Author Topic: Making single sign in work  (Read 1014 times)

david gordon

  • Newbie
  • *
  • Posts: 2
Making single sign in work
« on: November 12, 2015, 07:03:15 AM »
I'm stuck...

I thought it would be nice to make single sign in work. As I understand it, once logged in I can just "Connect to Server..." and not have to put in my Server username and password. I can make this work, but only for a User who has a Network Home Folder (the kind the book dissuades, but it's only a test user). For a "None - Services Only" user I can't get to the Shared Folders without logging in at "Connect to Server..."

I've asked over on the Apple Discussions but no solution as yet. https://discussions.apple.com/thread/7332654

I'm sure I have everything, DNS, Certificate, Binding in place. I've now also edited my User so that their Home Directory is /Users/<myusername>, but I'm obviously still missing something, somewhere.

Which page am I not paying enough attention to?

Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: Making single sign in work
« Reply #1 on: November 12, 2015, 02:05:15 PM »
No problem.  So, here is a deeper explanation. 

1:  You are correct that the local user cannot participate in single sign on.  The reason is that even though the local workstation user is UID 501 and that local admin may share the same name as the server 501 local admin, the accounts are different.  They have different GUIDs.  In addition, the local account on the server is not "seen" by the shared domain "Open Directory."  This is why when you log into a workstation with a locally created account you must then auth to file services.  While the device is trusted by the domain due to the bind, the user is unknown and thus is prompted to authenticate.

2:  Network Home Folders users (users with home folders on the server) only require binding to the domain.  A simple bind will allow the user to login because the network home folder path is part of the user ID.  It is that attribute that directs the machine to mount the net home share and grant access to the home folder.  Now, since the account is a domain account, access to other resources is transparent because of the Kerberos infrastructure.

3:  Mobile accounts.  I think I know what you are missing.  Mobile accounts need a bit more.  First, let's take the user account.
a:  If you create the account as Local Only, the proper home path will be created in the user account.  For this example, let's use the user John Doe with short name of jdoe.  If you make his account using Local User as the Home folder popup, then a folder is created in the server's /Users folder.  I hate this and that is why I suggest creating the account as None - Services Only and then editing the account to define a valid home path. In this case, /Users/jdoe. 
b:  Technically, that is all that is needed of the user account.  Ah, now for device trust.  This is binding.  If you are manually binding to the OD domain you are using System Preferences > Accounts or, as I prefer, Directory Utility.  This creates a machine record in OD and forms a trust between the workstation and the server.  By having device trust, we assume things like DNS and time match or are within tolerance. 
c:  Ah, but as you are discovering, setting a valid home folder path and binding to OD is not enough...  In the old days it was.  You would then use OD to define MCX for the mobility payload.  This is not enough to allow a user to create content on the workstation.  You need to set the mobility settings allowing mobile accounts.  Aha you say!  How do I do that?

So you have two methods to make this happen.  Both involve enabling Profile Manager.  Now, you don't need to enroll your devices into profile manager (although in the long run it is easier).  You can enable Profile Manager, create or manage an OD group and define the Mobility setting.  Once you have it defined, you can download the profile and manually install it on your workstation.  But that is a lot of work.

If you want to go the full experience, you will enable device enrollment, enroll your workstation into profile manager, and then deliver the Mobility profile to the machine.  At minimum, you simply need to check the box to allow mobile accounts.  (oh, take a look at the second tab and uncheck the highly annoying auto-logout feature...).

These steps are covered extensively in El Capitan Server - Control & Collaboration.  That is the second book.  The pages you want to look at are:

Profile Manager chapter starting on page 10
Enabling Device Management on page 20
Enrolling Devices on page 33
Setting policy on page 44 - Jump to My First Policy on page 42 for exactly what you are trying to do

Then there is the Users and Groups chapter that tries to cover the myriad of account types in OS X.  And then the Putting it all Together chapter has a complete walk through in the John Q Public - Managed Mobile User section.

Let me know if this helps!  I missed the discussion on the forum.  Sorry about that.  I try to help the community when I can. 

Hope the book(s) are helping.  Sorry if there is confusion.  If you have suggestions, corrections, or just feedback I will gladly take it.  Also, if you like the books please post a review in the iBooks store.  This world is all about likes and up-votes :)

Let me know if you get unstuck or if you need more help.

Reid
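The reply above lists what a domain login silently depends on: DNS that resolves both ways, an Open Directory bind, a usable home path on the user record, and the Kerberos ticket that makes "Connect to Server..." skip the password prompt. The script below is an added checklist for a bound OS X workstation; it is not from the thread or from the books. SERVER and SHORTNAME are placeholders, the `/Network/Servers/` prefix used to recognise a network home is an assumption about the NFSHomeDirectory convention, and the sample values in the classification function are constructed.

```shell
#!/bin/sh
# Added SSO prerequisite checklist (not from the thread or the book).
# Assumptions (placeholders): SERVER is the OD master's FQDN, SHORTNAME the
# domain user's short name. Run on the workstation after a domain login.
SERVER="${SERVER:-od.example.com}"
SHORTNAME="${SHORTNAME:-jdoe}"

need() { command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1"; return 1; }; }

# 1. Device trust assumes DNS agrees with itself: the A record and the PTR
#    for the server must point at each other.
check_dns() {
  need dig || return 1
  ip=$(dig +short "$1" A | head -n 1)
  [ -n "$ip" ] || { echo "DNS: no A record for $1"; return 1; }
  name=$(dig +short -x "$ip" | head -n 1 | sed 's/\.$//')
  [ "$name" = "$1" ] || { echo "DNS: $ip reverses to '$name', not $1"; return 1; }
  echo "DNS ok: $1 <-> $ip"
}

# 2. A bind creates a machine record on the server and an LDAPv3 node on
#    the workstation; if the node is missing, the device is not trusted.
check_bind() {
  need dscl || return 1
  if dscl localhost -list /LDAPv3 2>/dev/null | grep -q "$1"; then
    echo "bind ok: LDAPv3 node for $1 present"
  else
    echo "bind: no LDAPv3 node for $1 (check Directory Utility)"; return 1
  fi
}

# 3. Classify NFSHomeDirectory the way the reply describes: a local path
#    such as /Users/jdoe is what a mobile user needs, a path under
#    /Network/Servers/ (assumed convention) is a network home, and anything
#    else (e.g. the constructed value /dev/null) gives no usable login.
classify_home() {
  case "$1" in
    /Network/Servers/*) echo network ;;
    /Users/*)           echo local ;;
    *)                  echo none ;;
  esac
}

# Read the attribute from the domain user record via the LDAPv3 node.
home_path_for() {
  need dscl || return 1
  dscl "/LDAPv3/$SERVER" -read "/Users/$1" NFSHomeDirectory 2>/dev/null | awk '{print $2}'
}

# 4. After a domain login the user already holds a ticket-granting ticket,
#    which is why file services do not prompt; a local account never gets one.
check_tgt() {
  need klist || return 1
  if klist 2>/dev/null | grep -q 'krbtgt/'; then
    echo "Kerberos ok: TGT present"
  else
    echo "Kerberos: no TGT, so this login did not go through the domain"; return 1
  fi
}

run_all() {
  status=0
  check_dns "$SERVER" || status=1
  check_bind "$SERVER" || status=1
  home=$(home_path_for "$SHORTNAME")
  echo "home path for $SHORTNAME: '${home:-<none>}' -> $(classify_home "$home")"
  check_tgt || status=1
  return $status
}

run_all || echo "one or more SSO prerequisites failed"
```

Each check reports and returns non-zero rather than aborting, so one run shows which of the four prerequisites is the one that is missing; the home-path classification is pure shell and can be exercised on any machine.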
david gordon

  • Newbie
  • *
  • Posts: 2
Re: Making single sign in work
« Reply #2 on: November 14, 2015, 02:33:13 PM »
Many, many thanks, I think it's finally sinking in!

Naturally I will now have more questions surrounding Network and Portable Home Directories ...

So yes, I now understand only Network Home and Managed Mobile Users are able to access their Shared Folders without further authentication. I’ve gone back and read a few pages over again and have successfully made myself a Portable Home User. Naturally, that didn’t go as smoothly as it might have, but I got there in the end!

These are really good and useful books. I’m sorry I didn’t come across them until the latest editions. The other OS X Server books I’ve bought have only really been about the basics. You’re showing me I can do things in a small office I thought were only for enterprise users. Things like single sign on may appear small but create a much simpler system for people to use.

Obviously I’m keen to try things out and maybe I’m trying to run before I can walk. Or I’m just not reading closely enough! Perhaps also I’m getting into trouble as I want to convert users: I have Users already set up but a lot of the book is about creating a new server setup. So sometimes I may skip and miss a bit because I think “I’ve done that already”!

Thanks again, and don’t worry, I will have more questions…

David

PS Yes, I am going to write a review and everything to encourage you to keep publishing :-)

Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: Making single sign in work
« Reply #3 on: November 14, 2015, 07:40:30 PM »
Questions lead to answers and answers lead to understanding.  Before you know it this will all be old hat to you.

"You’re showing me I can do things in a small office I thought were only for enterprise users. Things like single sign on may appear small but create a much simpler system for people to use."

OS X Server is enterprise capable.  Granted, I would not try to make it the core of a 10,000 person business but a 100 person business is still an enterprise.  The scale may be different but the needs remain the same.

"Or I’m just not reading closely enough! Perhaps also I’m getting into trouble as I want to convert users: I have Users already set up but a lot of the book is about creating a new server setup. So sometimes I may skip and miss a bit because I think “I’ve done that already”!"

See pages 118 through 122 for Account Migration.  If it is your first time, do it with a test account so you get the process down.  But I commonly go into companies and do the migration from local to domain, and I can do a machine every 5 minutes.  No data copies.

And thanks for any and all reviews.  I've been working on the Advanced Services book earlier today.  I am trying to have it released by the end of the month.