Disable automount where volume is already mounted?

Viewing 14 posts - 16 through 29 (of 29 total)
  • #378856
    tlarkin
    Participant

    I work for a school system, so Wyandotte is a high school and 2011 is a graduation year. It is a way that I nest home folders within a share point. I do it by building and graduation year.

    #378857
    DrKdev
    Participant

    ok. Cool.

    So, on [i]xs106-b[/i] you have a hard disk mounted on [i]/Volumes/data_hd[/i] and in there you have [i]homes[/i].
    You’ve created a sharepoint called [i]homes[/i] from [i]/Volumes/data_hd/homes[/i], guest-sharing automountable.

    I suspect that you do NOT also have a sharepoint called [i]/Volumes/data_hd[/i] like we do?
    (maybe that’s my mistake).

    Is 11briric able to ssh into xs106-b? Is his resulting HOME set to
    1. /Users/11briric
    2. /Network/Servers/xs106-b.kckps.org/Volumes/data_hd/homes/wyandotte_2011/11briric
    or
    3. /Volumes/data_hd/homes/wyandotte_2011/11briric

    If the answer is 1 or 2, then what happens when both [i]11briric[/i] and [i]11bob[/i] are ssh'd into [i]xs106-b[/i] at the same time? Do they both retain write access?

    And if 11briric logs in via the login panel on xs106-b, what is their HOME? 1.,2.,or 3.?

    Maybe it works for you because your sharepoint is called [i]homes[/i] and not [i]users[/i].

    #378858
    tlarkin
    Participant

    I don’t give my users ssh access, so nope, they cannot. They cannot even access the terminal. However, since OD is replicated across the board, they can be in any location and log in with their LDAP credentials into any machine bound to the directory.

    #378859
    DrKdev
    Participant

    Ok.

    Actually, that much *is* working for me.
    As long as the users are only using the client macs, they can use the login-panels with their LDAP credentials.

    My problems start when we consider them ssh-ing or login-paneling into the file-server (server1) or computation-server (server2).

    Thanks for all your help so far, btw.

    shawn

    #378860
    tlarkin
    Participant

    [QUOTE][u]Quote by: DrKdev[/u][p]Ok.

    Actually, that much *is* working for me.
    As long as the users are only using the client macs, they can use the login-panels with their LDAP credentials.

    My problems start when we consider them ssh-ing or login-paneling into the file-server (server1) or computation-server (server2).

    Thanks for all your help so far, btw.

    shawn[/p][/QUOTE]

    Well I do use Casper at work, and there is an ssh account on every machine used for management. However, that ssh account is local and doesn’t really need a home directory, it just needs to be able to execute policy from the Casper Servers.

    If your users are already going to be logging into their macs, and their home folders are already going to mount, why not just find a way to tell sshd to never mount home folders when a user authenticates over ssh? I am not sure if that is viable, but it seems like a work around that could possibly work.

    #378861
    DrKdev
    Participant

    [b]Oh my goodness.. what a brilliant idea…. for the servers :-))))[/b]

    Actually… if they ssh from one clientmac to another, it’s normal (and it works) that they are given access to their network home. For example:[code]user1@mac1:~ > pwd
    /Users/user1
    user1@mac1:~ > ssh mac2
    Password:
    Last login: Thu Jun 24 16:14:09 2010 from mac1.disney.ch
    user1@mac2:~ > pwd
    /Network/Servers/server1.epfl.ch/Volumes/team1/users/user1

    user1@mac2:/Volumes > df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/disk0s2 298G 42G 256G 14% /
    devfs 108K 108K 0 100% /dev
    afp_4CklDY4dyApk4Cs3qI0ykk2M-1.2d00000e
    6.9T 3.8T 3.2T 55% /Network/Servers/server1.disney.ch/Volumes/team1/users[/code]But YOU’RE RIGHT!
    If I can find a way so that sshing/logging into server2 sets their HOME to /Volumes/team1/users/user1 then everything would work!
    (Actually, equivalently.. if I could just somehow force /Network/Servers, on server2, to contain a symbolic link server1.epfl.ch–>/ that would do the trick too) 🙂

    I can feel success around the corner.

    #378862
    DrKdev
    Participant

    [b]I FOUND A SOLUTION[/b] (I’m so happy)[code]On server2, do the following:
    1. comment-out the /Network/Servers line in /etc/auto_master
    2. tell autofs to reread the config files: sudo automount -v
    3. in /Network/Servers create the folder server1.disney.ch
    4. in /Network/Servers/server1.disney.ch create the folder Volumes
    5. in /Network/Servers/server1.disney.ch/Volumes create a symbolic link to /Volumes/team1[/code]So now, when user1 (who has a mobile account) ssh’s from mac1 into server2, he will be given his network home folder, as usual: /Network/Servers/server1.disney.ch/Volumes/team1/users/user1
    He’s given that because WGM on server1 (where the AFP server is autosharing /Volumes/team1/users) has his home folder configured as follows:[code]CONFIGURATION 1
    Server/sharepoint url: afp://server1.disney.ch/users
    Path to home folder: user1
    Full path: /Network/Servers/server1.epfl.ch/Volumes/team1/users/user1[/code]Since /Network/Servers is no longer managed by autofs, and the symbolic link (of step5) is in place, the home folder is correctly provided. 🙂 (I still want to know why autofs was failing to handle the /Network/Servers folder and am wondering if it’s related to our use of XSan).

    And since there is no actual mounting going on, the double-mount problem mentioned at the head of this thread isn’t happening either. 🙂

    On the client machines, his mobile account means that he logs into /Users/user1. When he syncs his portable home directory (PHD + [i]’a synced subset of his network home folder and local home folder[/i]’ according to the 10.6 manuals) a temporary mount of /Volumes/users (from the afp sharepoint on server1) occurs during syncing.

    OOF!

    [b]@TLARKIN & @MACSHOME,.. When next you come to Switzerland, your free beer’s on me.[/b]
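    The five steps above, as an added example that is not part of DrKdev's post or of anything Apple ships: a small POSIX shell script that rehearses the procedure against a scratch root (so it can be tested on a spare directory before it is run as root on server2 with ROOT=/, where the files are /etc/auto_master and /Network/Servers and the link target is /Volumes/team1). The function names, the scratch-root parameter and the world-writable check are this example's own additions; step 2 (`sudo automount -v`) is left to the operator because it only means anything on the live machine.

```shell
#!/bin/sh
# Added example (not the post's own commands). Rehearses DrKdev's steps 1 and
# 3-5 against a scratch root; on the real server use ROOT=/ and run as root,
# then re-read the maps with `automount -v` as the post says (step 2).

# Step 1: comment out the /Network/Servers map line in an auto_master file.
# Only that line is touched; `/-  -static` and the rest stay active.
disable_network_servers_automount() {
  master=$1
  sed -E 's|^(/Network/Servers[[:space:]])|#\1|' "$master" > "$master.tmp" &&
    mv "$master.tmp" "$master"
}

# Steps 3-5: create /Network/Servers/<fqdn>/Volumes and put a symlink named
# <name> (team1 in the post) in it that points at <target> (/Volumes/team1).
install_home_symlink() {
  root=$1 fqdn=$2 name=$3 target=$4
  dir="$root/Network/Servers/$fqdn/Volumes"
  mkdir -p "$dir"
  ln -sfn "$target" "$dir/$name"
}

# Print the physical location of the home path WGM hands out
# (/Network/Servers/<fqdn>/Volumes/<name>/users/<user>), so it can be compared
# with the already-mounted volume. Fails if the path does not resolve.
resolve_home() {
  root=$1 fqdn=$2 name=$3 user=$4
  home="$root/Network/Servers/$fqdn/Volumes/$name/users/$user"
  [ -d "$home" ] && (cd "$home" && pwd -P)
}

# Caveat: once /Network/Servers is a plain directory instead of an autofs map,
# every component of the hand-made path must not be writable by others, or a
# local user could replace the link and redirect everybody's network home.
# Prints offending paths; returns 0 when the chain is clean.
check_path_not_world_writable() {
  root=$1 fqdn=$2
  bad=0
  for p in "$root/Network" "$root/Network/Servers" \
           "$root/Network/Servers/$fqdn" "$root/Network/Servers/$fqdn/Volumes"; do
    if [ -n "$(find "$p" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
      echo "world-writable: $p"
      bad=1
    fi
  done
  return $bad
}
```

    Run the functions against a temporary root first (`ROOT=$(mktemp -d)`), confirm that `resolve_home` prints the path inside the already-mounted volume, and only then repeat with ROOT=/ on server2. The ownership check is worth keeping in a cron job: the post's trick replaces a kernel-managed mount with an ordinary symlink, so the link's parents become part of the trust boundary.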

    #378863
    tlarkin
    Participant

    Glad you got it working, because I was sort of taking shots in the dark at your issues, hahaha. Man I need to go to Europe one of these days on a side note!

    #378908
    DrKdev
    Participant

    Sorry to say this but,..

    That ‘solution’ only seems to work under two conditions 🙁
    1. when sshing from the newly installed laptop
    2. when using a fully qualified hostname for the server (as opposed to Local name)

    When coming from an [b]older[/b] laptop [i]mac6[/i] (but still using the [i]user1[/i] account that had been successful from [i]mac9[/i]) ssh-ing into [i]server2[/i] still causes server2.disney.ch (the ODreplica) to RE-MOUNT /Volumes/team1/users whether or not the ssh-ing is to server2.disney.ch or to server2.local (causing us those file permission errors that lead off this thread).

    When using the [b]new[/b] laptop [i]mac9[/i] (using that user1 account) ssh-ing into server2.disney.ch does [b]NOT[/b] cause any mount to happen (So the permissions on /Volumes/team1/users – which is inside the already mounted /Volumes/team1 – happily don’t change) and the user’s home directory (specified in the full path via WGM) is respected thanks to the manually installed symbolic link in /Network/Servers/server1.disney.ch/Volumes/team1/users–> /Volumes/team1 ).
    BUT
    When using that new laptop to ssh into server2.local, the server double-mounts (I called this afs-prejudice in a related posting – http://discussions.apple.com/thread.jspa?threadID=2483662&tstart=0 ).

    [b]Any new brainstorm thoughts @tlarkin,.. @macshome ?[/b]

    shawn

    p.s. Upgrading the server and clients to 10.6.4 + rebooting, didn’t resolve the issue.

    #378911
    tlarkin
    Participant

    What are the differences between the Macs? OS versions? Are they bound? DNS is something you [u]must[/u] have working in order for services to function over the network.

    #378915
    DrKdev
    Participant

    @Tlarkin,.. All our client Macs are identical for OS (10.6.4). Differences are with the processor (2.93GHz versus 1.83GHz and/or Intel Core 2 Duo versus Intel Core Duo) – actually, here I’m comparing a problem-causing portable (mac6) to the successful ssh-ing mini (mac1).

    :::: Are the Macs bound?
    :::: DNS is something you must have
    :::: working in order for services to function
    :::: over the network

    [b]1. Answering your questions :[/b]

    If you mean by [i]bound[/i], ‘bound to an OD server’, then yes: In Prefs>Accounts>Login I learn the following:[code]On Server2 (where we’re getting the double-mount):
    Network Account Server: local server
    Remember that server2 is the OD-replica

    On Mac6 (from which, if I ssh into server2 it causes a double-mount)
    Network Account Server: server1.disney.ch

    On Mac1 (from which, if I ssh in server2.disney.ch no doublemount occurs, but ssh into Mickeymouse.local a doublemount occurs).
    Network Account Server: server1.disney.ch[/code][b]2. How can I be sure DNS is correct?[/b]

    Is there a summary somewhere, for knowing all the points to check?
    I already know to do [i]sudo changeip -checkhostname[/i] and that this should reveal identical values for current hostname and DNS hostname (in our case [b]the values differ[/b]).[code]admin@server1:~ > sudo changeip -checkhostname
    Primary address = 128.178.123.45 (<---- correctly corresponds to our manual setting)
    Current HostName = Mickeymouse.local (<---- we've set computer name to be Mickeymouse in Prefs>Sharing)
    DNS HostName = server2.epfl.ch

    To fix the hostname please run /usr/sbin/changeip for your system with the
    appropriate directory with the following values
    /usr/sbin/changeip 128.178.123.45 128.178.123.45 Mickeymouse.local server2.disney.ch
    dirserv:success = "success"[/code][b]3. Finding a way to tell sshd to never mount[/b]

    I’m looking into this suggestion by @tlarkin.
    Any docs on this somewhere, beyond the man-pages?
    I found a 2002 article here: http://www.macwrite.com/critical-mass/secure-shell-logins-and-mac-os-x-part-1

    [b]4. Using a custom mount-point per user ?[/b]

    If I can’t avoid the double-mount, what do you guys think of @TK’s solution to make a custom mount point per user?
    http://discussions.apple.com/message.jspa?messageID=9991495&tstart=0
    That would allow the double-mount to happen, but at a low-enough level so that the file-permission problems don’t matter.

    s.

    #378920
    tlarkin
    Participant

    Another shot in the dark here, have you tried using sshfs at all? It has options to set mount points of home directories, you could write a function maybe that points the home directory back to the local machine when using ssh?

    #379632
    pablomole
    Participant

    Hello all, this thread is the closest/same error I am getting, and I’m hoping someone can throw a little light on it because I’m all out of coffee….

    I get the following error on logging in on one of the two test Macs I’m using:

    “You are unable to log on to the user account at this time” and
    “Logging in to the account failed because an error occurred”.

    I’ve also noted that Clients take an ‘age’ to logout, without Public Internet connectivity. However, I think this is unrelated.

    I’m trying to set up a small system, and the environment right now is small, controlled & managed and low traffic, specifically:

    MacMini Server (10.6.4)
    Client 1 – Macbook Air (10.6.4)
    Client 2 – MacBook Pro (10.6.4)
    Connectivity – DLInk Ethernet Router (CONNECTED TO THE INTERNET)
    Kerberos Realm SERVER.DOMAIN.CO.UK
    DNS Address server.domain.co.uk

    Used WGM to :
    – create users with home dirs (in the default automount)
    – shared an application from the server

    Preferences:

    Folder redirection is on to minimise network traffic. This works because if I make a change to the desktop, or documents folder for example, the change is noted on the server when browsing ‘File Sharing’.

    Services and Setup:

    Address Book
    – Kerberos
    – SSL – Don’t Use

    iCal
    – Type DIgest
    -SSL – Don’t Use

    Mail
    – Login and Plain disabled
    – No SSL used.

    AFP
    – Kerberos

    DNS
    – zone records for Primary and Reverse work for the server.
    – (no local zones)

    Open Directory
    – Role Open Directory Master
    – LDAP – no SSL

    Push Notification
    – server.domain.co.uk iCal
    – server.local Mail

    KEY ISSUES:

    I can login to all accounts on the MacBook Pro, mail works, iCal works and shares are accessible.
    But when I log in to the account from the MacBook Air, I see the following in the system.log file

    secure.log:Oct 10 12:52:10 macbook-air SecurityAgent[152]: User info context values set for helen
    secure.log:Oct 10 12:52:11 macbook-air authorizationhost[149]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=afp://server.domain.co.uk/Users, homedir=/Network/Servers/server.domain.co.uk/Users/helen, name=helen ) returned 80

    I also frequently see errors in ‘Server Admin’, such as:

    “The service has encountered an error.”
    Try to refresh the view (server.local/Address Book). (kNetworkError).

    I do not know if the above is related or not, and in Open Directory, there are 2 IP addresses listed in the ‘Replica Tree’.
    The first is an old unused IP address (192.168.0.100). Can this be removed?

    cat /private/etc/hostconfig
    # This file is going away

    DNSSERVER=-YES-
    AFPSERVER=-NO-
    AUTHSERVER=-NO-
    AUTOMOUNT=-YES-
    NFSLOCKS=-AUTOMATIC-
    NISDOMAIN=-NO-
    TIMESYNC=-YES-
    QTSSERVER=-NO-
    WEBSERVER=-NO-
    SMBSERVER=-NO-
    SNMPSERVER=-NO-
    PARALLELS=-YES-
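    The secure.log line pablomole pasted is the one record that says exactly which sharepoint URL, which /Network/Servers path and which return code the home-directory mounter used. As an added example (not part of pablomole's post, and not an Apple tool), here is a POSIX shell filter that pulls those fields out of a file of secure.log lines, lists the failed premounts, and flags the case this whole thread keeps circling: the sharepoint URL naming one host (server.local) while the /Network/Servers path names another (server.domain.co.uk). The sample log lines in `sample_log` are constructed for the test; the helen line copies the post's format, the bob line and its return code 0 are invented to show the contrast.

```shell
#!/bin/sh
# Added example (not from the thread): parse HomeDirMounter records out of
# secure.log and flag failures and host mismatches. Sample lines are constructed.

# Print "user url homedir rc" for every PremountHomeDirectoryWithAuthentication
# record on stdin, whatever prefix (grep filename, syslog header) precedes it.
premount_records() {
  sed -n -E \
    's/.*PremountHomeDirectoryWithAuthentication\( *url=([^,]+), *homedir=([^,]+), *name=([^ )]+) *\) returned ([0-9]+).*/\3 \1 \2 \4/p'
}

# Only the records with a non-zero return code (80 in the post).
home_mount_failures() {
  premount_records | awk '$4 != 0'
}

home_mount_failure_count() {
  home_mount_failures | wc -l | tr -d ' '
}

# Host part of afp://host/share.
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-z]+://([^/]+)/.*#\1#'
}

# Host component of /Network/Servers/<host>/...
homedir_host() {
  printf '%s\n' "$1" | sed -E 's#^/Network/Servers/([^/]+)/.*#\1#'
}

# Print "user url-host homedir-host" wherever the sharepoint URL and the
# /Network/Servers path disagree about which server holds the home. A .local
# name on one side and an FQDN on the other is the double-mount recipe from
# earlier in the thread, and it is also the name Kerberos will try to match.
home_path_host_mismatch() {
  premount_records | while read -r user url homedir rc; do
    uh=$(url_host "$url")
    hh=$(homedir_host "$homedir")
    [ "$uh" = "$hh" ] || printf '%s %s %s\n' "$user" "$uh" "$hh"
  done
}

# Constructed sample: the first two lines follow pablomole's paste, the third
# is an invented successful premount whose URL uses the Bonjour name.
sample_log() {
  cat <<'EOF'
secure.log:Oct 10 12:52:10 macbook-air SecurityAgent[152]: User info context values set for helen
secure.log:Oct 10 12:52:11 macbook-air authorizationhost[149]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=afp://server.domain.co.uk/Users, homedir=/Network/Servers/server.domain.co.uk/Users/helen, name=helen ) returned 80
Oct 10 13:01:02 macbook-pro authorizationhost[171]: PremountHomeDirectoryWithAuthentication( url=afp://server.local/Users, homedir=/Network/Servers/server.domain.co.uk/Users/bob, name=bob ) returned 0
EOF
}
```

    On a client, `grep PremountHomeDirectoryWithAuthentication /var/log/secure.log | home_mount_failures` gives the failing users and codes without scrolling the log; `home_path_host_mismatch` on the same input shows whether the home record in WGM and the sharepoint URL even agree on a hostname, which is the first thing to fix before looking at the return code.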

    #379684
    tlarkin
    Participant

    If you changed the IP address of your server, you need to use the changeip command to ensure that all DNS records are set up properly.
