Portable Home Directories without Open Directory

I’ve been working on getting Portable Home Directories (PHDs) working in our environment. We use a third-party LDAP server for network authentication, and NFS home directories that are automounted at boot (along with other NFS mounts). The goal is to have PHDs without having to make any changes to our LDAP servers or NFS servers.

The first step is to get the OS to create a mobile account for a given network account. A trip to the Accounts System Preference gives us that option (after admin authentication):

Accounts

This might be unintuitive. To create a mobile account without using Open Directory/Workgroup Manager/MCX, you log in on the local machine as the network user, check the appropriate box in the Accounts preferences, log out, and log back in as the network user. So how does the OS know to create a mobile account the next time you log in? It writes some info to /Library/Preferences/com.apple.loginwindow.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>LoginHook</key>
   <string>/private/etc/hooks/loginhook</string>
   <key>LogoutHook</key>
   <string>/private/etc/hooks/logouthook</string>
   <key>MCXLaunchOnLogout</key>
   <true/>
   <key>MCXLaunchOnUserLogout</key>
   <dict>
      <key>gneagle</key>
      <true/>
   </dict>
   <key>PowerOffDisabled</key>
   <false/>
   <key>RetriesUntilHint</key>
   <integer>0</integer>
   <key>SHOWFULLNAME</key>
   <true/>
   <key>lastUser</key>
   <string>loggedIn</string>
   <key>lastUserName</key>
   <string>gneagle</string>
   <key>lastUserUID</key>
   <integer>501</integer>
   <key>mobileAccountActions</key>
   <dict>
      <key>gneagle</key>
      <dict>
         <key>archiveDeletedHome</key>
         <integer>0</integer>
         <key>createAtLogin</key>
         <integer>1</integer>
         <key>deleteAtLogout</key>
         <integer>0</integer>
         <key>deleteHomeWithAccount</key>
         <integer>0</integer>
      </dict>
   </dict>
   <key>noPasswordKey</key>
   <false/>
</dict>
</plist>

The relevant key is mobileAccountActions. (Note that the same file also names the LoginHook and LogoutHook scripts, which loginwindow runs as root at every login and logout, so keep this file and those scripts owned by root and writable only by root.) You could write that same key using the defaults command, as root since the file lives in /Library/Preferences:


sudo defaults write /Library/Preferences/com.apple.loginwindow mobileAccountActions '{ gneagle = { archiveDeletedHome = 0; createAtLogin = 1; deleteAtLogout = 0; deleteHomeWithAccount = 0; }; }'
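One caveat with that one-liner: defaults write replaces the whole value of the key it is given, so on a machine with several mobile users it silently drops the entries already present for everyone else. Here is an added example (not code from the original post) that does the same job as a merge with Python's plistlib: read the file, add or update one user's entry, leave every other key (including the LoginHook/LogoutHook paths) untouched, and write it back. The starting plist is a constructed, trimmed copy of the one above; the second user name jdoe and the short-name validation are my assumptions, not something the post describes.

```python
"""Add one user's mobileAccountActions entry without clobbering the others.

Added example, not code from the original post. `defaults write` replaces the
whole value of the key it targets, so the one-liner above silently drops any
entries already present for other users; this merges instead. The starting
plist below is a constructed, trimmed copy of the one shown in the post.
"""
import plistlib
from pathlib import Path

LOGINWINDOW_PLIST = Path("/Library/Preferences/com.apple.loginwindow.plist")

# Values the post shows: 0/1 integers; createAtLogin=1 requests the account.
DEFAULT_ACTIONS = {
    "archiveDeletedHome": 0,
    "createAtLogin": 1,
    "deleteAtLogout": 0,
    "deleteHomeWithAccount": 0,
}

# Constructed sample: the post's plist, trimmed to the keys that matter here.
SAMPLE_PLIST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>LoginHook</key>
   <string>/private/etc/hooks/loginhook</string>
   <key>mobileAccountActions</key>
   <dict>
      <key>gneagle</key>
      <dict>
         <key>archiveDeletedHome</key>
         <integer>0</integer>
         <key>createAtLogin</key>
         <integer>1</integer>
         <key>deleteAtLogout</key>
         <integer>0</integer>
         <key>deleteHomeWithAccount</key>
         <integer>0</integer>
      </dict>
   </dict>
</dict>
</plist>
"""


def add_mobile_account_action(plist: dict, username: str, actions: dict = None) -> dict:
    """Return a copy of plist with mobileAccountActions[username] set; nothing else changes."""
    # The short name becomes a dictionary key that loginwindow trusts; reject junk early.
    if not username or "/" in username or username.startswith("."):
        raise ValueError(f"suspicious short name: {username!r}")
    actions = dict(DEFAULT_ACTIONS if actions is None else actions)
    unknown = set(actions) - set(DEFAULT_ACTIONS)
    if unknown:
        raise ValueError(f"unknown mobileAccountActions keys: {sorted(unknown)}")
    if any(v not in (0, 1) for v in actions.values()):
        raise ValueError("action values must be 0 or 1")
    merged = dict(plist)
    table = dict(merged.get("mobileAccountActions", {}))  # copy; never mutate the caller's dict
    table[username] = actions
    merged["mobileAccountActions"] = table
    return merged


def pending_mobile_accounts(plist: dict) -> list:
    """Short names that will be offered a mobile account at their next login."""
    table = plist.get("mobileAccountActions", {})
    return sorted(u for u, a in table.items() if a.get("createAtLogin") == 1)


def load_sample() -> dict:
    return plistlib.loads(SAMPLE_PLIST_XML)


def demo() -> dict:
    """Merge a second (hypothetical) user, jdoe, and round-trip through plistlib."""
    merged = add_mobile_account_action(load_sample(), "jdoe")
    return plistlib.loads(plistlib.dumps(merged))


def update_file(username: str, path: Path = LOGINWINDOW_PLIST) -> None:
    """Read-merge-write the real file; needs root. plistlib reads XML or binary plists.
    On current macOS, cfprefsd caches this domain, so prefer `defaults` over a direct write."""
    data = plistlib.loads(path.read_bytes())
    path.write_bytes(plistlib.dumps(add_mobile_account_action(data, username)))


if __name__ == "__main__":
    print(pending_mobile_accounts(demo()))  # ['gneagle', 'jdoe']
```

Run it as is to see the merge on the sample; call update_file("someuser") under sudo to apply it to the real file.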

At the next login with this account, you are presented with a dialog asking if you want to create a portable home directory:
PHD dialog

If you click yes, the mobile account is created and a local home folder is created.

The first time I tried this, I was disappointed that there was no initial sync of the home dir: instead I had an empty, default home dir. And the HomeSync menubar icon was nowhere to be found. Double-clicking /System/Library/CoreServices/Menu Extras/HomeSync.menu installed the menu item.

Clicking on the menu item gave me this:
HomeSync menu

Looks promising. Unfortunately, clicking on “Sync Home Now” resulted in this dialog:
Nothing to Sync

…and the “Configure” button in Accounts next to “Create mobile account” (which is where the “Home Sync Preferences…” menu item takes you) remained grayed out and inaccessible.

So to proceed we need to configure our sync preferences manually. These are controlled by ~/Library/Preferences/com.apple.HomeSync.plist (they can also be managed via MCX, but that’s outside this discussion). Another plist file, /System/Library/CoreServices/mcxd.app/Contents/Resources/CinchDefaults.plist, contains the system defaults. Based on it, I manually created a plist file to put in ~/Library/Preferences/com.apple.HomeSync.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>excludedItems</key>
   <array>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Documents/Microsoft User Data</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/.Trash</string>
      </dict>
   </array>
   <key>excludedPrefItems</key>
   <array>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Application Support/SyncServices</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Caches</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Icons</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Logs</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Preferences/ByHost</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Preferences/Macromedia/Flash Player</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Printers</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Safari/Icons</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>startsWith</string>
         <key>value</key>
         <string>Exchange-</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>startsWith</string>
         <key>value</key>
         <string>IMAP-</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>startsWith</string>
         <key>value</key>
         <string>Mac-</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Preferences/com.apple.iChatAgent.plist</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Preferences/com.apple.sidebarlists.plist</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Preferences/com.apple.systemuiserver.plist</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Preferences/loginwindow.plist</string>
      </dict>
   </array>
   <key>syncedFolders</key>
   <array>
      <dict>
         <key>path</key>
         <string>~</string>
      </dict>
   </array>
   <key>syncedPrefFolders</key>
   <array>
      <dict>
         <key>path</key>
         <string>~/Library</string>
      </dict>
      <dict>
         <key>path</key>
         <string>~/Documents/Microsoft User Data</string>
      </dict>
   </array>
</dict>
</plist>

Some things I’ve discovered:
There are four top-level keys that control what items are and are not synced:

  • excludedItems
  • excludedPrefItems
  • syncedFolders
  • syncedPrefFolders

syncedFolders is the list of folders that should be synced automatically in the background (or manually when you choose “Sync Home Now” from the HomeSync menu). Normally, this would be a single entry for “~”, which means the home folder of the current user.

excludedItems is a list of items to be excluded from the periodic or manual sync. I added ~/Documents/Microsoft User Data so that the Entourage database would not be synced while it was in use – instead we’ll sync it at login/logout. ~/Library is in this list for good reason. I do not recommend removing it. Instead use login/logout sync to sync Library items.

syncedPrefFolders — This one is named confusingly. It’s actually the list of folders to sync at login/logout. I imagine Apple was thinking that prefs should only be synced at login/logout, thus the name. I added ~/Documents/Microsoft User Data to this list so that the Entourage DB would sync at login/logout. You could also add “~” to this list if you wanted the rest of home to sync at login/logout.

excludedPrefItems — this is the list of exceptions for the login/logout sync. I removed ~/Library/Preferences/com.apple.dock.plist from this list because I wanted the Dock prefs to sync. I noticed that Apple had entries for items that start with “IMAP-” and “Mac-“: I presume these are to keep ~/Library/Mail/IMAP-* and ~/Library/Mail/Mac-* from syncing, as these also live on the appropriate mail servers, so there is no need to sync them to the network home. Following this lead, I added a corresponding entry for “Exchange-” so ~/Library/Mail/Exchange-* is not synced – for the same reason. This is probably the area that will have the most tweaking as you figure out what things should not be synced or do not need to be synced.

There’s one more relevant key that controls what is and is not synced, but it lives in a different file, /System/Library/CoreServices/mcxd.app/Contents/Resources/CinchDefaults.plist:


   <key>excludedAlways</key>
   <array>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Mirrors</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Logs/MirrorAgent.log</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/Library/Preferences/com.apple.homeSync.plist</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/.mcxlc</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/.Spotlight-V100</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/.TemporaryItems</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>fullPath</string>
         <key>value</key>
         <string>~/.Cleanup At Startup</string>
      </dict>
      <dict>
         <key>comparison</key>
         <string>startsWith</string>
         <key>value</key>
         <string>.afpDeleted</string>
      </dict>
   </array>

These items are never synced. Modify this list at your own risk.
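To make the interaction of these five lists concrete, here is an added example (not code from the post, and not Apple's HomeSync logic) that classifies a ~-relative path the way the post describes the rules: excludedAlways wins outright, syncedFolders minus excludedItems is the background / “Sync Home Now” set, and syncedPrefFolders minus excludedPrefItems is the login/logout set. The rule lists are trimmed copies of the plists above. Two points are my assumptions, not something the post states: a fullPath rule on a folder also covers everything beneath it, and a startsWith rule matches the name of any path component (which is how the post reads the IMAP- and Mac- entries).

```python
"""Classify a ~-relative path under HomeSync's sync and exclusion lists.

Added example; not code from the original post or from Apple. It models the
post's description of the four top-level com.apple.HomeSync.plist keys plus
excludedAlways from CinchDefaults.plist. Assumptions (mine): a fullPath rule on
a folder covers its contents; a startsWith rule matches any path component's
name. Paths are written ~-relative, exactly as the plist writes them.
"""


def rule(comparison: str, value: str) -> dict:
    return {"comparison": comparison, "value": value}


# Trimmed copy of the post's ~/Library/Preferences/com.apple.HomeSync.plist.
HOMESYNC_PREFS = {
    "syncedFolders": [{"path": "~"}],
    "excludedItems": [
        rule("fullPath", "~/Documents/Microsoft User Data"),
        rule("fullPath", "~/Library"),
        rule("fullPath", "~/.Trash"),
    ],
    "syncedPrefFolders": [
        {"path": "~/Library"},
        {"path": "~/Documents/Microsoft User Data"},
    ],
    "excludedPrefItems": [
        rule("fullPath", "~/Library/Caches"),
        rule("fullPath", "~/Library/Preferences/ByHost"),
        rule("startsWith", "Exchange-"),
        rule("startsWith", "IMAP-"),
        rule("startsWith", "Mac-"),
    ],
}

# From CinchDefaults.plist as quoted in the post (trimmed).
EXCLUDED_ALWAYS = [
    rule("fullPath", "~/Library/Mirrors"),
    rule("fullPath", "~/Library/Preferences/com.apple.homeSync.plist"),
    rule("fullPath", "~/.Spotlight-V100"),
    rule("startsWith", ".afpDeleted"),
]


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies beneath it (assumption: folders cover contents)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def matches(r: dict, path: str) -> bool:
    if r["comparison"] == "fullPath":
        return _under(path, r["value"])
    if r["comparison"] == "startsWith":
        # Assumption: any component name with that prefix; skip the leading "~".
        return any(part.startswith(r["value"]) for part in path.split("/")[1:])
    raise ValueError(f"unknown comparison {r['comparison']!r}")


def _in_set(path: str, folders: list, excludes: list) -> bool:
    inside = any(_under(path, f["path"]) for f in folders)
    return inside and not any(matches(r, path) for r in excludes)


def classify(path: str, prefs: dict = HOMESYNC_PREFS, always: list = EXCLUDED_ALWAYS) -> str:
    """'never' | 'background' | 'login/logout' | 'background+login/logout' | 'unsynced'."""
    if not path.startswith("~"):
        raise ValueError("use ~-relative paths, as the plist does")
    if any(matches(r, path) for r in always):
        return "never"  # excludedAlways: cannot be overridden from the user's plist
    modes = []
    if _in_set(path, prefs["syncedFolders"], prefs["excludedItems"]):
        modes.append("background")
    if _in_set(path, prefs["syncedPrefFolders"], prefs["excludedPrefItems"]):
        modes.append("login/logout")
    return "+".join(modes) or "unsynced"


def with_home_at_login(prefs: dict) -> dict:
    """The post's variant: add '~' to syncedPrefFolders so the rest of home also syncs at login/logout."""
    out = dict(prefs)
    out["syncedPrefFolders"] = prefs["syncedPrefFolders"] + [{"path": "~"}]
    return out


if __name__ == "__main__":
    for p in ("~/Documents/report.doc",
              "~/Library/Preferences/com.apple.dock.plist",
              "~/Library/Mail/Exchange-work/INBOX.mbox",
              "~/Library/Mirrors/x",
              "~/.Trash/old.txt"):
        print(f"{p:50} {classify(p)}")
```

Running it shows why ~/Library belongs in excludedItems: the Dock plist and the Entourage database land in the login/logout set only, mail caches with the IMAP-/Mac-/Exchange- prefixes sync nowhere, and the Mirrors folder is untouchable regardless of what the user's plist says. Swap in with_home_at_login(HOMESYNC_PREFS) to see ordinary documents move into both sets.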

Once there was a valid ~/Library/Preferences/com.apple.homeSync.plist file, the “Sync Home Now” item in the HomeSync menu started working:

Synchronizing

and automatic background syncing started working as well at the default interval of every 20 minutes. But login/logout syncing did not work – yet!

In my next post, I’ll continue the saga. I did get login/logout syncing working – and even figured out how to enable the “Configure” button for PHDs in the Accounts preference pane.


29 thoughts on “Portable Home Directories without Open Directory”

  1. Thanks for all the info! I added ~/.bash_history to my com.apple.HomeSync.plist excludedItems, since I do a lot of work from the command line on my various machines, and would like to keep the shell history local to each one, and avoid all the conflict warnings.

  2. One more interesting point: after an item is synced, if you have ACLs enabled on the target file system, ACLs are added to the synced file when it’s synced:

    original (on remote machine):
    bucky:~ bkoehn$ ls -le testsync
    -rw-r--r-- 1 bkoehn staff 39 Mar 28 08:41 testsync

    copy (on network home):
    fungo:~ bkoehn$ ls -le testsync
    -rw-r--r-- + 1 bkoehn staff 39 Mar 28 08:41 testsync
    0: user:bkoehn inherited allow read,write,execute,delete,append,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown

  3. Ben Coddington says:

    Very nice! Quick question — any ideas how to create mobile accounts on the fly from the loginwindow.plist setup, without having to have the network user login first, then change the account type to mobile?

    I tried wildcarding the user key

    mobileAccountActions

    *

    also tried
    mobileAccountActions

    $USER

    Maybe write a logon hook to modify the plist? Not sure about the order of execution — hooks before the plist is read.. Just thought you might know a bit more than I do about this..

    These posts are a huge help, thank you!

  4. I’m not sure what you’re asking – here’s what I do: I build the machine, then log in with an admin account and run a script that does this
    sudo defaults write /Library/Preferences/com.apple.loginwindow mobileAccountActions '{ $username = { archiveDeletedHome = 0; createAtLogin = 1; deleteAtLogout = 0; deleteHomeWithAccount = 0; }; }'
    It also creates a stub local home directory and copies in my default com.apple.homeSync.plist.
    The first time the user logs in, he/she is prompted to create a mobile account.

    If you mean, can you simply create the mobile account without the user having to click anything or agree to anything – I don’t think that is possible.

  5. I’m very interested in your LDAP setup. I’m currently trying to set up an OpenLDAP directory to hook my Apples up to but so far I haven’t been terribly lucky. I’m not sure if I need kerberos or not and the documentation out there is not exactly complete. Can you elaborate on your setup?

  6. Great talk at MacWorld!

    Is it possible to set up so that when a laptop user logs into a networked desktop they can log straight into their networked copy of their home without it asking if they want to create a PHD?

    In other words can some machines be set up to ask if the user wants to create a PHD and some be set up to never ask and just log in as if the person was a plain networked users?

  7. Thanks – I had a good experience speaking at Macworld. This was my first time.

    It’s absolutely possible to do what you want – assuming you are using MCX or Managed Preferences via Workgroup Manager, you want to manage Mobility by Computer List, not by User or Workgroup. If the preference is attached only to a Computer List, and that list contains all your laptops, then when the user logs into the laptop, he/she will be prompted to create a Portable Home/Mobile Account. When he or she logs into a desktop machine, which is presumably NOT in the Computer List that contains your laptops, they’ll just get the normal network home.

    -Greg

  8. One thing that’s confused me … the portable home is great if you have a user who’s always on a laptop, or a user who’s always on a network home drive. But realistically, I’ve got a laptop and a desktop; I want the desktop to always use the network drive, and a laptop to use the mobile syncing. Unfortunately, the setup seems to be on a per-user basis, rather than per-computer basis. Is there any way to configure it so that the same user can have a synced portable home directory on laptops but uses synced network directories on desktops?

  9. Alex – your scenario is addressed in the comment above yours! You don’t have to manage PHDs on a per-user basis – instead, manage them on a per-machine basis. Put all the laptops you’d like to have PHDs in a computer list, and manage mobility for that list of computers.

    -Greg

  10. Bahi Para says:

    And remember to remove the preferences assigned to users or user groups – in MCX, these will always override preferences assigned to computer lists; i.e., if a user logs in to a desktop and his account is set to use a PHD, he will get one. This will happen even if your desktop is in a computer group that has its Mobility preferences set to _never_ create PHDs; if the Mobility preference is unmanaged for that list of computers, the same thing happens, as you might guess. User preferences override computer lists preferences with MCX. We’ve generally gone with preferences attached to various computer lists, separating these lists out by location and department within the building to provide default printer settings and PHDs for all staff laptops.

  11. John S says:

    “assuming you are using MCX or Managed Preferences via Workgroup Manager, you want to manage Mobility by Computer List, not by User or Workgroup.”

    Is it possible to do this with the setup described in these articles (i.e. without using MCX or Workgroup Manager)?
    I basically want Portable Home Directories for all LDAP users without having to manually create a mobile account for each user.

  12. “Is it possible to do this with the setup described in these articles (i.e. without using MCX or Workgroup Manager)?
    I basically want Portable Home Directories for all LDAP users without having to manually create a mobile account for each user.”

    If it were me, I’d write a login hook that checked to see if the currently logging-in account was a Mobile Account, and if not, take the steps to enable it as such. Other options might include adding the MCX attributes to your third-party LDAP server, or using local MCX attributes via NetInfo, ala http://prowiki.isc-csg.upenn.edu:16080/index.php/Workgroup_Management_without_a_server

  13. John S says:

    Thank you very much for your blog posts on the topic and for answering my question. I got it working using a login hook.

  14. Hi! and thx for the very enlightening text!

    Just one point that keeps throwing me off: how can i tell homeSync to use a specific directory on my AD-Server. all i manage to do is get it to sync with the fileserver Volume that Windows Users have as the autoMount (Z:data), but i can not get it to sync into my user folder.

    thx,

    phil

  15. homeSync will sync with whatever folder the directory service says is your network home folder. If AD says Z:data is your network home folder, that’s what it will sync with. You need to set the correct network home folder in Active Directory.

    You could probably use dscl to edit the OriginalHomeDirectory attribute for a cached account to point to the path you want to sync, but such an edit would be fragile – it would be overwritten the next time the account info was updated from the server.

  16. Jayme says:

    Hi Greg. Do you know of a good resource for learning how to setup PHD from scratch? I’m trying to create a simple (or “simple-ish”) way for employees to login from any workstation and get their desktop. Any advice would be greatly appreciated! Thanks!

  17. Jayme:

    It sounds like you actually are looking for _network_ home directories. They allow a user to log into any machine and get their same desktop, Documents, and preferences. Portable Home Directories build on top of Network Home Directories – that is, you must have a Network Home Directory infrastructure before you can implement Portable Home Dirs.

    Network Homes are fairly simple to set up as a proof of concept if you are using an OS X Server as an Open Directory master and have one or more AFP servers. See Apple’s OS X Server documentation for info. But for real, live, production use you need to actually design things to handle the expected load, provide reliability, and provide quick recovery from failure, and those topics are way beyond the scope of a casual blog post or blog comment!

  18. Hi, I am Toufique Ahmed Nizamani. Portable Home directories with open directory, wow. It’s an awesome tutorial that I came across, and you have shown it with coding also! So it’s just amazing. Thanks for sharing with us.

  19. Peter says:

    Nice post.

    I was wondering how did you secure your NFS exports as NFS is not very secure.
    I’m currently evaluating NFS with GSS security (so with Kerberos), but I’d really like to do it without Kerberos.

    Also, I’m having troubles with creating mobile accounts.
    I have working LDAP and schema extended with apple.schema. All works ok, users can authenticate and have their home directories via NFS.

    However, when I want to create mobile accounts, the “Create mobile account” option is greyed out (even if I enable root user).
    Any ideas?

    Cheers,
    Peter

  20. We’re in a secure building with top-notch network engineers protecting us from the outside. We trust everyone in our building. We’re an open, collaborative environment, so the NFS security model works fine for us.

    For your problem creating mobile accounts, try this:
    Login as the user, then
    defaults write mcxMobility skipAddlEnableCheck 1
    Log out, back in and see if the button is available.

    You can manage this via MCX/Workgroup Manager for all users, or write a script that runs at login.

    Another option is the command line mobile home creation tool:

    /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

  21. Hi Greg,

    Got your RSS feed on my Firefox home bar. You’re the best!

    Apple Enterprise can’t seem to answer this question satisfactorily so maybe you know. I have about 80% of the users in a particular department with broken home synchronization. Completely random, from 11/07/2007 to 6/25/08. No rhyme or reason. People have just had issues. Everyone is on Tiger bound to Active Directory with their home directory pointing to an Apple File Share. Their home directories mount just fine, but the sync is broken. Is there any way to get them to do a full resync? I’ve tried deleting the /Library/Managed Prefs as well as the mcx data in Netinfo. I’ve also tried deleting the Library/SyncServices folder and any plist files in their local account.

    Any suggestions? Thanks in advance for this terrific blog!

  22. Please let me know if you’re looking for an article author for your blog. You have some really great articles and I think I would be a good asset. If you ever want to take some of the load off, I’d really like to write some content for your blog in exchange for a link back to mine. Please send me an email if interested. Thanks!

  23. When I initially commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get several e-mails with the same comment. Is there any way you can remove me from that service? Bless you!

    1. I don’t think I can do that for you. This is running on WordPress.com. I think you must do it for yourself, or contact WordPress support for help.

  24. Hi, I do believe this is a great web site. I stumbled upon it 😉 I will return once again since I have book-marked it.

    Money and freedom is the greatest way to change, may you be rich and continue to guide others.

Comments are closed.