Question

Yosemite Automatic Home Drive Mount

  • December 2, 2014
  • 46 replies
  • 190 views

  • Contributor
  • May 13, 2015

@davidacland ,

I just upgraded to Yosemite and now I am having the same problem regarding the home directory showing up as a question mark. If I use your script, do I have to modify anything? Also, how do I automate the clearing of the checkbox in Directory Utility "Use UNC path from Active Directory..."?

Thanks

Mark


davidacland
  • Valued Contributor
  • May 13, 2015

It will run as is, although there are a lot of script snippets on this thread now so I'm not sure which one we're talking about!

I'm referring to this:

https://github.com/amsysuk/public_scripts/blob/master/mount_SMBHome/mounthome.sh

To stop the AD plugin trying to mount the share you use dsconfigad in Terminal (or as part of a policy). I can't remember the exact option but if you use man dsconfigad in the terminal it shows you the available options.


  • Contributor
  • June 3, 2015

I am experimenting here as well. I have a working Homes folder share on a Windows 2008 R2 server with Enumeration enabled. When accounts are created in AD, the user home is created, but empty. Permissions to this point are correct: User has rw for all subfolders and files. There is no Everyone ACL in this folder. All folder permissions for non-admin group access above this point are set only for "This folder only". Only administrator accounts have rw for "All Files and Subfolders" in the home share. The server also has Group Logic's ExtremeZ-IP set to share out the home folder share using AFP with Use for Home Folders enabled.

Client is a 10.10.3 iMac that is bound to AD with Force local home unchecked. Use UNC path is checked. Protocol is either AFP or SMB.

Starting from an empty home folder, if AFP is enabled for the client protocol, the first login creates the usual home folder structure. Everything works and it works as expected.

Starting from an empty home folder, if SMB is enabled for the client protocol, the first login creates the usual home folder structure BUT an ACL for Everyone is applied to all of the top level folders EXCEPT Library and Documents. This Everyone ACL denies traverse permission to all users, which includes the user, admin users and everyone else. The user can create folders on their Desktop, but can't see them. They can't see the Music, Pictures, Documents and Movies folders that are there.

Since OS X is building this initial folder structure, the Everyone ACL must be coming from the AD plugin when using SMB as the protocol?

Anyone else see this?


  • Contributor
  • June 4, 2015

@dpeterka ,

All my home folders are pre-created when accounts are created in AD. The permissions are set at that time. Users logging on with a Mac don't change the ACL at all. We have "Force local home directories" checked off. I also have "Use UNC path from Active Directory with network protocol:" set to CIFS.

I have a separate Config Profile to show all drives & network shares on the desktop.

Everything seems to be working fine for me. I should mention we are not using Enumeration yet since the servers still need to be upgraded.

Thanks

Mark


  • Contributor
  • June 4, 2015

@msnowden,

When you say home folders are pre-created when accounts are created in AD, does that include the Apple specific subfolders like Desktop, Documents, Downloads, Library, Movies, Music, and Pictures? If so, how are you doing that from AD? All I am seeing is a home folder named after the username that is empty. The subfolders are created upon first login from a Mac.


  • Contributor
  • June 5, 2015

@dpeterka ,

We are checking (selecting) "Force local home directories" so there are no Apple specific folders being created. If you do not select that option, I believe it works as a roaming profile.


  • Contributor
  • June 5, 2015

OK, so our findings are that while the home folder is created properly (when the AD account is created), the Apple-specific subfolders have permissions issues when they are created as the user logs in for the first time. The user template being used on OS X is not creating correct permissions.

Upon further investigation, one permission that is being applied is Deny Delete to Everyone. This should not keep the user from seeing the contents of their Desktop folder, but it does. Remove this permission and the user has access. This happens when the home folder is auto mounted using SMB.

Using AFP (via ExtremeZ-IP) - to the same server and empty home folder - the Apple folders are created - also with the Deny Delete to Everyone permission. In this case, the user CAN read and write into their Desktop folder. They can even delete the Desktop folder despite the Deny.

I'm just not understanding these permissions and the user experience here.


  • New Contributor
  • June 10, 2015

Something I found with DFS in our environment is that the home folder would mount to the root of the DFS share, so a path like smb://domain.com/data/staff/user would mount to /Volumes/data. So if you have any other policies that mount from the same DFS namespace, such as a smb://domain.com/data/shared folder, they would fail. Or if the other policy goes first, the home folder mount would fail and show a question mark because /Volumes/data/ already existed.

Once I disabled the automatic home share mount and set up a profile to mount smb://domain.com/data/ once at logon, all my problems seemed to go away. The alternative I suppose would be to make sure that home folders are under a different namespace than everything else.


  • Contributor
  • November 16, 2015

If anyone is interested, I have written a script, which we bundle into an Automator app, that will allow users on non-AD-bound Macs to connect their home drive easily. It prompts for their username and password, then connects to AD to find the home folder path, then mounts it.

I also did a version for AD-bound Macs, which is of course easier.

Both of these can be set as a login item and run manually as required.

I will post my code if anyone wants it?


  • New Contributor
  • December 10, 2015

Hey, gang. Just getting into scripting the login call. I'm guessing your scripts are all built with the predetermined fact that user name and user share name are the same?

For us, users have a separate AD login from their directory path for the network home drive.


davidacland
  • Valued Contributor
  • December 10, 2015

@tburris that would work fine. If the correct value is listed in the SMBHome attribute in AD, then the script I posted above would work ok.

If it's different, you can alter or add to the server path variable to accommodate the changes.


  • Author
  • Contributor
  • December 11, 2015

Yeah, exactly. If the server name differs from the value in SMBHome, you can just cut the server name out of the variable it's stored in and then add the correct server name to the variable.


  • New Contributor
  • January 25, 2016

@marklamont

I would love to check out your scripts for non-AD-bound machines. This has been proving to be a major headache to get functional.

Thanks!


  • Contributor
  • January 25, 2016

  • New Contributor
  • August 23, 2016

Hi guys. As of this week I am rolling out 30 Macs for a cart for a programming lab. I need some help as I have never used Macs in any of my previous jobs. I need to map the home drives for the students but at this point I can't even get it set up to log them in on the domain. So I guess my question is twofold: 1) how to set it up so the different kids can log in using their AD credentials; 2) how to map their home drives so they can have access to them. I have seen the scripts you guys are posting and for a Mac I don't even know where to post this script to have it run.

Sorry for being such a newbie.


davidacland
  • Valued Contributor
  • August 23, 2016

Hi @neakins

Although there are some advanced script methods in use, just as a starting point you may be able to get by without them. The basic steps to do what you're looking for are (on each Mac):

  1. Open /System/Library/CoreServices/Applications/Directory Utility.app
  2. Click the padlock and authenticate as the local admin
  3. Double-click the Active Directory option to configure it
  4. Enter the AD domain name, check the computer name is as you want it to appear in AD and click "Bind..."
  5. Enter the credentials of an AD account that is allowed to join computers to the domain

In its default state, the user will log in, create a local home folder and map the network home into the Dock at the bottom of the screen.
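As an added example (not from davidacland's post or the amsys script), the same bind can be scripted with dsconfigad, which is what you would run from a Jamf policy rather than clicking through Directory Utility on each Mac. It also sets the two AD plugin options discussed earlier in this thread: "Force local home directories" and the "Use UNC path from Active Directory" mount that the plugin would otherwise attempt itself. The domain, the join account and the computer-name fallback are placeholders; -passinteractive prompts for the join password so it never sits in the policy script or shell history.

```shell
#!/bin/sh
# Added example: command-line equivalent of the Directory Utility steps.
# Run as a local admin on the Mac. All names below are placeholders.

AD_DOMAIN=${AD_DOMAIN:-example.com}        # placeholder: your AD DNS domain
JOIN_USER=${JOIN_USER:-adjoinadmin}        # placeholder: account allowed to join computers
# On a Mac the computer name comes from scutil; the fallback is a placeholder.
COMPUTER_NAME=${COMPUTER_NAME:-$(scutil --get ComputerName 2>/dev/null || echo LAB-MAC-01)}

# Step 4/5 of the GUI procedure: join the domain with the given computer name.
# -force lets the join replace an existing computer record of the same name.
bind_to_ad() {
    dsconfigad -add "$AD_DOMAIN" -computer "$COMPUTER_NAME" \
        -username "$JOIN_USER" -passinteractive -force
}

# Plugin behaviour discussed in this thread: keep the home folder local
# ("Force local home directories") and stop the plugin mounting the SMBHome
# path by itself ("Use UNC path ..."), leaving that to a login script.
# SMB is the protocol it would use if the UNC mount were re-enabled.
configure_ad_plugin() {
    dsconfigad -localhome enable -useuncpath disable -protocol smb
}

# Typical order on a fresh Mac (not executed on load):
#   bind_to_ad && configure_ad_plugin && dsconfigad -show
```

After binding, `dsconfigad -show` prints the plugin settings, which is the quickest way to confirm that "Use UNC path" is off before troubleshooting a question-mark home folder in the Dock.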


JKingsnorth
  • Valued Contributor
  • August 25, 2016

@davidacland we are trying to use your script, however we cannot get it to work. The policy runs at login and returns that it completed, saying:

"Script result: STARTING: User drive mount
Network share already mounted for"

We are trying to create a local home for a user on a Mac and then mount a Network Share for that user.


davidacland
  • Valued Contributor
  • August 25, 2016

Hi @JKingsnorth

It will be getting confused by the logging in user as Casper is running the script as root. If you change any instance of $USER to $3 in the script it should work ok.


JKingsnorth
  • Valued Contributor
  • August 26, 2016

@davidacland IT WORKED! Thank you!


  • New Contributor
  • September 13, 2016

@davidacland

Sorry, I'm new to scripting so I'm still trying to figure out where to put in or define our domain and the location of the AD home drive to update the SMBHome attribute correctly ...

For example: Our domain is MagicCasper.com

Our AD user home folder is \\Server-03\FSHome$\%username%

Appreciate if you can help us update the following two lines in the script to make it work ...

Thanks,

# Short (NetBIOS) name of the domain the Mac is bound to, e.g. MAGICCASPER
ShortDomainName=$(dscl "/Active Directory/" -read . | grep SubNodes | sed 's|SubNodes: ||g')

# SMBHome for the logged-in user, turned from a UNC path into host/share/path form
# (e.g. "SMBHome: \\Server-03\FSHome$\jdoe" becomes "Server-03/FSHome$/jdoe")
adHome=$(dscl "/Active Directory/$ShortDomainName/All Domains" -read "/Users/$USER" SMBHome | sed 's|SMBHome:||g' | sed 's/^[\\]*//' | sed 's:\\:/:g' | sed 's/ \/\///g' | tr -d '\n' | sed 's/ /%20/g')

davidacland
  • Valued Contributor
  • September 14, 2016

Hi @rahanna

The ShortDomainName line will read the domain that the Mac is joined to and save the short domain name or NetBIOS name as a variable. In your example it would be something like MAGICCASPER.

The adHome line will read the logged-in user's record ($USER) looking for the attribute called SMBHome and will save the value in the variable.

So as long as you are putting the \\Server-03\FSHome$\%username% value into the home folder section of the Profile tab in the user account properties in AD, the script will read from there.

The only other catch: running the script with Casper means it is executed as root, so $USER doesn't work. If you are running it as a login policy, you need to change $USER to $3.

Hope that helps.
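To make the two points in this reply concrete, here is an added example written for this thread (it is not the amsys mounthome.sh script): the SMBHome-to-URL conversion and the "already mounted" check are pulled out into functions that take their input as arguments, so they can be exercised with constructed values off a Mac, and the logging-in user is taken from $3 with $USER never consulted, which is the root-context problem JKingsnorth hit. The mount_home glue at the end assumes an AD-bound Mac and that opening an smb:// URL as the user is an acceptable way to mount the share; the sample SMBHome value and mount listing in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the thread's script): mount the AD SMBHome share for
# the logging-in user from a Jamf login policy, which runs as root.

# Jamf passes the logging-in user as $3; $USER would be "root". Prefer the
# argument and fall back to the console owner (macOS only) when run by hand.
target_user() {
    if [ -n "$1" ]; then
        printf '%s' "$1"
    else
        stat -f %Su /dev/console
    fi
}

# Turn what `dscl ... -read /Users/<user> SMBHome` prints, e.g. the
# constructed value "SMBHome: \\Server-03\FSHome$\jdoe", into a URL that
# Finder can open: smb://Server-03/FSHome$/jdoe  (spaces become %20).
unc_to_smb_url() {
    printf '%s' "$1" \
      | tr -d '\n' \
      | sed 's/^SMBHome://' \
      | sed 's/^[ \\]*//' \
      | sed 's:\\:/:g' \
      | sed 's/ /%20/g' \
      | sed 's|^|smb://|'
}

# Return 0 when the output of `mount` ($1) already lists the share in $2.
# smbfs lines look like "//jdoe@Server-03/FSHome$ on /Volumes/FSHome$ (...)",
# so the user@ prefix is stripped and host/share is compared case-insensitively.
share_mounted() {
    hostshare=$(printf '%s' "$2" | sed 's|^smb://||' | cut -d/ -f1,2)
    printf '%s\n' "$1" | sed 's|^//[^@/]*@|//|' | grep -qiF -- "//$hostshare "
}

# Glue for a login policy: call as  mount_home "$3"  (needs an AD-bound Mac).
mount_home() {
    user=$(target_user "$1")
    domain=$(dscl "/Active Directory/" -read . | sed -n 's/^SubNodes: //p')
    raw=$(dscl "/Active Directory/$domain/All Domains" -read "/Users/$user" SMBHome 2>/dev/null) || {
        echo "No SMBHome attribute found for $user" >&2
        return 1
    }
    url=$(unc_to_smb_url "$raw")
    if share_mounted "$(mount)" "$url"; then
        echo "Network share already mounted for $user ($url)"
        return 0
    fi
    # Mount inside the user's own session so the volume belongs to them.
    su "$user" -c "open '$url'"
}
```

If the policy log shows "Network share already mounted for" with no username after it, the user lookup came back empty, which is what happens when the script reads $USER under root; passing "$3" into mount_home avoids that.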