Setting Up Home Folders and Share Points for Windows Accounts


Once the user accounts are set up and the Windows pane is filled out accordingly, you'll want to set up share points for Windows users to access. Before doing so, you should examine exactly what is involved in setting up a share point for Windows access.

Identifying Windows vs. Macintosh User Account Requirements

When dealing with Windows users, the requirements for a user experience similar to that of Mac OS X are varied. This is because each operating system handles restrictions and permissions in slightly different fashions. It is important to understand that Mac OS X does not contain all of the same attributes as Active Directory. You cannot expect Windows users to have the same user experience with an account that resides on Mac OS X Server compared to an account that resides on Microsoft Active Directory.

For example, Mac OS X Server uses a generated unique ID to identify every user, and Microsoft uses what is known as a Secure ID (SID). Mac OS X uses MCX information to control the user experience, while Microsoft controls the user experience differently. The basic requirements for both users are as follows:

  • Long name

  • Short name

  • Password location and type

  • Home directory location

  • Home directory local mount point

  • Unique value (UUID and SID)

Enabling SMB Services on Mac OS X Server

In order to plan and create share points that Windows users can access, you must use Server Admin to start the Windows SMB service and then use Workgroup Manager to enable the share points.

Before starting the Windows service, you should be aware of the ways in which Mac OS X Server can provide Windows services. Mac OS X Server can be a

  • Standalone server, which just allows for file and print services.

  • Domain member, which allows for file and print services and also permits the hosting of profiles and home directories. It does not provide authentication but defers that to another server. The Mac OS X Server must know about a PDC prior to becoming a domain member.

  • PDC, which allows for file and print services, hosts profiles and home directories, and provides authentication services. The Mac OS X Server must be an Open Directory Master prior to becoming a PDC.

  • Backup Domain Controller (BDC), which allows file and print services, hosts profiles and home directories, and is a backup for authentication services on the PDC. The Mac OS X Server must be an Open Directory Replica prior to becoming a BDC.

Each of those options is available in the Windows service Settings pane.

Addressing Security Policies with Windows Accounts

Once you choose a role for your server, you can then choose the authentication methods for your Windows computers. Older versions of Windows require less secure authentication methods, while newer versions can take advantage of Kerberos. LAN Manager is the authentication method used for Windows 95. Any version of Windows later than Windows 95 but prior to Windows 2000 uses NTLMv1. Starting with Windows 2000, NTLMv2 and Kerberos are used for authentication.

Note

It is important that you discuss the options surrounding the Windows service settings with your network administrator and Windows administrator. Mac OS X Server can overtake or conflict with settings on Windows servers, so careful planning and discussion should take place prior to enabling the Windows service on Mac OS X Server.


The choices to allow different authentication methods and to allow guest access are made in the Access pane.

Note

The authentication methods used when accessing share points over SMB should be similar to the global password policies established prior to creating Windows users. Keeping the authentication methods similar will reduce the chance of Windows users using insecure authentication methods.


The Advanced pane of the Settings for Windows services should be reviewed after the role for the server has been set, because certain roles alter the settings available in the Advanced pane. For example, choosing to make your server a PDC will automatically set it up as a Workgroup Master Browser and Domain Master Browser.

Other options include setting up the Mac OS X Server as a Windows Internet Naming Service (WINS) server or connecting it to an existing one. For more information on the various permutations possible, please refer to documentation from the Samba group at www.samba.org.

Enabling a Share Point Using SMB

Once the Windows service has been properly set up and started, you can choose which share points you want to enable for your Windows users. It is preferable to plan your share points in advance, to avoid nested share points, which can lead to issues when users access them. It is also important to decide how your share points will be shared and which protocol will be used. Sharing a single share point over multiple protocols can lead to access-related issues, especially when file-system access control is enabled.

Understanding SMB Permissions

When a share point is created, it is automatically enabled over three protocols: AFP, SMB, and FTP. The default SMB permissions for a share point are shown in the figure below.

As you can see, guest access is on, and the share point is automatically shared. Even though guest access is on for the share point, if you have not allowed guest access for the Windows service as a whole, no one can connect as a guest. In other words, both check boxes must be checked to allow guest access.

You also have the option of changing the name under which the share point appears to Windows users. The share point name could be TPS_Reports, as in the preceding figure, but could be presented as Cover_Letter_Required, as in the figure below:

Make sure that you follow any changes you make by clicking the Save button to write the changes to the configuration file(s).

More Info

You can also use the sharing command-line tool to set up and manage share points on Mac OS X Server.


Using File Locking on SMB Share Points

Once a share point is enabled, the next step is to decide how to manage the permissions for that share point. SMB is not UNIX; therefore, the default permissions are slightly different. As seen in the preceding figure, the default SMB permissions for a share point are to inherit the permissions from the parent share point. You can change this to automatically assign permissions for the owner, the associated group, and everyone else.

You also have the option of setting file-system access controls, which further expand the options for the user. For more information on file-system access controls (ACLs), refer to Apple Training Series: Mac OS X Server Essentials and Apple Training Series: Mac OS X System Administration Reference, Volume 1.

Finally, you can enable locking on the share point. Locking prevents others from working with files inside the share point that a specific user has open. The "Enable strict locking" box is selected by default and disallows simultaneous access to a file over different protocols. The "Enable oplocks" option allows computers running Windows to ask Mac OS X Server whether they may cache portions of a file on their local system. This feature is beneficial because the Samba service running on Mac OS X Server is the one responsible for permitting access to the clients, so it can revoke the cached copy when another client needs the file.

Note

You should not enable oplocks if you are sharing over any protocol other than SMB.
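The authentication and locking settings above map onto Samba's smb.conf parameters. The following Python audit script is an added example, not from the book or from Apple or Samba: it reads a constructed smb.conf and flags the weak choices discussed in this chapter (LAN Manager or NTLMv1 allowed, guest access effective because both the service and the share permit it, strict locking switched off, and oplocks enabled on a path that is also shared over AFP). The `AFP_PATHS` set is a constructed stand-in for the AFP share list, which Samba itself does not know about.

```python
"""Audit a Samba smb.conf for the Windows-service settings discussed above."""
import configparser
import io

# Constructed sample configuration; not taken from the book or any real server.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = user
    lanman auth = yes
    ntlm auth = yes
    map to guest = Bad User

[TPS_Reports]
    path = /Shared Items/TPS_Reports
    guest ok = yes
    strict locking = no
    oplocks = yes

[Archive]
    path = /Shared Items/Archive
    guest ok = no
    strict locking = yes
    oplocks = no
"""

# Constructed list of paths that are also exported over AFP (hypothetical input).
AFP_PATHS = {"/Shared Items/TPS_Reports"}


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text, afp_paths=frozenset()):
    """Return (section, finding) tuples for risky settings in an smb.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    if _yes(g.get("lanman auth", "no")):
        findings.append(("global", "lanman auth permits LAN Manager (Windows 95) authentication"))
    if _yes(g.get("ntlm auth", "no")):
        findings.append(("global", "ntlm auth permits NTLMv1; prefer NTLMv2 and Kerberos only"))
    # Samba's analogue of the two check boxes: the service-wide guest mapping
    # and the per-share 'guest ok' must both allow guests for access to work.
    guest_service_wide = g.get("map to guest", "Never").strip().lower() != "never"
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        if guest_service_wide and _yes(s.get("guest ok", "no")):
            findings.append((name, "guest access is effective (service and share both allow it)"))
        if s.get("strict locking", "yes").strip().lower() == "no":
            findings.append((name, "strict locking disabled; cross-protocol file access is unguarded"))
        if _yes(s.get("oplocks", "yes")) and s.get("path", "") in afp_paths:
            findings.append((name, "oplocks enabled on a path that is also shared over AFP"))
    return findings
```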

Apple Training Series: Mac OS X v10.4 System Administration Reference, Volume 2
ISBN: 0321423151
Year: 2006
Pages: 128
