Setting Up Network Users in Server 10.7

I am trying to set up a small network where users can log in via a wireless network. I have set up a network, but the login will not work or show that it's a network account. Please help, thanks.

I've found Apple's guides to be pretty elementary.
OSX Server Essentials, which you can get at Amazon, is a better basic guide and probably will get you started.
To do anything more advanced, you'll find that Apple really has not provided any documentation, but I've found the old series
Enterprise Mac Administrator's Guide
Enterprise Mac Managed Preferences
and
Enterprise Mac Security
to be really useful. I really wish these guys would keep writing books! I'm not sure buying old copies of these texts will offer any encouragement to them, but boy do I hope it does because they have answered a TON of questions.
For online references, I like:
http://krypted.com/guides/mavericks-server/
This website is at least as good (I'd say twice as good) as the documentation Apple provides, and much easier to follow.
http://yesdevnull.net/2013/10/os-x-mavericks-server-open-directory-master/
This website has been incredibly useful for solving all kinds of problems. I can't remember who authors it, but I ought to carry a picture of them around so that I could hug them if I ever saw them on the street. Creepy, yes, but so so deserves it.
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts
For user setup and scripting
Anyway, hope that helps.
I'd start with the krypted guide. Read it twice, then have at it.

Similar Messages

  • Setting up network users using OS X Server: Is there a usable guide somewhere that fully explains how?

    I have tried reading through what I can find in Apple’s documentation for OS X Server (as downloaded from the App Store, running on a new OS X 10.9 machine - not an upgrade). And I’ve tried digging through articles on the web and discussions in the forums here.
    I still cannot get a working setup for network users hosted on my OS X Server machine.
    So, I’m hoping there’s a decent guide somewhere that folks can point me to that covers the entire process, including:
    every step involved in setting OS X Server’s various configuration parts (DNS, File Sharing, OD, Users,…),
    how to set up the accounts and their file folders on the server,
    and every step involved in getting the client machines to use the network accounts to provide user logins.
    I’m totally okay with resorting to the command-line if needed.
    Ideally, I want:
    all of my users’ files (everything in their “home” directories) to be stored on the server.
    the users to be able to use different machines on our LAN to login.
    their names & pictures to show up in the login screen like local users.
    From what I’ve seen so far, I’m not optimistic on that last point being doable. However, even if I have to manually add each user in the network login settings on the client machines in order to have their name & picture show up in the login screen, that’s suboptimal, but better than nothing (I have <10 user accounts to worry about, so brute-force is a tolerable option).
    Thanks for any direction/tips on this!


  • Adobe Acrobat 9.41 Pro+ on Snow Leopard 10.6.5 + Network users (Windows server 2008) = CRASH!

    Adobe Acrobat 9.41 Pro will work “great” on the admin account, however through the active directory log on of network users, every user gets the long crash report upon opening the application.
    Permissions are set so “everyone” can gain access, however the crash issue is not a decent setting on the Mac environment.
    Will welcome any thoughts..comments… and suggestions.
    Thank you-

    OS: Snow Leopard 10.6.5
    Active Directory Setup: Windows Server 2008 - Log in for network users
    Adobe Acrobat: version crash 9.3 and 9.4.1
    Admin of the Mac computer can log in and use the Adobe Acrobat Professional software, however when a network user
    Tries to log on the computer and open the Adobe Acrobat 9.3 or 9.4 the software hangs....for 7-8 seconds then displays a crash report, and options are send to apple.
    Permissions on every Adobe Acrobat folder on the computer are set to read/write for every user of the program.
    Software Type: Using the DVD purchase with the Education program, and the serial number does accept, and download the software from the Adobe web page.
    Emma McFaul

  • Problem setting up Network User

    I am running Mac OS X 10.5 Server with clients running 10.5 also. Currently, there are several users on the server, but in Workgroup Manager, their home directory is set to null. The users have local accounts on certain 10.5 clients which are linked to their accounts on the server. So when they log in to the client, they are authenticated against their account on the server, and various settings (Mail, iCal) are picked up from the server.
    I now need to allow users to log in to any client machine without setting up a local account (and linking it to the server account) first. So I have gone through the procedures specified in the 'User Management v10.5' documentation, specifically the 'Administering Share Points' and 'Administering Home Folders -> Creating a Network Home Folder' sections. I have used the second set of procedures to create a network home folder for a single test user. I assume that this makes the test user a 'Network User', though how to create a 'Network User' is not explicitly specified anywhere.
    The problem is that on a client machine (that does not have a local account for the test user), the test user's network account is not listed on the login screen (though the login settings indicate it should be), and I also cannot log in as the test user by clicking on 'Other...' and supplying the requisite credentials. I should note that the client Mac is 'attached' to the server (eg. through Directory Utility).
    Can anyone provide advice as to what's going wrong? Is there some other (secret?!) step that is needed to create a Network User so that clients see the user and allow the user to login?
    Many, many thanks,
    Jolin

    Hi Leif,
    Many thanks for your reply.
    Leif Carlsson wrote:
    The only way of "linking" a "local" account on a computer to a OpenDirectory account that I know of is to create the "network" account homefolder on the local/client machine HD when the user is logging in to the OD server for the first time.
    Actually, it is possible to not have a network account or home folder, and link a local user to a user account on the server. When a client computer is bound to the OpenDirectory server, in the 'Accounts' preference pane of the client computer, there is a field called 'Server Account:' with a 'Set…' button. Clicking the 'Set…' button allows one to link the local account to the server account. Even though there is no home directory on the server, when the user logs in to the client Mac, the password and any managed preferences for that account are taken from the server account.
    The client machine has to be bound to OD first and the account should preferably be setup as a mobile account (so the account can be used even if the computer isn't connected to the network - logins are cached locally).
    I have bound the client machine to the OD server, but I have not yet set up the account as a mobile account. I plan to do this eventually, but wanted to get the 'basic' network user account working first.
    For a "true network home" folder residing only on a server volume/share, the OD account should use a share(point) setup in Server Admin for an automount AFP (or NFS) "User home folders" share.
    I have done this. The server has a sharepoint called 'Homes' which is set to automount over AFP, with the setting 'Use for: User home folders and group folders'. This seems to be working, because on the client Mac, the 'Homes' sharepoint automatically appears when browsing the available network volumes.
    Then in the OD the user should be setup to use the automatically created path (afp://<server FQDN>/<shared folder>) as its homefolder path.
    I believe I've done this as well, using Workgroup Manager. When viewing the 'Basic' tab of the user, the 'Home:' is given as 'afp://<server FQDN>/Homes/jwarren'. That looks right to me, but I cannot login as the user 'jwarren' from the client Mac's login screen (Network Users are enabled on the client Mac). When I log in as a different user on the client Mac, I can browse the network, and the above afp path is automatically mounted.
    Is there some other setting needed so that the client Mac will 'see' the network user I have set up? As I say, the automount sharepoint is set up, and the user is set up in OpenDirectory (on the server) to have a home folder on the automount. But when I'm at the login screen on the client Mac, the network user does not appear in the list, and if I try to login by typing the username and password manually, the login window just shakes as it does when one enters the incorrect password.
    Any further help much appreciated!

  • Unable to create network users in Server App

    Hello.
    When trying to create a new user in Server Application I've come across this message:
    "existing connection is not authenticated: password change denied".
    Tried resolving it using the suggestions in the thread http://support.apple.com/kb/HT20001
       1. Quit Server.app.
       2. On the Open Directory Server, execute these Terminal commands:
          sudo touch /var/db/openldap/migration/.rekerberize
          sudo killall PasswordService
       3. Open Server.app.
    but the message I'm given in the terminal is No such file or directory.
    Does somebody know why I don't have the folder structure needed for this?

    Do this first, then try again:
    sudo mkdir /var/db/openldap/migration

  • Can't set up networked users?

    Hello,
    I'm trying to make it so that my students have the ability to log onto our iMacs (all running Lion) through our Mac Mini Server (also Lion).  I recently had to go through drastic changes in order to simply create a directory administrator, in hopes that this would solve the problem, yet it still persists.
    The active directory isn't bound onto the server yet.  When I try to bind my Active Directory with the Mac Mini, I get the following popup after logging in as the Directory Admin:
    I am honestly at a loss now; I have no clue what to do anymore. Please help!

    Sorry about that, it looks like their servers might be having trouble. How's this?

  • Need help with network user accounts on Mac server App on Yosemite, any tips?

    I've been trying to set up a small network with the Server app on Yosemite. I don't want to do anything crazy with the server, I'd just like to know how I can set up network user accounts so that they can login from other Mac computers on the same network. I already have Open directory set up, the Macs that will be used on the network with the server have already been joined to the server under login options. I have created the network user account, I have also joined the user account to a group that I created. When I try to login to the network account from one of the Macs, it doesn't work. I'm pretty rookie with Mac server, can anyone give me any pointers of what I should be doing? Or if I am doing something wrong. Thanks guys.

    The most important step, once you've got Open Directory and DNS set up, with Local Network Users set up in Server.app, is to make sure that all client Macs are using the server's IP address as the primary DNS server in System Preferences > Network, and that they have joined the Network server in System Preferences > Users and Groups > Login Options.
    Having said all that, I have just spent hours setting this all up only to find out that Mail doesn't currently work with Network Homes in 10.10.3 / Server.app 4.1.
    I will be hoping that Apple recognise the bug, and put out a fix soon.

  • How can I allow network users to use File Sharing on 10.8 Server?

    I am in the process of setting up a new OS X 10.8 Server. I have exported/imported the network users from my previous OS X 10.6.8 Server using Workspace Manager. I have re-entered the passwords of the users. I have existing clients running (still logged in).
    I have set up the File Sharing service in Server.app. I have several mount points. I have made the Users mount point available for home directories over AFP.
    Now, the system administrator can connect to the server and get access to the file shares. So the basic file sharing system works.
    Also: the users on a client can get their password verified (e.g. when unlocking screen protection) by the server. It is just AFP they can't get access to, while the system administrator account (OD /Local on the server) can be used. So, the password in the server is OK too. It seems to be a matter of privileges.
    But no network user (OD user in directory /LDAPv3/127.0.0.1 on the server) can get access. Where can I give network users privileges for File Sharing on the server?
    I did try to add either the "Open Directory Users" group or a specific user that was imported into com.apple.access_afp. If I do that, there is partial success. I can connect to the server from the client with a user account other than system administrator from the server (but connecting is slow). But Mobile Home Sync does not work:
    1:: [13/04/05 16:11:10.379] Scheduling next sync of "HomeSync_Mirror" at 2013-04-05 14:11:20 +0000
    1:: [13/04/05 16:11:20.782] ==========================================================
    0:: [13/04/05 16:11:20.782] Starting automatic sync of "HomeSync_Mirror".
    1:: [13/04/05 16:11:20.786] Peer "network" reports changes since last sync.
    1:: [13/04/05 16:11:20.786] [0x7fd5a9224760/<SStore_FS:0x105db3420>] +[SStore_FS newStore_FSForPeer:alias:]: isRemote = NO
    1:: [13/04/05 16:11:20.786] [0x7fd5a9224760/<SStore_FS:0x105db3420>] +[SStore_FS newStore_FSForPeer:rootPath:rootAlias:rootRef:storePath:optionalStoreID:]: peer = <SPeer_FS:0x7fd5a5009520> = local, optionalStoreID = (null), peer.storeIDString = *
    1:: [13/04/05 16:11:20.786] [0x7fd5a9224760/<SStore_FS:0x105db3420>] +[SStore_FS newStore_FSForPeer:rootPath:rootAlias:rootRef:storePath:optionalStoreID:]: rootPath        = /Users/gerben
    1:: [13/04/05 16:11:20.786] [0x7fd5a9224760/<SStore_FS:0x105db3420>] +[SStore_FS newStore_FSForPeer:rootPath:rootAlias:rootRef:storePath:optionalStoreID:]: storePath       = /Users/gerben/.FileSync/store.filesyncstatetree
    1:: [13/04/05 16:11:20.787] [0x7fd5a9224760/<SStore_FS:0x105db3420>] +[SStore_FS newStore_FSForPeer:rootPath:rootAlias:rootRef:storePath:optionalStoreID:]: rootAlias       = {path='/Users/gerben', targetName='gerben', volumeName='Macintosh HD', type=DIR, volumeCreateDate=2010-08-10-12:58:16, targetCreateDate=2011-08-28-18:39:13, parentDirID=37638, nodeID=3003598, filesystemID=0000 ('0000'), signature=0x482b ('H+'), isBootVolume=YES, isAutomounted=NO, isEjectable=NO, hasPersistentFileIDs=YES, mounted=YES, url='file://localhost/'}
    0:: [13/04/05 16:11:20.789] -[SPeer_FS _mountServerCallbackShares:status:]: received error 64
    0:: [13/04/05 16:11:20.790] EXCEPTION: _mountServerCallbackShares:status: (Host is down) <-[SPeer_FS mountPeerVolumeWithURLString:] (Peer-FS.m:446): "'(-1)' error 64">
    0:: [13/04/05 16:11:20.790] USERINFO: {
    0:: [13/04/05 16:11:20.790]     NSLocalizedDescription = "Host is down";
    0:: [13/04/05 16:11:20.790] }
    0:: [13/04/05 16:11:20.790] BACKTRACE: {
    0:: [13/04/05 16:11:20.790] ? | 0x105cb79b7  
    0:: [13/04/05 16:11:20.790] ? | 0x105cbf0e5  
    0:: [13/04/05 16:11:20.790] ? | 0x105c2c866  
    0:: [13/04/05 16:11:20.790] ? | 0x105c2babd  
    0:: [13/04/05 16:11:20.790] ? | 0x105c2acb4  
    0:: [13/04/05 16:11:20.790] ? | 0x7fff858bb72a
    0:: [13/04/05 16:11:20.790] ? | 0x7fff858bb6a2
    0:: [13/04/05 16:11:20.790] ? | 0x7fff874cf8bf
    0:: [13/04/05 16:11:20.790] ? | 0x7fff874d2b75
    0:: [13/04/05 16:11:20.790] }
    1:: [13/04/05 16:11:20.790] Peer "network" is unable to sync. (-[SPeer_FS mountPeerVolumeWithURLString:] (Peer-FS.m:446): "'(-1)' error 64")
    0:: [13/04/05 16:11:20.790] Peer "network" is unable to sync. Not enough peers will be available to continue syncing.
    0:: [13/04/05 16:11:20.790] Aborting sync of "HomeSync_Mirror".
    1:: [13/04/05 16:11:20.790] -[SPeer abortSync] "local"
    1:: [13/04/05 16:11:20.797] -[SStore_FS setupWithAlias:andRef:] (Store-FS.m:447): unlink('/Users/gerben/.FileSync/.fstemp.QW1Gh-bhvgEhVwmG3.noindex')
    0:: [13/04/05 16:11:20.798] EXCEPTION: !IF <-[SPeer(protected) doPrepareForSyncWithResolvedConflicts:] (Peer.m:1149): "'(([self checkAbort]))'">
    0:: [13/04/05 16:11:20.798] BACKTRACE: {
    0:: [13/04/05 16:11:20.798] ? | 0x105c2bb66  
    0:: [13/04/05 16:11:20.798] ? | 0x105c2acb4  
    0:: [13/04/05 16:11:20.798] ? | 0x7fff858bb72a
    0:: [13/04/05 16:11:20.798] ? | 0x7fff858bb6a2
    0:: [13/04/05 16:11:20.798] ? | 0x7fff874cf8bf
    0:: [13/04/05 16:11:20.798] ? | 0x7fff874d2b75
    0:: [13/04/05 16:11:20.798] }
    1:: [13/04/05 16:11:20.798] -[SStore_FS deleteStateTreeTurdFile] (Store-FS.m:476): unlink('/Users/gerben/.FileSync/store.filesyncstatetree.statetree_dirty')
    1:: [13/04/05 16:11:20.798] Peer "local" is unable to sync. (-[SPeer(protected) doPrepareForSyncWithResolvedConflicts:] (Peer.m:1149): "'(([self checkAbort]))'")
    0:: [13/04/05 16:11:20.798] Peer "local" is unable to sync. Not enough peers will be available to continue syncing.
    1:: [13/04/05 16:11:20.798] EXCEPTION: SFAbortedException <-[SSyncEngine _waitForPeers:] (SyncEngine.m:1922): "'(_abort)'">
    1:: [13/04/05 16:11:20.798] -[SSyncEngine threadMain_SyncEngine_sync:]: sync failed with exception "-[SSyncEngine _waitForPeers:] (SyncEngine.m:1922): "'(_abort)'"".
    0:: [13/04/05 16:11:21.066] Sync of "HomeSync_Mirror" encountered errors. (_mountServerCallbackShares:status: (Host is down))
    0:: [13/04/05 16:11:21.067] Last successful sync completed at 2013-04-04 20:17:15 +0000.
    0:: [13/04/05 16:11:21.067] Finished sync of "HomeSync_Mirror".
    1:: [13/04/05 16:11:21.067] Scheduling next sync of "HomeSync_Mirror" at 2013-04-05 14:31:21 +0000
    1:: [13/04/05 16:11:21.284] 1-pass sync of "HomeSync_Mirror" took 0.02 seconds

    Hi Gerben,
    Try creating a brand new user, that's not imported and see if that works. Every user/group has a little gear in the Server.app/Users or Groups which allows specific access to specific services, perhaps filesharing is off in that section?
    Is your DNS setup properly? Can you verify that clients can see the FQDN of your server?
    After setting up the Users folder for mobilehomes, did you check whether the group and the separate users have access to filesharing? I am able to select the correct homefolder /Users and restrict the homefolder size.
    Good luck!
    Jeffrey

  • Mountain Lion Server: add network user to remote management

    Hi,
    So recently I have upgraded from Lion Server to ML Server. A little disappointing, but whatever, I've moved on and got everything almost back to where I had it with Lion.
    My last few issues I believe are related but can't quite figure it out. In Lion I have an admin profile and then a network user profile that I used on my MBP bound with AD. I'm at the stage where my new network user can log in on the server machine but I can't log in as the network user via screen sharing. I can't add a network user to Remote Management, and with Remote Management enabled Screen Sharing is greyed out. I'd really like this to work.
    My second problem is that I can't bind my MBP to the server but even when bound the network user account can't log in.
    Anybody have any ideas?
    Thanks!

    I had this problem on a clean install.
    The solution was incredibly simple for me, but only after I saw Ross.M's note about opening the Users & Groups settings panel (in the OS System Prefs, not in server) and rebinding to OD server under Login Options.
    That was not the solution for me, but under Login Options I discovered a previously unnoticed pref for "Allow network users to login at login window."  I had this option set (apparently by default) to "Only these network users:"  but with an empty list.  Adding my users to the list made it work perfectly.
    Talk about KISS

  • Mac OSX Lion Server Network User Login Issue

    We have in the office a server running Mac OSX Lion, and several network users who've all been running happily for quite a while.
    About a month ago I was added to the system, and initially we had a few issues relating to the home directory, but we changed 'something' and it all worked.
    Fast forward to now, and we've added a new user - Hannah - to our system.
    I've added her in the Workgroup Manager, and set her up everywhere I can find on the server. Her home directory creates on the server fine.
    She appears in the Logon list on the client machines, and here's where the trouble starts...
    Every time she tries to log on, it fails. The logon box just bounces or wobbles as though the password is incorrect. We've tried changing the password, to no avail. We've tried adding new test users - same problem.
    We've tried sudo kinet on the Terminal as a local user, with variable results.
    I'm at my wits' end, and really hoping someone here can help offer some suggestions or advice we can work through to get to the bottom of this.
    Thanks in advance!

    Your problems are likely occurring because you added her to the directory with Workgroup Manager.
    You should really start avoiding WGM when at all possible as Apple is clearly moving away from it. Because of this, things don't always work as expected when using 'legacy' tools like WGM.
    My guess as to what your problem is: When you create a new user in Server.app, two things happen for you automatically that WILL NOT HAPPEN if done from WGM.
    First the user is added to the default "Workgroup" group.
    More importantly (and the source of much confusion), the user is automatically added to SACLs.
    Check the SACL for the user in Server.app, I bet you'll notice that they aren't a member of the File Sharing group like they should be. To solve this problem, you can either delete the user and recreate them in Server.app, or manually add them to the appropriate SACL.
    I would opt for recreating them in Server.app if I were you, as I don't trust user accounts that originate in WGM on Lion Server.

  • Error "kdc: Server not found in database" on attempted connections using Network User Credentials

    I am rebuilding my system after a recent debacle with Time Machine, which resulted in a complete wiping of my Open Directory contents. At this point, users can log into various computers on the network, when the hosts have been reconnected to the newly formed Open Directory and the trust certificate has been authorized.  However, when users attempt to connect to any file share, the Network User Account credentials fail to gain access.
    I am running Mac OS X 10.9.4 on all systems. Two mac-mini's are running OS X Server 3.1.2.  One of these servers (mavericks1.pediatricheartcenter.org) is the Open Directory.  While testing the system, I am using the console on "Mavericks1," so the following discussion involves communication between the two server hosts only.
    From Mavericks1, I open the console and attempt to connect to my file server, named fileserver.pediatricheartcenter.org.  I clear the console just prior to sending a "registered user" request to "FileServer" to gain access.  Careful examination of the console records shows the following:
    1. The Network User is authorized with a message "ENC-TS pre-authentication succeeded".
    2. Mavericks1 lists a console message that reads "kdc: Server not found in database: krbtgt/[email protected]:no such entry found in hdb"
    3. Mavericks1 lists a console message that reads "kdc: Server not found in database: cifs/[email protected]: no such entry found in hdb"
    4. The process registers what appears to be a final failure before trying again with "kdc: Failed building TGS-REP to 127.0.0.1:64390"
    FileStorage.local does not exist in the DNS, nor does it exist on FileStorage.pediatricheartcenter.org. That (local) host name was removed when the domain host name for filestorage.pediatricheartcenter.org was created.
    1. Why does the kerberos process reference a host name that does not exist?
    2. What might be causing the failed authentication exchange?
    3. What can be done to remedy the issue?

    I spent some time on the phone with Apple Support on Friday.  Thank you to Linc Davis for providing some insights into the issues.
    As a result of the conversation with Apple Support we learned the following, which I will report here for those who might find this page again:
    First, OpenDirectories are extremely fragile.  Once you have turned on your OpenDirectory, do not do any of the following:
    Do NOT change the host name.
    Do NOT change the IP address.
    If you are going to attempt either of these things, you should make a clone of your drive (not just a TimeMachine backup, a fully bootable clone, just in case).
    Performing these activities (particularly the changing of the host name) will "break" your open directory, and the only way to rebuild the open directory is first to fully destroy the original.  Several services are also destroyed when OpenDirectory is broken, the most notable is Profile Manager.
    DESTROYING OPEN DIRECTORY
    To fully destroy OpenDirectory, it is more complex than simply turning off the OpenDirectory and turning it back on again.  Perform the following steps:
    1. Install WorkGroup Manager (it is deprecated, but Apple still has a version available for use with OS X Mavericks to handle functions that the Server App does not perform like exporting users and groups).
    2. Sign into WorkGroup Manager as the directory administrator (user name defaults to "diradmin"; the password is defined on OpenDirectory creation).
    3. Export the Users, Groups, Computers and Computer Groups to the Desktop or another safe location.
    4. Close WorkGroup Manager.
    5. Turn off the OpenDirectory in Server App.
    6. Delete the Server App from the Applications folder and put it in the Trash. (This will disable any active services that are marking various files as being currently in use. Don't worry, we will restore it from the Trash when we are done).
    7. In the terminal, run the following command: sudo slapconfig -destroyldapserver
    8. Make a backup of all website files (just in case).
    9. Navigate to the folder /Library/Server and delete the ProfileManager folder. (If you are willing to do so, delete the whole Server folder).
    10. After deleting various folders in the /Library/Server directory, restore the Server.app from the Trash.
    11. Run the Server App.
    12. Set the computer's network connection and host name.
    13. Create a new OpenDirectory.
    14. Use WorkGroup Manager to import any exported files from Step 3.
    15. If you deleted the entire Server directory, use the website backup to retrieve the files that comprise your web site(s) and use the Server App to link the file directories to the Web site's domain name(s).
    Personal Note: These instructions got me farther than any other tips I had received previously. After following these instructions, I was able to rebuild my Open Directory. During the process of copying files from the old user home folders into the new user home folders, the computer froze and when it rebooted, all the users and groups I had created during the day had disappeared. Rather than trouble-shooting it again, I decided to do a fresh installation.
    A NOTE ON HOME FOLDERS
    PER APPLE SUPPORT: Do NOT use the default /Users directory for Network users. Apple Support wanted me to rebuild the home directory, but they noted I was not able to do this, because I had used /Users.  This folder ("/Users") is a critical component of the OS X system, and will cause additional problems if the folder is destroyed and rebuilt.  The directory id and permissions must remain unchanged from the original installation.
    For this reason, Server administrators (like yourself) should use File Sharing in the Server App to create a new anchor point for home directories.  Create a shared folder. Ensure that it is shared over the protocols that you will be using (AFP, SMB, WebDav), and then after selecting these values, check the box that allows the folder to be used as a home directory at the bottom of this list.  This box will be greyed out if the system is not already bound to an OpenDirectory. If you have activated OpenDirectory on the same machine, the machine will operate as if bound to itself, and this field will be active.  If the FileShare server is NOT an OpenDirectory master or replica, then bind the machine to an OpenDirectory via the "System Preferences > Users & Groups > Login Options".
    If the local area network has FileShares that are enabled for home directory use, the folders will appear in the User Profile editor under the Home Folder list (See image)
    In the screenshot above, I have selected a shared directory named "HomeFolders".  By using a specially defined home folder directory, the server administrator has the option of deleting and modifying the home folder if necessary.  Creating a home folder directory in a location other than "/Users" is the recommended best practice by Apple Support.
    If you are inserting files into the home folders, you will need to change the owner and the group to the new owners names.  I copied files from the old user directories into the new user directories so that the users would have access to their old files.  When my OpenDirectory crashed, and all the users were recreated, they were recreated with different system level user id's.  The system therefore maintains a memory that the file was owned by the original owner, even though the system administrator has put it in the new user profile's folder.  To fix this, do the following:
    1. Prior to making the copy, run "ls -al" from the terminal on the new home directory root.  You are looking for the default folder owner and default folder group.  On my system it was the user name and a group named "staff".
    2. When making the copy, do not replace the user folder. Copy the files into the file folder, not over it.
    3. After you have moved files into the user's folders, you can use "sudo chown -R [owner]:[group] [homeFolderPath]/*" and "sudo chmod -R 700 [homeFolderPath]/*" (replace the [owner] and [group] portions of these commands with the owners and groups identified by the command in step 1, and replace [homeFolderPath] with a path to the user directory created for the specific user).
    For example:
    For the user johnnybgood, we might see the following:
    1. We run "ls -al" on the newly created home folder and find that the folder /Volumes/HomeFolders/johnnybgood is owned by johnnybgood and the group "staff".
    2. We copy or move files from the old locations using commands similar to the following:
           sudo mv /OldFolderLocation/johnnybgood/Documents/* /Volumes/HomeFolders/johnnybgood/Documents
           sudo mv /OldFolderLocation/johnnybgood/Desktop/* /Volumes/HomeFolders/johnnybgood/Desktop
           sudo mv /OldFolderLocation/johnnybgood/Music/* /Volumes/HomeFolders/johnnybgood/Music
           ....etc....
           (notice how we are not just moving the old johnnybgood folder to the new location.)
    3. Next, we change the ownership and file permissions:
           sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Documents
           sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Desktop
           sudo chown -R johnnybgood:staff /Volumes/HomeFolders/johnnybgood/Music
           ...etc...
           sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Documents
           sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Desktop
           sudo chmod -R 700 /Volumes/HomeFolders/johnnybgood/Music
           ...etc...
    4. Let the user log in and use the system normally.
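
To confirm that the copy-then-chown procedure above took effect, the following check lists what is still wrong under a home folder. It is an added example, not part of the original post; the function names are made up here, and it walks hidden dotfiles too, which a `/*` glob on the command line does not match.

```shell
#!/bin/sh
# Audit the contents of a migrated home folder (read-only, changes nothing).
# Added example: wrong_owner, too_open and audit_home are hypothetical names.

# Print every entry below folder $1 that is NOT owned by account $2.
# $2 may be a user name or a numeric UID (useful when the old account is gone).
wrong_owner() {
    find "$1" -mindepth 1 ! -user "$2" -print
}

# Print every entry below folder $1 that still grants any permission to
# group or other, i.e. anything looser than the 700 used in step 3.
# Symlinks are skipped because their own mode bits are not enforced.
too_open() {
    find "$1" -mindepth 1 ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Summarise both checks on one line; exit status 0 only when both are clean.
audit_home() {
    tree=$1
    acct=$2
    bad_owner=$(wrong_owner "$tree" "$acct" | wc -l | tr -d ' ')
    bad_mode=$(too_open "$tree" | wc -l | tr -d ' ')
    echo "wrong_owner=$bad_owner too_open=$bad_mode"
    [ "$bad_owner" -eq 0 ] && [ "$bad_mode" -eq 0 ]
}
```

Run it as root before and after step 3, for example `audit_home /Volumes/HomeFolders/johnnybgood johnnybgood`; a non-zero exit status means some entry still needs chown or chmod.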

  • How to have the network users home folder on the server

    I have snow leopard server up and running and I want to have the network users home folder on the server, instead of it being located on the connected computers. This way the users can access their folders from other computers in the network

    In addition you have to make the sharepoint able to be automatically mounted. The manual says this is very important.
    But you should really read the announced manual. All the manuals are filled with step-by-step instructions for modifying many preferences... That's my experience!
    Now I've got a question, too...
    My OD-Master is bound to AD. I try to use win-Accounts for working on mac. It works pretty good, by using a group-account. In this group-account I connect the win-accounts to instruct all the restrictions I've set for user-accounts.
    But this way I can't create a homefolder on a share...
    The share (netusers) is on the same server (mac-server2) as the OD-Master is running on. I've set the path for creating homefolders in Mobility option on "//mac-server2/netusers" for the group-account the AD-user is member of.
    Is it the wrong way?

  • OS X Server 3 new installation - network users can't connect - what the h... am I doing wrong ?!?!

    Mac Server 3 drives me crazy ...
    I have a brand new MacMini here with Mavericks on board, and two brand new MacBook Airs and 3 27" iMacs that I want to set up as a small office. The MacMini should act as server (with two Thunderbolt hard disks connected) for the rest. So far the theory, meanwhile I'm in the reality of Server 3 ...
    Having years of experience with "normal network" solutions like filesharing etc. I had a look at Server 3 and thought it couldn't be that complicated to set it up - but meanwhile I'm disillusioned.
    I've now completely reinstalled the MacMini and the Server for the third time, connected directly to the Airport Extreme, started filesharing and started the Server app afterwards. Then I just
    - opened the settings of the server, set up a local network (xxx.local)
    - activated push-notification and got a certificate
    - started the profile manager
    - started open directory
    - started the DNS server
    - started file sharing (creating a new folder on the MacMini, offering user folders via SMB or AFP (tested both))
    - started the other services (calendar, contacts, etc.)
    - opened ports for the public services on the AirportExtreme
    - set up a testuser (network user), giving access to all services
    - gave the test user access to the network folder created
    On the MacBook Air I used for testing I registered the network account server (getting a green light afterwards), ticked the box at "allow network users to sign on" (I could even see the test user's name there).
    But after switching to the login I only got normal users on the MacBook Air. Switching the "allow network users to sign on" sometimes resulted in a third user "other" where I could enter the Username and password - but : no result - just as explained several times in this thread ... :-( :-(
    The last three days I tried several setups, switched and renamed, issued certificates, tried out the profile manager and registered the MBA, set up the user folder via AFP and SMB, ...
    But : no access to the network user granted ...
    Just read the last lines of the log after my last attempts and could read "connection invalid" and "connection denied" several times in it ... does anyone have an idea what's going wrong here ?!?!??!
    I really need to set up this server as soon as possible and am really frustrated about this really not Apple like behaviour of this software *eyesroll* ...
    Any help appreciated !

    Hi,
    sorry, but frustration continues ... here's what I did :
    - completely did the fourth reinstall of the MacMini, new Mavericks, all updates. Then installed the server.app
    - deleted all network connections except the Ethernet, gave it a static IP 10.0.1.201
    - started the server app, renamed the computername and the hostname
    Result :
    - This automatically started the DNS server - I just checked this and found a server.dizwo.private entry pointing at the 10.0.1.201. According to your proposal I entered a second entry with "dizwo.private" pointing at the same IP 10.0.1.201 (named "server") - as you didn't respond to my request above the entries are only guesses
    - on the AirportExtreme I opened the ports for all necessary services
    - I created a public user folder with all necessary access types (using SMB for the user folder)
    - created network user pointing at this folder
    - checked whether it has access to all services (was already  preset) and gave him access read/write to the user folder
    - last but not least I started the OpenDirectory server showing availability of the OD server at server.dizwo.private
    ... and then ?
    On the MacBook Air and on another iMac I first had a look whether I get access to the user folder on the server. I could see it in the finder windows and got access, okay - fine.
    Then I wanted to set up the OD server in the user settings on the clients - but contrary to my earlier tries I didn't get the OD server name, but simply a "server.local".
    Trying to enter the "server.dizwo.private" simply resulted in a "host not found" ??!?!
    You can imagine how frustrated I'm now about all this stuff - I've been an Apple user for more than 20 years and haven't seen such weird behaviour of an Apple software before - not user friendly in any matter ... .
    This server software is advertised and looking like to be an easy to use front end to create a server, even the "manuals" (not that I would call them so ...) do so. But it looks like it's really more a trial and error thing when you do the installation ...
    So : what did I do wrong now ? Is there anything that I missed ? Is it a certificate thing (I didn't set up a custom one but used the intermediate one preinstalled) ? Or another network issue ? The DNS server ? The OD server ? The naming of the server ?
    I really urgently need help - need to set up this server the next 2 weeks !!
    any help appreciated !!

  • Network users cannot log in to server

    I have set up a new server from scratch on a new Macmini.  In the main, it works absolutely fine.  Users can log into the server from a client device as a registered user and can share the screen with no problem.
    The users are set up as local network users and are in a local group and a network group. I set them up using Workgroup Manager after setting up Open Directory.  All users can be seen from OD and WM.  However, they cannot log in to the server directly - only the server administrator can do that.  Home drives etc are all set up fine.
    Any help will be greatly appreciated.
    F

    Administrators always have access, you may have blocked Network Users from having access using Workgroup Manager 10.8.
    Open Workgroup Manager 10.8
    Authenticate to the local directory as an administrator.
    Go to the machines section and select the server where users cannot log in.
    Click the preferences icon to see the preferences for that computer set through WM 10.8
    From the overview choose Login.
    Choose the Access tab and set Manage: to Never.
    Message was edited by: Mark23

  • Show Network Users (as List) not working consistently (10.5 server/client)

    I am running an Xserve with 10.5.5 Server as an Open Directory Master. When I go to the Computer Group the clients are listed in and set the preference to show network users as list on the loginwindow, the clients are not constantly displaying the list. Network Accounts are available on the client and typing the username in Other is also logging in.
    What I think is strange is that my custom heading always displays, so I know I'm getting at least some of the mcx settings on the client. This was not a problem with 10.5.4 client/server combo. If only local accounts are listed, you can restart and 50% of the time the network users show up in the list. You can also log in as a local user and log out, this will sometimes refresh the list to display network users. However, whether or not the users are displayed in the list, network accounts are always available and can login via Other.
    Does anybody know what I can do to fix the problem? It is an elementary school environment, so it is not feasible to have kindergarten students to type out their names every single time.
    One possible solution I came up with is to replace the 10.5.5 loginwindow on the client with the 10.5.4 version, but 10.5.5 supposedly fixes a lot of problems with it. Are there any negative consequences that could occur from doing this besides the fact that I lose the security fixes to the 10.5.5 version? I know that my 10.4.11 clients do not experience this problem, so I'm guessing that the 10.5.4 loginwindow might just work, but wanted to see if anyone knew of any issues in doing this.
    I have also written a program that manages our clients for automated naming, image OS version assignment with NetRestore, and generate import files that create computer and computer list records for Workgroup Manager. This information is stored in a MySQL database and the program I wrote generates files that are imported into Workgroup Manager for list assignment. The computer lists are generated by room number, and computers are assigned names with their corresponding room number and placed in the appropriate computer list. In 10.5, I see that there is a push for Computer Groups rather than Computer Lists. However my program assigns computers to lists using the computer record name rather than the generated uid of the computer record like the computer group expects. From what I understand, the only benefit to Computer Groups is that you can include other Computer Groups within Computer Groups. Does this create any issues for mcx management? I have tried both groups and lists and have the same problem with loginwindow network user lists on 10.5.5.
    Another question I have is how do you change the Cache settings now in WGM? In 10.4.11, there was a "Cache" tab where you could force clients to refresh the MCX cache after x amount of time, but the tab has been removed in 10.5. Can I add that mcx flag to Open Directory and have my 10.5 clients respect the policy, or has this been outdated in 10.5?
    Thanks,
    Chris Bethel
    Hamilton County Dept. of Education
    Chattanooga, TN

    Thanks for your reply, it gave me an idea that seems to be working so far:
    This is not feasible for anything other than an elementary school with network homes. It is extremely insecure but when you need a working product, you pretty much gotta do what you gotta do. Here's what I've done:
    1. I created a local administrator user with the name "@ Refresh List" with short name "refreshlist" with no password.
    2. Launch Script Editor (in /Applications/AppleScript/Script Editor) and paste this code:
    do shell script "rm -Rf '/Library/Managed Preferences'" password "" with administrator privileges
    do shell script "killall loginwindow" password "" with administrator privileges
    3. Save with file format set to Application, check "Run Only" and uncheck all other boxes, to somewhere in the user home folder.
    4. In the Accounts pane of System Preferences, select the "@ Refresh List" user and go to the Login Items tab.
    5. Drag in the application you just saved.
    6. Quit System Preferences and log out.
    This is EXTREMELY bad for security, but since it's elementary school students and network home folders, there's not much for them to mess up. It provides a 1-click process for updating the much needed list.
    Also -- I've tried swapping out loginwindow with 10.5.4 and experienced the exact same result.
    My fix is quick and dirty, but gets the job done.
    Does anyone else have any suggestions?
    Message was edited by: WollarinTJ
