Skip to main content

We've run into an issue with local homes for our Student lab users which affects the dock shortcut to their network home and mobile account sync. We are using JAMF Casper to deploy and manage OS X 10.7 Lion, Active Directory for authentication and Samba shares.



We've got AD configured with:
Force local home directory on startup disk - CHECK
Use UNC path from Active Directory to derive network home location - CHECK



So the problem is that although we have managed preferences configured via Casper, I'd also like to be able to sync preferences through mobile accounts. Ideally we would sync preferences and bookmarks at login and logout. When I configure AD with "Create mobile account at login", the sync has been failing with a message similar to "Unable to sync home directory at (null)" .



Putting that to one side for a moment, there is another difficulty. Yes, network users can login successfully. And the root of the share containing their home directory is mounted on the user's Desktop. However, the dock item which links to their home directory is broken and can't be removed.



The broken dock item is caused by folder depth on the Samba share. For example, this folder hierarchy has a broken link in the dock:
\\servernamesharesubfolder_herehome_directory



But this works fine:
\\servernamesharehome_directory



The network home directory dock item is not listed in the user's dock plist – it's there because it's an active (broken) mount. Our home directories all have numeric names like 00012345. The share and its subfolder are all lowercase. We have tested that there is no issue with permissions - we gave a test user "Full Control" over the entire path from the root of the mounted share down to home directory, and still there was a question mark in the dock. Ultimately we will be using DFS, but for testing we have switched to a plain hostname. We have also tried reducing the length of the home path in Active Directory from this:
\\servernamesharesubfolder_herehome_directory
to this (same folder depth, but shorter names):
\\servernameshare11



We've posted here: http://www.macwindows.com/forum/viewtopic.php?f=2&t=20 and I'm wondering whether the mobile account sync failure and the broken dock item are related – I will test.



By the way, the short \\servernamesharehome_directory configuration also works fine for our clients on an independent server with a different Samba mount and AD service. Can anyone tell me whether folder depth causes a known error with SMB mounted home directories on Mac OS X 10.7.2 and is there a client side workaround?



Looks like there shouldn't be a problem, right?
http://support.apple.com/kb/HT4829



Regards
James

Client side workaround No.1
Disable the broken dock item as described here:
https://discussions.apple.com/thread/3302952?start=0&tstart=0

Looks like that could be a managed preference.

The Apple extended schema has not been applied to our Active Directory, and Mac OS X 10.7.2 is independently parsing the standard homeDirectory attribute into its share address and path.



The difference between a mobile account with a broken link to the network folder and one with a good shortcut is in the local directory service cached credentials.



BROKEN



macbook:/ admin$ dscl . -read /Users/somebody/ OriginalHomeDirectory

OriginalHomeDirectory: <home_dir><url>smb://server.fqdn.edu.au/shareRoot/folder</url><path>somebody</path></home_dir>


FIXED



macbook:/ admin$ dscl . -read /Users/somebody/ OriginalHomeDirectory

OriginalHomeDirectory: <home_dir><url>smb://server.fqdn.edu.au/shareRoot</url><path>folder/somebody</path></home_dir>


There is a workaround at:
https://discussions.apple.com/thread/3198558?start=15&tstart=0



And it looks like it's fixed in the latest developer seed of 10.7.3, at least when "Create mobile account at login" is checked in Directory Utility under Active Directory -> Advanced Options -> User Experience.



In the meantime, I will probably leave that unchecked and set up policies in Casper scoped by category of user according to their AD group. The policy will have a login script attached based on the workaround above - something like this:



#!/bin/bash



userName="$3"

personType="$4"

finalChar="${userName: -1}"

createmobileaccount="/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount"



$createmobileaccount -vsxn $userName -u smb://server.fqdn.edu.au/shareRoot -t ${personType}${finalChar}/$userName



exit

If the logical path to the user's original home directory doesn't match the actual mount path, the shortcut in the dock will not work. In our case the network home shortcut is pointing to /Volumes/${shareName}/${subFolder}/$userName but my home directory is mounted at /Volumes/${shareName}/ so I see a question mark.



I fixed this with a script which creates the missing subfolder, and inside of that a link called $userName pointing back to /Volumes/${shareName}



The script is called by a launch item at login time, so it runs as the user. To tidy things up, I made the subfolder hidden and it gets removed on logout.

Thanks for posting this detailed run down James. We were seeing similar challenges in getting a wireless-AD-home share config profile working right (causing 2 min login delays) until I manually disabled the home share mount in the Dock with dsconfigad:



dsconfigad -sharepoint disable


PS: We are running 10.8.2 here though.

Terms & ConditionsCookie settings