Bosco1983

Q: User home drive not disconnecting on logout - El Cap / SAN / SMB

10.10.5 clients managed by server 5.1 / 10.11.4 Server and Profile Manager

 

We have recently moved to a new SAN.  Our old SAN (EMC) used to go nuts if we enabled SMB 2 when connecting with our Macs.  We forced SMB 1 protocol on our clients and this stopped file corruption and the SAN from going bananas.

 

New SAN (HP) supports SMB 3.  Migrated all user data and found that Mac folders (Movies, Music, Pictures, Library etc) had funny permissions.  The "Everyone" group was set to "Deny" and either removing this, or just refreshing the perms on a folder allowed the correct users access. 

 

When using SMB 1 on our new SAN, it was slow as dirt so we've enabled SMB 3.  Much faster.  Our problems are as follows :

 

1 - When a new user is created, and they login for the first time they get their "Mac" folders created.  These are made with the funny perms which prevent users saving into these folders.  We have got around this for new users by creating a folder template for them BEFORE login which contains the correct permissions.  We tidied up current users by running a monster script to strip and refresh perms.

 

2 - When a user logs out of a networked Mac client, their network home folder doesn't seem to disconnect properly, leaving it open which means if they login to another machine their Keychain can go nuts.

 

Anyone here got experience with Macs and SANs and dodgy permissions?!

Mac mini, OS X Server

Posted on Apr 19, 2016 12:57 AM


  • by John Lockwood, Solved answer

    John Lockwood, Apr 19, 2016 3:04 AM in response to Bosco1983
    Level 6 (9,309 points)
    Servers Enterprise

    Bosco1983 wrote:

     

    1 - When a new user is created, and they login for the first time they get their "Mac" folders created.  These are made with the funny perms which prevent users saving into these folders.  We have got around this for new users by creating a folder template for them BEFORE login which contains the correct permissions.  We tidied up current users by running a monster script to strip and refresh perms.

     

    Roughly speaking, the permissions should be that the owner can access the folders and contents but everyone should be listed as denied. As the user creates the folder, they should be the listed owner.

    Bosco1983 wrote:

     

    2 - When a user logs out of a networked Mac client, their network home folder doesn't seem to disconnect properly, leaving it open which means if they login to another machine their Keychain can go nuts.

     

    Yes, sadly network home directories have lots of issues. This is something I and others have seen, along with various other issues. I have, I feel, resolved this by setting up a logouthook script which runs, as the name suggests, when the user logs out and checks and, if needed, disconnects any left-over mount of the user's home directory. Below is my logouthook script.

     

    #!/bin/bash
    # Kill the security daemons left running after the user logs out
    # (they can keep the network home and its keychain files open)
    killall -9 secinitd
    killall -9 secd
    logger "LogoutHook killed processes"
    # Unmount the network home directory share if it is still mounted after logout.
    # Loop so that more than one left-over mount is handled, and quote the path.
    # (mount output is "<device> on <mountpoint> (<options>)"; a mount point that
    # itself contains spaces would need a different parse than awk's $3)
    mount | grep /Network | awk '{print $3}' | while IFS= read -r mountpath
    do
      if [ -n "$mountpath" ]
      then
        umount -f "$mountpath"
        logger "LogoutHook unmounted network home $mountpath"
      fi
    done
    # Delete old stuff from /private/var/folders - mainly cache files after user logs out,
    # more as a security measure but also helps clear any bad stuff.
    # -mtime 1 matches directories last modified between 24 and 48 hours ago;
    # -prune stops find descending into a directory it has just removed.
    find /private/var/folders/* -type d -mtime 1 -prune -exec rm -rf {} \;
    exit 0

     

    As you will see it actually does three different things - I believe there are probably at least five different network home directory related issues not all of which have workarounds like these.
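The mount check is the part of the hook most likely to misbehave, since a client can have more than one left-over network mount and a mount point can contain spaces. The following is an added example, not John Lockwood's script or anything from Apple, showing a parse of mount(8) output that copes with both, plus a dry-run mode so the logic can be exercised without unmounting anything. The mount lines are a constructed sample; the server name fileserver.example.com and the user names are made up.

```shell
#!/bin/sh
# Added example: find and (optionally) unmount left-over network home mounts.
# Not the original poster's script. Sample mount output below is constructed.

# Constructed sample of `mount` output on a client where two users' network
# homes (one with a space in the path) were left mounted after logout.
SAMPLE_MOUNT_OUTPUT='/dev/disk1 on / (hfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
//alice@fileserver.example.com/homes/alice on /Network/Servers/fileserver.example.com/homes/alice (smbfs, nodev, nosuid, mounted by alice)
//bob@fileserver.example.com/homes/bob smith on /Network/Servers/fileserver.example.com/homes/bob smith (smbfs, nodev, nosuid, mounted by bob)
map auto_home on /home (autofs, automounted, nobrowse)'

# Read mount(8) lines ("<device> on <mountpoint> (<options>)") on stdin and
# print one mount point per line for every mount under /Network.
# The leading greedy ".* on " anchors on the last " on ", so spaces in the
# device or mount point do not break the parse the way awk '{print $3}' does.
network_home_mounts() {
    sed -n 's/^.* on \(\/Network\/.*\) (.*)$/\1/p'
}

# Count the left-over network mounts in the given mount output.
count_network_home_mounts() {
    printf '%s\n' "$1" | network_home_mounts | wc -l | tr -d ' '
}

# Unmount every network home mount found in the given mount output.
# With DRY_RUN=1 only report what would be done (useful when testing a hook).
unmount_network_homes() {
    printf '%s\n' "$1" | network_home_mounts | while IFS= read -r mountpath
    do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would unmount: $mountpath"
        else
            umount -f "$mountpath" && logger "LogoutHook unmounted $mountpath"
        fi
    done
}

# In a real logout hook run this against live output: unmount_network_homes "$(mount)"
# Here it is exercised on the constructed sample in dry-run mode.
DRY_RUN=1 unmount_network_homes "$SAMPLE_MOUNT_OUTPUT"
```

Run on a client as root with `DRY_RUN=1` first to confirm only the expected `/Network/...` paths are listed; `umount -f` on the wrong path would disconnect a share a still-running process depends on.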

  • by Bosco1983

    Bosco1983, Apr 19, 2016 3:04 AM in response to John Lockwood
    Level 1 (61 points)
    Servers Enterprise

    Hi John,

    Thanks for the quick and detailed reply.  That's awesome.

    This may sound like a rookie question, but how do I implement this logout hook?  Shall I create a script file using your text and then upload to the "logout" section of profile manager?

    I'll have to edit the login.window plist also - is the best way to do this via ARD and send out terminal commands to update the required fields?

  • by John Lockwood, Helpful

    John Lockwood, Apr 19, 2016 4:53 AM in response to Bosco1983
    Level 6 (9,309 points)
    Servers Enterprise

    Yes, that's right. If you have Profile Manager set up, the easiest way is to upload my script to the logout option.

     

    I pre-configure the com.apple.loginwindow options as part of my build process, but ARD and running a Unix command to do a defaults write is another way.

     

    I personally prefer and recommend the Profile Manager route, as it is possible to control via Profile Manager which Macs use this script. Another approach would be to create an Apple Installer package with my script as a payload and a post-install script which turns on the logout hook options in com.apple.loginwindow.

  • by Bosco1983

    Bosco1983, Apr 19, 2016 3:48 AM in response to John Lockwood
    Level 1 (61 points)
    Servers Enterprise

    Ace, thanks. I'll certainly add this to my build with DeployStudio and then as a logout script on PM.

     

    I'll go figure out the terminal command to update the local login.window plist and let you know how I get on.

     

    Thanks again, really appreciate it.

  • by Bosco1983

    Bosco1983, Apr 19, 2016 4:19 AM in response to John Lockwood
    Level 1 (61 points)
    Servers Enterprise

    Sorry to mither, but I want to make sure I edit the correct loginwindow file.

    Is the correct one found under

    /private/var/root/Library/Preferences/

    I don't see the com.apple.loginwindow file here.  I do see it under /Library/Preferences, but I assume this isn't the correct one?

     

    Thanks.

    UPDATE

    Ignore that, I was looking on an unmanaged 10.11 machine, but when looking at a managed 10.10 machine I can see the file in var/root/library/preferences

     

    Thanks

  • by John Lockwood

    John Lockwood, Apr 19, 2016 4:25 AM in response to Bosco1983
    Level 6 (9,309 points)
    Servers Enterprise

    Yes, here are my commands:

     

    /usr/bin/defaults write /var/root/Library/Preferences/com.apple.loginwindow EnableMCXLoginScripts -bool true

    /usr/bin/defaults write /var/root/Library/Preferences/com.apple.loginwindow MCXScriptTrust -string Anonymous

     

    Some people may use a stronger security option for the second.
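The two defaults commands above and the installer-package route suggested earlier (copy the hook into place, then turn on the loginwindow options in a post-install step) fit naturally into one small install script. What follows is an added example, not John Lockwood's commands or anything shipped by Apple. It assumes the three values Apple documents for MCXScriptTrust are Anonymous, PartialTrust and FullTrust (Anonymous being the weakest, the stricter two needing a trusted directory binding), and that the hook file name and path are the administrator's choice. Because the hook runs as root at every logout, the script installs it owned by root with mode 0755 rather than world-writable, and it only calls defaults(1) when that tool exists, so the permission checks can be exercised on any POSIX system.

```shell
#!/bin/sh
# Added example: install a logout hook with safe ownership/permissions and
# enable MCX logout scripts for the root user's loginwindow preferences.
# Not the original poster's commands. Path and trust values are assumptions
# as described in the lead-in.

LOGINWINDOW_PLIST=/var/root/Library/Preferences/com.apple.loginwindow

# Return 0 if the trust level is one of the values assumed valid for
# MCXScriptTrust. Anonymous is the value used in the thread and the weakest;
# PartialTrust and FullTrust are the stricter options.
valid_trust_level() {
    case "$1" in
        Anonymous|PartialTrust|FullTrust) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy the hook into place, executable and writable only by its owner.
# The hook is executed as root at logout, so a group- or world-writable copy
# would let any local user change what root runs.
install_hook() {
    src=$1; dest=$2
    cp "$src" "$dest" || return 1
    chmod 0755 "$dest" || return 1
    # Only root can change ownership; uid/gid 0 is root:wheel on macOS.
    if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$dest" || return 1; fi
}

# Return 0 if the file's mode string is exactly -rwxr-xr-x (executable,
# owner-writable only). Ownership is not checked here.
hook_perms_ok() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rwxr-xr-x" ]
}

# Write the two loginwindow keys from the thread, after validating the trust
# level. Skips (successfully) when defaults(1) is absent, i.e. not on macOS.
enable_logout_scripts() {
    trust=$1
    valid_trust_level "$trust" || { echo "bad trust level: $trust" >&2; return 1; }
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; not on macOS, skipping" >&2
        return 0
    fi
    defaults write "$LOGINWINDOW_PLIST" EnableMCXLoginScripts -bool true &&
        defaults write "$LOGINWINDOW_PLIST" MCXScriptTrust -string "$trust"
}

# Example use on a client (paths are placeholders chosen for this example):
#   install_hook ./logouthook.sh /usr/local/bin/logouthook.sh
#   hook_perms_ok /usr/local/bin/logouthook.sh
#   enable_logout_scripts Anonymous
```

After running it, `ls -l` on the installed hook should show `-rwxr-xr-x` and root ownership; if a copy was previously made world-writable, re-running `install_hook` over it restores 0755.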

  • by Bosco1983

    Bosco1983, Apr 19, 2016 4:56 AM in response to John Lockwood
    Level 1 (61 points)
    Servers Enterprise

    Mr Lockwood, you are a superstar - thank you!

     

    Saving the script as a .sh, running chmod 777 on it and then uploading it to Profile Manager worked like a boss as soon as I ran your commands on the client and gave it a reboot.

     

    Looking on our file server, we can see that when the user now logs out, it is NOT keeping files open as it was before (and causing issues).  Our FS does still show that a session is active, but it doesn't have any files attached to it.

     

    REALLY appreciate your help - thank you.