Local Home Dir / Network Home Dir setting?

[LazLong]

Where is the setting stored for the type of home dir (network or local) a given user has? I know the AD plugin has the force local home dir, but that appears to be a system-specific setting rather than a user-specific setting.

The reason I ask, is that I’ve got a user on a 10.4.3 system who I can’t get configured to work out of their network home dir. The user doesn’t have a dir in /Users, but the system insists on creating one and storing settings there, even tho it is mounting the network home dir.

[chrisjasper]

The setting comes from the AD plugin in Directory Access, as long as you have bound the machine and set the correct kind of home directory it will work 10.4.3.

You need to make sure “Force local home directory on startup disk” is unticked and make sure that “Use UNC path from Active Directory to derive network home location” is ticked.
Try to use AFP on an apple server for the network home folder if you can, if you have it on a windows server do not use AFP as the windows AFP stack will not work at all, use SMB.
Extreme Z-IP will work very well though for AFP.
Make very certain that you have the correct path set in the users AD account, it is very case sensitive.

Also ensure that the AD setting comes directly after the /NetInfo/DefaultLocalNode setting (this should be at the top and greyed out as you should not be able to remove it) in the Authentication tab in Directory Access. If you have any other kind of authentication set up, such as ldap authentication to an OD server it must come after the AD setting.

[dom9inic]

Hi Chrisjasper,

when you say,

[QUOTE]Make very certain that you have the correct path set in the users AD account, it is very case sensitive.[/QUOTE]

What does that mean? You don’t mean specify the correct path in the Directory Access Plugin as there is no option to do so. You mean at the AD server? In that case, what is a correct Windows path that is compatible with the Mac Directory Access Plugin?

Does the Mac Directory Access Plugin require a specific Directory Structure on the AD Home Folder server? I didn’t think so, but then again, I’m not an authority.

Cheers

[chrisjasper]

The path is set in the profile tab of the AD user account in Active Directory Users and Computers, set the path to the correct server, share and folder e.g. \\\\Server1\\Users\\ANOther, it doesnt matter which drive letter you map the folder to, I use P: for personal out of habit, the mac ignores that part anyway.

There is no specific directory structure required, as long as you have the correct path typed in and the user has access to it it should work fine, not sure if the mac will fill the folder with the necessary folder structure when the user first connects (Public, Movies, Pictures etc.) as we create our home folders manually at the moment so we can use a specific template for the neccesary settings and folders we need where I work.

(Edit: Apologies, the path above is supposed to have backslashes in but this forum appears to remove them, replace the forward slashes with backward ones. Ed. note: You have to escape your backslashes with yet more backslashes. 🙂 )

[dom9inic]

Cheers Chrisjasper,

that’s what I thought you were driving at, just wanted to be clear. Especially as yet, the AD Home folder does not mount for my 10.4.3 clients at all. I even spoke to the Apple tech gurus at a recent event in London and they testified to my Directory Access setup. However, can’t get that folder to mount, which is delaying our rollout.

Need to remote monitor the login with DirectoryService.debug in hyper mode , see what gives.

[chrisjasper]

Its worth checking the permissions on your folders, try setting a generic users account to “everyone” access on the folder and see if that mounts, if not then the problem lies elsewhere.

SMB mounting for a windows shared folder work for me, we are running windows 2003 server, 2000 may be a little more finicky.

To be honest though, we are starting to look at migrating away from network home folders and using mobile users instead, we have had a few instances where the appletalk listener has crashed and all our network home users just died, despite a complete reconfig of our entire network inrastructure. Mobile accounts give us the best of both worlds in terms of user experience and redundancy/backup.

[dom9inic]

Hi all,

No MS Cluster behind the scenes.

Don’t know where to check the NIDB Cached User.

Connect to server mounts the entire User Home Dir, so I can see all user home folders, but only have permissions to read write within my home dir. (My meaning test account). Is that the problem? That I cannot mount an individual Home Dir? That I’m only able to mount the whole share? The connect looks something like this:

smb://eg-example/staff/user.name

But this only results in the whole share being mapped. I can do the same leaving out the user.name

Directory Service debug shows nothing that I can decipher. I see the CreateHomeDir running through NetInfo but no errors about trying to mount a remote HomeDir through the AD plug. Then again, that logfile is long and as I don’t know what a correct AD Plug Home Dir mount logfile should look like, I’m not sure what to look for.

tcpdump showed lots of handshaking between the AD servers but nothing of note about HomeDirs. Will do a few more, see if anything jumps out.

Will check sys log tomorrow, tired.

Thanks for all your help.

[LazLong]

[QUOTE BY= macshome]Take a look at the cached user record in the NIDB and see what it has for your home location.[/QUOTE]

This was it. Being a casual (read that as infrequent, as in when forced ) I keep forgetting that the Mac caches stuff in the evil NIDB.

[QUOTE BY= macshome]Are these homes on a MS Cluster?[/QUOTE]

No, they are on an RHEL box and are being mounted via afp by means of netatalk v2.03. I got tired of trying to solve the evil file locking problem FireFox had with SMB mounted (via samba) homedirs, and gave up. Don’t suppose you have any pointers on this?

Thanx for your help! I just wish I could get our Mac admins to frequent this site….

[chrisjasper]

To Dom9inic:
As long as you have the correct path in the AD profile setting and set the correct protocol (SMB in your case I believe), it should mount the network home directory in the local file structure, it should go direct to the necessary folder rather than mounting the entire share (Although the share will mount as a volume on your desktop, but the home folder will be directly placed in your sidebar).

to LazLong:
Got me stumped, not sure if the version of netatalk that comes with RHEL is fully compatible with OsX 10.4.3. Could you share a folder on a standard mac workstation with the home folder to see if it mounts?

[dom9inic]

To ChrisJasper,

when you say mount the network home in the local filesystem, you don’t mean?:

/Users/username

Surely it must be

/Network/Servers/servername/username

or something similar?

Either way, what I get is a local homedir as I can see throughout the DirectoryService.debug.log

I can see NetInfo creating it. I just don’t see any AD activity failing.

Any idea why when I mount the share it only goes to the whole mount point? Again, this is me doing the following:

smb://servername/staff/username

I get the staff share mount on the desktop and I open it and can see every users folder, but can only see the contents of my username.

[LazLong]

[QUOTE BY= chrisjasper]
to LazLong:
Got me stumped, not sure if the version of netatalk that comes with RHEL is fully compatible with OsX 10.4.3. Could you share a folder on a standard mac workstation with the home folder to see if it mounts?
[/QUOTE]

chrisjasper:

Sorry, I guess my message wasn’t clear. It was in reply to macshome’s suggestion to look at the NIDB’s cached user info. It indeed had the out of date info, and was overriding the AD UNC path for the homedir.

My issue with file locking has to do with samba shared homedirs and FireFox.

[LazLong]

[QUOTE BY= macshome]Netatalk is a AFP3.x server, so you should be OK there. Is the RHEL in your AD kerb realm? Were the mounts working with SMB? There are a few different things going on in this thread, so I just wanted to clarify.[/QUOTE]

macshome:

Yes, netatalk appears to work fine.

The RHEL server isn’t configured to auth via krb5, but Samba has security = ADS set.

The smb mounts via samba generally worked, with the exception of file locking issues with Mozilla and FireFox. It kept thinking the .profile was in use, when it wasn’t, and wouldn’t launch. The other issue appeared to do with amd (which on 10.3.x clients is the first version to support OS X), and it often not realizing that a mount had been successful. Users would then get the following message:

The “Home” folder for user “username” cannot be found in the usual place.

This resulted in their $HOME var not being set, and them getting the generic ‘profile.’ However, a df showed that the home dir had indeed mounted. I got tired of trying to figure this out (posted here a couple of times about it), and switched to netatalk. This was annoying as it meant one more service to support (as I already had Samba set up to support my Windows users).

[chrisjasper]

Dom9inic, the AD plugin derives the path from the AD account and mounts that path as your home directory as if it were on the local hard drive. If you customize the toolbar on your finder windows and add the path command you will be able to see where the home directory is coming from.

If the directory is on a non apple server it will mount the entire users share on the desktop as well and users will be able to see all the user folders, but as long as you have the correct security setup they will only be open their own.
This is due to Windows file sharing being a bit pants for Macs.

They should access their home directories through the home icon on the dock or the home icon on the sidebar in finder windows, rather than trying to browse the mounted share..

if you e-mail me I can send you a set of screenshots of an example setup that should work.

Do bear in mind though that SMB home directories can be pretty flaky from a windows box, if you are intent on sharing home directories from a windows server I would advise getting Extreme Z-IP and sharing through AFP instead.

[Author]

Posts