Converting a local user account to a mobile account
18 January 2004
The Old Problem:
Managing PowerBooks with mcx has always been a tricky proposition. Mac OS X would not cache the authentication authority of the network domain, so you could not use Open Directory network accounts on the road.
About the best solution anyone has been able to come up with is to create local users on all the Macs and then manage them at the computer level. (I wrote an earlier article about that, which you can read here.) This seems to work OK in most situations, but it can be flaky at times and really isn’t what people are looking for in the way of managing users, since it defeats the whole point of a centralized user database.
Apple has heard your pain...
The New Solution:
Mac OS X and Mac OS X Server 10.3 introduce us to the concept of the Mobile Account:
“A mobile account is a Mac OS X Server user account that has been copied to a local computer and remains synchronized with the server account so that both locations contain a matching set of data.” (Mac OS X Server User Management, p. 46)
OK, so let’s decipher what Apple just said…
- “A mobile account is a Mac OS X Server user account …" Translation: The user account must first exist in a network accessible Open Directory domain.
- “… copied to a local computer …” Translation: A special, local user is created.
- “… remains synchronized with the server account so that both locations contain a matching set of data." Translation: The management information for the user is synchronized. The home folders are not.
What happens when you create a mobile account on a workstation is that a special, local user is created in the local NetInfo database. The account authenticates against the server account when it is on the network, but it caches the authentication authority so that the user can still authenticate on the road. Since it is a local account, the user has a local home folder and all of his work stays with him. Apple has essentially taken the machine-based mcx caching we used to use to manage PowerBooks and added user accounts to it. For organizations that are largely PowerBook based this is great: we can now centralize user management for all the Macs, not just the desktops.
But what about all my stuff?
A problem that comes up is that most PowerBook users have already been working for quite some time. My home folder and account have existed since 10.0 and have been moved from system to system as I have changed PowerBooks over the years. I have a ton of stuff in it and don’t want to lose it. What would be nice is an easy way to convert my local, admin-level account into a mobile, local admin-level account. Well, guess what? There is a way, and it is even pretty easy...
- (This assumes you have an OD domain set up and that the PowerBook is configured to use it.)
Let’s say we have a local account named Joe User. Now Joe has been using his PowerBook and Mac OS X since day one, so he has a lot of stuff built up in his home folder. After you have backed up Joe’s home folder and the local NetInfo DB on his Mac, we need to create a network account whose names match Joe’s local account. This account can be set up like your other accounts; you really don’t need to do anything special. Since Mac OS X always checks the local user DB first, it will never ask the OD server for Joe’s info. We’ll fix that in a second.
- Now, with Joe’s network account selected, click the Preferences button in Workgroup Manager and then the Mobile Accounts button. Tell it to always manage the settings and to create a mobile account at login. You can set the confirmation setting if this user might log in from a desktop from time to time and would need to access a network home folder. When you are done, quit Workgroup Manager and go to the Mac you are going to manage.
- Log in as the local admin user that you keep around for troubleshooting. (What? You don’t have an extra local admin on each Mac? What do you do when an account gets messed up and you need to fix it? If you don’t have one, make it now and learn to love the safety net that it provides.) Go to /Users and select the 'joeuser' folder. Get Info on it and change the ownership to the admin user you are logged in as. Once you have done that, set the name to something like 'oldjoeuser'.
- Double-check that you did in fact change the name of Joe’s home folder. Once you are certain of that, open the Accounts pane of System Preferences and delete Joe’s account. Go ahead, it’s OK. Take advantage of the new immediate-delete option if you wish; it will save a little cleaning up later.
- Go back to /Users, select the 'oldjoeuser' folder, and change the name back to 'joeuser', just as it looked before. Now close that Get Info window and fire up the Terminal.
- If everything is working correctly in your OD setup, you should be able to type id joeuser and get output that reflects his network account; the UID will be the giveaway. If it is in the 500 range, you probably forgot to delete the local account. Most network accounts have a UID above 1000, but really just make sure it matches whatever you assigned in Workgroup Manager. Assuming this works, you now need to fix up the ownership of Joe’s home folder:
sudo chown -R joeuser:staff /Users/joeuser
- Log out and then log in as Joe User. It should authenticate to the network and then ask if you want to create a mobile account. Tell it to create one, and it will finish logging in. Since there is already a home folder for joeuser, it will just use that one. If you want Joe to be a local admin, log in as your other admin user and grant those privileges in the Accounts pane of System Preferences.
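The two steps that can go wrong above are the id check (if the local account is still there, id answers with the old local UID) and the recursive chown that follows it. Here is a small pre-flight script, written for this article as an added example and not part of the original procedure, that parses id output, refuses to proceed when the account still resolves to a local or system UID or to a UID other than the one assigned in Workgroup Manager, and only then runs the chown. The UID ranges (below 500 system, 500 to 999 local, 1000 and up network) are the article’s rule of thumb, the expected UID is whatever you assigned in Workgroup Manager and is passed in by you, and the two sample id lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# "id joeuser" step, run before
#   sudo chown -R joeuser:staff /Users/joeuser
# UID ranges follow the article's rule of thumb (assumption): system < 500,
# local 500-999, network >= 1000. The expected UID is the one assigned in
# Workgroup Manager and is supplied by the caller.

# Extract the numeric uid from a line of `id` output, e.g.
#   uid=1025(joeuser) gid=20(staff) groups=20(staff)   -> 1025
uid_from_id_output() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# Classify a uid using the ranges above.
classify_uid() {
    if [ "$1" -lt 500 ]; then
        echo system
    elif [ "$1" -lt 1000 ]; then
        echo local
    else
        echo network
    fi
}

# check_account NAME EXPECTED_UID ID_OUTPUT
# Returns 0 only when the account resolves to the network (Open Directory)
# record with the UID assigned in Workgroup Manager. Any non-zero result
# means: stop, do not chown yet.
check_account() {
    name=$1; expected=$2; output=$3
    uid=$(uid_from_id_output "$output")
    if [ -z "$uid" ]; then
        echo "$name: no account resolved; check Directory Access and the OD server" >&2
        return 2
    fi
    case $(classify_uid "$uid") in
        local)
            echo "$name: still resolves to local UID $uid; the local account was probably not deleted" >&2
            return 1 ;;
        system)
            echo "$name: resolves to system UID $uid; refusing to touch it" >&2
            return 1 ;;
    esac
    if [ "$uid" -ne "$expected" ]; then
        echo "$name: network UID $uid does not match Workgroup Manager UID $expected" >&2
        return 1
    fi
    echo "$name: resolves to network UID $uid"
    return 0
}

# Live wrapper: run the same check against the real directory lookup.
check_live_account() {
    check_account "$1" "$2" "$(id "$1" 2>/dev/null)"
}

# Fix ownership only after the check passes. Prints the command unless
# APPLY=1 is set, so a failed lookup can never turn into a recursive chown
# of the wrong folder.
fix_home_ownership() {
    name=$1; expected=$2
    check_live_account "$name" "$expected" || return $?
    cmd="chown -R $name:staff /Users/$name"
    if [ "${APPLY:-0}" = 1 ]; then
        sudo $cmd
    else
        echo "dry run: sudo $cmd"
    fi
}

# Constructed sample `id` output for the two cases the article describes:
# the local account still present, and the network account resolving.
SAMPLE_LOCAL='uid=501(joeuser) gid=501(joeuser) groups=501(joeuser),80(admin)'
SAMPLE_NETWORK='uid=1025(joeuser) gid=20(staff) groups=20(staff)'

if [ "${1:-}" = demo ]; then
    check_account joeuser 1025 "$SAMPLE_LOCAL"    # rejected: local UID
    check_account joeuser 1025 "$SAMPLE_NETWORK"  # accepted
fi
```

On the PowerBook you would run fix_home_ownership joeuser 1025 once as a dry run, read the message, and then repeat it with APPLY=1 set; the demo argument exercises the check against the two constructed samples without touching the system.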
Now Joe User can go about his work and he may never even realize that he has a centrally managed account.
A few strange things you may find:
The mobile user accounts don’t seem to be able to edit anything in NetInfo. The main thing this messes up for me is the user picture on my Address Book card: it defaulted to the little “network guy” image and I can’t change it!
Although it isn’t absolutely necessary, things seem to work more smoothly if you log out and log back in whenever you change network locations, e.g. I log out at work and then log back in at home.
You will probably go through the whole “Your appX has been updated, update the Keychain as well?” sort of deal again. This often happens when you update the OS too, so it shouldn’t be too big a deal for most users. I would run Keychain First Aid from the Keychain Access utility as well.
If your OD servers are visible on the internet the clients will attempt to authenticate to them. This sounds cool since we would pick up kerberos tickets, updated user info, and the like, but in practice it seems to suffer greatly from the latencies on the internet. When I first converted my account I had hoped to be able to authenticate from anywhere, but I find I get better results from using an internal only address in Directory Access for my OD server.
Home folders are NOT synced. So if you have a user that is logging in with a mobile account on the road and a network account on a desktop they will have multiple home folders. Most PowerBook users I know or support are PowerBook monogamous and it probably won’t be that big of an issue.
You will probably want to check the permissions on your system, since you just deleted an admin user account.
Wrapping it up:
All in all this is a huge upgrade for the way we manage PowerBook users. I have been living in a converted account for a while now and haven’t found any real gotchas. If I find any as I convert my users to mobile accounts I will update this article with what I find.