Windows 7 clients with a server running Mac OS X 10.9 Mavericks
That’s the plan:
- Running Windows inside a VirtualBox VM on a MOSX host.
- Authentication via pGina.
- Mount homes via Folder redirection.
- Roll out via Deploy Studio.
- Rename machines by hand. Ugly. Any ideas on how to improve this are welcome.
VirtualBox
Install VirtualBox, then Windows 7 as the guest OS. Activate Windows (here using Multiple Activation Keys, MAKs). Set the time and date, or preferably a network time server, and make sure it works: it is not self-evident that this works inside a VM, and if it does not, it will break Kerberos communication. Updates, updates, updates. Oh combo update, where art thou?
Set the network adapter type in VirtualBox for this guest OS:
Making administration easier
Windows 7 blocks ping requests by default, making it invisible to some management tools – stupid. So we want to change that firewall rule as documented on this page.
We need to be able to log on as “administrator”. Configure it!
Configuring the client
Windows 7 and Mavericks do not work well together; the Samba version deployed by Apple is the problem here. Anyway, to fix this I followed the instructions in this post:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"LmCompatibilityLevel"=dword:1  - allow older LAN Manager style messages
"NoLmHash"=dword:0  - store the older, less secure LAN Manager encrypted password
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Netlogon\Parameters
"AllowNT4Crypto"=dword:1  - allow less secure encrypted passwords (the intermediate registry keys must be created if they do not exist)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
"RequireSecuritySignature"=dword:0  - don't require new message signatures
and set the LSA level (LAN Manager authentication level) accordingly.
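As an added example (not from the post), a PowerShell audit of the four values the post sets: it reports each against a hardened target value (NTLMv2 only, no LM hash stored, no NT4 crypto, SMB signing required; these targets are assumptions of this example, not Windows defaults) and, with -Restore, writes the targets back once the clients no longer talk to the Mavericks server. Run it on the Windows 7 client from an elevated prompt.

```powershell
# Added example, not from the original post: audit the four registry values the
# post weakens and report each against a hardened target. With -Restore, write
# the targets back. Run from an elevated PowerShell prompt on the client.
param([switch]$Restore)

# Weak is the value the post sets; Hardened is the target assumed by this example.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'LmCompatibilityLevel'; Weak = 1; Hardened = 3 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'NoLmHash'; Weak = 0; Hardened = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters';
       Name = 'AllowNT4Crypto'; Weak = 1; Hardened = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name = 'RequireSecuritySignature'; Weak = 0; Hardened = 1 }
)

foreach ($c in $checks) {
    # A missing key or value (e.g. the Policies\...\Netlogon key) yields $null.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { $current = '(not set)' } else { $current = $item.($c.Name) }

    if ($current -eq $c.Weak) { $state = 'WEAK' }
    elseif ($current -eq $c.Hardened) { $state = 'ok' }
    else { $state = 'other' }

    Write-Output ('{0,-26} current={1,-9} weak={2} hardened={3}  {4}' -f `
        $c.Name, $current, $c.Weak, $c.Hardened, $state)

    if ($Restore -and $current -ne $c.Hardened) {
        # Create the intermediate keys if the post's instructions left them absent.
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Hardened -Type DWord
        Write-Output ('  restored {0} to {1}' -f $c.Name, $c.Hardened)
    }
}
```

A reboot (or at least a new logon) is needed before the LSA values take effect.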
Authentication
With Microsoft's shift away from NT-style PDC technology in Windows 7, Mavericks will not allow Windows clients to "bind" to Apple's server software.
Instead we use pGina to authenticate users at the client. Caveat: Windows users cannot change their own password. Download and install it, choose the LDAP plugin for authentication, authorization and gateway, and configure:
I have set the plugin-order in pGina like this:
Mounting a user’s home from the mac server
This script is run on user login:
ECHO ON
REM Log the start of the script (>> appends; a single > would overwrite the earlier line)
ECHO %time% Skript laeuft fuer %USERNAME% >> C:\GymHerm\log.txt
REM Drop all existing network mappings, then map the user's home share as H:
net use * /delete /y
net use H: \\share\share\%USERNAME% /USER:%USERNAME%
REM Restart Explorer so the new drive shows up
taskkill /f /im explorer.exe
explorer.exe
ECHO %time% Skript lief fuer %USERNAME% >> C:\GymHerm\log.txt
REM pause keeps the console window open until a key is pressed
pause
Configure the machine to run a login script and enter the location/name of the script above. Run gpedit.msc and then:
Under XP this would work; Windows 7 is more careful about running login scripts, so we need to enable running scripts via the following setting. Navigate to system preferences -> User settings and configure:
Folder redirection as explained here, or here.
Setting the proxy for all users
I could not work out how to do this with registry keys or group policies, so I added some batch commands to the login script (see above):
ECHO ON
ECHO %time% Skript laeuft fuer %USERNAME% >> C:\GymHerm\log.txt
REM Proxy settings live in the per-user hive (HKCU), so they are written at login
setlocal
set SUBKEY=Software\Microsoft\Windows\CurrentVersion\Internet Settings
reg add "HKCU\%SUBKEY%" /f /v MigrateProxy /t REG_DWORD /d 0x1
reg add "HKCU\%SUBKEY%" /f /v ProxyEnable /t REG_DWORD /d 0x1
reg add "HKCU\%SUBKEY%" /f /v ProxyServer /t REG_SZ /d "172.16.80.2:8080"
REM Bypass the proxy for local addresses
reg add "HKCU\%SUBKEY%" /f /v ProxyOverride /t REG_SZ /d "<local>"
endlocal
REM Drop all existing network mappings, then map the user's home on the server as H:
net use * /delete /y
net use H: \\hermes\Users\Homes\%USERNAME% /USER:%USERNAME%
REM Restart Explorer so the new drive shows up
taskkill /f /im explorer.exe
explorer.exe
ECHO %time% Skript lief fuer %USERNAME% >> C:\GymHerm\log.txt
REM pause keeps the console window open until a key is pressed
pause
Note the code between setlocal … endlocal.
Last step: install software and printers.