2007-09-02

Macs at home; Part 5: Portable Home Directories

Filed under: Geekiness — iain @ 14:19:56

See the introduction to this post.

At the end of Part 4 Rebecca’s account details were stored only in LDAP and her home directory lived on an NFS share. I had an LDAP account with the same UID and GID as that on my MacBook Pro and separate home directories on the laptop and on the network.

With OS X 10.4 you can set up Portable Home Directories, i.e. roaming profiles. It’s really quite easy. First you log on as a network user. Then you open System Preferences and go to Accounts. You select the user you just logged in as, click the lock and authenticate as a local admin, then check Create mobile account. Finally log out and log back on again.

Upon relogging, the contents of the network home will be copied to /Users and a user will be created in NetInfo with an AuthenticationAuthority of LocalCachedUser. The system will launch MirrorAgent (the same app used to synchronise your iDisk) which will synchronise the local and network accounts at login, after logout and every 20 minutes (configurable) while the account is logged in.

I created a test user called mac to test this out.

    $ dscl localhost -read /NetInfo/Users/mac
    AuthenticationAuthority: ;LocalCachedUser;/LDAPv3/ldap.iain.cx:mac:
    NFSHomeDirectory: /Users/mac
    OriginalHomeDirectory: /Network/Servers/files/home/mac
    OriginalNFSHomeDirectory: /Network/Servers/files/home/mac
    OriginalNodeName: /LDAPv3/ldap.iain.cx

Update 2007-10-31: With Leopard the command is:

    $ dscl localhost -read /Local/Default/Users/mac

But wait! Don’t rush off and do this just yet!

If you Google Portable Home Directories you will find more detailed discussion on the caveats I will now present.

Gotchas

I’d read that you need to create an LDAP mapping of HomeDirectory to apple-user-homeDirectory (i.e. the same as we mapped NFSHomeDirectory). This is so MirrorAgent can figure out the user’s original home directory and hence know where to sync from. Update 2007-09-16: I don’t think this is actually true. I have mobile users working without this, and I think HomeDirectory is supposed to be an AFP URL anyway.

By default MirrorAgent won’t sync ~/Library which sucks because there are useful things stored in there. But you don’t want to sync all of it because some of the contents are specific to the local machine.

Before logging in as the mobile user, edit /System/Library/CoreServices/mcxd.app/Contents/Resources/CinchDefaults.plist as root. I set it to this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>excludedAlways</key>
        <array>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/.mcxlc</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/.Spotlight-V100</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/.TemporaryItems</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/.Cleanup At Startup</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>startsWith</string>
                        <key>value</key>
                        <string>.afpDeleted</string>
                </dict>
        </array>
        <key>excludedItems</key>
        <array>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/.Trash</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library</string>
                </dict>
        </array>
        <key>excludedPrefItems</key>
        <array>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Application Support/SyncServices</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Caches</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Logs</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Caches</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Mirrors</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Preferences/ByHost</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Printers</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>fullPath</string>
                        <key>value</key>
                        <string>~/Library/Safari/Icons</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>startsWith</string>
                        <key>value</key>
                        <string>IMAP-</string>
                </dict>
                <dict>
                        <key>comparison</key>
                        <string>startsWith</string>
                        <key>value</key>
                        <string>Mac-</string>
                </dict>
        </array>
        <key>syncedFolders</key>
        <array>
                <dict>
                        <key>path</key>
                        <string>~</string>
                </dict>
        </array>
        <key>syncedPrefFolders</key>
        <array>
                <dict>
                        <key>path</key>
                        <string>~/Library</string>
                </dict>
        </array>
    </dict>
    </plist>

That is, I added ~/Library to syncedPrefFolders and deleted everything starting ~/Library/Preferences from excludedPrefItems.

MirrorAgent seems to want to sync in two passes. First the directories listed under syncedFolders, excluding those in excludedItems, then those listed under syncedPrefFolders, excluding those in excludedPrefItems. Thus the path of least resistance leading to a sync of almost everything including Library is to add Library as a prefItem and delete the Preferences exclusions.
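The two-pass behaviour described above, as an added example (not from the original post, and not Apple's code): a Python model that reports which pass, if any, would pick up a given home-relative path. `SAMPLE` is a constructed, abbreviated copy of the settings; the matching rules for `fullPath` and `startsWith`, and the idea that `excludedAlways` applies to both passes, are assumptions, and all function names are hypothetical.

```python
import plistlib
from pathlib import PurePosixPath

def rule(comparison, value):
    return {"comparison": comparison, "value": value}

# Constructed, abbreviated settings using the same keys as the plist above.
SAMPLE = {
    "excludedAlways": [rule("fullPath", "~/.Spotlight-V100"),
                       rule("startsWith", ".afpDeleted")],
    "excludedItems": [rule("fullPath", "~/.Trash"), rule("fullPath", "~/Library")],
    "excludedPrefItems": [rule("fullPath", "~/Library/Caches"),
                          rule("fullPath", "~/Library/Preferences/ByHost"),
                          rule("startsWith", "IMAP-")],
    "syncedFolders": [{"path": "~"}],
    "syncedPrefFolders": [{"path": "~/Library"}],
}

def load_settings(plist_path):
    """Read a real CinchDefaults.plist or com.apple.HomeSync.plist."""
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh)

def under(path, root):
    """True if path is root itself or lies beneath it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def excluded(path, rules):
    # Assumed semantics: fullPath covers the item and everything in it;
    # startsWith is tested against the name of each path component.
    parts = PurePosixPath(path).parts
    for r in rules:
        if r["comparison"] == "fullPath" and under(path, r["value"]):
            return True
        if r["comparison"] == "startsWith" and any(
                p.startswith(r["value"]) for p in parts):
            return True
    return False

def classify(path, settings):
    """Return 'home', 'prefs' or 'not synced' for a ~-relative path."""
    always = settings.get("excludedAlways", [])  # assumed to apply to both passes
    for name, folders, excl in (("home", "syncedFolders", "excludedItems"),
                                ("prefs", "syncedPrefFolders", "excludedPrefItems")):
        in_scope = any(under(path, f["path"]) for f in settings.get(folders, []))
        if in_scope and not excluded(path, always + settings.get(excl, [])):
            return name
    return "not synced"
```

Running `classify` over the paths you care about, with `load_settings` pointed at the edited file, shows which per-user data under ~/Library will be copied to the network share before you create the mobile account.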

After editing this file you should ensure that Library/Preferences/com.apple.HomeSync.plist does not exist either on the network share or the mobile user’s local home. It will be created as a copy of CinchDefaults.plist and hence do The Right Thing.

It should be possible to flag an account as being mobile on all machines. This would probably be done by setting something in apple-user-mcxsettings. I would need to see an example from a real OS X Server or find more documentation before learning how to do this. For now I have to create the mobile account manually on each machine. Well that actually works out well for me, since I only want to roam on the laptop!

1 Comment »

  1. It seems like the difference between a syncedFolder and a syncedPrefFolder is that a syncedPrefFolder is only synced at login and logout; not periodically while the session is active.

    This means that if you wanted to change your sync preferences (perhaps to exclude a local scratch directory) you’d have to log out and back in again for the change to take effect.

    Comment by iain — 2007-09-04 @ 19:19:56
