Following up on some of my questions from last week…
Portable Home Directories and FileVault
This combination appears to work fine. Of course, FileVault has its own set of issues to be aware of, but if you need laptop data to be secure and also backed up, FileVault + Portable Home Directories is a compelling solution.
Disk Quotas and HomeSync
I wondered what would happen if a user added more data to their portable home directory than would fit in their network home directory subject to a storage quota. I tested this by creating a 200MB disk image on my Desktop that I knew would put me over quota. The good news is that I was presented with this dialog:
The bad news is that the error is terribly cryptic. At least its better than the corresponding entry in ~/Library/Logs/MirrorAgent.log:
Wed Mar 22 11:38:29.636 2006 *** Syncing "HomeSync_Mirror"
Wed Mar 22 11:38:37 2006: /SourceCache/MirrorAgent-99.8.1/FileSync-99.8.1/Agent/
Engine/whatis.m,261 err -5000 (iterateref)
copyCallback: got error -1425 at stage 3.
Wed Mar 22 11:39:50 2006: /SourceCache/MirrorAgent-99.8.1/FileSync-99.8.1/Agent/
Engine/syncio.m,759 err -1425 (cpfile)
Wed Mar 22 11:39:50 2006: /SourceCache/MirrorAgent-99.8.1/FileSync-99.8.1/Agent/
Engine/syncio.m,68 err -1425 (syncjobaddobj)
*** Exception -1425 logged for "Desktop/200MB_disk_image.dmg" ***
-1425 FAIL ADDED --> Desktop/200MB_disk_image.dmg
0 OKAY MODIFIED --> Desktop/.DS_Store
Wed Mar 22 11:39:53.657 2006 *** Done syncing "HomeSync_Mirror"
Elapsed time: 01:24.023
where there is no indication of the reason for the failure. So tell your users (and yourself) that “MHD DSKFULERR” is “Mobile Home Directory disk full error”, and that it means that they exceeded their quota on the network home.
Once I removed the offending item, syncs started working again.
Managing OS X 
This is a very helpful series! We’re investigating the same thing (although with Active Directory and ADmitMac). Your discovery of the difference between “Items” and “Prefs” (on a previous post) made me cheer.
Thanks for sharing.
This is still a work in progress – I continue to learn new things and fine-tune my implementation. As I discover things of potential interest, I’ll continue to post them here.
Thanks for the feedback – it’s good to know that this stuff is helpful to someone!
I too have found this series to be very helpful as I attempt to get 1500 iBooks set up to use this kind of technology. In testing with using an OS X server the whole synching thing seems to work perfectly, but unfortunately we’re trying to deploy these things to sync with W2K AD servers, and when I point the home folders to Windows shares I seem to be unable to sync… I have tried looking (in vain) for information on PHDs with W2K shares, or System Requirements for PHDs, but haven’t found anything to tell me that you need OS X shares for this to work… Earlier in your series you mentioned something about how you are using a non OS X LDAP and non AFP or SMB shares which PHD was designed to work with… Just wondering if anybody else is getting this to work with W2K shares. Thanks
I don’t have that environment (we use OpenLDAP running on Linux as our direcotry server, and NFS homes on NetApps), but I know people _are_ using Portable Home Directories with Active Directory and SMB homes. You might want to look at Apple’s Disucssion forums – here’s the Portable Home Dirs discussion: http://discussions.apple.com/forum.jspa?forumID=714
What does the local NetInfo account look like? Specifically, what are the values of original_home and original_home_loc?
OK, I feel like I’m so tantalizingly close to this working, but there is definitely something missing…
Just so we’re on the same page – I’ve got my iBook bound to AD and to OD as detailed in afp548 kinda methodology. In my AD prefs I’m “Creating a mobile account at login” and “Using UNC path from AD to derive network home location” with afp network protocol. The users are in AD groups, and those groups are drug into an OD group and the MCX settings managed by OD group. So the network home folder is being mounted at login by the AD plugin, but the sync settings are set via WorkGroup Manager by OD Group.
So when my freshly imaged iBook logs into an AD user account it *WILL* sync anything that is in their network documents folder onto the local home directory that gets built – but only on the initial Mobile Account creation, and only from the server to the local folder. This is off of a Windows AFP share.
So I’m logged in now, the managed prefs come down, setting things like my desktop background, dock, the menuitems installed etc. All this seems to be working fine. If I go to the Sync Home Now menuitem, though, I get error messages for each of the files that would otherwise be updated – usually either an error -37 or -48. In my MirrorAgent.log I’m seeing messages like /SourceCache/MirrorAgent-99.8.1/FileSync-99.8.1/Agent/Enging/syncio.m,674 err 48 (cpfile). Not very clear as to what that means.
If I go back into local Admin account and look at the netinfo entries for this account, I see the following values:
original_home_loc = afp://facilities.windows.prn.bc.ca/Usersjdyck
original_home = /Network/Servers/facilities.windows.prn.bc.ca/Users/jdyck
When I looked a bit earlier I wasn’t even seeing that, but since then I enabled login/logout syncing, which I had disabled earlier as I really only want manual syncing for bandwidth reasons.
Again, if I change the profile drive in the AD Users & Groups to an AFP share on an OS X server it seems to work fine, but we only have one OS X File server in our District, and 23 AD servers (one on each site), so I’m really wanting to have these all go to the local AD Fileshare servers, which keeps the network traffic on the local networks rather than going out on the WAN.
I spent some time going through the discussion forums you linked above,and will spend some time when I go home tonight to see if I can learn some more. Other than that, any other ideas you can throw out are greatly appreciated.
Thanks
“If I go back into local Admin account and look at the netinfo entries for this account, I see the following values:
original_home_loc = afp://facilities.windows.prn.bc.ca/Usersjdyck
original_home = /Network/Servers/facilities.windows.prn.bc.ca/Users/jdyck”
So are those correct? Is your network home on an AFP share on facilities.windows.prn.bc.ca, with a path of /Users/jdyck ? Does this share automount at /Network/Servers/facilities.windows.prn.bc.ca/Users/jdyck ?
I’d post your problems and the relevant errors from your MirrorAgent.log to the Apple discussion forum I linked to above – there’s at least one Apple engineer very familiar with PHDs who monitors and replies to questions there. He might at least be able to tell you what those errors mean.
-Grge
I know the afp address is correct for sure, but will double check the /Network/Servers…. mount to make sure the share is mounted there. And thanks again for the pointer to th apple discussion, looks like there could be some valuble info there, just gotta sift through it…
Thanks for the ideas.
I have mobile home directories working just fine. My only issue is locking a user to his/her specific folder. The automount feature mounts the root “home” folder and any user has read access to all of the other users “home” directories. I want users to be able to see only their specific folders and nothing else. Can anyone give me a hand on this?
Pierre – are your Network home directories mounted via AFP, SMB, or NFS? By default, the top level of an OS X home dir is readble so that the Public folder can be accessed. There’s nothing stopping you from making all home directories mode 700, which prevents access by anyone other than the owner. This would then make the ~/Public and ~/Public/Drop Box folders inaccessible, but perhaps your users don’t use them anyway.
These instructions don’t work very well with Leopard, because Netinfo is missing and Directory Access is now Directory Utility. Can we use dscl instead of niutil? If we’re not able to use Leopard Server, do we have to put nonstandard things in our LDAP? Do the instructions have be completely rewritten?
I wouldn’t expect these to work unchanged with Leopard – there have been significant changes between Tiger and Leopard.
I’ve been having lots of issues implementing PHDs on our environment with Leopard. As I make progress, I’ll post my findings.
Thanks a million!
great work Greg
– was the basis of our successful Tiger MHD implementation with Red Hat DS
– Tho we can get 10.5 clients to use smb home dirs [after editing the new Leopard ldap.conf !] MHDs cannot be created
– I don’t yet have a Leopard Server install to test myself, yet. Looking forward to your updates
I’m having lots of problems with mobile accounts/PHDs in our environment under Leopard as well. I have no real solutions as of yet, but I need to post some of my findings so far.
I can actually now create mobile accounts (RedHat DS LDAP and NFS-automounted homes) but HomeSync is unreliable.
Look at the new createmobileaccount tool in /System/Library/CoreServices/ManagedClient.app/Contents/Resources
./createmobileaccount -n seemed to work
– User Account prefs – ‘Mobile Account:Settings’ is active and associated home syncing magic appears to work.
Even the new replacements for MirrorAgent.log – the FileSyncAgent group – seem a bit more informative
– thanks very much for the tip
Sounds like it’s working better for you than it is for me :-(. Are you using RFC2307 schema, or have you extended the schema and added Apple attributes? I’m using NFS homes rather than SMB, and that might be the most important diffference between our environments.
in client Directory Utility :
rfc2307 customised with added attribute Users: HomeDirectory
mapped to apple-user-homeurl
in the DS
apple-user-homeurl =
‘home_dir”url’smb://home.server.com/username/’/url”path”/path”/home_dir’
[the inverted commas represent angle brackets…]
– moving the ‘path’ value to be part of the url enabled fast user switching for network users
– the trailing slash at the end of the url value is critical. ie. username/
hope this makes sense
I’ve got Mobile Accounts working in our environment under Leopard now – I’ll try to write something up soon, but the basics are the same as under Tiger…
Hi Greg,.. I’m coming to you almost 3 years later,.. but perhaps you have a suggestion for us?
Our goal is to get Mobile Accounts with Portable Home Directories working. The home folders are stored on an external hard drive on Mac OS X Server 10.6.3. It’s more or less working… but not quite ARGHH! HELP!!
1. /Volumes/…. vs /Network/Servers/….
Since all the files for user1 are stored on macsrv1 in /Volumes/team1/users/user1 I believe that in WGM I should have:
Share Point URL: afp://macsrv1.disney.ch/users
path to home: user1
full path: /Volumes/team1/users/user1
but when I try to log onto user1, for the first time, on a mac1, it fails (see *error1)
IF I CHANGE the full path to:
full path: /Network/Servers/macsrv1.disney.ch/users
THE LOGIN WORKS (I’m asked if I want to create a mobile account and when I say yes, the mobile account gets created, and any syncing does indeed cause files to appear on macsrv1 in /Volumes/team1/users/user1
HOWEVER/BUT/OH-NO!(argh)
When the user does an ssh into macsrv1, his home directory (cd ~ or echo $HOME) is /Network/servers/macsrv1.disney.ch/users/user1 which is really just /users/users1 which is a virgin/template-like folder.. certainy not /Volumes/team1/users/user1 😦
BUT (goodnews here)
If I now set the full path back…
full path: /Volumes/team1/users/user1
Everything works. Loggging into mac1 ok. SSHing into macsrv1 ok.
But logging into mac2 fails (until I switch out the full path again)
a. WHAT SHOULD BE THE CORRECT VALUE FOR FULL PATH?
b. If it should be /Volumes/team1/users/user1 then how can I convince the client macs to create the mobile account?
2. I have a 2nd question concerning the automount re-mounting the drive… causing a double mount! I’ve described the problem here: http://discussions.apple.com/thread.jspa?threadID=2461695&stqc=true
THANKS FOR ANY INSIGHT/help.
*error1:
After the login window, the user is informed that “Zou are unable to log into the user account. An error has occurred”. In system.log on mac1 I read “edu.mit.Kerberos.CCacheServer[927]: launchctl start error: No such process”
edu.mit.Kerberos.CCacheServer[927]: launchctl start error: No such process
Looking forward to it, Greg!
I’ve managed to get Tiger OS X Server playing nice (sort of) with Windows 2003 Active Directory just recently. All of the home directories for the AD accounts go back to a folder on the OS X server and PHD on the Mac side seem to sync OK. Mobile accounts on the Macs seem to work and sync as well.
It wasn’t without issues though – setting home directories for AD accounts under the OS X Workgroup manager returns an error, but still sets the home location (weird eh?). Luckily I was able to get it all working without having to change the AD scheme – that was a last resort. The Windows clients aren’t any the wiser and I’ve had no issues with them using a share on the OS X box.
Little quirks with the Apple clients – the odd mounting of the root home directory here and there and trying to access the Login Items on the client locks up System Preferences. Makes changing login items a real pain, but you can only change so much to an AD account under the Workgroup Manager on the OS X side.
I’m running Leopard 10.5.2 myself (the rest of the clients are Tiger 10.4.11 machines), but so far I don’t think it’s quite ready for AD integration – the login process takes at least 5 mins (with home dir sync’ing) and coming out of a lock screen saver takes a minute or so. Haven’t gotten deep into it yet as I’ve been tweaking/fixing odds and ends on the OS X client machines.
Jeff – can online imagine 1500 iBooks! (though that was posted over a year and a half ago) as I’ve only about 8-10 Mac clients.
Thought I’d drop a comment as I’m in the same boat.