Leopard, MobileAccounts, and NFS homes
On the MacEnterprise mailing list, Arjen van Bochoven wrote of problems with automatic HomeSyncs under Leopard with NFS home directories. Manual syncs worked fine, but the automatic background syncs would fail with errors that looked like this:
1:: [228] Peer "network" is unable to sync. (-[SPeer_FS_PHD mountPeerVolume] (Peer-FS-PHD.m:140): "'((homePath))' is nil")
0:: [228] [2009/02/19 10:45:10.640] Peer "network" is unable to sync. Not enough peers will be available to continue syncing.
0:: [228] [2009/02/19 10:45:10.640] Aborting sync of "HomeSync_Mirror".
I saw the exact same problem in my environment. This also affected login and logout syncs. Here’s the (ugly) fix.
For each mobile account, you’ll need to make two modifications to the account info in the local DS:
/usr/bin/dscl . create /Users/$USERNAME dsAttrTypeStandard:OriginalHomeDirectory "nfs://$NFSEXPORT$USERNAME"
where $USERNAME is the short username, and $NFSEXPORT is the NFS server and its export path, ending in a slash (for example, homeserver/vol/home/fahome/).
This gives HomeSync an nfs:// URL to use to mount the network home directory. It shouldn’t have to do this, since the network home is already available at the autofs mountpoint for the network home, and it obviously doesn’t really need it, since manual syncs work, but we have to do it anyway.
The OriginalHomeDirectory attribute has two parts – a URL describing the mount, and a path describing the path to the actual home dir, relative to the mount. In my case, when I type `mount`, my home autofs mount looks like this:
homeserver:/vol/home/fahome on /home/fahome
and my NFS home path is /home/fahome/gneagle
So the URL is ‘nfs://homeserver/vol/home/fahome/’ and the path is ‘gneagle’.
Depending on how the home mounts are set up in your environment, the division between the URL and the path might be different. For example, we might have had this instead:
URL ‘nfs://homeserver/vol/home/’ with a path of ‘fahome/gneagle’.
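The split described above can be derived mechanically from a `mount` line and the NFS home path; this is an added example, not part of the original post. The function name nfs_home_parts and the second sample mount line in the comments are constructed for illustration, and the function assumes paths without spaces.

```sh
#!/bin/sh
# Added example: split an NFS home into the mount URL and the path
# relative to that mount, as used for OriginalHomeDirectory.

# nfs_home_parts MOUNT_LINE HOME_PATH
# Prints "<url> <relative path>"; returns 1 if the input is unusable.
nfs_home_parts() {
    mount_line=$1
    home=$2
    # "server:/export on /mountpoint (options)" -> source and mountpoint
    src=${mount_line%% on *}
    rest=${mount_line#* on }
    mnt=${rest%%" ("*}
    server=${src%%:*}
    export_path=${src#*:}
    # Only "server:/absolute/export" is a usable NFS source
    case $src in
        *:/*) ;;
        *) return 1 ;;
    esac
    # The home must sit strictly below the mountpoint
    case $home in
        "$mnt"/?*) rel=${home#"$mnt"/} ;;
        *) return 1 ;;
    esac
    # Refuse "." and ".." components so the result cannot leave the export
    case "/$rel/" in
        */../*|*/./*) return 1 ;;
    esac
    printf 'nfs://%s%s/ %s\n' "$server" "${export_path%/}" "$rel"
}

# Values from the text above:
#   prints "nfs://homeserver/vol/home/fahome/ gneagle"
nfs_home_parts 'homeserver:/vol/home/fahome on /home/fahome' /home/fahome/gneagle
# Constructed mount line for the alternative division:
#   prints "nfs://homeserver/vol/home/ fahome/gneagle"
nfs_home_parts 'homeserver:/vol/home on /home (nfs, automounted)' /home/fahome/gneagle
```

Concatenating the two printed fields gives the same nfs:// string in both cases; only the division between URL and path differs.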
The next change:
/usr/bin/dscl . append /Users/$USERNAME dsAttrTypeNative:preserved_attributes dsAttrTypeStandard:OriginalHomeDirectory
This prevents the OriginalHomeDirectory attribute from being overwritten by the empty value presumably coming from the network. (If there was a useful value in the network directory, this hack wouldn’t be needed.)
You may be able to create the accounts “correctly” in the first place by using /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount and passing the syncURL with the -u option in the form “nfs://homeserver/export/home/gneagle”. This didn’t work in my environment, and even if it did, it wasn’t really an option to use createmobileaccount, so I instead wrote a login hook that “fixes” the mobile account if needed. WordPress will cut off the right side of the script when displaying it, but you can select, copy and paste into your favorite text editor for examination:
#!/bin/sh
# Leopard bug workaround as of 10.5.2. March 5 2008
# inserts nfs:// URL into OriginalHomeDirectory attribute
# for mobile accounts so that login/logout/background syncs
# work reliably
#
# Greg Neagle, Walt Disney Animation Studios

# the following is the actual NFS share that is mounted via autofs
NFSEXPORT="homeserver.example.com/vol/home/fahome/"

# loginwindow passes the short username to a login hook as $1
USERNAME="$1"
# nothing to do without a username
[ -n "$USERNAME" ] || exit 0

LOCALACCT=$(/usr/bin/dscl . read "/Users/$USERNAME" 2>/dev/null)
if [ "$LOCALACCT" != "" ]; then
    # $USERNAME is a local account
    NETHOME=$(/bin/echo "$LOCALACCT" | /usr/bin/grep OriginalNFSHomeDirectory)
    if [ "$NETHOME" != "" ]; then
        # $USERNAME is a mobile account
        # in our case, the path and the username are one and the same
        /usr/bin/dscl . create "/Users/$USERNAME" dsAttrTypeStandard:OriginalHomeDirectory "nfs://$NFSEXPORT$USERNAME"
        # only add the attribute to preserved_attributes once
        PRESERVED_ORIG_HOME=$(/usr/bin/dscl . read "/Users/$USERNAME" dsAttrTypeNative:preserved_attributes | /usr/bin/grep dsAttrTypeStandard:OriginalHomeDirectory)
        if [ "$PRESERVED_ORIG_HOME" = "" ]; then
            /usr/bin/dscl . append "/Users/$USERNAME" dsAttrTypeNative:preserved_attributes dsAttrTypeStandard:OriginalHomeDirectory
        fi
    fi
fi
The user logs in with their network account. MCX computer group settings cause the user to be asked if they want to create a mobile account; if they agree, the mobile account is created and the home directory is encrypted with FileVault. As they log in, the login hook runs and, if needed, inserts the additional info into the cached local account info so that automatic HomeSyncs work.
Though this fixed the issue for our environment, I still consider this a bug.
September 18, 2009 at 1:44 am
great info- very helpful