Portable Home Directories in 10.8 Server?

Gerben Wierda wrote:

Or: you create the users anew in the network directory, you replace their home directories with the content of what is on the MacBook (TDM is your friend) and do the chmod. Easier still.

I was unaware of Target Disk Mode (TDM) until you made your post! Interesting. I assume that this is the procedure:

http://support.apple.com/kb/HT1661?viewlocale=en_US&locale=en_US

From what you are writing, I create "blank" User directories on the server using the Server App. I then connect up the MacBook with FireWire, copy over all the files, then change the directory permissions to match what is on the server. Suppose I can start at /Users/Kirk, act like I'm altering the persmissions, then apply to all subfolders and this should correct things.

Kirk

/etc/fstab is deprecated and should not be used in MacOSX.

dhcpclient9:~$ cat /etc/fstab.hd

IGNORE THIS FILE.

This file does nothing, contains no useful data, and might go away in

future releases. Do not depend on this file or its contents.

Gerben,

I've been struggling for several days to move 5 different local accounts over to server 10.8. I've actually tried hiring two different local apple certified engineers, and neither of them had experience setting up server, so I fired them after they fumbled around for a day each.

I just don't understand terminal well enough to be able to follow the instructions people have given. Part of the problem, i think, is that I wanted to put all the server's sharepoints on its 2nd internal drive, so my network users are supposed to go into Data/Network/Users/

The server runs from a volume called Server

So i've never been able to follow the terminal commands to move the files over and get them to end up in the correct folder.

Can this be done with carbon copy cloner or some other tool that i can understand?

mille1j wrote:

I just don't understand terminal well enough to be able to follow the instructions people have given. Part of the problem, i think, is that I wanted to put all the server's sharepoints on its 2nd internal drive, so my network users are supposed to go into Data/Network/Users/

The server runs from a volume called Server

So i've never been able to follow the terminal commands to move the files over and get them to end up in the correct folder.

Can this be done with carbon copy cloner or some other tool that i can understand?

That's pretty much my setup, HD n.1 has the OS, HD n.2 holds the Network Home directories.

When I moved data over, I just use that handy tool called the Finder. The original Homes, backup files I had cloned to an external HD -- on the external HD, I just set it to ignore permissions.

Carbon Copy Cloner will let you do "selective" cloning, i.e. cloning only certain folders/files. In fact I used that to clone to the external HD. I didn't clone back however the server's 2d HD -- I was doing some manual "pruning".

The thing to be careful of when using something like Carbon Copy Cloner to migrate the original data to the new location on the Server's 2d HD are the permissions, particularly the owner. CCC might actually clone with the old permissions/owner to the new location. Post-clone, you usually have to change that to the new owner. Although you might have the visibile name "mille" in both the old and new setup, the underlying code (UUID) for each user is different, requiring a correction to of the owner -- I just used "chown".

Gerben/Eric

Been very busy at my real job, and just had the chance last week to install the server app on the Mac Mini. I also upgraded my Macbook Pro to Mt Lion.

I engaged File Sharing and Open Directory on the Server. Set the settings for the "Users" share to share with AFP and SMB (I have a Windows machine I wanted to test), share with iOS devices (I have a few, so again, to test), and "make available for home directories over: AFP"

I have not added any Users yet to the server, but I thought I would try to get the Macbook Pro to "see" the server before progressing. After rummaging around the KB's and discussions, I got a bit confused over the difference between:

• Open Directory
• Active Directory
• Portable Home Directory
• Mobile User Accounts
• Mobility Settings.

I found one thread that led me to believe that you can set up the home directories automatically by using the Users and Groups on my Macbook. When I opened that section of Preferences, I could see my server (so at least "something" is working!)

I read some of the KB articles which seem to imply that to allow a user to login and create a portable directory, you had to change the "user experience" you can get to through the "Edit" button above:

I picked "Active Directory" and it showed me the following (when I selected the edit/pencil icon):

When I try to set it, it complains that it can't connect to a server.

I know I'm confusing some concepts here, and probably attacking this from the wrong angle. Can either of you get me back on the right track?

Kirk

Kirk - you are a bit confused from what I can gather from your posting. Open Directory, LDAP, Active Directory are all similar directory services solutions. While they can interact with each other - typically they are stand alone in a company or enterprise. Most people at home would not run a directory service (although you can and some do as I ).

If you have created an Open Directory server, then you could use that to "join" your macbook to that directory to share user account information and support kerberos authentication for auto mounting of file shares. If you are familiar with Windows servers this is a concept you should understand.

Portable Home Directories is a concept where your /Users home directory would not be mounted from that file server, but rather ported to your laptop for use when you are on a plane, at a remote site, or anywhere away from home. When you arrive home, MacOSX will try to sync. your directory with that on the file server for backup sake. If you had edited your resume on the plane, it will then update the file server with your resume version.

Your "Mobiliity" settings are a part of the Active Directory lingo and a function of Microsoft's services - unless you have Active Directory - you should have not chosen that and need not worry about it.

Sellers wrote:

Your "Mobiliity" settings are a part of the Active Directory lingo and a function of Microsoft's services - unless you have Active Directory - you should have not chosen that and need not worry about it.

I agree with what Sellers wrote, aside from that last bit.

"Mobility" isn't just an Active Directory term.

"Mobilty" is actually the term used in Server's "Profile Manager" (and I think in 10.8 version of Workgroup Manager as well) when you want to allow a Network User to create a Mobile User Account on their Mac, and Mobile User Account have a....portable home directory.

Kirk, a "pure" network user account has a network home stored on the designated "home share" on the server (you used /Users). On client Macs that have joined the Network Account Server (joined the OD server), a network user can login and use the home stored in the "home share". The network user never "exists" the client Mac nor is any info in his home directory -- it's all on the server. So if the client Mac can't connect to the server, a user can't login or have access to their data in their Home directory.

At the other extreme, is what you're used to on your (client) Mac; that is, a local user account that exists only that particular Mac, and whose home is also stored there.

The hybrid or fusion of these two extremes would be this. You have a Network User Account that also exists on a client Mac (Mobility User Account or Mobilty Account) with a home directory that exists not only on the client Mac (Portable Home Directory) but is also sync'ed with a copy of the home directory on the server. The Mobility Settings determine what (which folders) and how often (login, logout, every x minutes) the sync takes place.

The reason "Create Mobility Account at login" button isn't working for you is because all of your user accounts on the Mac are local accounts (you've got only "Admin" and "Standard"). The only users who can have a Mobility Account are Network Users. A Mobility Account will say "Mobile" under the user's name. I'm not sure that whether that button will work on it's own, even if you have a Network account. It *might* require setup in Profile Manager first, but I don't know for user. I setup "Mobility" in Profile Manager first, then created Mobility Accounts on my Macs. I never used that button it may be there in case a user later needs to create a Mobility Account, having originally decided not to (be it on purpose or by accident).

----

Unless you're working with Windows Server, you can set aside the info about Active Directory. It's Microsoft's product, which if you will is a competing product to Open Directory (which is what OS X Server uses).

Sellers/Eric

Thank you for trying to set me straight. Selecting "edit" for my server from the User & Groups pane on my client MacBook Pro, I see the following:

Fig 1

I then selected "Open Directory Utility". From your comments, and reading http://en.wikipedia.org/wiki/Apple_Open_Directory I deduce that the "LDAP" listed below is in fact the Open Directory service that should be provided by my Mac Mini Server syrinx. Is that correct?

Fig 2

Editing the LDAPv3 selection, I get the following pane:

Fig 3

And when "Edit" is selected here, I see this pane:

Fig 4

Is there a need to "bind" the server to initiate a connection that I can then create the Mobility Accounts?

Thanks

Kirk

Eric

By the way, I'm trying to set up the "hybrid" approach you describe in your post.

Eric. wrote:

The hybrid or fusion of these two extremes would be this. You have a Network User Account that also exists on a client Mac (Mobility User Account or Mobilty Account) with a home directory that exists not only on the client Mac (Portable Home Directory) but is also sync'ed with a copy of the home directory on the server. The Mobility Settings determine what (which folders) and how often (login, logout, every x minutes) the sync takes place.

You mention Profile Manager:

Eric. wrote:

The reason "Create Mobility Account at login" button isn't working for you is because all of your user accounts on the Mac are local accounts (you've got only "Admin" and "Standard"). The only users who can have a Mobility Account are Network Users. A Mobility Account will say "Mobile" under the user's name. I'm not sure that whether that button will work on it's own, even if you have a Network account. It *might* require setup in Profile Manager first, but I don't know for user. I setup "Mobility" in Profile Manager first, then created Mobility Accounts on my Macs. I never used that button it may be there in case a user later needs to create a Mobility Account, having originally decided not to (be it on purpose or by accident).

I wanted to see if I could "get" the client Mac to change it's accounts to network / Mobility Accounts by having it recognize the Server and Open Directory.

Is Profile Manager on the server? If so, I haven't seen it labeled specifically as such in the Server App.

Kirk

Kirk,

You're already bound to the server! See the green dot next to the name of your server in the first screen shot?

Your MPB is already bound, and the connection is good as indicated by the green dot. When you can't connect, it will turn red.

Profile Manager. To turn that on, use Server.app.

Once you have that setup and turned on, note the two links "Open Profile Manager ->" and "Visit user portal ->".

"Open Profile Manager" will launch the browser where you'll configure mobility and any other settings you want for the computer, groups of computers, users, or user groups. (That's like the Profile Manager Admin page.) You're using a browser, so you can eventually just go their straight from the browser. The address is usually something like:

https://server_fully_qualified_domain/profilemanager

So in your case it's probably:

https://syrinx.carter.private/profilemanager

The user portal lets users register their devices and can accept remote management. With remote management using the profile manager admin web page (the link given above), any modifications you make there will pushed to the devices.

Eric

Thanks for last post. It cleared a few things up, but I seem to have met another roadblock...

I went through the process that you layout in your post. When I get to this point:

Eric. wrote:

Once you have that setup and turned on, note the two links "Open Profile Manager ->" and "Visit user portal ->".

"Open Profile Manager" will launch the browser where you'll configure mobility and any other settings you want for the computer, groups of computers, users, or user groups. (That's like the Profile Manager Admin page.) You're using a browser, so you can eventually just go their straight from the browser. The address is usually something like:

https://server_fully_qualified_domain/profilemanager

So in your case it's probably:

https://syrinx.carter.private/profilemanager

The user portal lets users register their devices and can accept remote management. With remote management using the profile manager admin web page (the link given above), any modifications you make there will pushed to the devices.

I am met with the following:

When I try to "enroll", I get an error:

Can you advise as to what step I have missed in this?

Kirk

Kirk:

Prior to installing the Device Enrollment Profile you need to install a Trust Profile. In the My Devices window there is a Devices and Profiles. Click on Profiles and install the Trust Profile. If you do not have one you need to return to the Server app and select Review Certificates. In the Certificates panel you can create a self-signed certificate.

Here is how my Profiles appear in System Preferences for a PHD.

Each Mac that you want to use for Mobile Accounts will require the Trust Certificate and needs to be enrolled for Device Management. In the Profile Manager you will be able to set up how you want the Mobile Account managed. There are numerous settings that you can push to each machine. I manage a lab with about 8-10 Mobile Accounts and I find it most useful to have a Device Group "Mobile" that has all of the managed Macs, that way I can push to all Mobile Accounts at once.

Another note, I have found that that setting up Mobility on the Device Profiles works much better than setting Mobility from the User Profiles. I could never get it to work properly with mobility from the User Profiles.

Let me know if you need more detail, I am running Lion, not ML Server.