OK, some good news and a clearer understanding to disseminate in this post. I hope it helps
"the Universe", so I am posting it here in my "ever-the-noob" blog on the Apple forums.
Problem
What do you do when you get an error when logging into a mobile account setup?
One symptom would be the error message below...
"You are unable to log in to the user account "<%short_name%>" at this time."
Logging in using >console, you get the message…
"No home directory: <path to home directory>"
Solution
Do the check list…
Short Version
- Server Admin.app > Access (Key Component)
- Check Permissions on directories for your file shares.
(The reason stuff doesn't work especially when you're rebuilding/recovering a server)
- File sharing setup (Turned ON, Home sharing Enabled)
- Directory Utility > Directory Editor or dscl
(Do not underestimate the importance of this part!!!!
Use white-gloves when you're handling it though!!!)
- Workgroup Manager
(Your poopy "main" interface that really is a "window", not a "door", but maybe Apple likes to do things "Dukes of Hazzard" style?)
Long Version
1.) Check Server Admin.app > Access
Make sure that your user has the "proper" access. For me, I created a test user from Server.app and saw what access he had as a way to "check myself for properly created users", because I think one is kind of on his/her own using WGM, and duplicated the same access. (I was a little neater, though, and did it with a group, not individual users; that would have been a mess!)
Server Admin.app > Access
Click the "+" sign, sort by UID and Add the imported users to the following Services…
(You can use a group, but understand when Server.app creates users they get added
individually to each of these groups.)
Address Book
AFP
iCal
iChat
Mail
Profile Manager
SMB
VPN
2.) Check Permissions on directories for your file shares.
(That's an understatement) I could go in depth about all the crap I had to read about, I still
know I am missing a chunk of tech brain when it comes to the particulars. Basically, I boil
it down to this…
Permissions require thinking about things first with regards to POSIX permissions... good
ole ls, chmod, chgrp, chown to the rescue with ugo permissions or the old 755, 600 etc
stuff.
Apple's file-sharing access uses this as a starting point to see what the user is allowed to
access.
I also needed to use chflags once to unhide a file that I mucked around with using xattr.
I still haven't figured out why folders can lose their triangles, but I did find out that if you cp or
move them from terminal, the triangles come back in the moved or copied directory. For a
minute I thought it was because cp alone doesn't preserve flag attributes, but mv actually
works by doing a cp that preserves the flags, unless it's a bug. I dunno.
This helped me get my file visible again...
chflags hidden path_to_file
chflags nohidden path_to_file
Read up on those manuals; if you're not a terminal type, go to Apple's website
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/
or download...
http://www.bruji.com/bwana/ I thought that was cool.
or if you prefer to read the manual in pdf try…
man -t sharing | pstopdf -i -o ./Desktop/Sharing\ Manual.pdf
man -t chown | pstopdf -i -o ./Desktop/CHOWN\ Manual.pdf
man -t chmod | pstopdf -i -o ./Desktop/CHMOD\ Manual.pdf
man -t chgrp | pstopdf -i -o ./Desktop/CHGRP\ Manual.pdf
My basic guideline was avoid using ACLs if at all possible, if you try to use them, things
can get crazy complicated, take notes and plan, baby. If you read above, opening up
permissions wide is wrong though. You would restrict permissions tightly to begin with and
then place ACE (Access Control Entries) to specifically target the rights you want to enable.
Here's one that's obviously a novice attempt to do this, but since the novice is the only one
speaking…. here it is, Universe… >:P
sudo chmod -R +ai "admin allow read,write,delete,file_inherit,directory_inherit,search,list" Department/
That allowed my admin to do all the things a normal user could do so far… It fixed things for
my admin, which made me happy. I really hate having to authenticate or sudo just to see
the contents of a nested directory. I could explain it, and even give a few notes on why it's
probably overkill, but I will attempt to look less stupid till "poked".
There's another command line utility I STILL haven't read, which may bear mentioning
because… well, I haven't read it. umask (see wikipedia or unix.com)… I worked past my
problems without going into it so far, but obviously it's there, and it serves a purpose.
I also found this article helpful…and educational. :O
http://www.bresink.de/osx/300321023/Docs-en/pgs/ACL.html
( It's enlightening to hear the air whistling between a developer/coder's ears, still it's
apparent he has a clear idea what's going on.
Ever wonder why when you use get info to check or assign permissions it kind of
flakes out and doesn't take? Read this article! )
Second, if you can't obtain the "specific" permissions you need with POSIX, chmod also
can set the 2nd category of permissions, which Windows users may be familiar with:
Access Control Lists (ACLs), and here you get some really fine granularity...messy stuff.
All in all, if I felt I could guide you through these murky waters, I would, but I think I'll let
the professionals weigh in on that one and cut my wall-of-text to ribbons.
To heuristically check I would connect from a client as one or two of my users and see what
folders I could mount as a share, armored with an understanding of what ls -le@O * showed
me in Terminal.
3.) File sharing setup (Turned ON, Home sharing Enabled)
Here is an example of using the command line sharing utility where each share is properly
labeled (that took a bit for me to figure out) still this share only enables the AFP share as
you can see from my flags.
sudo sharing -a /Volumes/Hard\ Drive/Department/Database -A Database-afp -F Database-ftp -S Database-smb -n Database -s 100 -g 000 -i 10
Then you do a sudo sharing -l and get back what you just did…
List of Share Points
name: Database
path: /Volumes/Hard Drive/Department/Database
afp: {
name: Database-afp
shared: 1
guest access: 0
inherit perms: 1
}
ftp: {
name: Database-ftp
shared: 0
guest access: 0
}
smb: {
name: Database-smb
shared: 0
guest access: 0
}
If you mess up the sharing command, you may not be paying attention (I wasn't) but there
are a lot of defaults that Apple will just assume you meant to do anyway and it won't read
any of your flags, you have to get it right or the flags will be defaulted.
( Basically I could tell I was bombing it for one, I explicitly only wanted afp working, but
the default was afp and smb. So each time I ran sudo sharing -l after I shot my sharing
command…back would come smb shared: 1 and I knew that wasn't right. Also my
custom names were defaulting to the name of the directory not the name I had
specified. )
I like to know what protocol my share is over so when it doesn't work, I know which protocols
are connecting. It's not foolproof, but it's a bookmark. I wish the network browser would
identify the protocol that its available listed shares are using, because small visual cues
like that help when you're trying to see what works. Maybe that's something I should
investigate via the command line?
As a note about reading forums, I discovered using command line that "\" is kind of like a
way of going to next line neatly with long commands…."\ " is a way to insert a space. As you
can see above where I have a volume with a space in it.
Removing shares was a little trickier though, sharing -r Share\ With-space didn't work….I
had to enclose it in quotes and do "Share With-space" instead. So nooby beware!
( *nix users are now rolling their eyes at this tip. )
I wasn't sure how you enabled a share for home directories from the command line, maybe it's
in the manual, but I was up to my eyeballs in manuals already so I haven't gone back to
revisit this question since my work around was to go to Server.app and verify that what I set
up in the sharing in terminal was being reflected in the gui…sort of my own MVC
(model-view-controller) check.
4.) Directory Utility > Directory Editor or dscl
Make sure what you see in WGM and Server.app are reflected here….to that question let's
take a journey where I did some exploring about that.
Ever really wonder "WHY CAN'T I REMOVE AN OLD HOME DIRECTORY SHARE?!!!"
Ah, then you will - LOVE - this tip…
( Provided my testing or yours, later, doesn't prove that in my ignorance I've broken
Open Directory. Remember, WHITEGLOVES!!!! but here we get a little dirty. I think of
OD as Apple's Registry, but that's not what it is at all. However, you as the user do have
to "****" around in it from time to time. )
I scoured the forums and everyone was saying things like "You have to change your server
role" etc. which seemed a little bit dumb to me (dumb because you're pushing views around
not "controlling"), and well, yea, that share that I couldn't modify or delete was REALLY
bugging me.
Now hmm… Before you do ANYTHING, how do you try to not hurt yourself…in Windows you
can make a Registry Backup….(yea bad analogy) In Server Admin.app you can go to your Open
Directory Service > Archive and Choose a place to Archive your information. (Figure this out by
yourself, this is getting long…sheesh! It's easy. Restoring is just as easy and painless.)
Before we can remove the entry we "SEE" in WGM we should make sure no
one has it selected so as not to "corrupt" the OD db, so in WGM first before going to Directory
Utility set the Home directory to "None". (We need to remember to set this to a correct share
later….Mental Note!!!)
Now Open Directory Utility
Method 1
System Preferences > Users & Groups > Login Options
Click the Lock to make changes…
Authenticate -> click "OK" (do I REALLY have to step-by-step this?)
Network Account Server: • Local Server - click "Edit" button here.
Open Directory Utility > Directory Editor
( Wow, did Apple hire someone from Microsoft? You'd think with all their research into
Human Interface Design that's WAY too many clicks to get to something you need. )
or
Method 2 (It's good to know about this directory, neat-o speed-o app's hidden here.)
Use "Go to Folder" Under Finder > Go > Go to Folder...
⇧⌘G /System/Library/CoreServices/
Click "OK"
and Double click Directory Utility.app
or
Method 3
Terminal
open /System/Library/CoreServices/Directory\ Utility.app/
Now From the Directory Editor Pane you will see a Pop-up menu Labeled "Viewing"
You should glance through this and get to know it. You should use it to see what
information is really being stored about your Users, Groups, Mounts…
We are interested in Mounts, which is where we want to go…and there is the pesky
mount that you will see reflected in WGM.
Authenticate, and delete the bugger.
Quit WGM and restart it. Voila, bad share is GONE!!!!!
a.) First select all my users
b.) Then I clicked on the "+" and added the correct share
( Remember, I only showed you the first one we created, this is another and
for THIS one you HAVE to go into Server.app and verify that it is set to be
available for Home Directories in this case for AFP. )
For the home directory entry you do this...
afp://computer.domain.com/Accounts-afp
%short_name%
/Network/Servers/computer.domain.com/Volumes/Hard\ Drive/Department/Accounts/%short_name%
%short_name% is a wild card for the short name there are other wild cards check out Apple's
Documentation on them. I lost the link 😟 sorry <shrug>
Interesting dscl commands…(check it out in command line form and compare side by side with
what you see in the GUI Directory Utility)
dscl . list /users
dscl . list /groups
If you want to output information about each user, though, use readall:
dscl . readall /users
dscl . readall /groups
And if you need to programmatically parse said information, use -plist to make your life easier:
dscl -plist . readall /users
dscl -plist . readall /groups
This made a little more direct sense to me, language wise…but fyi "." is kind of a wild card I think so the first
commands I think look in ALL directories local, Search, LDAP whatever you have. The command here
corresponds to the Entry from the Pop-up menu "…in node > Blah…" see GUI of Directory Utility to confirm.
dscl /LDAPv3/127.0.0.1 -list /Users
dscl /Local/Default -list /Users
5.) Workgroup Manager
Remember this is a utility that is not long for this world. Apple's Mountain Lion is rumored to fully
replace it, why? Yea, Apple's making a go at MDM (Mobile Device Management) and somehow
desktop computers are being pulled/dragged along for the ride. I have plenty of issues with
Profile Manager, but I'll likely revisit it in a couple of months and see where we stand.
Anyway, treat this baby like the bottom rung, because, well it is built like you start your
foundation here, but it's just a viewer with controlling "tweaks". Use the other areas to get a solid
grasp of what is actually going on. Server.app is where you should create accounts you can
feel are safe. When you create accounts in WGM, you are responsible for making sure they
have the appropriate EVERYTHING.
This list is by no means complete, but these are the areas this noob is or was prepared to talk about.
Good night for now. Enjoy climbing my wall of text, and yea sorry about that. :O Run for your lives!!!!
- Signed Shadowwraith
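
Added example (not part of the original post): the check described in section 3, where the author reran sudo sharing -l and noticed SMB was on and the custom names had been dropped, written as a script that compares the listing against what was intended. The SAMPLE text, the INTENDED table and the function names are constructed for illustration.

```python
# Constructed `sharing -l` output (post's format): SMB on, AFP name defaulted.
SAMPLE = """\
name: Database
path: /Volumes/Hard Drive/Department/Database
afp: {
name: Database
shared: 1
guest access: 0
}
ftp: {
name: Database
shared: 0
guest access: 0
}
smb: {
name: Database
shared: 1
guest access: 0
}
"""

# What the post's command asked for: AFP only, under the name "Database-afp".
INTENDED = {"Database": {
    "afp": {"name": "Database-afp", "shared": "1", "guest access": "0"},
    "ftp": {"shared": "0"}, "smb": {"shared": "0"}}}

def parse_sharing_list(text):
    shares, share, proto = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        key, _, value = (p.strip() for p in line.partition(":"))
        if line == "}":                   # end of a protocol block
            proto = None
        elif value == "{" and share:      # "afp: {" opens a protocol block
            proto = share["protocols"].setdefault(key, {})
        elif proto is not None:           # key/value inside afp/ftp/smb
            proto[key] = value
        elif key == "name":               # top-level name starts a new share
            shares.append(share := {"name": value, "protocols": {}})
        elif share and value:             # other top-level keys, e.g. path
            share[key] = value
    return shares

def audit(shares, intended):  # -> [(share, protocol, key, actual value)]
    findings = []
    for s in shares:
        for proto, expect in sorted(intended.get(s["name"], {}).items()):
            got = s["protocols"].get(proto, {})
            for key, want in sorted(expect.items()):
                if got.get(key) != want:
                    findings.append((s["name"], proto, key, got.get(key)))
    return findings
```

On the server, pass the text printed by sudo sharing -l instead of SAMPLE; an empty result from audit(parse_sharing_list(text), INTENDED) means the share points match what you asked for.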
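
Added example (not part of the original post): a way to use the dscl -plist output mentioned in section 4 to find accounts that will hit the "No home directory" error, or whose home folder is owned by the wrong user. Assumptions: the plist is an array of records keyed as dsAttrTypeStandard:RecordName, UniqueID and NFSHomeDirectory, directory accounts have a UID of 1000 or higher, and the sample records and helper names are constructed.

```python
import os
import plistlib

P = "dsAttrTypeStandard:"  # key prefix assumed for dscl -plist output
BASE = "/Network/Servers/computer.domain.com/Volumes/Hard Drive/Department/Accounts/"

def user(name, uid, home=None):
    """Build one constructed record shaped like a dscl -plist user entry."""
    rec = {P + "RecordName": [name], P + "UniqueID": [str(uid)]}
    if home:
        rec[P + "NFSHomeDirectory"] = [home]
    return rec

# Constructed sample standing in for the output of `dscl -plist . readall /users`.
SAMPLE = plistlib.dumps([
    user("root", 0, "/var/root"),
    user("alice", 1025, BASE + "alice"),
    user("bob", 1026, BASE + "bob"),
    user("carol", 1027, BASE + "carol"),
    user("dave", 1028),
])

def first(rec, attr):
    return (rec.get(P + attr) or [None])[0]

def home_problems(plist_bytes, min_uid=1000, stat=os.stat):
    """List (short name, problem) for accounts whose home cannot work."""
    problems = []
    for rec in plistlib.loads(plist_bytes):
        name, uid, home = (first(rec, a) for a in
                           ("RecordName", "UniqueID", "NFSHomeDirectory"))
        if uid is None or not uid.isdigit() or int(uid) < min_uid:
            continue  # skip system and local accounts (threshold is an assumption)
        if not home:
            problems.append((name, "no NFSHomeDirectory"))
            continue
        try:
            owner = stat(home).st_uid
        except OSError:
            problems.append((name, "home missing: " + home))
            continue
        if owner != int(uid):
            problems.append((name, "home owned by uid %d" % owner))
    return problems
```

The stat parameter exists so the check can be exercised without the real volume mounted; on the server, leave it at the default and pass in the bytes captured from dscl.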