Typical small Mac networks use peer-to-peer networking, which does not require or provide for levels of consistency. Within the College, Macintosh Network Login Services are provided by Linux servers running LDAP to provide user login authentication. The LDAP servers authenticate and authorise users to log in to the Mac and to connect to the Linux SAMBA servers providing users’ network home directories. This allows people to use the same username and password across all Macintoshes. The requirement is that the user has a valid account and the Macintosh is using Directory Services to authenticate login.
Mac OS X provides the capability for network home directories, which are mounted when a user logs in. In addition, locally developed software has the capability to populate “Favorite Servers” with all of the shares that a user has rights to.
Mac OS X contains all of the user settings within the Library folder in the home directory for each user. Logging into any “Directory Joined” Mac will present the user with their usual set of preferences, bookmarks, application settings, etc. In addition, a login script is run, which can be used to customise the environment. Currently this is only used to launch the DriveMapper application to dynamically populate “Favorite Servers” and redirect the user cache folder to the local hard drive. If a user logs into multiple workstations, then the last one logged out will be the winner in terms of changes saved. In general, logging into multiple workstations is to be avoided.
These machines use a local account only. Using portions of the Mac OS X “Mobile Home Directory” service, the user account is still authenticated against Directory Services. Updates to the user password, made via the Life Sciences Directory tool, will be passed to the laptop on connection to the College network. Laptops employing FileVault user directory encryption will be prompted to enter their old password to unlock and update their protected files.
It is best practice not to use administrative rights during normal operation, nor is it usual to grant users administrative rights to a standard workstation. Should circumstances warrant it, the chosen approach is to register for an admin account via: http://directory.lifesci.dundee.ac.uk/register/admin. This account is not available for login on Macs, but can be used to authenticate such admin tasks as non-standard application installs and application updates.
The scalable approach employed is as follows:
Within the College, Macintosh application deployments are associated with workstations rather than users. A full range of standard applications are packaged for remote deployment on College Macs. Requests for particular specialist application installs can usually be met within an agreed timescale. In some minority cases, typically where applications have been ported from Unix or Linux, application packaging and remote install cannot meet the requirements of the end user. Such cases are best handled by granting local admin access. Some self-contained applications can be installed with user-level access rights, to the user home directory, from a downloaded disk image or from /Users/Shared.
Typically the application will be installed into /Applications/ApplicationName. Sometimes the application likes to either write preferences or read background information from this folder or from the /System or /Library folders. The application should have set the permissions appropriately on installation, but sometimes it does not. While the best approach is to determine exactly which files need to be read or written to, often it is simply more expedient to allocate either Complete Control or at least read, write and execute to the Users Group on the local machine. This means that everyone who logs into the machine will have enough privileges to use the application. The downside is that they can also probably modify the application, but it is assumed that this will not be done maliciously.
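One way to see what a blanket grant on an application folder has actually exposed, as an added example that is not part of the original page or of the College's tooling: the shell functions below list every entry that group or other can write to, and flag the subset that is executable code. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an installed application folder after permissions
# have been loosened for the local users group.
# Usage: source this file, then run
#   audit_app_perms /Applications/ApplicationName

# List every file or directory that group or other can write to.
writable_entries() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# List regular files that group or other can write to AND that carry an
# execute bit. These are the files where "users can modify the
# application" means users can replace code that other users will run.
writable_executables() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Print a short report. Returns 0 when no executable is group/other
# writable, 1 when at least one is, 2 when the argument is not a directory.
audit_app_perms() {
    app_dir=$1
    [ -d "$app_dir" ] || { echo "not a directory: $app_dir" >&2; return 2; }

    total=$(writable_entries "$app_dir" | wc -l | tr -d ' ')
    exec_count=$(writable_executables "$app_dir" | wc -l | tr -d ' ')

    echo "group/other-writable entries: $total"
    echo "of which executable files:    $exec_count"
    writable_executables "$app_dir" | sed 's/^/  MODIFIABLE CODE: /'

    [ "$exec_count" -eq 0 ]
}
```

A result where only preference or data files are writable corresponds to the narrower grant the paragraph calls the best approach; any line marked MODIFIABLE CODE is the downside it describes.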
Only ever use the Life Sciences Directory password change facility to change your user account password. Whilst the Mac user account management “Change Password” reset will update your LSD password, it will not change other dependent services downstream of the LSD, particularly the SAMBA services that manage the home directories.