
Network user accounts - what is a good path going forward?

Hello experts,

I am managing a small 100% OS X-based network with a server and about 5 desktop Mac minis. The server runs OS X Server with Open Directory and also hosts FileMaker Server.

The staff does NOT have dedicated workstations. Depending on the needs, staff needs to be able to sit at any computer, log in with their network account and find their items and settings where they left them while working on a different workstation the day before.

Today, this is realized with network home folders located on the server and works reasonably well, occasional oddities with Mail aside.

I do not really use any other OS X server services besides network accounts with server-based home folders, basic DNS and file sharing (no calendar, mail, website, etc.).


Given Apple's (unfortunate) decision to dismantle and cripple OS X Server functionality with Mojave, I am looking for an alternative going forward. Staying current with FileMaker versions (the core business app) requires upgrading to Mojave at some point and maintaining the ability for staff to move between computers is also critical.


How should I approach this? Should I completely separate the login/home folder issue by using a different technology, like *cough* an AD server? Are there other reliable mechanisms to synchronize local home folders with a network location reliably at the beginning and end of a user session?


I'd like to avoid the need to set up local accounts for every staff member on every desktop (even if there are "only" 5) and manage email and other account settings in that way, if possible.


Please do share your ideas, if you have a minute. I certainly appreciate it!

Thanks.

Posted on Aug 13, 2019 10:50 AM


6 replies
Question marked as Best reply

Sep 4, 2019 12:33 PM in response to StefanDaGerman

Our network and use is almost exactly as you describe including FileMaker. We have a dozen users and need them to be able to log into any of our client machines across two separate locations. We are on High Sierra for both the server and clients because we still need Messages.app and Server.app to use and host the Jabber server. We were using Network Home Directories and had all of the problems John refers to continually cropping up. Management of problems became a nearly daily bother.


Our solution was to copy the userhome of all of the users to each of the client machines and to set the userhome location as "local" in Server.app. Using this method, the server still authenticates the user but all details are stored on the client machine as of the time of the copy. This way none of the existing users need to reset or re-enter settings. The most notable drawbacks are that the content of the userhomes will gradually diverge over time and that any changes to services will need to be updated on all of the clients. Secondarily, new users will need to add their settings on several machines or the admin will need to move copies of the newly set up userhome to the other client machines. We placed folders in a file-share for each user to have a centralized place to put their files since the userhome was no longer centralized. This method also allows for multiple users to be logged into a client concurrently since the userhomes are all local to the client machine.


While it has not been as convenient as a properly working Network Home Directory system, we have had no functionality issues since making the change and the maintenance problem has totally disappeared. The biggest issue has been our staff trying to remember not to leave files on their Desktop or in Downloads if they wanted access from another machine at another time.


-Erich

Aug 22, 2019 2:19 AM in response to StefanDaGerman

Apple over the years gradually made using Network Home Directories less and less practical. Realistically there are so many problems that, even if hypothetically it is still possible with Mojave, the likely pain is simply too great.


One major area (amongst many issues) is that when Apple introduced iCloud Keychain syncing they also introduced the 'local items' keychain. This resides in a folder with a name that matches the unique UUID number of the Mac when this gets created. Therefore when you login on a different Mac it is not valid for that other Mac and hence you cannot access that keychain. This keychain is used for all Apple's programs i.e. Mail, Calendar, Contacts and Safari. Apple also switched more and more things to using SQLite databases instead of plist files and SQLite does not like accessing its database files on a network share and often will corrupt these files. Guess what the 'local items' keychain is - an SQLite database!


With regards to FileMaker a possible workaround would be to use the web-browser client to FileMaker. This would let you upgrade the FileMaker server but use an older Mac and let it access FileMaker via a web-browser.


Another approach to consider but which will require some work is to use a 'Terminal Server' style approach. You would have client Macs very stripped down - maybe even only using Guest logins and then run a Terminal Server connection to a Mac server and run their main environment from that. This way they could login from any Mac and access the same Terminal Server.


There would be two possible approaches for doing the Terminal Server approach:


  1. If you use Screen Sharing from a client Mac to the server, you can have more than one person connect at the same time using different logins, and each person sees a different window.
  2. There is some software specifically aimed at doing this, see https://www.aquaconnect.net/ and https://www.nuords.com/products/nuords-ts/; check the details of this thoroughly, it may be that one or both may not be compatible with the latest versions of macOS.


Note: Some applications do not allow being run more than once, e.g. by the multiple logins listed above. However, I would expect most would. A workaround would be to make duplicate copies, perhaps in users' home directories, e.g. ~/Applications.

Aug 22, 2019 12:41 PM in response to John Lockwood

Thank you for the detailed response, John. Really appreciate it.

Your explanation really confirms the recurring issues we are currently seeing, with SQLite errors flooding the console and weird account behavior for internet accounts (GSuite in this case), where SMTP server settings go missing, preference panes showing the spinning beachball, etc. In some cases, I am able to recover it, in others I have to delete and re-create the user account in directory services.

I had assumed it's limitations in the OS X server implementation, but I now realize that all the issues start within OS X on the client itself.


So, the bottom line is: There really isn't any hope for a working setup where users can log in on any computer on the network and find the same personalized work environment, if we want to stick with OS X clients, because from what I determine from your explanations, the problems really start on the client side (with machine UUIDs used for files vs. user UUIDs, SQLite issues on network mounts and who knows what else). In the past, it worked "OK" if I was really careful in ensuring that all versions of OS and FileMaker were correct and in sync across the network. But with Mojave, all the feedback I am reading is really pointing away from even trying.


The terminal server idea is interesting, but will likely require a more powerful server machine (currently an all macMini environment) and come with a new set of challenges.


It really hurts me to say it, but all of these issues point in one reasonable direction, and that is to go back to Windows as the client OS (my head is already hurting).

Alternatively, we would need to change our approach and get personalized laptops that staff gets assigned and completely forego any network user accounts. FileMaker and a shared server disk have been working just fine.


Frustrating to see that Apple is making this so difficult. Whatever happened to the easy-to-use stuff?


Anyways, thanks again for your insights!!

Stefan

Sep 4, 2019 12:55 PM in response to Erich Wetzel

@Erich Wetzel


Your approach could be considered to be half way between a 'mobile account' and a 'portable home directory account'. For those unaware, Portable Home Directories were officially discontinued with macOS Sierra.


A mobile account syncs credentials to a directory server but not the home directory, and a portable home directory account synced both the credentials and home directory contents. It is presumed Apple discontinued PHDs due to never being able to make the syncing process reliable.


In theory you could use an alternative tool to do the syncing, e.g. ChronoSync - https://www.econtechnologies.com/chronosync/overview.html; however, this will still leave the issue of the dreaded 'local items' keychain raising its ugly head. It may be that by adding a script to the ChronoSync setup you could automate the renaming of the local items keychain folder. The script could look up the UUID of the Mac during the syncing.
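A sketch of the rename John describes, added here as an example and not code from the thread: it finds the single UUID-named folder under ~/Library/Keychains and renames it to the current Mac's hardware UUID, refusing to guess when there are several. The ioreg lookup and the assumption that the folder name alone ties the keychain to the old Mac are mine; whether macOS can then open the renamed keychain is not something the script checks.

```shell
#!/bin/sh
# Added example: rename a stale "local items" keychain folder to this Mac's UUID.
# The folder lives at ~/Library/Keychains/<hardware UUID>/ and holds keychain-2.db
# (an SQLite file). Assumption: a single UUID-named folder from the old Mac exists.

# Hardware UUID of this Mac (macOS only; the tests pass a UUID in explicitly).
mac_uuid() {
  ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/ { print $4 }'
}

# relocate_keychain_folder KEYCHAINS_DIR CURRENT_UUID
# 0: folder already matches or was renamed; 1: zero or several candidates (no guess).
relocate_keychain_folder() {
  dir=$1; cur=$2
  if [ -d "$dir/$cur" ]; then return 0; fi   # already keyed to this Mac
  count=0; old=""
  for d in "$dir"/*/; do
    d=${d%/}; name=${d##*/}
    case $name in
      [0-9A-F]*-*-*-*-*) count=$((count + 1)); old=$d ;;
    esac
  done
  [ "$count" -eq 1 ] || return 1
  mv "$old" "$dir/$cur"
}

# Typical call on the client, after the user's home has been copied over:
# relocate_keychain_folder "$HOME/Library/Keychains" "$(mac_uuid)"
```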

Sep 4, 2019 2:38 PM in response to Erich Wetzel

Thank you Erich, almost feels good to know that I am not a victim of not seeing the obvious solution. ;)


I have considered the approach you outline, but never implemented it, because it almost completely removes the need for any kind of network directory setup (other than centrally managing permissions, which we have very few of to begin with). With more restrictions to the server suite on the horizon, I can't help but wonder when directory server will meet its untimely demise.


Sadly, your approach seems to be the only way to make this work reasonably well, especially since I only have to manage ~5 user accounts and have almost non-existent staff turnover. Also, updates to keychain items are relatively rare (mostly email accounts), so I'd be OK if passwords needed to be changed on more than one desktop. Sounds like the 90s, doesn't it? ;)


The only other thing I would like to synchronize would be files placed in the Desktop and Documents folders. I wonder if a soft link on the OS level to a mounted network share would work. Alternatively, maybe a script/application can be written that copies files from the network share onto the local user's folders (Desktop/Documents) and does the reverse on logout. That script would have to stay running (stay open app) and copy to the shared directory "on quit". Hacky, and problematic with multiple logins on different machines from the same user, but I can pretty much prevent that. Problem is that my research on this in the past has shown that detecting logout and triggering an action may not be straightforward either. Sigh.


In any case, you have given me some things to think about & I really appreciate you taking the time to post a reply!

Cheers,

Stefan
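The login/logout copy script Stefan sketches, written out as an added example (mine, not from the thread). It pulls Desktop and Documents from a per-user folder on the share at login, pushes them back at logout, and uses a lock directory on the share so a second concurrent session of the same user is refused rather than silently clobbering files. Assumptions: the share path, that a LaunchAgent starts the script at login, and that launchd's SIGTERM at logout is what triggers the push.

```shell
#!/bin/sh
# Added example, not from the thread: pull Desktop/Documents from a per-user share
# at login, push them back at logout, and refuse a second concurrent session.
# Assumptions (mine): the share is mounted at $SHARE, a LaunchAgent runs this
# script at login and macOS delivers SIGTERM to it at logout, which the trap
# turns into the push. Keychains and the rest of ~/Library are never copied.
SHARE=${SHARE:-/Volumes/Staff/$USER}
FOLDERS="Desktop Documents"

# mirror_dir SRC DST: copy files from SRC into DST when missing or newer there.
# Nothing is deleted, so an existing copy is only ever replaced by a newer one.
mirror_dir() {
  src=$1; dst=$2
  mkdir -p "$dst" || return 1
  ( cd "$src" 2>/dev/null && find . -type f ! -name .DS_Store ) |
  while IFS= read -r rel; do
    if [ ! -e "$dst/$rel" ] || [ "$src/$rel" -nt "$dst/$rel" ]; then
      mkdir -p "$(dirname "$dst/$rel")" && cp -p "$src/$rel" "$dst/$rel" || exit 1
    fi
  done
}

# sync_folders pull|push HOME SHARE
sync_folders() {
  for f in $FOLDERS; do
    case $1 in
      pull) mirror_dir "$3/$f" "$2/$f" || return 1 ;;
      push) mirror_dir "$2/$f" "$3/$f" || return 1 ;;
      *)    return 2 ;;
    esac
  done
}

# mkdir is atomic on the share, so two sessions of one user cannot both hold it.
acquire_lock() { mkdir "$1" 2>/dev/null; }
release_lock() { rmdir "$1" 2>/dev/null; }

main() {
  lock="$SHARE/.session.lock"
  [ -d "$SHARE" ] || { echo "share not mounted: $SHARE" >&2; exit 1; }
  acquire_lock "$lock" || { echo "session already open elsewhere" >&2; exit 1; }
  trap 'sync_folders push "$HOME" "$SHARE"; release_lock "$lock"; exit 0' TERM INT
  sync_folders pull "$HOME" "$SHARE" || { release_lock "$lock"; exit 1; }
  while :; do sleep 5 & wait $!; done   # wait returns at once when SIGTERM arrives
}
if [ "${SYNC_AGENT_RUN:-0}" = 1 ]; then main; fi
```

Run with SYNC_AGENT_RUN=1 from the LaunchAgent; sourcing the file without it only defines the functions.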

Sep 4, 2019 2:50 PM in response to John Lockwood

John,

Also, thanks to you for pointing out the issue with the Mac UUID being used in the file path to the local keychain; I was unaware of that and the associated headaches. This actually explained to a large part the effects I have been seeing in my environment over time. That, and SQLite store corruptions.


It's really too bad that there is no better support for a small business environment that wants to utilize OSX for a number of very good reasons.


Of course, there is always the hardware approach, i.e. handing out personal laptops to each employee to use and ditching all attempts at centralized user management. Unfortunately, that's not within the limited budget for this here small business.


Cheers,

Stefan
