Topic: book really helped - looking forward to the 2nd one

illitrate

  • Newbie
  • *
  • Posts: 5
book really helped - looking forward to the 2nd one
« on: March 02, 2014, 03:27:30 PM »
Hi,
Just wanted to say thanks for the Foundation Services book.
I'd previously set up Server with Lion, upgraded it to Mountain Lion, and while I got it serving my websites, it never seemed like it was exactly working correctly. Of course, having read your book now, I see that it was probably because I dived right in and set up user and websites and wikis before users, and before open directory and in particular, I don't think I ever checked DNS, let alone set it up correctly.

Fortunately, I had a hard drive failure, so I'm taking the opportunity to build everything from scratch with Mavericks. Following your book, it's been easy and straightforward. So I am now eagerly awaiting the next book. Are you still aiming to include the web and wiki sections? If not, can you advise, is there any danger with my proceeding to mess around and try and set them up myself? Or is there a similar pitfall, like in this book was making sure DNS is sound first, that I should wait for the second book for?

Anyway, thanks again, great book, really helpful, really easy to follow.
cheers!
jai

Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: book really helped - looking forward to the 2nd one
« Reply #1 on: March 02, 2014, 11:49:55 PM »
Thank you for the kind words.  I am very happy that the book is helping you and that you have found the information to be clear and easy to follow.

I also appreciate the vote of confidence for the next book. :D  It is coming along but based on Apple's rate of review, I am estimating that it is likely 6 weeks away.  So I don't want to hold you up too much.

The foundation is key.  On top of it you can build most everything else with relative ease.  That being said, the web and wiki components are relatively easy to configure and get started, especially the web stuff.  Now the wikis need some thought regarding your users and groups and I would strongly encourage an SSL certificate if you plan on using this externally.  I know we all think that we cannot be targets, but...  better safe than sorry.

When you create your users, I would suggest creating them all as None - Services Only accounts.  When you do this, the account will be missing an NFSHomeFolder and Shell attribute and no home folder will be created for the user.  If you are not planning on doing mobile accounts on your workstations, then the NFSHomeFolder path is not needed.  If you don't plan on using the accounts for remote shell (ssh) or FTP access, then the Shell attribute is not needed.

Other than that, use strong passwords and make sure you are backing up your data.  More to come on users.

And yes, the Web/Wiki and Profile Manager chapters are planned for the second book.  With all the new stuff on device management that Apple released last week I think I will delay the Profile Manager chapter to the 1.1 version of the book.  Apple is changing so quickly it is hard to keep up.
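An added check (not from the thread or the book) for the point Reid makes about "None - Services Only" accounts: whether a directory record carries the home-folder and shell attributes decides whether it can ever get an interactive login. The script below classifies dscl-style user records by those attributes; the attribute names `NFSHomeDirectory` and `UserShell` are the ones `dscl` prints (the post calls them NFSHomeFolder and Shell), and the records are constructed samples so it runs offline.

```shell
#!/bin/sh
# Classify account records by the attributes a "None - Services Only"
# account lacks.  On a real server each record would come from
#   dscl /LDAPv3/127.0.0.1 -read /Users/<name> NFSHomeDirectory UserShell
# Here the records are constructed samples, not real accounts.

# classify_record: reads one dscl-style record on stdin and prints
#   shell-capable   UserShell present and not a no-login shell
#   home-only       NFSHomeDirectory present, no usable UserShell
#   services-only   neither attribute present
classify_record() {
  has_home=0; has_shell=0
  while IFS= read -r line; do
    case "$line" in
      NFSHomeDirectory:*) has_home=1 ;;
      UserShell:*)
        # /usr/bin/false is the conventional "no login" shell; treat as absent
        case "$line" in *false*) ;; *) has_shell=1 ;; esac ;;
    esac
  done
  if [ "$has_shell" -eq 1 ]; then echo shell-capable
  elif [ "$has_home" -eq 1 ]; then echo home-only
  else echo services-only; fi
}

# classify: convenience wrapper taking the record text as an argument.
classify() { printf '%s\n' "$1" | classify_record; }

# Constructed sample records.
SAMPLE_JSMITH='RecordName: jsmith
UniqueID: 1025
NFSHomeDirectory: /Users/jsmith
UserShell: /bin/bash'
SAMPLE_FTPONLY='RecordName: ftponly
UniqueID: 1026'
SAMPLE_NOLOGIN='RecordName: nologin
UniqueID: 1027
NFSHomeDirectory: /Users/nologin
UserShell: /usr/bin/false'

# Summary when run directly: any "shell-capable" result on an account that
# was meant to be services-only is worth a second look.
for rec in "$SAMPLE_JSMITH" "$SAMPLE_FTPONLY" "$SAMPLE_NOLOGIN"; do
  name=$(printf '%s\n' "$rec" | sed -n 's/^RecordName: //p')
  printf '%s: %s\n' "$name" "$(classify "$rec")"
done
```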

urban420

  • Newbie
  • *
  • Posts: 11
Re: book really helped - looking forward to the 2nd one
« Reply #2 on: March 09, 2014, 08:44:06 PM »
Awesome info as usual and the book has been extremely helpful for me as well. You were not kidding when you stressed the importance of DNS and I am glad you had it well broken down.

You mentioned something interesting in your post:

When you create your users, I would suggest creating them all as None - Services Only accounts.  When you do this, the account will be missing an NFSHomeFolder and Shell attribute and no home folder will be created for the user.  If you are not planning on doing mobile accounts on your workstations, then the NFSHomeFolder path is not needed.  If you don't plan on using the accounts for remote shell (ssh) or FTP access, then the Shell attribute is not needed.

I have been testing user setup in the past week and there is some weird stuff happening. I decided I did not want to set up networked home folders as it seems like it could lead to trouble down the road. So after doing some research I chose the option when setting up a user to allow the users to only have local home folders - I think it is "Local Only". I assumed this would restrict the user to only having a home folder on the machine they logged in to, and this is what I want since each machine is dedicated to a user.

But when I set the users up I noticed that the server app created a home folder in the user folder on the server. Keep in mind the users never actually logged in to the server, so I found this strange. When I logged into one of the workstations with network user it does in fact create a home folder. But I noticed the home folders on the server are actually available as a shared folder to the users even though they are not listed in file sharing in the server app.

To me the whole thing is a bit strange and I originally thought about using the "None - Service Accounts Only" option but then could not figure out how to create a home folder for the users on the clients.

Anyhow, your tip about the user setup was interesting to me and I am definitely awaiting your second book.

Reid Bundonis

  • Administrator
  • Full Member
  • *****
  • Posts: 107
Re: book really helped - looking forward to the 2nd one
« Reply #3 on: March 10, 2014, 08:36:52 AM »
Yep.  The Local Only option does not sit well with me.  I dislike the fact that the user ends up with a valid home folder on the server's boot volume.  This is why I tend to start with None - Services only and then add the required attributes should I need to support mobile homes.

Server provides three basic account types.  There is the None - Services only, mobile accounts, and network home accounts.  (There are a number of variations but for simplicity, we will start with three.)

The None - Services only is intended to be used for accounts that access the server but may not be tied into it.  An example might be customer FTP accounts or environments in which you are not supporting single sign on.  The user account on the Mac may not match the user account on the server.  Example might be John Smith has a Mac and he is the only account on the Mac.  His short name on the Mac is johnsmith but on the server it is jsmith.

Mobile accounts are intended to allow a bound Mac to find authentication information in a directory domain.  This works very similarly for AD and OD.  The idea is that you bind your Mac to the domain so you have access to the users on the system.  Then, as long as the account is defined as a mobile account (can be done in Workgroup Manager or through Profile Manager) and the account has a valid home folder path, the user will be able to log into a Mac using Domain credentials.  A home folder is created on the local Mac and the association with the domain is for authentication and management.

Network home folders are a variant of mobile in many ways.  The difference is that the home folder is on a network volume.  This provides great flexibility in schools where resource sharing is occurring, i.e. a cart of MacBooks is shared across 6 classes.  Students grab any device and log in to their network home.  Next time she comes to class it does not matter which device she uses.

I made good progress this weekend on the users and groups section :)  Thinking about releasing the book incomplete and adding chapters as I go.

Francesco DellaPorta

  • Newbie
  • *
  • Posts: 14
Hi everyone

Please let me try to add something more to this post (just renamed).

Server.app provides three Home Folder options when creating network accounts: none, local-only, user-folder. Let me detail.

None - Services Only: As perfectly explained by Reid, this option is intended for network accounts that wish to use services offered by the OS X Server. Those users need to authenticate with valid credentials (user, password) in order to be authorized to access the offered services (Calendar, Contacts, etc). By choosing this option no user home folder will be created.

Local Only: This default option creates (and eventually shares) a home folder on the server. As misleading as it may seem, Local Only means local to the server, not the Mac client. Authentication and authorization is given and mandatory.

User home folder: Provided that a shared folder has been enabled, this option allows assigning a user a home folder via the server. The user can log in to the Mac client using the credentials stored on the server. The user's home folder may be on the server as with the Local Only option; however, more often it is intended for another drive or network location.

Reference: Server.app > Help > Server Help > Choose a user's home folder location

anog

  • Newbie
  • *
  • Posts: 6
Re: book really helped - looking forward to the 2nd one
« Reply #5 on: March 24, 2014, 01:45:52 PM »
If the outcome of this is that Apple did a VERY poor job of explaining this, I completely agree.  But it gets worse and saying there are JUST these options glosses over things.  For example, in some cases, if a user HAS an account on the server, but NOT an account on the Mac client connected to that server, and the user attempts to log on to that Mac client without their account, an account will be created, at least for that session. It also may delete when the user logs out, if set up that way.

Then there are "mobile" users.  I guess the idea was to provide duplicate accounts on the server and client, and when the client is in contact with the server it will "sync," otherwise the client will run stand-alone.  I guess great idea in concept, and VERY BAD in reality.  Apple is really to blame here because they give you the impression that this works. It doesn't.  In fact, I feel with many of these login scenarios, Apple just created these things, but never bothered to actually test them in real situations.

I CAN tell you mobile sync is BAD and it doesn't take long before messed up syncs cause things to go out-of-sync, and you're hosed.  And the Local Home Folder without sync isn't much better. Many applications WON'T write to a network drive, even if Apple makes it "look" like a local drive. Many times, settings just don't "stick."

I always have to laugh when I read how Apple is aiming OS X Server at the "small business user" when I see these features that no small business in their right mind is ever going to take the time to figure out, and no enterprise is going to use, because Apple has such a poor track record of getting these features to work correctly.