
Fallwind (macrumors newbie, original poster), Sep 17, 2015

Hi there,



I am planning to set up an OS X server for my small business with 5 desktop clients.

I'm going to use it for file sharing, wiki server and maybe calendar/contacts.



After reading some docs and tutorials I think I am going for network accounts with 'services only'.

So I don't need to rely on the server to log into my clients. And mobile accounts seem to be a bit too complicated for me.



Now I am looking for some hints and tips, but I cannot find much for network accounts with the option 'services only' in the docs or on the internet.

Can you help me with that?



For instance - I'd like to know if there is any sense or advantage in giving the network account the same login name as for the local user on the client?

Another question is: Is there a way to 'globally' log into the network account from my client to use all services, or do I have to log in for each service separately, for example for file sharing or by setting up an account for the calendar or the contacts?

Is the profile manager of any help with network accounts 'service only'?



Thanks for any help with network accounts 'service only', hints or links...

cm
 

ocabj (macrumors 6502a), Jul 2, 2009

It's going to be easier to step back a bit and think about all of this from a general context and not Apple/Mac specific.

You're running a server. The server is going to run services that users can access. The services require authentication/authorization.

You're going to create user accounts in some sort of database on the server.

You're going to grant access to services to those users in your user database.

I'd like to know if there is any sense or advantage in giving the network account the same login name as for the local user on the client?

This depends on how integrated the client is with the server. My local username has no relation to my Google Mail username. I authenticate to Google Mail using a browser session or IMAP client with a different user name and password.

But in an Active Directory environment with a Windows Server and Windows desktops joined to the domain, users can get Single Sign On with MS specific services by logging into their workstation with their domain username/password and then accessing something like Sharepoint in the domain.

Now stepping into the Mac specific realm, Mac OS X Server uses Open Directory for both its internal user database as well as the user database for services running on the Server itself.

What "network services only" means is that a user in Open Directory won't have access to the server console itself (either at keyboard or via SSH) and their user object in Open Directory is used for authentication and authorization for services such as file sharing.

Is there a way to 'globally' log into the network account from my client to use all services or do I have to login for each service separately for example for filesharing or by setting ab an account for the calendar or the contacts?

Single Sign On is dependent on the services themselves. Even if they all use the same user store for authentication/authorization, how they interface with the user store will determine SSO.
 

Fallwind (macrumors newbie, original poster), Sep 17, 2015

@ocabj
Thank you very much for the interesting remarks.
If I understand correctly: Using the same login and password for the local client account and the 'network services only' account does not induce a 'single sign on' for the network services when logging into my client computer?

So concretely asked: how do I implement Single Sign On with OS X Server and 'network services only' accounts?


Thanks again
Fallwind
 

marzer (macrumors 65816, Colorado), Nov 14, 2009

By default a network sign on is a single sign on. You can configure individual services to restrict users, but by default active services are enabled for all users (assuming you're in a single domain environment). Accounts created as "network services only" give authenticated access to user services without creating a home directory on the server computer.
 

Fallwind (macrumors newbie, original poster), Sep 17, 2015

@marzer
Sorry for asking again, but I'm not sure, if I understood correctly...
I understand, that I can configure individual services to restrict users.
I understand, that a network sign on is a single sign on.

But I simply don't know how to sign on for network accounts with 'services only':

With a normal account with home folder, it's easy: once I start my client computer and the login screen appears, I can enter my login and password and log into the server using my client computer.
With a 'services only' network account, I don't know when or how to log into the server: once I start my client computer and the login screen appears, I can enter my login and password BUT I will only log into my client computer.
I assume it's a very simple question so I hope anybody can help me.

Thanks
Fallwind
 

marzer (macrumors 65816, Colorado), Nov 14, 2009

With a "services only" account you login only as needed to access authenticated services. Connecting for file sharing, connecting for Time Machine backups, etc. In such cases the server will ask for authentication to connect, that's when you can authenticate with the appropriate "services only" account.
 

ocabj (macrumors 6502a), Jul 2, 2009

By default a network sign on is a single sign on.

In this context, it's only SSO for services that rely on the same authentication mechanism (e.g. Kerberos).

I could technically have a file share on the Mac Server that uses the Open Directory user store, but then have a web application that also uses the same Open Directory via mod_auth_ldap, but it won't be SSO.
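As an added illustration of ocabj's point (this script is not from the thread and not Apple's code): on a Mac client that is bound to the Open Directory server, the "single sign on" a services-only account gets is really a Kerberos ticket cache. Kerberized services (AFP/SMB file sharing, for instance) reuse the ticket-granting ticket obtained at login or with `kinit`; anything that authenticates by a plain LDAP bind, such as a web app behind mod_auth_ldap, prompts for the password again. The script below parses `klist`-style output to list which service principals already hold tickets. The realm `SERVER.EXAMPLE.COM`, the host name, the user `cm` and the sample `klist` text are all constructed placeholders; the parsing rule (last field of a ticket line is `service/host@REALM`) is an assumption that fits both Heimdal (macOS) and MIT `klist` output.

```shell
#!/bin/sh
# Added example, not from the thread: report which Kerberos tickets this
# client holds for the Open Directory realm. Services that accept Kerberos
# will SSO with these tickets; LDAP-bind services will not.

REALM="SERVER.EXAMPLE.COM"   # assumed OD Kerberos realm (placeholder)

# Read klist-style text on stdin; print one line per ticket in $REALM:
# "tgt" for the krbtgt/ entry, otherwise the service name (afpserver, cifs, ...).
sso_services_from_klist() {
    awk -v realm="$REALM" '
        # A ticket line ends in a principal that contains both "/" and "@".
        $NF ~ /\// && $NF ~ /@/ {
            split($NF, p, "@")
            if (p[2] != realm) next          # ignore tickets for other realms
            split(p[1], s, "/")
            name = (s[1] == "krbtgt") ? "tgt" : s[1]
            print name
        }'
}

# Returns 0 if a TGT for $REALM is present in the klist text passed as $1.
has_tgt() {
    printf '%s\n' "$1" | sso_services_from_klist | grep -qx tgt
}

# Returns 0 if a service ticket for service $1 (e.g. afpserver) is present in $2.
has_service_ticket() {
    printf '%s\n' "$2" | sso_services_from_klist | grep -qx "$1"
}

# Constructed sample of klist output after a kinit and one AFP mount.
# Names, dates and cache id are made up for this example.
SAMPLE_KLIST='Credentials cache: API:1234
        Principal: cm@SERVER.EXAMPLE.COM

  Issued                Expires               Principal
Sep 17 10:00:00 2015  Sep 17 20:00:00 2015  krbtgt/SERVER.EXAMPLE.COM@SERVER.EXAMPLE.COM
Sep 17 10:05:00 2015  Sep 17 20:00:00 2015  afpserver/server.example.com@SERVER.EXAMPLE.COM'

# On a real client: inspect the live ticket cache. If there is no TGT, the
# services-only account has not signed on yet; kinit obtains the ticket.
# (Skipped where klist is not installed.)
if command -v klist >/dev/null 2>&1; then
    live=$(klist 2>/dev/null || true)
    if has_tgt "$live"; then
        echo "TGT for $REALM present; services with tickets so far:"
        printf '%s\n' "$live" | sso_services_from_klist
    else
        echo "No TGT for $REALM; sign on with: kinit cm@$REALM"
    fi
fi
```

Run it in Terminal on the client after logging in with the local account: if `klist` shows no TGT, `kinit cm@SERVER.EXAMPLE.COM` (the services-only network account) obtains one, and subsequent connections to Kerberized services on the server stop prompting. A service that is missing from the list even after you have connected to it is one that authenticated some other way (a password dialog, an LDAP bind) and is therefore outside the SSO set.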
 

Fallwind (macrumors newbie, original poster), Sep 17, 2015

With a "services only" account you login only as needed to access authenticated services. Connecting for file sharing, connecting for Time Machine backups, etc. In such cases the server will ask for authentication to connect, that's when you can authenticate with the appropriate "services only" account.

Ok. So I just have to create a couple of login accounts on the client computer to use all the services like calendar, contacts, file sharing, etc.
But there is another question below...

In this context, it's only SSO for services that rely on the same authentication mechanism (e.g. Kerberos).

I could technically have a file share on the Mac Server that uses the Open Directory user store, but then have a web application that also uses the same Open Directory via mod_auth_ldap, but it won't be SSO.

What happens, if I open my system preferences on the client, go to users and groups and do an authenticated bind with the login and pass of the network account 'service only' I created on the server?
Does this help me to get some single sign on feature while using 'service only' network accounts?
 