AD authentication OD Mobile Account 10.6.2

Viewing 5 posts - 16 through 20 (of 20 total)
  • #378458
    Lark Ohiya
    Participant

    I have to question why you want to separate user home directories based on operating system.

    The check box to “Use UNC path from AD” will set the user home directory from the AD listing of the user profile. In our school district we use this feature and have not had any issues with students logging into the windows side giving errors after logging into osx.

    We have mobile accounts enabled so that teachers can take the macbooks home with no trouble.

    The main reason for us to use the UNC path solution is because our user home folders are segmented on the servers. They are not in a generic “user” location so setting up arguments for each school year and teacher group was rather time consuming and added a step of error.

    Create mobile account: true
    force local home dir: true
    use unc path from AD: true

    workgroup manager preferences to not auto sync anything except the contents of documents folder minus music and video.

    If having a shared home directory will work I suggest it.

    (Although it looks like for whatever reason it just won't work for you. I leave this information here for readers' sake.)

    #378524
    cmra
    Participant

    We have a split environment with users having a small amount of storage when logging onto PCs and a media type area when logging onto Macs (different servers). We can't store the Mac account in the PC area and vice versa, so they must remain separate entities.

    However for those interested these are the findings so far.

    The settings as above work fine within a golden triangle setup with the following config:

    10.6.3 Server, 10.5.8 Client. AD Kerberos Realm

    User logs in gets a mobile account created in the correct place and sync settings work perfectly just as if the account was created in OD

    However, this is where it gets bad, when we go to the ideal setup:

    10.6.3 Server, 10.6.3 Client, AD Kerberos Realm

    Using the managed preferences as above the user is informed that their mobile account cannot be synced at this time “Cancel” or “Continue”
    User clicks continue. When trying to manually sync, user gets prompted for password. Checking with klist reveals the user not receiving a TGT. Log out, log back in; login sync performs and the user has a TGT. Account won't sync on logout and doesn't check to see whether the Local or the Network version of the mobile is the latest at any point, even if changes are made to either. (Note this worked perfectly on the above setup.) Found an Apple fix for the TGT issue: http://support.apple.com/kb/HT4100
    Tried again, still had the initial error message but this time a ticket was generated for user on first login so manual sync now working. Still not syncing on logout and not checking for network or local.

    As an alternative to the MCX redirects tried the command line approach

    ran the following command

    /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username -u afp://server.domain.com/Home/username

    This creates a mobile account for the user upon first login, with the correct server path.
    Logged in as user, this time no error message and account syncs upon login. Logged in, using klist we see the user has a ticket generated. Manual sync works and logging off the mobile account syncs. However it still doesn't check at any point whether the local or the network version is the most recent.

    With the command line method being the most successful I tried running this as part of a login script. To start off with this was running with the trust setting as Anonymous. Logs in OK without errors but does not generate a TGT for the user on first login despite the Apple patch being applied. Again a logout and a login for that user then generated a ticket. However the account does not sync again at logout and again does not check network or local. I began to wonder whether the TGT issue was because, according to the Apple docs, the trust relationship must be set to Partial for clients using AD. With this in mind I changed the trust setting on both client and server and ticked “Digitally Sign all Packets”, which is a requirement of Partial trust. This breaks the authentication of the diradmin on the OD master and the client can no longer bind to the server until this feature is then unticked! This is it so far… head-scratching continues!

    So Mobile accounts using 10.6 client with AD seem a little broken at the moment! 10.6.4 anyone?!

    #378532
    Mike Boylan
    Participant

    When I first read your thread, I didn't think it was related to mine because you specifically mentioned not using augments. However, if you want to have *separate* Windows and Mac home directories, it is absolutely necessary to augment the records, as confirmed by our Apple engineers today.

    That being said, I didn't realize our threads were so similar, but they are. In my thread, I describe essentially the exact same problem. Mobile accounts for augments (AD users) are asking for a password on manual sync or logout sync. Login sync doesn't even check. Sometimes it just says “never synced” and won't even let you sync. Very sporadic behavior. The server is definitely kerberized correctly in the AD realm because logging in as an augment *without* any mobility prefs set successfully generates the right tickets.

    Talking to our Apple engineers a bit more today, essentially they said to avoid augments at all cost unless absolutely necessary. In fact, they weren't even going to mention them in the presentation. They also said they were aware of a Kerberos problem with AD accounts and linked me to that article you found on your own about forcing a TGT for an AD login.

    I have yet to see if that works for us. Unfortunately, I may not test it at all as we essentially decided today, with the encouragement of the engineers, to just keep our AD and OD records separate but write a password change script for OD available to our students on our password reset website.

    If I do have time to test it though, I’ll definitely let you know what I find out. And if you find anything out, I’d love to hear it as well.

    Mike Boylan
    RMU IT :: Mac OS X
    @mboylan on Twitter

    #378535
    cmra
    Participant

    Hi Mike

    In effect we do use augments: the home directory attribute and the apple-user-url are added automatically to the account when it's created on the local machine. This happens as a result of either the sync URL setting in MCX or the path as stated in the command line mobile account creation. It has to be noted that network accounts work fine; it's mobile accounts that are utterly broken. The Kerberos patch will fix the initial TGT on login problem but the synchronisation will not work as expected. It seems we are now holding out for Apple to fix this in 10.6.4 (fingers crossed).

    It also should be noted that I have tried the augment route as described by Bombich's Leveraging AD on Mac OS X, and whilst this also works fine for network accounts it does not work properly for mobile accounts; in fact you get the same issues as related in my above post using the MCX settings to manage synchronisation. As has been noted in other posts you don't need to go down the augment route if the only extra functionality you require is to have mobile accounts, as the other two methods create the same result with much less work. It's frustrating that all this works fine with Leopard client and Snow Leopard server. I think we would stick with Leopard client, but as we are getting new machines all the time it's not an option.

    #378628
    cmra
    Participant

    In the interests of others wanting to go down this path here is some more useful information.

    Logging on to a test machine, both 10.6 and 10.5, I examined the Kerberos state and error logs remotely at the different stages of mobile home creation and synchronisation.

    To start with kerberos on 10.6

    User Logging on

    Klist

    Kerberos 5 ticket cache: ‘API:Initial default ccache’
    Default principal: [email protected]

    Valid Starting Expires Service Principal
    05/17/10 13:59:24 05/17/10 23:59:24 krbtgt/[email protected]
    renew until 05/18/10 13:59:24

    Create Mobile Account Y/N?

    Y

    “Home Sync Failed, Continue without a synced home?
    If you continue, sync your home as soon as possible. If you cancel, your home will not be created.”

    Cancel or Continue

    klist:Internal credentials cache error while locating the default credentials cache

    Examining the user record with dscl reveals the cache is present.

    Continue

    Klist

    Kerberos 5 ticket cache: ‘API:Initial default ccache’
    Default principal: [email protected]

    Valid Starting Expires Service Principal
    05/17/10 13:59:24 05/17/10 23:59:24 krbtgt/[email protected]
    renew until 05/18/10 13:59:24

    05/17/10 14:04:12 05/17/10 23:59:24 afpserver/[email protected]
    renew until 05/18/10 13:59:24

    On the users second login the login sync will work as expected, with no Kerberos tickets dropped. Logout sync never initiates unless triggered manually at least once from the Finder menu.
    In addition the process never checks the most recent version of the user's home, unlike in Leopard where this feature works as expected.

    I repeated the procedure this time examining the /var/db/system.log during the login process

    This is with a user augmented using MCX prefs; note it seems not to be able to launch the ccacheserver daemon for the user.

    Log in with user
    May 18 10:52:10 snowleptestv1 edu.mit.Kerberos.CCacheServer[1111]: launchctl start error: No such process
    May 18 10:52:11 snowleptestv1 SecurityAgent[1103]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring…
    May 18 10:52:13 snowleptestv1 DirectoryService[11]: Misconfiguration detected in hash ‘Kerberos’ – see /Library/Logs/DirectoryService/
    DirectoryService.error.log for details

    Create Mobile Account Y/N ?

    Home sync Failed

    May 18 10:53:51 snowleptestv1 com.apple.launchctl.Background[1131]: Bug: launchctl.c:2325 (23930):2: (dbfd = open(g_job_overrides_db_path, O_RDONLY | O_EXLOCK | O_CREAT, S_IRUSR | S_IWUSR$
    May 18 10:53:51 snowleptestv1 HomeSync[1127]: HomeSync.doHomeSyncLoginLogout: Unable to mount server URL at ‘afp://ourserver.com/TestHomes/’ (80). No sync will occ$
    May 18 10:53:52 snowleptestv1 HomeSync[1127]: HomeSync.cinch_doLoginChecks Login sync returned 80
    May 18 10:53:53 snowleptestv1 com.apple.coreservicesd[54]: ThrottleProcessIO: throttling disk i/o

    Continue Y

    May 18 10:56:14 snowleptestv1 edu.mit.Kerberos.CCacheServer[1134]: launchctl start error: No such process
    May 18 10:56:14 snowleptestv1 loginwindow[1090]: Login Window – Returned from Security Agent
    May 18 10:56:14 snowleptestv1 MCXLoginLogoutScriptTool[1141]: login: “loginscripts” in “com.apple.mcxloginscripts” is missing or is not a CFArray.
    May 18 10:56:14 snowleptestv1 com.apple.loginwindow[1090]: 2010-05-18 10:56:14.177 MCXLoginLogoutScriptTool[1141:903] login: “loginscripts” in “com.apple.mcxloginscripts” is missing or is$
    May 18 10:56:14 snowleptestv1 loginwindow[1090]: USER_PROCESS: 1090 console
    May 18 10:56:14 snowleptestv1 com.apple.launchctl.Aqua[1143]: Bug: launchctl.c:2325 (23930):2: (dbfd = open(g_job_overrides_db_path, O_RDONLY | O_EXLOCK | O_CREAT, S_IRUSR | S_IWUSR)) != $
    May 18 10:56:14 snowleptestv1 com.apple.launchd.peruser.1340472719[1129] (com.apple.ReportCrash): Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
    May 18 10:56:14 snowleptestv1 com.apple.launchctl.Aqua[1143]: Bug: launchctl.c:2325 (23930):2: (dbfd = open(g_job_overrides_db_path, O_RDONLY | O_EXLOCK | O_CREAT, S_IRUSR | S_IWUSR)) != $
    May 18 10:56:14 snowleptestv1 migCacheCleanup[1147]: Flushing Cache Locations…
    May 18 10:56:14 snowleptestv1 com.apple.loginwindow[1090]: 2010-05-18 10:56:14.379 migCacheCleanup[1147:903] Flushing Cache Locations…
    May 18 10:56:14 snowleptestv1 com.apple.loginwindow[1090]: Deleted: /Users/user/Library/Caches/Cleanup At Startup

    DirectoryService.error.log

    2010-05-18 10:56:23 BST – T[0x0000000104699000] – Misconfiguration detected in hash ‘Kerberos’:
    2010-05-18 10:56:23 BST – T[0x0000000104699000] – User ‘user’ (/Local/Default) – ID 1340472719 – UUID CFE5FD8F-07FB-4D32-9B4D-34E28CA21874 – SID S-1-5-21-111448075-1160815709-283310661$

    Next I tried logging in with a test account augmented in the WGM with the Apple Attributes and with syncing enabled via Managed Preferences.

    Note that a network home is created at 11:12 but the service is unable to mount this folder at 11:14, Kerberos CCache daemon again. (This is a per-user Launch Agent that maintains a user's Kerberos credentials.)

    Login

    May 18 11:12:47 snowleptestv1 DirectoryService[11]: Misconfiguration detected in hash ‘Kerberos’ – see /Library/Logs/DirectoryService/DirectoryService.error.log for details
    May 18 11:12:49: — last message repeated 3 times —
    May 18 11:12:49 snowleptestv1 edu.mit.Kerberos.CCacheServer[1315]: launchctl start error: No such process
    May 18 11:12:49 snowleptestv1 SecurityAgent[1299]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring…
    May 18 11:12:55 snowleptestv1 authorizationhost[1298]: afp home directory mount succeeded

    Create Mobile Account Y/N

    Y

    May 18 11:12:56 snowleptestv1 DirectoryService[11]: Misconfiguration detected in hash ‘Kerberos’ – see /Library/Logs/DirectoryService/DirectoryService.error.log for details
    May 18 11:14:46 snowleptestv1 HomeSync[1335]: HomeSync.doHomeSyncLoginLogout: Unable to mount server URL at ‘afp://ourserver.com/TestHomes/’ (80). No sync will occ$
    May 18 11:14:47 snowleptestv1 HomeSync[1335]: HomeSync.cinch_doLoginChecks Login sync returned 80
    May 18 11:14:48 snowleptestv1 com.apple.coreservicesd[54]: ThrottleProcessIO: throttling disk i/o

    Home Sync Failed

    May 18 11:16:28 snowleptestv1 edu.mit.Kerberos.CCacheServer[1344]: launchctl start error: No such process
    May 18 11:16:28 snowleptestv1 loginwindow[1286]: Login Window – Returned from Security Agent
    May 18 11:16:28 snowleptestv1 MCXLoginLogoutScriptTool[1351]: login: “loginscripts” in “com.apple.mcxloginscripts” is missing or is not a CFArray.
    May 18 11:16:28 snowleptestv1 com.apple.loginwindow[1286]: 2010-05-18 11:16:28.821 MCXLoginLogoutScriptTool[1351:903] login: “loginscripts” in “com.apple.mcxloginscripts” is missing or is$
    May 18 11:16:28 snowleptestv1 loginwindow[1286]: USER_PROCESS: 1286 console

    Next I compared the process logging on with a 10.5.8 client, with Mobile Account creation and syncing set by managed preferences. Note there are no kerberos errors.
    Login with user

    May 18 12:50:21 testleopardfordev3 loginwindow[471]: Login Window Started Security Agent
    May 18 12:50:42 testleopardfordev3 authorizationhost[482]: MechanismInvoke 0x11bb10 retainCount 2
    May 18 12:50:42 testleopardfordev3 SecurityAgent[483]: MechanismInvoke 0x180da0 retainCount 1
    May 18 12:50:44 testleopardfordev3 /System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter[494]: SessionGetInfo(0x1ea21b0) -> -2147417855
    May 18 12:50:49 testleopardfordev3 com.apple.usbmuxd[293]: stopping.
    May 18 12:50:49 testleopardfordev3 com.apple.usbmuxd[496]: usbmuxd-176 built for iTunesNine on Jul 20 2009 at 13:06:53, running 32

    Create Mobile Account Y/N?

    Y

    May 18 12:52:10 testleopardfordev3 org.apache.httpd[579]: httpd: Could not reliably determine the server’s fully qualified domain name, using testleopardfordev3.local for ServerName
    May 18 12:52:11 testleopardfordev3 HomeSync[580]: Could not find image named ‘mobility_64’.
    May 18 12:52:12 testleopardfordev3 kernel[0]: AFP_VFS afpfs_mount: /Volumes/TestHomes, pid 580
    May 18 12:52:17 testleopardfordev3 /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[592]: reading from /Users/user/Library/FileSync/FileSyncAgent_key_dir_2010-0$
    May 18 12:52:17 testleopardfordev3 /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[592]: setting security information: Operation not permitted
    May 18 12:52:21 testleopardfordev3 SecurityAgent[483]: NSSecureTextFieldCell detected a field editor ((null)) t

    Logged in

    I also checked the Kerberos on login with klist, there were no errors at any point as you would expect.
    It seems that the synchronisation process is currently flawed using synced mobile accounts with AD in Snow Leopard. Broken CCacheServer? Kerberos is part of the jigsaw. Good luck, people!
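As an added example that is not part of the thread or of any Apple tool, here is a small POSIX shell script that checks for the two signs cmra's posts describe: a klist output with no TGT (or no credentials cache at all), and the CCacheServer / HomeSync mount-failure lines in system.log. The klist output and log lines are constructed samples modelled on the transcripts above; the realm EXAMPLE.COM and host ourserver.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for two symptoms reported
# above, a user with no TGT after first login and HomeSync failing to mount
# the AFP home. Sample klist output and system.log lines are constructed;
# the realm EXAMPLE.COM and host ourserver.example.com are placeholders.

# tgt_state REALM: reads klist output on stdin and prints no-ccache (klist
# could not locate a credentials cache), tgt (krbtgt/REALM@REALM present)
# or no-tgt (a cache exists but holds no TGT for REALM).
tgt_state() {
    out=$(cat)
    case "$out" in
        *"credentials cache error"*) echo no-ccache; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q "krbtgt/$1@$1"; then
        echo tgt
    else
        echo no-tgt
    fi
}

# homesync_errors: reads system.log lines on stdin and counts the three
# markers the thread correlates with a failed mobile-home sync.
homesync_errors() {
    grep -c -E 'CCacheServer\[[0-9]+\]: launchctl start error|HomeSync\.doHomeSyncLoginLogout: Unable to mount|Login sync returned 80' || true
}

# Constructed sample: klist after a successful first login.
KLIST_OK=$(cat <<'EOF'
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@EXAMPLE.COM

Valid Starting     Expires            Service Principal
05/17/10 13:59:24  05/17/10 23:59:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
)
# Constructed sample: klist while the "Home Sync Failed" dialog is showing.
KLIST_ERR='klist:Internal credentials cache error while locating the default credentials cache'
# Constructed sample: system.log excerpt around mobile account creation.
SYSLOG=$(cat <<'EOF'
May 18 11:12:49 host edu.mit.Kerberos.CCacheServer[1315]: launchctl start error: No such process
May 18 11:12:55 host authorizationhost[1298]: afp home directory mount succeeded
May 18 11:14:46 host HomeSync[1335]: HomeSync.doHomeSyncLoginLogout: Unable to mount server URL at 'afp://ourserver.example.com/TestHomes/' (80). No sync will occur
May 18 11:14:47 host HomeSync[1335]: HomeSync.cinch_doLoginChecks Login sync returned 80
EOF
)
printf '%s\n' "$KLIST_OK"  | tgt_state EXAMPLE.COM   # prints: tgt
printf '%s\n' "$KLIST_ERR" | tgt_state EXAMPLE.COM   # prints: no-ccache
printf '%s\n' "$SYSLOG"    | homesync_errors         # prints: 3
```

On a real client you would pipe the output of `klist` and the relevant slice of the system log into these functions instead of the constructed samples.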
