Continued from part 2….
LDAP mapping changes
Now we had login/logout syncing working. Unfortunately, I found it stopped working the next day. A look at the output of niutil -read . /users/gneagle showed that the original_home_loc field was missing once again. I guessed this was because the field is not defined in the LDAPv3 mapping I was using (RFC 2307 (Unix)). Periodically, loginwindow must query the directory server and refresh the cached values for the password and the network home information, and a field the mapping cannot supply would then disappear from the local record on the next refresh. That is probably what this field is listing:
preserved_attributes: dsAttrTypeStandard:AuthenticationAuthority dsAttrTypeStandard:Password dsAttrTypeStandard:NFSHomeDirectory dsAttrTypeStandard:HomeDirectory dsAttrTypeStandard:Picture
So I altered the LDAP mappings, adding a custom mapping that points the HomeDirectory attribute (which corresponds to the “home_loc” field in NetInfo) at homeDirectory, the same LDAP attribute NFSHomeDirectory already points to. (NFSHomeDirectory corresponds to the “home” field in NetInfo.)
Now Directory Services supplied what Portable Home Directories was looking for, and login/logout syncing started working again.
An interesting side effect of adding the original_home_loc mapping was that the “Configure” button was no longer grayed out in the Accounts preference pane for mobile accounts. Clicking it, however, made System Preferences crash.
A look at the crash log ferreted out the reason:
Application Specific Information:
Accounts v.1.7 (com.apple.preferences.users)
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000006
Thread 0 Crashed:
0 com.apple.CoreFoundation 0x9073fba4 CFRetain + 60
1 com.apple.CoreFoundation 0x90750fa4 CFDictionarySetValue + 448
2 com.apple.preferences.users 0x017c71d0 LWNotifyMountServerWithCurrentAuthentication + 156
That call to “LWNotifyMountServerWithCurrentAuthentication” looked to me like the Accounts pane trying to mount the network home directory using the original_home_loc field. The backtrace shows a bad pointer reaching CFRetain through CFDictionarySetValue (a fault at address 0x00000006), which is consistent with the field being a plain NFS path rather than the AFP or SMB home directory URL the pane expects: the mount attempt failed and took System Preferences down with it. I reformatted this field to look more like an AFP URL:
With that change the Accounts pane no longer crashed when bringing up the HomeSync preferences. But it caused other odd things to happen, such as the NFS server mounting under /Volumes and refusing to unmount until a restart, so I reverted to a regular path for the home_loc/original_home_loc field. Ultimately this probably won't matter for us: once a user can reach the HomeSync preferences, any change they make there completely replaces ~/Library/Preferences/com.apple.homeSync.plist with a file generated from /System/Library/CoreServices/mcxd.app/Contents/Resources/CinchDefaults.plist plus the user's own selections, which wipes out any customizations you have made. So keeping users out of the HomeSync preferences might be a good thing for us.
That said, on my Open Directory test box I set up NFS home directories for an OD test user and found that I _could_ open the HomeSync preferences, even with original_home_loc populated with a path instead of XML. So there's more to this story, and I hope to puzzle more of it out in the future.
Conclusion and future directions
The original goal was to get Portable Home Directories working in my environment without modifying our LDAP or NFS servers. That has been accomplished. Several issues remain to be resolved, though.
NFS Home dir quotas
Our NFS home dirs are subject to disk quotas. Once a user hits their quota, they can no longer write to their NFS home dir. What happens if the user adds lots of material to their PHD so that it grows larger than the space left under their quota on the NFS server? How does the sync behave? Is there data loss? Is there any warning?
FileVault
How do Portable Home Directories work with FileVault-encrypted home directories? I haven't yet tested this combination.
User control over what syncs
How can we give users some control over what syncs without letting them override our preferred configuration? For example, by default I would not want to sync the Music, Movies, or Pictures folders: generally these are either empty or full of *personal* music, movies, or pictures, things we as an organization don't need to be backing up. But there will be users for whom it makes business sense to sync those folders. Does an admin have to configure this? If so, should they just edit ~/Library/Preferences/com.apple.homeSync.plist, or can we provide a GUI? And if we can get Apple's HomeSync preferences working, what can we do to stop our “managed” list from being completely ignored?
Network change notification/Dynamic NFS mounts
Our current NFS automounts are driven by automount maps: a custom startup item calls automount to set up the actual NFS automounts, and a periodic script queries a server for newer versions of the maps.
Laptops add some challenges. If the laptop is off the company network when it boots, the custom startup script does nothing, and connecting to the network later does not bring up the automounts; at the moment the user has to reboot the machine to get the NFS automounts working.
What is needed is a way to be notified when the network changes and then run a script that checks whether the company network is available. If it is, the script should check whether the custom automounter is already running: if so, send it a kill -HUP; if not, start it. It might also be worth killing the custom automounter when we disconnect from the network, but that may be unnecessary if we simply rely on automount timeouts.
Additionally, a laptop is more likely to be off the company network (or off, or asleep) when the periodic job that updates the automount maps runs, so even after a reboot the automounter may be started with obsolete maps. The same script that starts the automounter when we join the company network could also check the age of the automount maps and request new ones if they are more than, say, 24 hours old.
I’ve done some work on how to determine when the network changes, but have not yet found a 100% reliable way that’s accessible from a script. The SystemConfiguration Kicker bundle seems the most appropriate route, but I haven’t yet been able to get it to do what I want. Hints and tips appreciated!
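As an added example (not a script from this post or from the environment it describes), here is the handler such a network-change trigger would run, written as a POSIX sh script; the trigger itself is left out, since the post has not settled on one. The probe host maps.example.internal, the pidfile and map directory paths, the startup item name CustomAutomount and the fetch-automount-maps command are all assumptions standing in for the site-specific pieces mentioned above, and each can be overridden through the environment.

```shell
#!/bin/sh
# Added example handler for a network-change trigger. Not the original post's script.
# Everything named here is an assumption: probe host, pidfile, map directory and the
# two site-specific commands (start the custom automounter, fetch fresh maps).
PROBE_CMD="${PROBE_CMD:-ping -c 1 maps.example.internal}"       # assumed host
PIDFILE="${PIDFILE:-/var/run/custom-automount.pid}"             # assumed path
MAPDIR="${MAPDIR:-/etc/automount-maps}"                         # assumed path
START_CMD="${START_CMD:-/Library/StartupItems/CustomAutomount/CustomAutomount start}"  # assumed
REFRESH_CMD="${REFRESH_CMD:-/usr/local/sbin/fetch-automount-maps}"                    # assumed

# Succeeds when the probe command succeeds, i.e. the company network is reachable.
# PROBE_CMD is deliberately unquoted so its arguments are split.
on_company_network() {
    $PROBE_CMD >/dev/null 2>&1
}

# Prints "running" if the pidfile names a live process, otherwise "stopped".
automounter_state() {
    pid=$(cat "$PIDFILE" 2>/dev/null || true)
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stopped
    fi
}

# Prints "stale" when the map directory is missing or empty, or when any map in it
# is more than a day old (find -mtime +0 counts whole 24-hour periods); else "fresh".
maps_state() {
    if [ -z "$(find "$MAPDIR" -type f 2>/dev/null)" ]; then
        echo stale
    elif [ -n "$(find "$MAPDIR" -type f -mtime +0 2>/dev/null)" ]; then
        echo stale
    else
        echo fresh
    fi
}

# The procedure from the post: do nothing off the company network; otherwise refresh
# stale maps, then HUP a running automounter or start a stopped one. Prints the
# actions taken, space-separated: "offline", or some of "refresh", "hup", "start".
handle_network_change() {
    if ! on_company_network; then
        echo offline
        return 0
    fi
    actions=""
    if [ "$(maps_state)" = stale ]; then
        $REFRESH_CMD && actions="refresh"
    fi
    if [ "$(automounter_state)" = running ]; then
        kill -HUP "$(cat "$PIDFILE")" && actions="${actions:+$actions }hup"
    else
        $START_CMD && actions="${actions:+$actions }start"
    fi
    echo "$actions"
}

# Invoke as "sh handler.sh run" from the trigger; sourcing the file only defines the functions.
[ "${1:-}" = run ] && handle_network_change
```

The age check uses find -mtime +0, which is true only for files at least one full day old, so a map fetched 23 hours ago still counts as fresh; use -mmin on systems that have it if finer granularity matters. Each site-specific action is a command string, so the same script can be exercised end to end with true/false stand-ins before it is wired to a real trigger.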