Q: User home drive not disconnecting on logout - El Cap / SAN / SMB
10.10.5 clients managed by server 5.1 / 10.11.4 Server and Profile Manager
We have recently moved to a new SAN. Our old SAN (EMC) used to go nuts if we enabled SMB 2 when connecting with our Macs. We forced SMB 1 protocol on our clients and this stopped file corruption and the SAN from going bananas.
New SAN (HP) supports SMB 3. Migrated all user data and found that Mac folders (Movies, Music, Pictures, Library etc) had funny permissions. The "Everyone" group was set to "Deny" and either removing this, or just refreshing the perms on a folder allowed the correct users access.
When using SMB 1 on our new SAN, it was slow as dirt so we've enabled SMB 3. Much faster. Our problems are as follows:
1 - When a new user is created, and they log in for the first time they get their "Mac" folders created. These are made with the funny perms which prevent users saving into these folders. We have got around this for new users by creating a folder template for them BEFORE login which contains the correct permissions. We tidied up current users by running a monster script to strip and refresh perms.
2 - When a user logs out of a networked Mac client, their network home folder doesn't seem to disconnect properly, leaving it open which means if they log in to another machine their Keychain can go nuts.
Anyone here got experience with Macs and SANs and dodgy permissions?!
Mac mini, OS X Server
Posted on Apr 19, 2016 12:57 AM
Bosco1983 wrote:
1 - When a new user is created, and they log in for the first time they get their "Mac" folders created. These are made with the funny perms which prevent users saving into these folders. We have got around this for new users by creating a folder template for them BEFORE login which contains the correct permissions. We tidied up current users by running a monster script to strip and refresh perms.
Roughly speaking, the permissions should be that the owner can access the folders and contents but everyone should be listed as denied. As the user creates the folder, they should be the listed owner.
Bosco1983 wrote:
2 - When a user logs out of a networked Mac client, their network home folder doesn't seem to disconnect properly, leaving it open which means if they log in to another machine their Keychain can go nuts.
Yes, sadly network home directories have lots of issues. This is something I and others have seen, along with various other issues. I have, I feel, resolved this by setting up a logouthook script which runs, as the name suggests, when the user logs out and checks for and, if needed, disconnects any leftover mount of the user's home directory. Below is my logouthook script.
#!/bin/bash
# LogoutHook script: runs when the user logs out

# Kill secd processes left running after user logs out
killall -9 secinitd
killall -9 secd
logger "LogoutHook killed processes"

# Unmount network home directory share if left mounted after user logs out.
# mount prints one mount per line; reading the mount points line by line and
# quoting each one keeps umount working when more than one is left over.
mount | grep /Network | awk '{print $3}' | while read -r mountpath
do
    umount -f "$mountpath"
    logger "LogoutHook unmounted network home"
done

# Delete old stuff from /private/var/folders - mainly cache files after user logs out
# more as a security measure but also helps clear any bad stuff
find /private/var/folders/* -type d -mtime 1 -exec rm -rf {} \;
exit 0
As you will see it actually does three different things - I believe there are probably at least five different network home directory related issues not all of which have workarounds like these.
Posted on Apr 19, 2016 3:04 AM
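An added example, not part of either post: the hook above unmounts whatever `mount | grep /Network` returns, while this variant parses the same output line by line and selects only the mounts recorded as mounted by the user who is logging out, including mount points that contain spaces. The function names, the DRY_RUN switch, the sample mount lines, the assumed `mount` line format and the assumption that the hook receives the user's short name as `$1` all belong to this example.

```shell
#!/bin/bash
# Added example (not from the thread). Assumes mount lines of the form
#   <source> on <mount point> (<fstype>, <options>, mounted by <user>)
# and that the hook is passed the user's short name as $1.

# Print the /Network mount points that were mounted by user $1.
# Reads mount-style lines on stdin; mount points may contain spaces.
user_network_mounts() {
    local user="$1" line point opts
    while IFS= read -r line; do
        opts="${line##* (}"        # text after the last " ("
        point="${line% (*}"        # drop the trailing "(options)"
        point="${point#* on }"     # drop "<source> on "
        case "$point" in
            /Network/*) ;;
            *) continue ;;
        esac
        case "$opts" in
            *"mounted by $user)") printf '%s\n' "$point" ;;
        esac
    done
}

# Unmount each selected mount point. DRY_RUN=1 (hypothetical switch) only reports.
unmount_user_homes() {
    local user="$1" point
    [ -n "$user" ] || return 1
    mount | user_network_mounts "$user" | while IFS= read -r point; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would unmount $point"
        else
            umount -f "$point" && logger "LogoutHook unmounted $point for $user"
        fi
    done
}

# Constructed sample of mount output for exercising the parser offline.
SAMPLE_MOUNTS='/dev/disk1 on / (hfs, local, journaled)
//alice@san01/homes on /Network/Servers/san01/homes (smbfs, nodev, nosuid, automounted, nobrowse, mounted by alice)
//bob@san01/staff%20share on /Network/Servers/san01/staff share (smbfs, nodev, nosuid, mounted by bob)
//alice@nas/media on /Volumes/media (smbfs, nodev, nosuid, mounted by alice)'

# Run only when a user name is supplied, as it would be from the hook.
if [ "$#" -gt 0 ]; then
    unmount_user_homes "$1"
fi
```

Running it with `DRY_RUN=1` and a user name lists what would be unmounted without touching any mount.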