Forum Replies Created
cmra (Participant)
OK, we have found a solution to this using the MCX logout script.
As we all know, logout scripts run as the root user and you can pass the login username in with username=${1},
but if we try to run an rsync as the login user (using kerberized SSH) it doesn't find the correct tickets for the user, as it's still trying to run the command as the root user.
Solution: we fork out a background session as the login user.
----------------------------------------------------------------
#Note the & symbol which forks out the session
echo "forking out session for user" &
rsync -avuF --exclude=Library --exclude=.Trash --delete /Users/$username/ [email protected]:/Volumes/DATA/Homes/$username
----------------------------------------------------------------
This will then rsync as the login user with the correct tickets; you can run a klist in the logout script to test this. The user's principals should then be listed in the system.log on the client.
Note: this doesn't work with a login script, only on logout with Magic Triangle 10.6.3, due to the flaky Kerberos problems on the client (see my post in the Active Directory Forum).
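An added example, not code from the original post, of a logout script in the same shape but with the two checks a root-run MCX script that interpolates ${1} needs: a bad or empty username is refused (an empty one would turn /Users/$username/ into /Users/ and, with --delete, push every home on the machine to the server), and the sync is skipped when the user has no usable ticket. It drops to the user with su rather than the background fork in the post; the host name homes.example.com, the uid floor of 500 and the assumption that the su session can see the user's ticket cache are mine, not the post's, so confirm with klist as the post suggests before relying on it.

```shell
#!/bin/sh
# logout_sync.sh: hypothetical MCX logout script (added example, not the
# original poster's code). MCX runs logout scripts as root and passes the
# short name of the user logging out as $1.
#
# Assumed, not stated in the post: SYNC_HOST, that "su <user> -c" runs with
# the user's Kerberos ccache visible (verify with klist), and that rsync over
# kerberized ssh needs no password.

SYNC_HOST="${SYNC_HOST:-homes.example.com}"    # assumed host name
SYNC_BASE="${SYNC_BASE:-/Volumes/DATA/Homes}"  # path from the post
MIN_UID=500                                    # 10.6: real users start at 501

# Accept only a plain short name. The value is interpolated into a command
# line that runs as root, so refuse empty names, names with spaces, "/",
# "@" or shell metacharacters, and names starting with "." or "-".
validate_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# The exact command the user will run, printed as a string so it can be
# inspected (or asserted on) without touching rsync or su. The trailing slash
# on the source keeps rsync from nesting the home one level deeper on the server.
rsync_command() {
    user="$1"
    printf "rsync -avuF --exclude=Library --exclude=.Trash --delete '/Users/%s/' '%s@%s:%s/%s'" \
        "$user" "$user" "$SYNC_HOST" "$SYNC_BASE" "$user"
}

# Drop to the user and sync, but only for a real user with a local home and a
# usable ticket. Returns 2 for a refused request, 3 for "no ticket", otherwise
# rsync's own exit status.
run_sync_as_user() {
    user="$1"
    validate_username "$user" || { echo "refusing username '$user'" >&2; return 2; }
    uid="$(id -u "$user" 2>/dev/null)" || { echo "unknown user $user" >&2; return 2; }
    [ "$uid" -ge "$MIN_UID" ] || { echo "refusing system account $user" >&2; return 2; }
    [ -d "/Users/$user" ] || { echo "no local home for $user" >&2; return 2; }
    # klist -s is silent and exits non-zero when there is no valid TGT.
    if ! su "$user" -c 'klist -s'; then
        echo "no Kerberos ticket for $user; skipping sync" >&2
        return 3
    fi
    su "$user" -c "$(rsync_command "$user")"
}

# Only act when invoked by MCX with a username; loading the file for its
# functions alone does nothing.
if [ -n "${1:-}" ]; then
    run_sync_as_user "$1"
fi
```

The username filter is deliberately stricter than what AD allows; a name it rejects is logged and skipped rather than quoted through, because the cost of a wrong guess here is a root-run rsync --delete against the wrong path.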
cmra (Participant)
In the interests of others wanting to go down this path, here is some more useful information.
Logging on to a test machine, both 10.6 and 10.5, I examined the Kerberos states and error logs remotely at the different stages of mobile home creation and synchronisation.
To start with, Kerberos on 10.6:
User logging on
klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [email protected]
Valid Starting     Expires            Service Principal
05/17/10 13:59:24  05/17/10 23:59:24  krbtgt/[email protected]
        renew until 05/18/10 13:59:24
Create Mobile Account Y/N?
Y
"Home Sync Failed, Continue without a synced home?
If you continue, sync your home as soon as possible. If you cancel, your home will not be created."
Cancel or Continue
klist: Internal credentials cache error while locating the default credentials cache
Examining the user record with dscl reveals the cache is present.
Continue
klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [email protected]
Valid Starting     Expires            Service Principal
05/17/10 13:59:24  05/17/10 23:59:24  krbtgt/[email protected]
        renew until 05/18/10 13:59:24
05/17/10 14:04:12  05/17/10 23:59:24  afpserver/[email protected]
        renew until 05/18/10 13:59:24
On the user's second login the login sync will work as expected, with no Kerberos tickets dropped. Logout sync never initiates unless triggered manually at least once from the Finder menu.
In addition, the process never checks the most recent version of the user's home, unlike in Leopard where this feature works as expected.
I repeated the procedure, this time examining the /var/db/system.log during the login process.
This is with a user augmented using MCX prefs; note it seems not to be able to launch the CCacheServer daemon for the user.
Log in with user
May 18 10:52:10 snowleptestv1 edu.mit.Kerberos.CCacheServer[1111]: launchctl start error: No such process
May 18 10:52:11 snowleptestv1 SecurityAgent[1103]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
May 18 10:52:13 snowleptestv1 DirectoryService[11]: Misconfiguration detected in hash 'Kerberos' - see /Library/Logs/DirectoryService/DirectoryService.error.log for details
Create Mobile Account Y/N?
Home sync Failed
May 18 10:53:51 snowleptestv1 com.apple.launchctl.Background[1131]: Bug: launchctl.c:2325 (23930):2: (dbfd = open(g_job_overrides_db_path, O_RDONLY | O_EXLOCK | O_CREAT, S_IRUSR | S_IWUSR$
May 18 10:53:51 snowleptestv1 HomeSync[1127]: HomeSync.doHomeSyncLoginLogout: Unable to mount server URL at 'afp://ourserver.com/TestHomes/' (80). No sync will occ$
May 18 10:53:52 snowleptestv1 HomeSync[1127]: HomeSync.cinch_doLoginChecks Login sync returned 80
May 18 10:53:53 snowleptestv1 com.apple.coreservicesd[54]: ThrottleProcessIO: throttling disk i/o
Continue Y
May 18 10:56:14 snowleptestv1 edu.mit.Kerberos.CCacheServer[1134]: launchctl start error: No such process
May 18 10:56:14 snowleptestv1 loginwindow[1090]: Login Window - Returned from Security Agent
May 18 10:56:14 snowleptestv1 MCXLoginLogoutScriptTool[1141]: login: "loginscripts" in "com.apple.mcxloginscripts" is missing or is not a CFArray.
May 18 10:56:14 snowleptestv1 com.apple.loginwindow[1090]: 2010-05-18 10:56:14.177 MCXLoginLogoutScriptTool[1141:903] login: "loginscripts" in "com.apple.mcxloginscripts" is missing or is$
May 18 10:56:14 snowleptestv1 loginwindow[1090]: USER_PROCESS: 1090 console
May 18 10:56:14 snowleptestv1 com.apple.launchctl.Aqua[1143]: Bug: launchctl.c:2325 (23930):2: (dbfd = open(g_job_overrides_db_path, O_RDONLY | O_EXLOCK | O_CREAT, S_IRUSR | S_IWUSR)) != $
May 18 10:56:14 snowleptestv1 com.apple.launchd.peruser.1340472719[1129] (com.apple.ReportCrash): Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
May 18 10:56:14 snowleptestv1 com.apple.launchctl.Aqua[1143]: Bug: launchctl.c:2325 (23930):2: (dbfd = open(g_job_overrides_db_path, O_RDONLY | O_EXLOCK | O_CREAT, S_IRUSR | S_IWUSR)) != $
May 18 10:56:14 snowleptestv1 migCacheCleanup[1147]: Flushing Cache Locations...
May 18 10:56:14 snowleptestv1 com.apple.loginwindow[1090]: 2010-05-18 10:56:14.379 migCacheCleanup[1147:903] Flushing Cache Locations...
May 18 10:56:14 snowleptestv1 com.apple.loginwindow[1090]: Deleted: /Users/user/Library/Caches/Cleanup At Startup
DirectoryService.error.log
2010-05-18 10:56:23 BST - T[0x0000000104699000] - Misconfiguration detected in hash 'Kerberos':
2010-05-18 10:56:23 BST - T[0x0000000104699000] - User 'user' (/Local/Default) - ID 1340472719 - UUID CFE5FD8F-07FB-4D32-9B4D-34E28CA21874 - SID S-1-5-21-111448075-1160815709-283310661$
Next I tried logging in with a test account augmented in WGM with the Apple attributes and with syncing enabled via managed preferences.
Note that a network home is created at 11:12 but the service is unable to mount this folder at 11:14; the Kerberos CCache daemon again. (This is a per-user Launch Agent that maintains a user's Kerberos credentials.)
Login
May 18 11:12:47 snowleptestv1 DirectoryService[11]: Misconfiguration detected in hash 'Kerberos' - see /Library/Logs/DirectoryService/DirectoryService.error.log for details
May 18 11:12:49: --- last message repeated 3 times ---
May 18 11:12:49 snowleptestv1 edu.mit.Kerberos.CCacheServer[1315]: launchctl start error: No such process
May 18 11:12:49 snowleptestv1 SecurityAgent[1299]: NSSecureTextFieldCell detected a field editor ((null)) that is not a NSTextView subclass designed to work with the cell. Ignoring...
May 18 11:12:55 snowleptestv1 authorizationhost[1298]: afp home directory mount succeeded
Create Mobile Account Y/N
Y
May 18 11:12:56 snowleptestv1 DirectoryService[11]: Misconfiguration detected in hash 'Kerberos' - see /Library/Logs/DirectoryService/DirectoryService.error.log for details
May 18 11:14:46 snowleptestv1 HomeSync[1335]: HomeSync.doHomeSyncLoginLogout: Unable to mount server URL at 'afp://ourserver.com/TestHomes/' (80). No sync will occ$
May 18 11:14:47 snowleptestv1 HomeSync[1335]: HomeSync.cinch_doLoginChecks Login sync returned 80
May 18 11:14:48 snowleptestv1 com.apple.coreservicesd[54]: ThrottleProcessIO: throttling disk i/o
Home Sync Failed
May 18 11:16:28 snowleptestv1 edu.mit.Kerberos.CCacheServer[1344]: launchctl start error: No such process
May 18 11:16:28 snowleptestv1 loginwindow[1286]: Login Window - Returned from Security Agent
May 18 11:16:28 snowleptestv1 MCXLoginLogoutScriptTool[1351]: login: "loginscripts" in "com.apple.mcxloginscripts" is missing or is not a CFArray.
May 18 11:16:28 snowleptestv1 com.apple.loginwindow[1286]: 2010-05-18 11:16:28.821 MCXLoginLogoutScriptTool[1351:903] login: "loginscripts" in "com.apple.mcxloginscripts" is missing or is$
May 18 11:16:28 snowleptestv1 loginwindow[1286]: USER_PROCESS: 1286 console
Next I compared the process logging on with a 10.5.8 client, with mobile account creation and syncing set by managed preferences. Note there are no Kerberos errors.
Login with user
May 18 12:50:21 testleopardfordev3 loginwindow[471]: Login Window Started Security Agent
May 18 12:50:42 testleopardfordev3 authorizationhost[482]: MechanismInvoke 0x11bb10 retainCount 2
May 18 12:50:42 testleopardfordev3 SecurityAgent[483]: MechanismInvoke 0x180da0 retainCount 1
May 18 12:50:44 testleopardfordev3 /System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter[494]: SessionGetInfo(0x1ea21b0) -> -2147417855
May 18 12:50:49 testleopardfordev3 com.apple.usbmuxd[293]: stopping.
May 18 12:50:49 testleopardfordev3 com.apple.usbmuxd[496]: usbmuxd-176 built for iTunesNine on Jul 20 2009 at 13:06:53, running 32
Create Mobile Account Y/N?
Y
May 18 12:52:10 testleopardfordev3 org.apache.httpd[579]: httpd: Could not reliably determine the server's fully qualified domain name, using testleopardfordev3.local for ServerName
May 18 12:52:11 testleopardfordev3 HomeSync[580]: Could not find image named 'mobility_64'.
May 18 12:52:12 testleopardfordev3 kernel[0]: AFP_VFS afpfs_mount: /Volumes/TestHomes, pid 580
May 18 12:52:17 testleopardfordev3 /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[592]: reading from /Users/user/Library/FileSync/FileSyncAgent_key_dir_2010-0$
May 18 12:52:17 testleopardfordev3 /System/Library/CoreServices/FileSyncAgent.app/Contents/MacOS/FileSyncAgent[592]: setting security information: Operation not permitted
May 18 12:52:21 testleopardfordev3 SecurityAgent[483]: NSSecureTextFieldCell detected a field editor ((null)) t
Logged in
I also checked Kerberos on login with klist; there were no errors at any point, as you would expect.
It seems that the synchronisation process is currently flawed using synced mobile accounts with AD in Snow Leopard. Broken CCacheServer? Kerberos is part of the jigsaw. Good luck, people!
cmra (Participant)
Hi Mike,
In effect we do use augments: the home directory attribute and the apple-user-url are added automatically to the account when it's created on the local machine. This happens as a result of either the sync URL setting in MCX or the path as stated in the command line mobile account creation. It has to be noted that network accounts work fine; it's mobile accounts that are utterly broken. The Kerberos patch will fix the initial TGT on login problem, but the synchronisation will not work as expected. It seems we are now holding out for Apple to fix this in 10.6.4 (fingers crossed). It also should be noted that I have tried the augment route as described by Bombich's Leveraging AD on Mac OS X, and whilst this also works fine for network accounts it does not work properly for mobile accounts; in fact you get the same issues as related in my above post using the MCX settings to manage synchronisation. As has been noted in other posts, you don't need to go down the augment route if the only extra functionality you require is to have mobile accounts, as the other two methods create the same result with much less work. It's frustrating that all this works fine with Leopard client and Snow Leopard server. I think we would stick with Leopard client but, as we are getting new machines all the time, it's not an option.
cmra (Participant)
We have a split environment, with users having a small amount of storage when logging onto PCs and a media-type area when logging onto Macs (different servers); we can't store the Mac account in the PC area and vice versa, so they must remain separate entities.
However, for those interested, these are the findings so far.
The settings as above work fine within a golden triangle setup with the following config:
10.6.3 Server, 10.5.8 Client, AD Kerberos Realm
The user logs in, gets a mobile account created in the correct place, and sync settings work perfectly, just as if the account was created in OD.
However, this is when it gets bad, when we go to the ideal setup:
10.6.3 Server, 10.6.3 Client, AD Kerberos Realm
Using the managed preferences as above, the user is informed that their mobile account cannot be synced at this time: "Cancel" or "Continue".
User clicks Continue. When trying to manually sync, the user gets prompted for a password. Checking with klist reveals the user is not receiving a TGT. Log out, log back in: login sync performs and the user has a TGT. The account won't sync on logout and doesn't check to see whether the local or the network version of the mobile home is the latest at any point, even if changes are made to either (note this worked perfectly on the above setup). Found an Apple fix for the TGT issue: http://support.apple.com/kb/HT4100
Tried again; still had the initial error message, but this time a ticket was generated for the user on first login, so manual sync is now working. Still not syncing on logout and not checking for network or local.
As an alternative to the MCX redirects, tried the command line approach.
Ran the following command:
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username -u afp://server.domain.com/Home/username
This creates a mobile account for the user upon first login, with the correct server path.
Logged in as the user; this time no error message, and the account syncs upon login. Logged in, using klist we see the user has a ticket generated. Manual sync works and, logging off, the mobile account syncs. However, it still doesn't check at any point whether the local or the network version is the most recent.
With the command line method being the most successful, I tried running this as part of a login script. To start off with, this was running with the trust setting as Anonymous. Logs in OK without errors, but does not generate a TGT for the user on first login despite the Apple patch being applied. Again, a logout and a login for that user then generated a ticket. However, the account does not sync again at logout and again does not check network or local. I began to wonder whether the TGT issue was because, according to the Apple docs, the trust relationship must be set to Partial for clients using AD. With this in mind I changed the trust setting on both client and server and ticked "Digitally Sign All Packets", which is a requirement of Partial trust. This breaks the authentication of the diradmin on the OD master, and the client can no longer bind to the server until this feature is then unticked! This is it so far... head-scratching continues!
So mobile accounts using 10.6 client with AD seem a little broken at the moment! 10.6.4 anyone?!
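An added example, not code from the post, of the command line route above wrapped so it can be run for any user, by hand ahead of first login as in the post or from an MCX login script that gets the short name as $1. It expands the %@ placeholder used by the MCX "Synchronisation URL" setting, refuses to act on a user who already has a local record (so a login script can run it every time without re-creating accounts), and only then calls createmobileaccount with the -n and -u flags shown above. The URL template, the username filter and the "local record exists" check via dscl are my choices and assumptions, not the poster's; whether a TGT is issued on first login afterwards is the separate problem the post describes and is not changed by this.

```shell
#!/bin/sh
# make_mobile_account.sh: hypothetical wrapper around createmobileaccount
# (added example, not the poster's script). Run as root, either by hand
# before the user's first login or from an MCX login script that receives
# the short name as $1.
#
# Assumed, not stated in the post: the URL template below, and that a record
# for the user in the local DS node means the mobile account already exists.

CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
# Same shape as the MCX "Synchronisation URL" setting; %@ stands for the user.
SYNC_URL_TEMPLATE="${SYNC_URL_TEMPLATE:-afp://server.domain.com/Home/%@}"

# Plain short names only: the value is spliced into a URL and a root command.
validate_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Replace every %@ in the template with the user name. The name has already
# been restricted to [A-Za-z0-9._-], so it cannot contain the sed delimiter
# or the "&" that sed would treat specially in the replacement.
sync_url_for() {
    template="$1"; user="$2"
    printf '%s' "$template" | sed "s|%@|$user|g"
}

# True when the local directory node already has a record for the user,
# i.e. createmobileaccount (or a previous login) has already run.
has_local_record() {
    dscl . -read "/Users/$1" >/dev/null 2>&1
}

# Create the mobile account once and report what was done. Returns 2 for a
# refused name, 0 if the account already exists or was created, otherwise
# createmobileaccount's own exit status.
ensure_mobile_account() {
    user="$1"
    validate_username "$user" || { echo "refusing username '$user'" >&2; return 2; }
    if has_local_record "$user"; then
        echo "local record for $user already present; nothing to do"
        return 0
    fi
    url="$(sync_url_for "$SYNC_URL_TEMPLATE" "$user")"
    echo "creating mobile account for $user with sync URL $url"
    "$CMA" -n "$user" -u "$url"
}

# Only act when given a username; loading the file for its functions alone
# does nothing.
if [ -n "${1:-}" ]; then
    ensure_mobile_account "$1"
fi
```

Run it as root with the short name as the only argument. Because the local-record check comes first, a second run for the same user is a no-op, which is what you want if it lives in a login script that fires on every login.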
cmra (Participant)
I am also having problems trying to set up the secure binding settings. In my case I am trying to set up a trust relationship between client and server to run a login script on a client in a golden triangle setup. According to the documentation, if you are using an AD directory you need "Digitally Sign All Packets" to be ticked. If I tick this and reboot the server, I can no longer authenticate as the diradmin in Workgroup Manager or bind clients to the OD. I have tried running a repair permissions on the master, as someone had recommended in another post, but this didn't fix the issue. I can only authenticate as diradmin when this feature is unticked and the server rebooted. I wonder if this is in any way related to the Kerberos being sourced from Active Directory with the OD Kerberos not running (the feature requires Kerberos).
cmra (Participant)
Apparently you can set up quotas for AD users using the edquota command (though this is broken in 10.5; not sure if it's fixed in 10.6).
See page 20:
https://www.afp548.com/filemgmt_data/files/AD-OD-2.1.pdf
Not sure about adding augments to AD groups in 10.6.
cmra (Participant)
Hi Ryan, thanks for that. Yes, that's exactly what the issue is; we are still working on a dev setup that has Mac OD accounts, so will be moving it to the AD realm soon.
I think it's going to work pretty well, as it does create the home folder for the user in 10.6.2.
Now if I could only do the quotas without augments!
cmra (Participant)
Managed to take this a stage further with the following changes:
"Create PHD" "False"
"Create Mobile Account" "True"
"Mobile Home Location" "path"
"Create Mobile Account from Local Template" "True"
"Mobile Home Parent Path" "/Users"
"Synchronisation URL" "afp://our-server.com/Home/%@"
This now creates the local mobile account and the network one; however, syncing prompts for username and password. Need to do further testing, as we are getting password prompts at sync.
cmra (Participant)
I totally agree; however, I was told that augments were not necessary for mobile accounts, only for network homes. I was told that if you applied the following preferences, which are defaults in the ManagedClient.app, then these settings would be applied to anyone who was in that group or logging into a machine in that computer group.
We have this set up as a preference in a test computer group.
After adding the ManagedClient.app, the settings are set under "Mobile Accounts and other options":
"Create Mobile Account" "True"
"Mobile Home Location" "path"
"Mobile Home Parent Path" "/Network/Servers/our-server.com/Volumes/DATADRIVE/Home"
"Synchronisation URL" "afp://our-server.com/Home/%@"
The bottom line should set the mobile account path sync URL to whoever logs onto the particular machine. However, as listed above, the error indicates it either can't find the path or can't write to the path, even though it's shared; I have given the AD group permissions to write to that share, and I can access and create a folder there on the command line using the test AD account.
I suspect we will have to go down the augments path in any case, as we need to add in user quotas.
To lock down the machine to particular users, just add the AD users who have access to an OD group (or users within an AD group nested in an OD group) and set up a managed preference to only allow users within that group to log on to machines within a particular computer group.
cmra (Participant)
I understood it possible to do the above process without doing any augments. We don't want to change anything on the AD record. The user is using the AD just for authentication purposes.
The idea is that when the user logs into the Mac, a mobile account is created for them on the Mac server which is just for Mac use. The users also use PCs, which have a home directory set on the Windows server. The two have to be separate. We don't want the users to be prompted for a mobile account if possible, as this will cause confusion. Apparently this is undocumented by Apple, but this is possible, so I was informed.
I'm not sure why the preferences don't work, as the path is set to a network share.
cmra (Participant)
I forgot to add the error, which makes it a little clearer where the problem lies:
"04/03/2010 12:57:09 com.apple.loginwindow[3879] 2010-03-04 12:57:08.998 ManagedClient[3886:903] MCXCCreateMobileAccount(): Failed to create account. Error = -6304 (mobile account file path is either not a directory or could not be properly created). Cleaning up mobile account record."
Just to note that the directory does exist!
cmra (Participant)
Hi Stu, it's been a long time since you replied to this post, but we are only just moving on this now and we have run into a couple of stumbling blocks, namely the creation of the mobile accounts at first login. I wonder if you could point out anything we may have missed.
The steps we have taken so far are:
We have bound our OD Master (currently running the KDC for Mac users, though this won't be the case for much longer) to AD.
Bound a test client to AD and OD (OD first in the search path), unticking "use UNC path" and unticking "create mobile account at login".
Created a computer group on the master.
Added ManagedClient to preferences.
In the Details tab I have modified the "Mobile Account & Other Options" to include the following:
"Create Mobile Account" "True"
"Create Portable Home Directory" "True"
"Mobile Home Location" "path"
"Mobile Home Parent Path" "/Network/Servers/our-server.com/Volumes/DATADRIVE/Home"
"Synchronisation URL" "afp://our-server.com/Home/%@"
No problems with authentication, but when logging on with the client and "ad_username" I get the error "Unable to create Mobile account. There was a problem while creating or accessing "/Network/Servers/our-server.com/Volumes/DATADRIVE/Home/ad_username"".
The KDC is still on the OD (would this make a difference?).
The path is accessible from the client in Terminal. Initially I thought it was a permissions issue and gave the user write permissions to the share, just to test, but that made no difference.
Is there something I'm missing here? Any tips would be gratefully received!
cmra (Participant)
Ah, cheers, that's all good stuff. The way I would want it would be that the PC and Mac user areas were totally separate: the PC one on an AD server, the Mac home on the Xserve, but still using the same user ID. I suppose I could set the URL via a computer list MCX, so if users logged into a Mac in the list the home URL parameter is changed to point at the Xserve, then reset on logout to the AD default using a logout hook?