Applies to: All versions of Centrify DirectControl on Mac OS X
The Mobility GPs have been set up and network home folder permissions have all been verified to be correct.
The AD user is able to log in and the mobile account is correctly created.
However, when initiating a Home Sync it fails on certain folders with the error below:
Most of the folders are correctly synced to the network home; the sync failures most frequently affect the Documents and Downloads folders.
This can be replicated consistently when the Mac is joined in Zone mode.
Home Sync works fine when the Mac is joined in Auto Zone mode or with the Apple AD Plugin.
The problem happens only to users with "auto private group" configured as their Primary Group in their UNIX Zone Profile.
Users with normal zone groups configured are not affected.
Most folders in the user's home folder are copied directly from the local skeleton folder to the user's network home before creating the mobile account, which means they are not created by the initial sync process.
However, the Documents and Downloads folders are not included in the skeleton folder.
They are created after the user logs in, and should be synced to the server.
These two folders have the following ACL settings:
drwx------+ 3 testuser staff 102 Mar 1 22:30 Downloads
0: group:everyone deny delete
It was found that if all the following conditions are met, then the folder sync will produce an error:
1. User has auto private group.
2. The folder has ACL configured.
3. The folder is not empty.
This appears to be a bug in the OS X FileSyncAgent and the way it resolves group IDs.
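The three conditions above can be checked on a Mac before a sync is attempted. The script below is an added example, not part of the original article or of Centrify's tooling; its function names are hypothetical, and it assumes that an auto private group gives the user a primary GID equal to their UID.

```shell
#!/bin/sh
# Added example: list home subfolders that meet the sync failure conditions.

# Condition 1 (assumption): with an auto private group, primary GID == UID.
has_private_group() {
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" = "$(id -g "$1")" ]
}

# Condition 2: reads `ls -led` output on stdin. ACL entries are the numbered
# lines ("0: group:everyone deny delete") printed under the mode line.
listing_has_acl() {
    grep -Eq '^[[:space:]]*[0-9]+:[[:space:]]'
}

# Condition 3: the folder holds at least one entry (dotfiles included).
dir_not_empty() {
    [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# Print the name of each folder under home directory $1 that has an ACL
# and is not empty. `ls -e` is the macOS option that lists ACL entries.
at_risk_folders() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if ls -led "$d" 2>/dev/null | listing_has_acl && dir_not_empty "$d"; then
            printf '%s\n' "${d##*/}"
        fi
    done
}

# Usage: sync_risk_report USER HOME_DIR
# Prints nothing for users whose primary group is a normal zone group.
sync_risk_report() {
    if has_private_group "$1"; then
        at_risk_folders "$2"
    fi
}
```

Run `sync_risk_report testuser /Users/testuser` after sourcing the script; any folder it prints meets all three conditions and is a candidate for the workarounds described here.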
The Documents and Downloads folders can be added to the skeleton folder on the Mac before creating the mobile account.
To configure this, log in as Local Admin and run the following in Terminal:
mkdir -p "/System/Library/User Template/English.lproj/Documents"
mkdir -p "/System/Library/User Template/English.lproj/Downloads"
These commands will pre-create the folders in the default skeleton template so that they will be part of the structure when the mobile account is created.
Note: These commands can also be configured to run automatically via Group Policy by entering them into:
Computer Configuration / Centrify Settings / Common UNIX Settings / "Specify commands to run"
Manually create the folders on the network home share that are prompting the errors.
Home Sync will succeed when these folders are already present.
None, as the FileSyncAgent is maintained by Apple.