Centrify DirectControl on Mac OS X 10.6 and higher
Account Migration was performed on a local account on a Mac and the Mobility group policies have been enabled to allow it to sync with a network home folder as well.
However, when trying to sync, the following error is shown:
- The sync could not complete because your network home at "(null)" does not allow writing
Accounts which were not migrated are working as expected.
How can migrated accounts be configured for home syncing as well?
- The following steps apply to accounts which have been migrated with agent versions 5.2.1 and lower.
- As of version 5.2.2, the account migration operation was modified to support Mobile Account creation and so no special configuration is needed other than what is normally needed for regular non-migrated AD users.
Accounts that were migrated with agent versions 5.2.1 and below cannot be used with Mobile Accounts for syncing, since Account Migration overrides network home folders configured in ADUC (for Auto Zone systems) or in the DirectManage/DirectControl console (for Zone Mode systems).
For Mobile Home Syncs to work, the Mobile Accounts need to be configured with a network home folder so that the Mac systems know where to sync with.
However, if Account Migration is used, then this component supersedes the home folder setting from AD and forces that particular Mac to see that migrated account as having a local home folder on that machine. This is why the error message reports that the network home is "null".
Please see the following KB for more information on this:
To get Home Syncs working with migrated (mapped) accounts, a forced, direct re-ownership of the local home folder needs to be performed instead:
- Log into the Mac as Local Admin and remove the link between the local account and AD account:
- System Preferences > Centrify > Account Migration > (Select target user) > Unlink
- Open the Terminal and run the following commands (Where ad_username is the username of the AD user):
- sudo adflush
- sudo chown -R ad_username /Users/ad_username
- (Note that this assumes that the local account that is being migrated has the same username as the AD account it was mapped to. If not, then please first change the user's home folder in /Users/ to match the AD username of the user)
- After the above commands have been run, do an AD query on the user's home path to check that everything now matches up:
- adquery user -h ad_username
- This should now return a network path in UNIX format instead of /Users/ad_username:
- Once this is confirmed, the next time the user logs in, they should be able to sync the Mobile Account successfully.
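A check to run after the steps above, as an added example (not Centrify's own tooling): it confirms that nothing under the local home folder is still owned by another account and that `adquery user -h` no longer reports a local or null home. The function names are hypothetical, and "UNIX format" is assumed to mean an absolute path outside /Users/.

```shell
#!/bin/sh
# Added example: post-fix verification for one migrated account.

# Succeeds only if the home path reported by AD looks like a network home:
# not empty, not "(null)", not a local folder under /Users/.
# Assumption: a network path in UNIX format is an absolute path.
home_is_network() {
    case "$1" in
        ""|"(null)"|/Users/*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints how many entries under directory $1 are NOT owned by user $2
# (name or numeric UID). 0 means the recursive chown covered everything.
# Fails instead of printing 0 if find itself errors (e.g. unknown user).
count_foreign_owned() {
    out=$(find "$1" ! -user "$2") || return 1
    printf '%s' "$out" | grep -c . || true
}

# Runs both checks for one user; the home folder defaults to /Users/<user>.
check_migrated_user() {
    user=$1
    local_home=${2:-/Users/$user}
    [ -d "$local_home" ] || { echo "missing local home: $local_home" >&2; return 2; }
    foreign=$(count_foreign_owned "$local_home" "$user") \
        || { echo "could not inspect $local_home" >&2; return 3; }
    [ "$foreign" -eq 0 ] \
        || { echo "$foreign entries not owned by $user" >&2; return 3; }
    ad_home=$(adquery user -h "$user") \
        || { echo "adquery failed for $user" >&2; return 4; }
    home_is_network "$ad_home" \
        || { echo "AD home is still local or null: $ad_home" >&2; return 5; }
    echo "OK: $user has network home $ad_home"
}

# Only act when a username is passed on the command line.
if [ $# -gt 0 ]; then check_migrated_user "$@"; fi
```

Run it as the local admin with the AD username as the first argument; a non-zero exit status identifies which check failed.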
For further reading on Mobile Accounts, please see the following KBs: