Setting up Network Users - home folder on client Mac

There are two similar setups - Network Home Directory users, and Portable Home Directory Users, both are linked to Open Directory user accounts.

With a Network Home Directory user a user logs in and accesses their home directory stored on a server, this does not result in a home directory being created on the client Mac.

With a Portable Home Directory user, a user logs in and this triggers creating a local user account linked to their network user account and also triggers the creation of a local home directory stored in /Users on the local drive, optionally it will sync the content of their matching network home directory folder to the local home directory.

It is possible to configure via Workgroup Manager MCX preferences, or preferably these days via Profile Manager which approach is used. It is also possible to present a dialog box when the user logs in offering a choice. If the portable home directory choice is made then thereafter each time the login that portable home directory will continue to be used. Portable home directories are particularly suited to laptops as they can be used even when the laptop is not connected to the network. Password changes between a portable home directory user and Open Directory can be automatically synced so that when you change the password on your client Mac it updates the matching account in Open Directory, remember with a portable home directory account a local account has been created. (Linked to the Open Directory account.)

As far as Open Directory is concerned they are all network accounts so that is fine.

You control the behaviour as I mentioned either by setting preferences in Workgroup Manager (managed preferences - Mobility) or by Profile Manager - also Mobility.

In my case I created a device group in Profile Manager and added all the laptops to one group which was set to trigger the use of portable home directories, and I created a second device group configured to use network home directories. The default for Open Directory seems to be for Network Home Directories so my desktop device group does not have a Mobility setting whereas my laptop group does.

If your using Active Directory I believe the default is to offer the dialog to create a Portable Home Directory.

But now I can't log in as a network user... Gone to check more.

You have to restart the server, before you can log in with the same logon on the network. That is because it does not unmount the directory immediately if it is on the same Mac. That (the unmounting), only happens when logged on from the network.

Leo

Leopardus wrote:

But now I can't log in as a network user... Gone to check more.

You have to restart the server, before you can log in with the same logon on the network. That is because it does not unmount the directory immediately if it is on the same Mac. That (the unmounting), only happens when logged on from the network.

Leo

There are sadly these days many problems with network home directories and Apple seem disinclined to fix them. The following is not necessarily all of them but gives you an idea.

1. When logging out as a network home directory user the network home directory can remain mounted
2. When logging out as a network home directory user multiple processes can remain running and 'owned' by the former login, this in particular can cause problems with the user accessing their Keychain the next time they login
3. When logging in again it can trigger a fullblown entire reindexing of the users network home directory by Spotlight, if you have a lot of emails this can be extremely time consuming and until the reindexing is complete searching via spotlight can be impossible or incomplete
4. Various critical user files like the Addressbook/Contacts databases, the users Keychain, etc. can become corrupted
5. We also find that even when remaining logged in from time to time the user can lose access to their Keychain and this requires logging out or rebooting (or worse - see issue 4)
6. Using SMB for network home directories instead of AFP seems to make matters worse, as Apple these days seem to recommend using SMB this is to say the least ironic

Some of these issues have been discussed at length in various other threads in these discussion forums. In particular with reference to issue 2 above a logout-hook was devised to 'kill' the secinitd and secd processes which seems to be moderately helpful regarding that issue. I have also added my own addition to that logout-hook to make sure a users network home directory is dismounted when they logout.

Here is my combined version.

#!/bin/bash
killall -9 secinitd
killall -9 secd
logger "LogoutHook killed processes"
mountpath=`mount | grep /Network | awk '{print $3}'` 
if [ "$mountpath" != "" ] 
then 
  umount -f $mountpath 
  logger "LogoutHook unmounted network home"
fi 
exit

Again you can use Profile Manager to push out a logout-hook to all clients.

David Gordon wrote:

John, are you saying/suggesting network login may be more trouble than its worth? I'm looking at a small office, no more than 8 to 10 Macs maybe fewer. We can continue with individuals using their 'own' Macs but a couple of people have ended up with accounts on two or three machines. I thought this would be a good solution!

It will depend on each persons situation, I am still for the majority of our users using network home directories despite these issues. I am also using the logout-hook to help reduce the amount of problems.

If I was to for example use portable home directories then this would mean user files being kept on lots of computers, this in our case would mean also having to use FileVault to protect them. If I used syncing for portable home directories then that is also prone to problems for some people, if I do not use syncing for portable home directories then I would have to setup a backup process for each client Mac and if a client Mac failed e.g. a dead hard drive the amount of downtime is considerably greater than with network home directories the beauty of which is the user can simply login on a different computer.

John Lockwood wrote:

In particular with reference to issue 2 above a logout-hook was devised to 'kill' the secinitd and secd processes which seems to be moderately helpful regarding that issue. I have also added my own addition to that logout-hook to make sure a users network home directory is dismounted when they logout.

Here is my combined version.

Again you can use Profile Manager to push out a logout-hook to all clients.

If you don't mind, I will gladly use this! Saves me a lot of time logging out, restarting.

Leo

I hope you don't mind, but I am going to jump in here. I've also experienced issues with PHDs, especially with users that have larger media libraries in excess of 30G. I don't think that number is itself important. Another intelligent sysad I've met at the MacAdmins Conf this last July showed me how the PHDs can work, but he admitted that the synchronization method used by Apple is more effective with smaller files. He also pointed out problems of having too many locations where PHDs may need to be kept in sync. Have you had people log into multiple boxes using PHDs?

IMO, Apple has got to devote more attention to the network homes if they are going to remain in the SMB market.

However, I admit that with the new network I'm rolling out for my small office, I'm going with the network login and local home directories. This is possible because the devices are dedicated to the users. Will then use backups to the server for data redundancy. I have not decided on the method for this.

David,

It wasn't clear in reading this thread if you got the account to work?

In the Server.app, under Users-->Edit User, you have to point the Home Folder to the location you've shared for the home directories. It think that is the default for new user accounts created after you've shared the location, but good idea to check. Also make sure that in the File Sharing-->Shared Folders area, you have checked the box to share them as Home directories over SMB/AFP. SMB is the default now, but as John suggested, I typically shift back to AFP as it seems more stable.

Please forgive me in advance if I've stated the obvious.

Tim

Good to see the book. I was not aware an El Capitan-based server book had been written. I'm just now looking at El Capitan.

One think I wish I'd done when I first started out was to do more testing and learning using virtual machines. If you have the hardware to support, I suggest building up that capability. I use vmWare Fusion and am very happy with it.

Tim