
User cannot login after switching network home folder from AFP to SMB

I'm running Yosemite Server 4.1.5 in a home scenario. I set up file share to be used as a home folder. Initially the share was set to use as home folder via AFP - no encryption. I set up a couple of test accounts to use this share as a home folder. Everything worked fine. Out of curiosity I enabled the encryption setting on the share. This disabled the AFP checkbox and switched the home folder protocol to SMB.


The users that were assigned to this home folder were logged off at the time. When attempting to log in after this change - the users that use this share for home folders are no longer able to log in. A message box pops up indicating that the login is not allowed and that an error has occurred. The message is very vague. Rebooting the client (as well as the server) - does not resolve this issue. After this error occurs - other network users (those that use a different network home folder) might not be able to log in and might receive the same message.


After some experimentation - I discovered that I can correct the problem with the following steps: in the users pane of server app - select the users (one at a time) that are using the home folder that was set to encrypted mode. Change the home folder setting to Local Only - or to another home folder share. Save the changes. Edit the user again - and set the home folder back to using the share that was changed - then log in on client mac as that user. The login succeeds and the problem with the other users (using a different home folder) also corrects itself. Is this a bug - or am I missing something?


In my scenario - there are only a handful of users and they are all for testing purposes. What if I had 200 users and 100 of them were using the share that I just switched to use an encrypted connection? I would have to find all of the users that were using the share - and do the workaround that I described above - for each user. Can anybody shed some light on this? I realize that typically one would not be changing the share settings on a regular basis - but what if it were really necessary to switch the protocol and encryption settings - then you are faced with this problem. Also - I wanted to point out that the problem is not so much caused by enabling/disabling an encrypted connection - rather it seems to occur when I change the "share as home folder over AFP/SMB" setting back and forth between AFP and SMB - regardless of whether the "use encrypted connection" checkbox is checked.


In the 200 user scenario (theoretical) - how would I go about searching to find which users are using the share in question?


~Scott

MAC MINI SERVER (LATE 2012), OS X Server

Posted on Sep 4, 2015 11:39 PM


Sep 5, 2015 11:37 AM in response to Grant Bennet-Alder

The reason that I think this is a bug (or maybe an oversight) - is that the user home folders in the share are not actually encrypted when encryption is used - it is only the SMB connection that is encrypted. Encryption is not supported when connecting to the share via AFP. The more I look at this issue - it really seems to be caused by switching the home folder protocol of the share between AFP and SMB. You must use SMB if you want an encrypted connection to the share. Almost seems as though the network home folder connection info is being cached on the server - and the only way to clear the incorrect settings seems to be to switch the user's home folder share to either local or to a different home folder share - and then switch it back to the original share immediately. The prior settings in use (AFP vs SMB) seem to survive a reboot of both the client and the server. As far as determining which users would be impacted by such a change - in the case of a large number of users - I suppose it would be fairly easy to look at which user's home folders exist in the share in question and fix each user with the workaround described. I'm somewhat of a beginner with Open Directory and I was wondering how I would go about querying the user information?


~Scott

Sep 5, 2015 7:52 PM in response to Grant Bennet-Alder

I now see what is happening. I looked at the LDAP entries for the network users - using Directory Utility. The fully qualified path to the home folder share including the protocol afp:// or smb:// is being saved for each user - under Users where the attribute is "HomeDirectory". For example if the share "Network Home Folders" was set to use for home folders via AFP - and then you create network user John Doe - the HomeDirectory attribute for johndoe is set to the following "<homedir><url>afp://server.example.com/Network%20Home%20Folders</url><path>johndoe</path></homedir>". So if you change the Make Available for Home Folder via AFP to SMB - the HomeDirectory key is not updated - and it persists on the server even through a reboot. You can use Directory Utility to edit the HomeDirectory attribute and simply change the "afp://" to "smb://" - but you would still have to search for all users that were using the share "Network Home Folders" - and make the same change for each user. This is why swapping the home folder setting via Server App was correcting the problem - because it was rewriting the LDAP entry for HomeDirectory.


In the event that a user attempts to log on with their network account - before you have fixed the LDAP entry - they will get the "You are unable to log in to the user account "johndoe" at this time. Logging into the account failed because an error occurred." message. Once you get this message on the client - it does not seem to clear itself and the client Mac needs to be rebooted.


To find all of the users that are currently using the "Network Home Folders" share for their home directory - just use the following dscl command:


dscl /LDAPv3/server.example.com -list /Users HomeDirectory | grep "Network%20Home%20Folders"


This will show you the user id and their home folder paths and you can then pick and choose the users that will need to be updated - and most likely it will be all of the users shown. I'm sure with some creativity - it would be possible to pipe the output of this command into another "dscl -change" and perform a mass change of all of the affected users.


I no longer believe this is a bug - but I do believe that the Server App really needs a safeguard that would stop somebody from changing certain settings of the share if any users are set to use it as a home directory - possibly making the modifications automatically to conform with the specified protocol for the home folder share settings.


I do believe that on the client side - the failure to log in should be a bit more intuitive and report exactly what the problem is (user home folder path set to afp or smb - and the home folder share settings are incompatible).


Hope this helps others that have encountered this error.


~Scott
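The post above lists the affected users with `dscl -list` and suggests piping that into `dscl -change` for a mass fix. The script below is an added example (not from the original poster) of that pipeline, written as POSIX sh functions. It assumes the node `/LDAPv3/server.example.com`, the share URL `server.example.com/Network%20Home%20Folders`, and a directory administrator named `diradmin`; all three are placeholders. With `DRY_RUN=1` (the default) it only prints the `dscl -change` commands it would run, so the change list can be reviewed before anything is written to Open Directory. It only rewrites the scheme of URLs that point at this one share, so users whose homes are on another server are left untouched.

```shell
#!/bin/sh
# Added example: bulk-rewrite the scheme (afp:// <-> smb://) in the HomeDirectory
# attribute of every Open Directory user whose network home is on one share.
# Assumed placeholders: node name, share host/path, directory admin name.
NODE="${NODE:-/LDAPv3/server.example.com}"
SHARE_HOST_PATH="${SHARE_HOST_PATH:-server.example.com/Network%20Home%20Folders}"
DIRADMIN="${DIRADMIN:-diradmin}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the dscl commands, 0 = run them

# rewrite_url FROM TO VALUE
# Print VALUE with "<url>FROM://<share>" replaced by "<url>TO://<share>".
# Only this share's URL is touched; any other HomeDirectory value passes through.
rewrite_url() {
  printf '%s\n' "$3" |
    sed "s#<url>$1://$SHARE_HOST_PATH</url>#<url>$2://$SHARE_HOST_PATH</url>#"
}

# affected_users FROM
# Read "user value" lines (the format printed by
#   dscl "$NODE" -list /Users HomeDirectory
# ) on stdin and print "user<TAB>value" for users whose home is on the share
# over scheme FROM.
affected_users() {
  while read -r user value; do
    case "$value" in
      *"<url>$1://$SHARE_HOST_PATH</url>"*) printf '%s\t%s\n' "$user" "$value" ;;
    esac
  done
}

# fix_home_urls FROM TO
# Read dscl -list output on stdin; for each affected user emit (or run) the
# dscl -change that swaps the old HomeDirectory value for the rewritten one.
# dscl -change needs the exact old value, so an entry that was already edited
# by hand is simply not matched and is skipped rather than corrupted.
fix_home_urls() {
  from="$1"; to="$2"
  affected_users "$from" | while read -r user old; do
    new=$(rewrite_url "$from" "$to" "$old")
    if [ "$DRY_RUN" = 1 ]; then
      # -p prompts for the admin password when the printed line is pasted back.
      printf 'dscl -u %s -p %s -change /Users/%s HomeDirectory %s %s\n' \
        "$DIRADMIN" "$NODE" "$user" "$old" "$new"
    else
      # DIRADMIN_PASSWORD is assumed to be supplied in the environment.
      dscl -u "$DIRADMIN" -P "$DIRADMIN_PASSWORD" "$NODE" \
        -change "/Users/$user" HomeDirectory "$old" "$new"
    fi
  done
}

# Typical use (review first, then apply):
#   dscl "$NODE" -list /Users HomeDirectory | fix_home_urls afp smb
#   dscl "$NODE" -list /Users HomeDirectory | DRY_RUN=0 fix_home_urls afp smb
```

Run the dry-run form first and compare its output with the list from the `grep` command in the post; the two should name the same users. Switching the share back from SMB to AFP is the same call with the arguments reversed (`fix_home_urls smb afp`).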
