However, neither of these are executed early enough in the login process. My experience has been that access to home directories is needed seconds before the LoginHook is run. In fact, I had a new home directory created for a user and then the AFP share was mounted on the directory containing the new home directory.
   The only way I could find to have the share available when home directories are first accessed is to automount it. However, I've been unable to make the automounter authenticate. I'm wondering if the Kerberos ticket is even available at the time the home directory is first accessed. Whatever the reason, every attempt to force authentication has simply resulted in a failure of the mount. Of course I was trying to force the issue on the server. If I could configure the client to insist on authentication, maybe the login process would wait until the Kerberos ticket is acquired. Does anyone know how to so configure the client?
   My current solution is a combination of the two methods above. It works surprisingly well but it's a kludge and I don't trust it to be stable. What I do is to configure the automount and /Users is a symlink to a mount point in /Network/Servers. Then, when the LoginHook runs, not only does it mount the same share (authenticated) in /Volumes, it deletes the /Users symlink and creates a new one that points to the authenticated mount point of the share in /Volumes. Naturally, processes that run early in the login obtain open file descriptors to user files in the unauthenticated mount. mdimporter is one such process but I assume that such file descriptors are soon closed due to lack of permissions to read and write. After that, I've seen no other problems. When the user logs out, the symlink is restored to point into /Network/Servers and the authenticated share is dismounted.
   My question is whether there are better alternatives to this kludge. I'm loath to change Active Directory because it would mean also changing our account creation scripts and applications. However, that is possible if that's the only way to do what I want reliably. Any thoughts would be appreciated.
Gary
~~~~
   <SilverStr> media ethics is an oxymoron, much
               like Jumbo Shrimp and Microsoft Works.
   <MonkAway> not to mention NT Security
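
As an added example (not Gary's own script, which the post does not include): a LoginHook that waits for the user's TGT, mounts the share with the Kerberos UAM so no password is ever handled, and only then repoints /Users at the authenticated mount. The server name, share name and automount path are assumptions, as is that su from the hook's context sees the user's credential cache; the ;AUTH=Client%20Krb%20v2 form follows mount_afp's AFP URL syntax.

```shell
#!/bin/sh
# Added example (not Gary's script): a LoginHook that waits for the user's
# Kerberos TGT, mounts the AFP home share with it, and repoints /Users at the
# authenticated mount. Server, share and mount paths are assumptions.
# LoginHooks run as root with the short name of the user logging in as $1.

AFP_SERVER="homeserver.example.com"            # assumption: AFP server FQDN
AFP_SHARE="Homes"                              # assumption: share point name
AUTH_MNT="/Volumes/${AFP_SHARE}"               # authenticated mount point
GUEST_MNT="/Network/Servers/${AFP_SERVER}/Volumes/ServerHD2/Homes"  # assumption: automounter path
USERS_LINK="/Users"

# Return 0 when user $1 holds a valid TGT. klist -s is silent and reports only
# via its exit status; running it as the user finds that user's credential cache
# (assumption: su from the hook's context sees the login session's cache).
have_tgt() {
    su "$1" -c 'klist -s' >/dev/null 2>&1
}

# Repoint symlink $2 at $1. The -n flag matters: without it, ln -sf on a
# symlink that already points at a directory would create the new link
# *inside* that directory instead of replacing the link itself.
swap_symlink() {
    ln -sfn "$1" "$2"
}

# Mount the share with the Kerberos UAM; no password appears on the command
# line or in any file. URL form per mount_afp's AFP URL syntax.
mount_home_share() {
    mkdir -p "$AUTH_MNT"
    mount_afp "afp://;AUTH=Client%20Krb%20v2@${AFP_SERVER}/${AFP_SHARE}" "$AUTH_MNT"
}

main() {
    user=$1
    tries=0
    # Bounded wait: the TGT may land a moment after the hook starts.
    while ! have_tgt "$user"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 20 ]; then
            echo "no TGT for $user; leaving $USERS_LINK on $GUEST_MNT" >&2
            return 1
        fi
        sleep 1
    done
    mount_home_share || return 1
    swap_symlink "$AUTH_MNT" "$USERS_LINK"
}

# Only act when invoked as a LoginHook (root, with a username argument).
if [ -n "${1:-}" ] && [ "$(id -u)" = "0" ]; then
    main "$1"
fi
```

Register it with `sudo defaults write com.apple.loginwindow LoginHook /path/to/script`. The hook shortens the window Gary describes but does not close it: anything that already opened files through the guest automount keeps those descriptors, so the guest mount still needs to be read-only for everyone but the owner.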

Actually, there's a much simpler way to use your Mac OS X Server to host home directories for your AD users.
First of all, I would recommend configuring your Mac OS X system as an Open Directory Master then use Directory Access to bind it to Active Directory. Configure the server's authentication search path (policy) starting with /NetInfo/root (closest), then /LDAPv3/127.0.0.1 (Open Directory), then /Active Directory/All Domains.
Next, use Workgroup Manager to define a share point and create a dynamic mount for it (to /Network/Servers/servername/...path.../share) using the Network Mount tab in Workgroup Manager/Sharing. Define the permissions of this home directory share point such that all users can read only. I recommend root:staff, 755. Ensure that AFP Guest Access is enabled for the share and that AFP Guest Access is turned on for the AFP process in Server Admin. (This share point will be mounted dynamically and will be authenticated when doing so. You shouldn't have to allow guest access but it's often required because the dynamic automounter wants to create a mount point for the home directory share upon startup, where it acts as a static automount.)
Be absolutely certain that your server has a valid DNS hostname so that the /Network/Servers/servername field remains the same. Plus, you'll need that for Kerberos anyway.
Third, you'll need to figure out how to store the dsAttrTypeStandard:NFSHomeDirectory (home) and dsAttrTypeStandard:HomeDirectory (home_loc) attributes in user accounts in Active Directory. You can use Apple's schema (published in the User Management Admin Guide for Mac OS X 10.4) or you can repurpose existing unused attributes in user accounts already in AD. If you're repurposing, you'll need to use the AdsiEdit.msc snap-in to do so, and each attribute should have a single value of UTF-8 (Unicode) string.
If you're repurposing: On your server, you'll need to "tell" the systems about the repurposed attributes by manually editing the ActiveDirectory.plist file. In Property List Editor, open the file (change its permissions so that you can write first), expand the AD Attribute Mappings Table, then expand the dsRecTypeStandard:Users array. Look for items whose values are dsAttrTypeStandard:NFSHomeDirectory and dsAttrTypeStandard:HomeDirectory and change their names to the appropriate numeric ID of the AD attribute that you're using to store the respective information.
Either way, when populating the attributes for NFSHomeDirectory and HomeDirectory for each user account, use the following syntax:
NFSHomeDirectory is the path to the home from the client's point of view: /Network/Servers/homeserver.somewhere.com/Volumes/ServerHD2/Homes, for example.
HomeDirectory contains the AFP URL and path to the user's home like: <homedir><url>afp://homeserver.somewhere.com/Homes</url><path>joey</path></homedir>
Fourth, on your home directory server, you'll want to make sure that it's joined to the same Kerberos realm as the Active Directory domain controllers.
You can bind your clients to either the Open Directory domain, Active Directory Domain, or both. If you bind them to AD, you'll have to make the necessary edits to the ActiveDirectory.plist file if you're repurposing unused AD attributes.
--Gerrit
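
An added example, not part of Gerrit's reply: shell functions that emit the two attribute values in the syntax above and cross-check them before they are written into AD. The host and paths are the ones from Gerrit's example; NFSHomeDirectory is built down to the user's own folder under the automounted share, which is the convention Open Directory uses (Gerrit's example shows the share root). The dscl call assumes the client is bound to AD and is not exercised here.

```shell
#!/bin/sh
# Added example (not from Gerrit's post): build the HomeDirectory and
# NFSHomeDirectory values and check that they agree before pushing them to AD.
# Host, share and volume path are assumptions taken from the example above.

# HomeDirectory (home_loc): AFP URL of the share plus the user's folder name.
home_loc_xml() {   # $1 user, $2 server FQDN, $3 share name
    printf '<homedir><url>afp://%s/%s</url><path>%s</path></homedir>' "$2" "$3" "$1"
}

# NFSHomeDirectory (home): client-side path of the user's folder under the
# automounted share: /Network/Servers/<server><server-side share path>/<user>.
nfs_home_path() {  # $1 user, $2 server FQDN, $3 server-side share path
    printf '/Network/Servers/%s%s/%s' "$2" "$3" "$1"
}

# Consistency check: the host in the AFP URL must equal the /Network/Servers/<host>
# component, and the <path> element must equal the last component of the NFS path.
# A mismatch is what makes a home silently appear somewhere other than the share.
check_home_attrs() {  # $1 nfs_home, $2 home_loc; exit 0 when consistent
    nfs_host=$(printf '%s\n' "$1" | sed -n 's|^/Network/Servers/\([^/]*\)/.*|\1|p')
    url_host=$(printf '%s\n' "$2" | sed -n 's|.*<url>afp://\([^/]*\)/.*</url>.*|\1|p')
    xml_path=$(printf '%s\n' "$2" | sed -n 's|.*<path>\(.*\)</path>.*|\1|p')
    nfs_leaf=${1##*/}
    [ -n "$nfs_host" ] && [ "$nfs_host" = "$url_host" ] && [ "$xml_path" = "$nfs_leaf" ]
}

# What a bound client actually resolves for the record (run on a client).
show_client_view() {  # $1 user
    dscl "/Active Directory/All Domains" -read "/Users/$1" NFSHomeDirectory HomeDirectory
}

if [ -n "${1:-}" ]; then
    u=$1
    nfs=$(nfs_home_path "$u" homeserver.somewhere.com /Volumes/ServerHD2/Homes)
    loc=$(home_loc_xml "$u" homeserver.somewhere.com Homes)
    printf 'NFSHomeDirectory: %s\nHomeDirectory: %s\n' "$nfs" "$loc"
    if check_home_attrs "$nfs" "$loc"; then
        echo "attributes are consistent"
    else
        echo "MISMATCH between NFSHomeDirectory and HomeDirectory" >&2
    fi
fi
```

Run it as `sh homeattrs.sh joey` to print the pair for one user; the same check is worth running over every account after an AdsiEdit bulk edit, since one wrong host in the URL sends that user's home to the local disk.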

Similar Messages

  • Authenticated network Mount asking for password

    10.9.4 clients and server, and server version 3.1.2
    I'm using Profile Manager to try to mount a network share, by adding a Login Item to Authenticated Network Mounts, which as I understand it should pass through the user's credentials. However after login, the user is asked for their password again to mount the volume.
    I have a golden triangle working properly - the AD credentials can be used to mount the volume manually, or if you enter the password when prompted.  But what I want is for this to happen invisibly the way the old Automounts used to work.
    The server was upgraded from Snow Leopard, clients are clean installed.
    Any idea how I can get this to work transparently?

    FYI for anyone looking here - DNS issue.  When I bound to the OD server by just using the hostname (eg mymacserver) it worked, but after a reboot it was losing the binding for some reason.  If I bound as the FQDN eg mymacserver.mydomain.local it works

  • User having all authentication but unable to login in planning why  ?

    A user has all the required authentication but is unable to log in to Planning. Why?

    You might need to give some more details.
    For example, what kind of provisioning in shared services, under what groups if any, what kind of dimension level access in planning etc?

  • How do I get an encrypted dmg on a network share to automatically mount at login?

    I need an encrypted dmg that is stored on an SMB share to mount automatically at login. I've got the SMB share to mount at login as a "Login Item," but I can't get the encrypted dmg to mount.
    A related question:
    I've got a shell script that mounts my encrypted image, copies data using rsync, and then unmounts the encrypted image. I tried automating this using a cronjob, but cronjobs are not run as $USER. Since the cronjob isn't run as $USER, the cronjob does not have access to $USER's keychain and cannot authenticate to the encrypted dmg. Any tips on getting either of these to work?

    I don't use SMB so I'm not sure whether this will work, but try it. Open a TextEdit window and type something like this:
    smb://user:password@server/path-to-file
    Make the obvious substitutions in the text, then select it and drag it to the Desktop. You should get a bookmark file. Double-click it to test. If it works, you can rename the file and put it anywhere you like. Add it to your login items.
    If the above doesn't work, try again with "cifs" in place of "smb".
    The "user:password@" part may not be necessary if the password is in your keychain.

  • InDesign CS4 (ver.6) can not package all images from afp mounted server

    I'm experiencing an issue on multiple Intel Macs running OS 10.6.8: when packaging files, some of the server-based art does not collect.
    In some folders some of the art collects and in the same folder some other files don't.
    The missing files are generally .jpg or .eps and it's a combination of these files that are not being collected.
    Images are sometimes shared between users but the missing images do not appear to be open elsewhere.
    The documents are stored across several AFP mounted servers hosted on a Windows 2004 Server running ExtremeZ-IP to allow AFP connection.
    Moving the files to different volumes on the server does not appear to resolve this issue.
    Any thoughts or questions? Apologies if this isn't clear.

    I just had this happen again with a new InDesign CS4 file. I took the missing images and relinked them to a new folder I just created on my desktop and it still does not collect these files. So not only the server, but now my desktop, and it's not just my computer; I can reproduce it on other Macs in 10.6.8.
    I converted the files from .EPS (from Photoshop; they're flattened) to .PDF (from Apple Preview) and relinked them, and I was not able to package either.
    I did find the solution:
    I checked off "Include Fonts and Links Hidden and Non-Printing Content"
    even though these items were on visible layers and not on the pasteboard they were excluded before I checked it off.
    Thanks for your help!

  • Oracle ADF 11g – Authentication using Custom ADF Login Form Problem

    Hi Guys,
    I am trying to Authenticate my adf application using custom Login Form.
    following this..
    http://www.fireboxtraining.com/blog/2012/02/09/oracle-adf-11g-authentication-using-custom-adf-login-form/#respond
    But my Login Page is not loading. I think it's sending the request in a chain. My JDev version is 11.1.1.5. Any idea?
    Thanks,
    Raul

    Hi Frank,
    I deleted the bounded code and, in another unit test, I created a simple login.jspx page and applied form-based authentication, but I am still facing the same problem, which means something is wrong at the start.
    My login.jspx page is
    <?xml version='1.0' encoding='UTF-8'?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
              xmlns:f="http://java.sun.com/jsf/core"
              xmlns:h="http://java.sun.com/jsf/html"
              xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
      <jsp:directive.page contentType="text/html;charset=UTF-8"/>
      <f:view>
        <af:document id="d1">
          <af:form id="f1">
            <af:panelFormLayout id="pfl1">
              <af:inputText label="USERNAME" id="it1"/>
              <!-- secret="true" renders a password field instead of echoing the password in clear -->
              <af:inputText label="PASSWORD" id="it2" secret="true"/>
              <af:commandButton text="LOG IN" id="cb1"/>
              <f:facet name="footer"/>
            </af:panelFormLayout>
          </af:form>
        </af:document>
      </f:view>
    </jsp:root>
    Don't know what the real problem is.

  • Searches within InDesign Have Stopped Working on AFP Mounted Volumes On OS X 10.9

    I have run into a new problem since using InDesign CC on a Mac running Mavericks, the search function has ceased working on AFP mounted volumes. For example, when placing an image, if I navigate to a pot of images on my server and then tap in part of the file name within the search field there is nothing found, even though the file name I am searching for is there.
    I have spoken to Adobe technical support who said "well I do apologize for your inconvenience however adobe does not support if the file is on the network. We would be happy to help you if there is any issue with Search if the files are located locally". Slightly frustrating answer!
    This issue looks to be related to the Mavericks operating system as I have Macs running OS X 10.8 which are fine, it is only the OS X 10.9 Macs that have this problem. Is anyone else having these issues?

    I have no problem on two Macs running Mac OS X 10.9.2 with InDesign CC 9.2.
    Have you started by restoring your preferences. Here's how:
    Trash, Replace, Reset, or Restore the application Preferences
    If you use the delete folder method, remember that in OS X 10.9 the <Home> library is hidden. In the Finder, hold down the Option key, and choose Go > Library to make it visible.

  • How do I remove an non-existent AFP mount from user's Home listing?

    Hello.
    I was testing setting up a user with a Network Home Folder and everything was working fine until the external drive that was housing the Share Point (automountable, set to be used for user home folders) went down and became corrupt. As this drive was just being used for testing purposes, there was no backup and it wasn't a big deal (or so I thought). My problem now though — I have a "ghost" entry in the Workgroup Manager/Accounts/User (any user)/Home listing for the afp network home mount. If I select it, the option to remove it is grayed out, so I have no way to remove it from the listing.
    Does anyone know how I can remove it from the listing? I've tried mounting a new drive, naming it the same as the old drive, and creating the Share Point again in the hopes that it would "relink". But that didn't seem to work and I still can't remove it from the listing.
    I'm hoping there's something I can edit somewhere that'll make Workgroup Manager "forget" this afp mount?
    Any advice would be appreciated!
    Thanks,
    Kristin.

    OK, I sorted this out.
    First step is to recreate the folders and Share Points exactly as per the originals. Then, instead of disabling auto-mount and unsharing all in one go, break it up into two steps as follows:
    - disabled auto-mount and clicked save
    - unshared and clicked save
    Doing it as a single step (i.e. disable auto-mount, unshare and save) doesn't work. You need to do it in two separate steps (disable auto-mount & save + unshare & save). I don't know if this is just something weird with my install or what, but it totally solved the problem, and now the AFP ghosts are all gone.
    Thanks,
    Kristin.

  • Finder + ACLs over AFP Mounted Remote Volume

    Hey Guys!
    My Finder is not able to display ACLs on files coming from an AFP mounted volume. The ACLs are there; ``ls -lef'' displays them correctly. Is there some obvious thing here that I'm missing?
    regards,
    P

    Yes, sort of. Whenever you're doing an "opportunistic mount" where the server and client are not joined to the same directory domain, permissions masking will take place. When masking is in effect, it maps access from the currently logged-in user (session owner) on the client to the server share point based on the name and password entered after choosing Go > Connect to Server.
    When dealing with masked permissions, this will be the case:
    * On the client-side, the Finder Info windows may or may not correctly show all ACLs and POSIX permissions of items on the share point. They may simply display effective access - e.g. "you can only read" - without further detail. This depends on the protocol. Typically AFP share points will show correct server-side ACLs and POSIX permissions.
    * On the client-side, listing (ls) the contents of the share point via Terminal will indicate that the session owner has full control and is the "POSIX owner" with others' access at zero (0700). These are the masked permissions, not the real ones.
    * On the server, permissions listed via ls in Terminal or Server Admin's File Sharing section will be the correct ones.
    --Gerrit

  • Mount AFP Sharepoint without login

    Hello
    Is it possible to get an AFP Sharepoint without logging in? I know its an oxymoron, that is why i did not use the word "mount".
    The sharepoint must be accessible to a Leopard Server, which I do not want to have logged in all the time.
    Best regards
    K.

    Sure. Under Settings in AFP go to Access and click the Enable guest access box. Then go to Share Points and browse to the specific share point(s) you want to share, click on Share Point (next to the Permissions tab below), click on Protocol Options, and under the AFP tab click on the Allow AFP guest access.

  • Active Directory Authentication, AFP Home Folders in the wrong place!

    Hi,
    I've had this problem off and on... that is, it comes and goes, so I'm not really able to effectively troubleshoot it. My setup is this:
    -Xserve G5, Mac OS X Server 10.4.7
    -OD Master bound to AD for authentication
    -Hosts AFP and SMB shares, all stored on Xserve RAID
    On the RAID, I have a folder called Users (/Volumes/XserveRAID/Users) that is shared via AFP. The system Users folder (/Users) is not shared. In fact, nothing at all on the root drive is shared. All share points are on /Volumes/XserveRAID/. All Mac users' home directory profiles are pointed to \\servername\Users\username (in Active Directory Users and Computers application on our domain controller). Their home directories mount automatically when they log into their client machines (also bound to AD).
    The problem is this; at seemingly random times, a user's home folder will all of a sudden be created in /Users on the server, and it will not use the /Volumes/XserveRAID/Users/ folder. I will clean out /Users every now and again, but the errant home folders show back up. The only folder that should be in /Users is the local admin.
    Since /Users is not even shared, how is it doing this? Why is it that sometimes the /Volumes/XserveRAID/Users share is used (I know this because there are users' files in their folders in the proper place) and sometimes it's going to /Users? Any ideas? Thanks in advance!!
    Going slightly mad,
    Jason

    Hi there,
    Just wanted to share my make-do solution.
    I have setup the automount sharepoint at "/Data/Home".
    When I logged in or tried to use createhomedir in terminal, nothing happened but users could login (even though there was no home folder on the sharepoint for them).
    I have created the Home Folders manually "/Data/Home/username" and then logged in again. When I did this it created two folders in the home dir:
    -Desktop
    -Library
    The other icons related to the home dir on the Dock remain big "?" 's.
    So I manually added them and assigned them the proper rights.
    Now users can log in without any problems, network home folders are working.
    So essentially I got things to work; luckily I have only a handful of Mac users. Imagine having a user base in the hundreds!
    Thinking about this really makes me want to know how I can fix this problem, I have a make shift solution but this really isn't the way to go. When I use the createhomedir command, it says "creating homedir on servername.domain.net" and it seems to be busy for like 20 - 30 secs, but after that nothing has changed.
    I've checked all possible locations on the server (i thought maybe it might have made local accounts on server by accident, but it didn't.)
    If anyone has ANY idea, please share.
    Thx!!
    Have a nice day

  • AFP Mount Error -5002

    Something broke recently and I'm struggling to figure out what may have happened...
    When logging into client machines (that have been bound to the server) the server appears in the Finder sidebar under "Shared" as usual. But when clicking on the server's name to mount some sharepoints we are seeing "Connection Failed" errors.
    System.log notes:
    Mar 28 15:55:01 mymac /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder[178]: SharePointBrowser::handleOpenCallBack returned -5002
    Strangely it's possible to use the menu item "Connect to Server..." to select the server then the sharepoint and no password is required as sharepoints mount as expected. I assume "Connect to Server..." is correctly using "single sign-on" whereas simply clicking on the server's icon in the Finder's sidebar is not?!?
    Kerberos is fine and running...and everything appears to be ok with OD.
    Anyone seen this or have some ideas what might be going on?
    Thanks!

    I have a similar issue that started the day after I applied the latest Apple Security Update 2008-002 on a client's Mac OS X 10.4.11 server. I have a mixed client base of Leopard and Tiger users, and they are all bound to the Apple OD server, and access to all home directories on the server works just fine for all users, but these users connect to other share points on the server by going to the Finder's Go menu and selecting Connect to Server (actually they all have aliases to these share points). Since the update none of these clients can access some of the departmental shares; they just don't appear in the Connect to Server window as an option. Leopard users, on the other hand, can access these shares by using the sidebar option to connect to the server. I have reviewed all privileges and user groups on the server, and have found that some users were no longer listed in the group (they were before). After adding these users again, they still can not see those file server shares. I turned AppleShare off and on, I restarted the server, and I unshared the directories and shared them out again, but my problem continues.
    My users do not get an error message when they connect. My AFP authentication method was set to Any Method, and I changed it to Standard (No Kerberos), at which time they could access their shares again, but when I do this some (not all) Leopard clients fail to log in at all. Kerberos is running just fine, and it has been for years now.
    I have spent hours researching this issue, and have not found any other users with this same problem. One user had a similar problem, but his user did get an error message that username or password are incorrect. He did spend a couple of hours on the phone with AppleCare, and they were unable to duplicate this issue.
    I was not using ACL's on this server, but this week I gave it a try, but my users can still not see their shares.

  • Kerberos & AFP fails to login via kerberos

    Hi,
    I am unable to log in via AFP using Kerberos. When I used the kadmin.local -q listprincs command to list the principals, the afpserver is listed. When I change the authorization to Kerberos, I receive: "Connection Failed! The User Authentication Method required by this server can't be found." It was working under 10.4.3; were there any changes since?
    PowerMac G5 DP 2.0   Mac OS X (10.4.4)  

    You get this message:
    <blockquote>The server has rejected your login. Please verify that your user name and password are correct. Error Code: 800cccd1 </blockquote>
    And Thunderbird can successfully receive/send on the test account but not on your own account, with the same server/port/SSL settings?
    Other than the possibility that your password is incorrect...
    Does your server require or have you tried entering your login username in this format:
    domain\username
    I don't know whether the following is relevant to your mailbox (server-side issue): Error when you use an IMAP4 client or a POP3 client to log on to a delegate mailbox of Exchange Server 2007: "800cccd1" (http://support.microsoft.com/kb/949926).

  • Afp mount suddenly doesn't work

    Hi All
    I have a Lacie Ethernet disk mini with assigned IP address 169.254.1.4. Been able to connect fine using 'Connect to Server' in Finder and in fact set to mount automatically from login. Suddenly, today, been unable to connect using this method. I get to the "connect as.." dialogue box with username and password, put those entries in, and get to the "EDmini, select the volumes to mount" screen, Share is selected. I click OK, then nothing happens. Looking in activity monitor, AFP Client has hung.
    I've tried deleting the keychain entry, deleting the .Globalpreferences.plist file, re-entering my username and password.
    However, connecting using the IP address of the ethernet disk in the browser works OK, i.e. http://169.254.1.4/. From there I can select to connect via http or ftp. Using ftp will mount the disk. Even so, I can't write to the disk. It says zero K available. I've tried logging on to the admin section using the browser, but my username and password are not being accepted.
    What is going on here and what do I need to do to sort it out?
    Michael
    iMac 20" Intel Core Duo 2GHz running 10.4.6 fully updated except QT 7.1.1 and Sec Update 003

    Hi Jason
    SMB is working after a reset. AFP is still no go. I have yet to get back to Lacie since they sent me instructions on how to reset the EDmini.
    I've used EXT3 format on the drive, and to truly back up my home directory I need to use AFP. I am unable to get any files with disallowed characters copied over using SMB, eg those with *, ?, / etc. I can't manually change them all because some are part of the Tiger system, and others are things like emails within the Entourage database.
    I will contact Lacie again.
    BTW if you look in the system log of the EDmini (via the browser admin feature), you'll see the count for the number of AFP users go up each time you try to connect. I told Lacie this, but they didn't respond to this fact.

  • AD Bound Network Account Fails AFP Mount

    Here's my situation. When I came in as the Apple Desktop Administrator I found that all the Macs had local accounts set up for every user even though we use Active Directory. I was able to convert each local account over to a network account after binding the machines. No problems while doing that. I did this so each user could use SSO without having to authenticate when connecting to a network share. That works as well. Every user can connect to network shares they have permissions to.
    Here's where I run into problems. We have a script that we run that will auto map them to a certain network share when they boot up the computer. We also have an application that they can click on that calls that script if they lose connection to that network share that will then map it back to their computer. After converting them to a network account we now get the following error AFPMountURL returned error -5023, errno is -5023. This happens even when you run the mount_afp command in terminal. Does anyone know why this doesn't work with network accounts?
    Thanks!

    Are you getting a TGT from AD on login?  Use klist on the client or use Ticket Viewer (although the app is bugged on some 10.8.x deployments)
    Are you able to mount the AFP share through the Connect to Server dialog?  When you do, do you get a service ticket from the AFP server?  Use klist again.
    Is your server properly configured to have Kerberized services linked to the AD domain?  On the server use sudo ktutil list
    Do you see the principals for the AFP service?  You should see the service (afpserver), the fully qualified host name of the Mac server (macserve.yourdomain.com), and the AD Kerberos realm name (YOURDOMAIN.COM).
      1  aes256-cts-hmac-sha1-96  afpserver/macserve.yourdomain.com@YOURDOMAIN.COM
      1  aes128-cts-hmac-sha1-96  afpserver/macserve.yourdomain.com@YOURDOMAIN.COM
      1  des3-cbc-sha1            afpserver/macserve.yourdomain.com@YOURDOMAIN.COM
    And finally, what is the syntax you are using in the script? 
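
An added example that is not from the thread: the klist and ktutil checks in the reply above as a script, run here against constructed sample outputs in Heimdal's format (macOS 10.7 and later). The host name and realm are the placeholders from the reply and are assumptions; for live use, substitute the real `klist` output from the client and `sudo ktutil list` output from the server.

```shell
#!/bin/sh
# Added example (not from the thread): turn the diagnostic questions above
# into checks. The klist/ktutil outputs embedded below are constructed samples
# in Heimdal's format; host and realm are assumptions.

AFP_HOST="macserve.yourdomain.com"   # assumption: AFP server FQDN
REALM="YOURDOMAIN.COM"               # assumption: AD Kerberos realm

# Does the klist output ($1) show a ticket for principal $2? The principal is
# the last whitespace-separated field of each credential line.
klist_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# Does the keytab listing ($1, from "sudo ktutil list") contain principal $2?
# Heimdal prints: Vno  Type  Principal [Aliases]; the principal is field 3.
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { found = 1 } END { exit !found }'
}

# Classify the client from its klist output:
#   0 = TGT and afpserver service ticket present
#   1 = TGT only (Kerberos never completed against the AFP server)
#   2 = no TGT at all (AD login did not obtain one; mount_afp can only fall back to a password)
client_state() {
    if ! klist_has "$1" "krbtgt/${REALM}@${REALM}"; then return 2; fi
    if ! klist_has "$1" "afpserver/${AFP_HOST}@${REALM}"; then return 1; fi
    return 0
}

# --- constructed sample outputs standing in for the live commands ---------
SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: jdoe@YOURDOMAIN.COM

  Issued                Expires               Principal
Mar 28 09:01:10 2013  Mar 28 19:01:10 2013  krbtgt/YOURDOMAIN.COM@YOURDOMAIN.COM
Mar 28 09:01:14 2013  Mar 28 19:01:10 2013  afpserver/macserve.yourdomain.com@YOURDOMAIN.COM'

SAMPLE_KTUTIL='FILE:/etc/krb5.keytab:

Vno  Type                     Principal                                          Aliases
  1  aes256-cts-hmac-sha1-96  afpserver/macserve.yourdomain.com@YOURDOMAIN.COM
  1  aes128-cts-hmac-sha1-96  afpserver/macserve.yourdomain.com@YOURDOMAIN.COM
  1  des3-cbc-sha1            afpserver/macserve.yourdomain.com@YOURDOMAIN.COM'

# Live use: klist_out=$(klist 2>/dev/null) on the client as the logged-in user,
#           keytab_out=$(sudo ktutil list) on the AFP server.
report() {  # $1 klist output, $2 ktutil output
    st=0
    client_state "$1" || st=$?
    case $st in
        0) echo "client: TGT and afpserver service ticket present" ;;
        1) echo "client: TGT present, no afpserver ticket (mount once via Connect to Server, then klist again)" ;;
        2) echo "client: no TGT; AD login did not obtain one" ;;
    esac
    if keytab_has "$2" "afpserver/${AFP_HOST}@${REALM}"; then
        echo "server: keytab holds afpserver/${AFP_HOST}@${REALM}"
    else
        echo "server: afpserver principal for ${AFP_HOST} in ${REALM} missing from keytab" >&2
    fi
}

report "$SAMPLE_KLIST" "$SAMPLE_KTUTIL"
```

The comparison is on the full principal string, so a keytab entry for a short hostname or for a different realm (the two most common mismatches after a rename or re-join) is reported as missing rather than silently accepted.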
