snowleopard.jpgMy last post looked at an issue where network users without a proper path assigned to their home directory in WorkGroup Manager would be unable to properly create a local home folder. This post looks at an issue with login failures that can arise with mobile network accounts under Snow Leopard Server. If you have mobile network accounts – AD or LDAP – that cannot login, jump to the bottom of this post for the fix.

After creating several network user accounts under Snow Leopard, I found that my test user account was unable to login. But instead of the standard shake of the login window that indicates a failed login attempt, the login window actually began to collapse as if the login process was starting – the login & password boxes disappeared briefly before reappearing suddenly & displaying the familiar shake to indicate that login had failed.

Interestingly, the user account could still be used to access system services without issue. Attempting to login to AFP shares or setup iCal for shared calendaring using the users login credentials worked fine.

Several reboots & rebinds later I dug through the system log to find the following error: error = Error Domain=NSOSStatusErrorDomain Code=-35 “Operation could not be completed. (OSStatus error -35.)” (no such volume).

Turns out the ManagedClient.app was unable to create the mobile account at login. The solution was to create it manually. On the client computer, login as an administrator & run the following two commands as root:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

sudo createhomedir -c -u username

This forces the creation of both the mobile user account & their home directory. Log out & log in with your mobile user’s credentials – you should be able to login without issue. This should work for both Active Directory and Open Directory mobile user accounts.

Thanks to Rich Trouton of the macenterprise google group for posting the fix!

As of this writing, Snow Leopard Server is at version 10.6.1

Advertisements

snowleopard.jpgUPDATE: Due to some errors on my part, I have had to heavily edit this article. The information contained herein is now accurate. Sorry for the confusion!

I recently ran into a bit of an irritating issue while setting up directory services on a new server running Snow Leopard Server (10.6.1). It seems that as of 10.6, users without a value for their home directory (NFSHomeDirectory) are unable to create a home directory on managed clients. I had created a series of users and assigned them to groups. Every time I would log in to test, however, error messages would appear warning about problems creating the user’s home directory.

What is interesting, however, is that users can still access system services (AFP, iCal, etc) without issue. Attempting to login to AFP shares using the users login credentials works fine. Attempting to login to a managed client, however, generates a warning message about being unable to locate the users home directory. When logged in, the user cannot create new files or folders on the desktop – the whole system behaves as if the user has no permissions for the desktop.

A quick look at the logs on the server hinted that the issue was tied to home directories, with several warning messages about problems with home directories: CFPreferences: user home directory at /99 is unavailable. User domains will be volatile.

Sure enough, when I looked in WGM, I had forgotten to assign home directories to the accounts. I quickly corrected this (relatively large) oversight & BAM! clients were logging in without issue!

This is a fairly sharp departure from previous behavior. Prior to Snow Leopard, network users with no home directory assigned (NFSHomeDirectory=99) could still login; their home directories were simply created in a folder named “99” in the root of the boot volume (/99/user1). As of 10.6 this behavior seems to have changed. Why exactly, I’m not yet sure – although I imagine it must be tied to security.

My next post explores an issue where mobile account creation can sometime fail on login. Stay tuned!

As of this writing, Snow Leopard Server is at version 10.6.1.

wgmCreating network home folders for users in Open Directory is typically a fairly painless task using OS X Server. What can be a little more painful is trying to figure out how to create a clean, locally cached home folder on a client workstation. The only obvious options for home folders in Workgroup Manager are¬†None & the creation of an AFP or NFS share that’s stored on the server.

While leaving the settings in WGM set to None does result in the home folder getting cached on the local machine, it’s a less than perfect solution. For starters, the profiles get cached in the root of the drive, under a directory labelled 99. Plus the home folders it creates doesn’t have the usual directory structure – they only contain a Desktop and a Library folder. Not quite what we’re looking for. Ideally, the home folder would get created in the /Users directory, using the standard home folder template just like a local machine account is.

The fix to this is to make sure the NFSHomeFolder attribute is set for all your network accounts. That’s what happens when you select an AFP or NFS share – the path to the network share is written to the NFSHomeFolder attribute in the LDAP directory. When you leave the home folder setting at None, the default value is assigned to NFSHomeFolder – a value which happens to be 99 (hence the 99 directory that appears in the root directory on client machines whenever a user without a specified home folder logs in).

Set Network Account Home Folders to the Local Users Directory (/Users):

  1. Launch WGM & login to your Open Directory server
  2. If the Inspector tab in WGM isn’t visible, enable it in the Preferences
    1. Check the box next to “Show ‘All Records’ tab and inspector
  3. Select a network user account & click the Inspector tab
  4. Locate the NFSHomeDirectory attribute – it should read 99 – & change this value to ‘/Users/username‘ where username is the shortname of the user.
  5. Save your changes.

MCX Lessons from Macworld

January 20, 2009

wgmManaging OS X, Greg Neagle’s OS X sysadmin blog, has a great PDF of slides from Greg’s Macworld presentation on MCX & managed preferences in OS X. If you’re involved in client management in any way on OS X, you should probably take a minute to check this out.

You can download the PDF direct from his blog here.