[Network Administration]: OS X and Mobile Accounts

I have both Ubuntu and Linux machines. One of the goals is to have access to all of the same information regardless of where I log in, and to have it transparent to the machine that I’m actually using.
When I create new users, I typically create a very basic user directory. Essentially, it’s a skeletal unix home directory. It looks something like this:

[shannon:filer-01/volume1/accounts] % ls -laR user1
total 36
drwsr-s---  3 user1  users  4096 Mar 14 10:59 .
drwxr-x---  9 admin  users  4096 Mar 14 10:52 ..
-rw-------  1 user1  users   220 Mar 14 10:52 .bash_logout
-rw-------  1 user1  users  3103 Mar 14 10:52 .bashrc
-rw-------  1 user1  users    63 Mar 14 10:52 .csh_aliases
-rw-------  1 user1  users   449 Mar 14 10:52 .cshrc
-rw-------  1 user1  users   675 Mar 14 10:52 .profile
drwx------  2 user1  users  4096 Mar 14 10:52 Desktop

I have these home directories stored on my Synology NAS filer on the network. With this directory structure, I can log into a Linux machine from the command line and also su into my user account on the OS X machines. Both my Linux accounts and my OS X accounts use the same Desktop (they share the same empty Desktop directory shown above). The home directory locations are looked up from the user account entries in the LDAP directory that was set up earlier. The relevant entries are:

homeDirectory: /home/user1
apple-user-homeurl: nfs://home-filer/accounts/user1

The home directory is listed as /home/user1. This is the entry that the Linux machines use, and OS X also uses it as the path on the local filesystem to reach the home directory; in the LDAP mappings in Directory Utility it maps to NFSHomeDirectory. The second entry, apple-user-homeurl, is only used by OS X. It is a URL that specifies the home directory; in the entry above it says to connect over NFS and gives the path. We’ll get to that in a little bit. The specified home directories don’t exist on the local machines. We want to centralize them so that they are available on any of the machines we log into, and the automounter takes care of that for us: it pulls the exported location from the LDAP directory. The corresponding entry in the directory is:

dn: cn=*,ou=auto_home,ou=autofs,ou=daemon,dc=example,dc=com
cn: *
objectClass: automount
automountInformation: -fstype=nfs,rw,atime,sync,hard,intr filer-01:/volume1/accounts/&

This entry will cause the automounter to mount the home directory for user1 at /home/user1 over NFS (the automounter substitutes the map key, the user name, for the & in the entry). The first time I log into the OS X machine it creates the rest of the home directory that it needs. At this point I can log in to any OS X or Linux machine and have access to my home directory, and I’m considered to have a Network Account.
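To make the wildcard expansion concrete, here is an added example (not code from the original post) that parses the automountInformation value of the cn=* entry, substitutes the user name for &, and checks that the result agrees with the user's homeDirectory and apple-user-homeurl attributes. The two records are constructed from the LDIF shown in the post; the mount line it prints only illustrates what the automounter does for you.

```python
"""Expand an LDAP autofs wildcard map entry the way the automounter does.

Added example (not code from the original post). It parses the
automountInformation value of the cn=* entry under ou=auto_home, substitutes
the map key (the user name) for '&', and checks the result against the user's
homeDirectory and apple-user-homeurl attributes. Both records below are
constructed from the LDIF shown in the post.
"""
from urllib.parse import urlparse

# Constructed sample records, one dict per LDAP entry.
AUTOFS_ENTRY = {
    "dn": "cn=*,ou=auto_home,ou=autofs,ou=daemon,dc=example,dc=com",
    "cn": "*",
    "objectClass": "automount",
    "automountInformation": "-fstype=nfs,rw,atime,sync,hard,intr filer-01:/volume1/accounts/&",
}
USER_ENTRY = {
    "uid": "user1",
    "homeDirectory": "/home/user1",
    "apple-user-homeurl": "nfs://home-filer/accounts/user1",
}


def parse_automount_information(info):
    """Split 'automountInformation' into (options, server, export path).

    The value uses the classic Sun map format: an optional leading
    '-opt,opt=value,...' list followed by 'server:/export'.
    """
    fields = info.split(None, 1)
    if len(fields) == 2 and fields[0].startswith("-"):
        raw_opts, location = fields[0][1:], fields[1]
    else:
        raw_opts, location = "", info.strip()
    options = {}
    for opt in filter(None, raw_opts.split(",")):
        key, _, value = opt.partition("=")
        options[key] = value if value else True  # bare flags such as 'hard'
    server, sep, export = location.partition(":")
    if not sep:
        raise ValueError(f"no 'server:/path' in automount entry: {info!r}")
    return options, server, export


def expand_wildcard(info, key, mount_base="/home"):
    """Resolve the cn=* entry for one map key: every '&' becomes the key."""
    options, server, export = parse_automount_information(info)
    return {
        "mountpoint": f"{mount_base}/{key}",
        "server": server,
        "export": export.replace("&", key),
        "options": options,
    }


def check_home_consistency(user, autofs_entry, mount_base="/home"):
    """Return a list of problems; an empty list means the attributes agree."""
    problems = []
    key = user["uid"]
    mount = expand_wildcard(autofs_entry["automountInformation"], key, mount_base)
    if mount["options"].get("fstype") != "nfs":
        problems.append("automount entry is not fstype=nfs")
    if user.get("homeDirectory") != mount["mountpoint"]:
        problems.append(
            f"homeDirectory {user.get('homeDirectory')!r} does not match "
            f"automount point {mount['mountpoint']!r}"
        )
    url = urlparse(user.get("apple-user-homeurl", ""))
    if url.scheme != "nfs":
        problems.append("apple-user-homeurl is not an nfs:// URL")
    if url.path.rstrip("/").rsplit("/", 1)[-1] != key:
        problems.append("apple-user-homeurl does not end in the user's own directory")
    return problems


if __name__ == "__main__":
    m = expand_wildcard(AUTOFS_ENTRY["automountInformation"], USER_ENTRY["uid"])
    # fstype selects the mount type; the remaining options go to -o.
    opts = ",".join(k if v is True else f"{k}={v}"
                    for k, v in m["options"].items() if k != "fstype")
    print(f"mount -t nfs -o {opts} {m['server']}:{m['export']} {m['mountpoint']}")
    print("problems:", check_home_consistency(USER_ENTRY, AUTOFS_ENTRY) or "none")
```

The consistency check deliberately does not compare the NFS URL's host and path with the autofs export, because the post's NAS is reached as home-filer in the URL and filer-01 in the map; it only verifies that the URL is nfs://, that it ends in the user's own directory, and that homeDirectory is exactly the automount point.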
This all works well as long as I’m on the network. The problem is what happens when I’m not on the network. One of the OS X machines that I have is a MacBook Pro, and I want to be able to use it when I’m out and don’t have access to all of the resources at home. For this, OS X has an account type called a mobile account. A mobile account essentially creates a local account on the machine that is mirrored to the network account. When the machine is on the network, the local account is synchronized with the network account, keeping the two in line. Part of this is the creation of a local home directory in local storage that can be synchronized with the network home directory. Apple calls this a Portable Home Directory, or PHD.

There are two ways I’ve found to create a mobile account out of the network account in this network setup.

  • The first is to log into the machine as the network user. In System Preferences, Users & Groups, the network users should be listed. Once the user is authenticated as an administrator to the system, the button to create a mobile account should be available. There are some options regarding the synchronization frequency and which directories to synchronize.
    Mobile Account Creation Dialog Box

    Clicking on Create will cause the user to log out and create a local directory for the user to use. At this point, the user’s home directory is located at the default local home directory location, typically /Users/user1. During synchronization, the machine will mount the network home directory and then synchronize any changes between the two. Unfortunately, I have not been able to use System Preferences to alter the synchronization settings for the mobile account after creation. The settings are stored as a plist, so editing that file would allow them to be changed after the fact.
  • The second is to use the createmobileaccount script from the command line.
    taylor:~ admin$ sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -X -s -v -n user1
    createmobileaccount built Oct 23 2015 21:47:59
    verbose output on.
    user name = "user1"
    home path = "(null)"
    user password = "(null)"
    prompt for password = FALSE
    encrypt new home = FALSE
    create as external account = FALSE
    home sync new account = TRUE
    effective home path = /Users/user1
    
    Mobile account record:
            dsAttrTypeStandard:RealName = "First USer"
            dsAttrTypeStandard:RecordName = "user1"
            dsAttrTypeStandard:GeneratedUID = "1000x"
            dsAttrTypeStandard:UniqueID = "1000x"
            dsAttrTypeStandard:PrimaryGroupID = "1000x"
            dsAttrTypeStandard:NFSHomeDirectory = "/Users/user1"
            dsAttrTypeStandard:OriginalNFSHomeDirectory = "/home/user1"
    

There are some hiccups with it. When the machine is rebooted and the user logs in, the machine will create the local space and set up the user. At this point the machine should try to sync, but it doesn’t. I need to add the HomeSync menu item to the menu bar to get the machine to start syncing the home directory. It can be added by clicking on /System/Library/CoreServices/MenuExtras/HomeSync.

By default, the machine should now sync the home directory at every login and logout, and every 20 minutes in between.

I did have an issue at first where only manual synchronization worked, and the automatic synchronization always failed with an error specifying:

 0:: [16/03/19 13:44:13.181] EXCEPTION: NilPtr 
 0:: [16/03/19 13:44:13.181] BACKTRACE: {
 0:: [16/03/19 13:44:13.181] ? | 0x10da00d81   
 0:: [16/03/19 13:44:13.181] ? | 0x10d994658   
 0:: [16/03/19 13:44:13.181] ? | 0x10d993ca2   
 0:: [16/03/19 13:44:13.181] ? | 0x10d9933ba   
 0:: [16/03/19 13:44:13.181] ? | 0x7fff90bedc6f
 0:: [16/03/19 13:44:13.181] ? | 0x7fff9439ec13
 0:: [16/03/19 13:44:13.181] ? | 0x7fff9439eb90
 0:: [16/03/19 13:44:13.181] ? | 0x7fff9439c375
 0:: [16/03/19 13:44:13.181] }
 1:: [16/03/19 13:44:13.182] Peer "network" is unable to sync. (-[SPeer_FS_PHD mountPeerVolume] (Peer-FS-PHD.m:142): "'((homePath))' is nil")
 0:: [16/03/19 13:44:13.182] Peer "network" is unable to sync. Not enough peers will be available to continue syncing.
 0:: [16/03/19 13:44:13.182] Aborting sync of "HomeSync_Mirror".
 1:: [16/03/19 13:44:13.182] -[SPeer abortSync] "local"
 1:: [16/03/19 13:44:13.185] -[SStore_FS setupWithAlias:andRef:] (Store-FS.m:447): unlink('/Users/user1/.FileSync/.fstemp.JHyEzlmFfjD-t.3Fx-XkvE6.noindex')
 0:: [16/03/19 13:44:13.186] EXCEPTION: !IF 
 0:: [16/03/19 13:44:13.186] BACKTRACE: {
 0:: [16/03/19 13:44:13.186] ? | 0x10d993d65   
 0:: [16/03/19 13:44:13.186] ? | 0x10d9933ba   
 0:: [16/03/19 13:44:13.186] ? | 0x7fff90bedc6f
 0:: [16/03/19 13:44:13.186] ? | 0x7fff9439ec13
 0:: [16/03/19 13:44:13.186] ? | 0x7fff9439eb90
 0:: [16/03/19 13:44:13.186] ? | 0x7fff9439c375
 0:: [16/03/19 13:44:13.186] }
 1:: [16/03/19 13:44:13.263] -[SStore_FS deleteStateTreeTurdFile] (Store-FS.m:476): unlink('/Users/user1/.FileSync/store.filesyncstatetree.statetree_dirty')
 1:: [16/03/19 13:44:13.264] Peer "local" is unable to sync. (-[SPeer(protected) doPrepareForSyncWithResolvedConflicts:] (Peer.m:1146): "'(([self checkAbort]))'")
 0:: [16/03/19 13:44:13.264] Peer "local" is unable to sync. Not enough peers will be available to continue syncing.
 1:: [16/03/19 13:44:13.264] EXCEPTION: SFAbortedException 
 1:: [16/03/19 13:44:13.264] -[SSyncEngine threadMain_SyncEngine_sync:]: sync failed with exception "-[SSyncEngine _waitForPeers:] (SyncEngine.m:1909): "'(_abort)'"".
 0:: [16/03/19 13:44:13.298] Sync of "HomeSync_Mirror" encountered errors. (-[SPeer_FS_PHD mountPeerVolume] (Peer-FS-PHD.m:142): "'((homePath))' is nil")

This (specifically, the part about “((homePath)) is nil”) was because the homeDirectory attribute in the OpenDirectory mapping was not set, causing, I believe, the originalHomeDirectory attribute in the local account to not be set. It appears that the attributes homeDirectory and NFSHomeDirectory in the network LDAP directory are converted to the attributes originalHomeDirectory and originalNFSHomeDirectory in the mobile account – probably to keep track of the synchronization peer directly from the network account. Greg Neagle has a post here about the issue with the home path set to nil.

If you want a dump of your account details, you can use:

/usr/bin/dscl . read /Users/user1
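The same check can be automated. The following is an added example (not code from the original post): it parses `dscl . read` output of the kind the command above prints, verifies that the local mobile account still carries the OriginalNFSHomeDirectory attribute pointing back at the network home, and scans HomeSync log lines (the ones quoted earlier) for the peer that reported a nil homePath. The dscl text is constructed, with the UniqueID and PrimaryGroupID values made up; the attribute names are the ones shown in the createmobileaccount record.

```python
"""Diagnose a mobile account whose HomeSync fails with "homePath is nil".

Added example (not code from the original post). It parses the output of
`dscl . read /Users/<name>` as constructed below, checks that the local
mobile account still carries the Original*HomeDirectory attribute that points
back at the network home, and scans HomeSync log lines (the ones quoted in
the post) for the peer that could not mount its volume.
"""
import re

# Constructed dscl output for a mobile account that lost its network home
# attribute: OriginalNFSHomeDirectory is missing. Names follow the record
# printed by createmobileaccount in the post; the numeric ids are made up.
DSCL_BROKEN = """\
RecordName: user1
RealName:
 First USer
NFSHomeDirectory: /Users/user1
UniqueID: 1000
PrimaryGroupID: 1000
"""

# Same account with the attribute present (the healthy case).
DSCL_OK = DSCL_BROKEN + "OriginalNFSHomeDirectory: /home/user1\n"

# HomeSync log lines quoted in the post.
HOMESYNC_LOG = [
    ' 1:: [16/03/19 13:44:13.182] Peer "network" is unable to sync. (-[SPeer_FS_PHD mountPeerVolume] (Peer-FS-PHD.m:142): "\'((homePath))\' is nil")',
    ' 0:: [16/03/19 13:44:13.182] Peer "network" is unable to sync. Not enough peers will be available to continue syncing.',
    ' 0:: [16/03/19 13:44:13.182] Aborting sync of "HomeSync_Mirror".',
    ' 1:: [16/03/19 13:44:13.264] Peer "local" is unable to sync. (-[SPeer(protected) doPrepareForSyncWithResolvedConflicts:] (Peer.m:1146): "\'(([self checkAbort]))\'")',
]

REQUIRED_ATTRS = ("NFSHomeDirectory", "OriginalNFSHomeDirectory")


def parse_dscl_record(text):
    """Turn dscl's 'Attr: value' / 'Attr:' + indented value output into a dict."""
    attrs = {}
    current = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            # Continuation line: dscl prints values containing spaces (and
            # multi-valued attributes) on indented lines under a bare 'Attr:'.
            attrs[current] = (attrs[current] + " " + line.strip()).strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            attrs[current] = value.strip()
    return attrs


# Matches: Peer "network" is unable to sync. ... "'((homePath))' is nil"
NIL_RE = re.compile(
    r'Peer "(?P<peer>[^"]+)" is unable to sync\..*?\'\(\((?P<expr>[^)]+)\)\)\' is nil'
)


def find_nil_peers(log_lines):
    """Return (peer, expression) pairs for every '... is nil' sync failure."""
    hits = []
    for line in log_lines:
        m = NIL_RE.search(line)
        if m:
            hits.append((m.group("peer"), m.group("expr")))
    return hits


def diagnose(dscl_text, log_lines):
    """Combine the record check and the log scan into a list of findings."""
    findings = []
    attrs = parse_dscl_record(dscl_text)
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            findings.append(f"mobile account record lacks {name}")
    for peer, expr in find_nil_peers(log_lines):
        findings.append(f'HomeSync peer "{peer}" failed: {expr} is nil')
    # The post's diagnosis: both symptoms together point at the LDAP mapping.
    if any("OriginalNFSHomeDirectory" in f for f in findings) and \
       any("homePath is nil" in f for f in findings):
        findings.append("likely cause: homeDirectory not mapped in the directory "
                        "attribute mappings when the mobile account was created")
    return findings


if __name__ == "__main__":
    for label, record in (("ok", DSCL_OK), ("broken", DSCL_BROKEN)):
        print(label, diagnose(record, HOMESYNC_LOG) or ["no findings"])
```

Run on a real machine by feeding `diagnose()` the captured output of `dscl . read /Users/user1` and the lines from the HomeSync log; a record that lacks OriginalNFSHomeDirectory together with a "homePath is nil" peer failure reproduces the situation described above.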