Check E1Suave's answer for some good starting points.
One extra tip I can give you from my personal experience is to (re)consider if you really need your clients to authenticate to the Open Directory (OD) at login.
The two reasons (I can think of) where you might want to do this are:
1. Network Home Folders
The home folder is automatically synced from and to the server, which can be very convenient when a user switches computers and still has access to his files.
The bad side(s): I found the syncing very buggy. Somehow conflicts would arise which needed manual intervention or the home folder would no longer be synced. Also, considering how easily you can use cloud services like Dropbox, Google Drive, etc. for the same purpose, I personally find the network home solution inferior to modern-day solutions.
Related to the above, my users relied too heavily on it, leaving them unable to work on files they modified at home because they didn't sync properly.
And finally, typically a user only works on one computer anyway. For files that should be available on the server for multiple users, you would set up network shares. Also, while the network home folder will not get mounted automatically on the client computer, it can still be made available as a network share for the user to manually put some personal files on there.
2. Restricting user permissions
This might be a valid reason to do OD authentication and it sure looked like a great idea to me at first. You can extensively configure permissions for your network users and computers in the Directory Admin tool.
The bad side(s): in the end we work in a very small environment with not that many users (and that's typically the environment where Mac OS X servers are used anyway), and setting up all these different permissions was too much of a nuisance for me, with no added benefit.
When you restrict a user, you need to make sure the extra support requests you will get because a user can't do something he needs to do at any given time, outweigh whatever mischief the user could/would do on his computer without these imposed restrictions. I personally only got support requests from the users with restricted access, users with a local admin account could do their work just fine without my intervention.
When you don't need directory authentication at login
Even if your users log in to their computer with a local account, they can still authenticate to file shares separately with their directory login (and save the credentials in their keychain). You can still use the directory to easily manage these users and their groups. I personally use the Mac OS X server for file sharing and VPN access, but when setting up a user's laptop, I just create him a local admin account on his machine.