Network profiles or synchronized mobile homes not working

Question

Level 1

0 points

Network profiles or synchronized mobile homes not working

Hello Guys

I need a solutions for some environments where I have more users than computers. It doesn't need to work right out of the box, but it needs to have a deterministic behaviour and function reliably.

I tried different solutions to get network homes or synchronized mobile homes working, but did not succeed.

So here is what I tried so far:

pure OS X Setup: Open Directory server with file services enabled. Destination of the user homes in a shared folder on the server.
Issue: The keychain items do not get synchronized. Whenever a user logs in (even when he just logged out on the same machine) he has to re-enter the password (and no: iCloud keychain isn't a solution!)
Active Directory 2012 R2, user homes on OS X Server or user homes on synology or user homes on windows server:
Same issues as with the "pure" OS X solution, the keychain items do not get synchronized. Also, other items (many of them from the library) do not get synchronized correctly or with the wrong permissions set on the file.

A general problem with network homes seems to be that many applications can't cope with a home folder which isn't located on the local disk. Because of that, I decided to give synchronized roaming profiles a chance.

Here is what I tried:

Active Directory, Roaming Profiles, synchronized with an OS X Server over AFP
Active Directory, Roaming Profiles, synchronized with an OS X Server over SMB
Active Directory, Roaming Profiles, synchronized with a Windows Server over SMB
Active Directory, Roaming Profiles, synchronized with a Synology Server over SMB
Active Directory, Roaming Profiles, synchronized with a Synology Server over AFP

In all cases, user homes were created fine on the local disk and the users were able to log in. But as soon as I wanted to synchronize files (doesn't matter if automatically or manually), many synchronization errors occured, rendering this option as unusable as the "network home only" solution.

Configuration details:

NTP was set correctly on all machines and servers
I did not use a .local domain (I used the domain "lab.intra") and had a DNS server in place (2 colleagues assured me that it was configured correctly)

All I want is that users can login on any machine they want and get their user profile. Up to 10.6.X this worked well, but it seems like it changed very much since then.

Any help would be greatly appreciated!

Regards

Christian

Posted on Nov 18, 2015 2:03 AM

Reply

Answer 1

cdhw

Level 4

3,588 points

Nov 18, 2015 2:34 AM in response to crazy_owl

Open Directory + mobile homes with OS X 10.10.5 on server and clients works fine for me. I do, however, use login/out scripts that kill off the user processes that stay running otherwise. One of these (securityd from memory) is a real nuisance if it is not stopped.

C.

Reply

Answer 2

crazy_owl Author

Level 1

0 points

Nov 18, 2015 7:08 AM in response to cdhw

Thank you for your reply!

Just to be sure: Do you mean mobile profiles (user profiles stored on the local disk of the mac), network profiles (user profiles stored on a central server and attached via SMB or AFP) or mobile homes with synchronization (mobile profiles, but profiles are also copied on a central server)?

Regards

Christian

Reply

Answer 3

cdhw

Level 4

3,588 points

Nov 18, 2015 7:46 AM in response to crazy_owl

You seem to be mixing up the terms 'home directory', 'account' and 'profile'. What I meant was this:

OS X Yosemite: Create and configure mobile accounts

C.

Reply

Answer 4

crazy_owl Author

Level 1

0 points

Nov 18, 2015 11:49 AM in response to cdhw

Hey cdhw

Well, I had to learn that the same things are called by different names in this field;)

However, what you are doing is not what I am looking for 😟

I got that working myself without any problems, because the user profile (or home directory 😉) resides on the local disk. This even works with Active Directory.

What I want is to have the home directory residing on a server or beeing synced 😉

Regards

Christian

Reply

Answer 5

cdhw

Level 4

3,588 points

Nov 18, 2015 3:43 PM in response to crazy_owl

Nope, what I am doing is exactly what you're looking for. Read the description of mobile accounts in the Apple document I referred to again. Home directory on server kept in sync with local copy(ies) on client(s).

C.

Reply

Answer 6

crazy_owl Author

Level 1

0 points

Nov 25, 2015 6:31 AM in response to cdhw

Hello cdhw

Thank you for your reply and for the correction, you're right, I got you wrong.

It took me so long to write back to you, because I wanted to double check everything in my lab environment, but I didn't like the result: There are still synchronization errors and the keychain doesn't get synced at all.

In the meantime I spoke to someone who is a bit more in touch with apple than I am, and he confirmed that he also does not support such environments anymore because they do not work reliably. The main problem in the whole topic is that os x puts the keychain entries in a special folder in "~/Library/Keychains" which is named to the Hardware-UUID of the device. And when you log in to another computer, of course the UUID changes and the new computer can't read the values stored in the keychain.

I don't see a way to get around it but maybe you solved this problem somehow? (Or do you use the synchronization only as a backup and your users do always log into the same machine?)

Regards

Christian

Reply

Answer 7

cdhw

Level 4

3,588 points

Nov 25, 2015 7:33 AM in response to crazy_owl

There are client-specific things in ~/Library/Keychains/Hardware-UUID in my users' home directories, but they don't seem to cause any problems (but see comment below) in my context. I believe (but don't know) that they are only things like Bluetooth and WiFi passwords that one would expect to be client specific. The login keychain is still in ~/Library/Keychains/login.keychain.

You may have overlooked this comment:

I do, however, use login/out scripts that kill off the user processes that stay running otherwise. One of these (securityd from memory) is a real nuisance if it is not stopped.

I had all seven shades of keychain-related misery before doing this. The cure was a login-hook to restart secd. Refer to this thread for the background:

Mavericks Server Keychain not properly storing information network users.

For killing processes at logout, which also cause issues for network homes, look for a post by Georgy Karageogiev in this thread:

Stray processes after a user logout

These solutions were developed for 10.10.5. OS X 10.11.1 seems to be better in some respects so I'm not sure to what extent these remedies are still needed. They're like my dragon repellent - it may not be strictly necessary but neither am I being troubled by dragons.

C.

Reply