Centrify Identity Service, Mac Edition

Problem:
- Mac users log in with Mobile Accounts and Mobile Home Syncing is enabled.
- At first, Home Syncs work with no problem - users sync with their own network home folders correctly.
- At an undetermined time later, the sync path somehow changes to the parent share of the network homes and all Mobile Accounts sync into the same network location.
- When Home Sync is working correctly, the users sync to:
- smb://server.domain.com/UserHomes/[username]/Desktop/
- smb://server.domain.com/UserHomes/[username]/Downloads/
- When the issue occurs, users suddenly start syncing to:
- Looking in System Preferences > Users & Groups > Mobile Settings will display folders one level above the user's original network home.
In all environments that exhibited this issue, it was discovered that Parallels had also been installed (not necessarily on the Mac itself). Whenever a user logged into their Parallels environment, it modified one of the user's AD attributes to an unexpected value, which in turn causes OS X's Mobile Home Sync mechanism to sync to the parent of the originally specified home folder.

Technical Information:
- A user's home folder path is stored in the "OriginalHomeDirectory" attribute.
- In OS X, the format of this path differs depending on whether the user is an AD Account or a Local Account:
- AD Account:
- OriginalHomeDirectory: <home_dir><url>smb://server.domain.com/UserProfiles/username</url><path>/</path></home_dir>
- Local Account:
- OriginalHomeDirectory: <home_dir><url>smb://server.domain.com/UserProfiles</url><path>username</path></home_dir>
- When Mobile Accounts are created, this attribute should not change.
- However, it was discovered that whenever Parallels runs, whether in the foreground or in the background (i.e. elsewhere in AD), it triggers a Network User Login event.
- This event causes OS X's ManagedClient process to copy the AD account's OriginalHomeDirectory attribute to the local account, resulting in it being stored in the wrong format.
- This is NOT a Centrify-related issue.
- The same results can also be reproduced when setting up a system with a Mobile Account under Apple's own AD plugin and Parallels installed (no Centrify on the system).
- Parallels does NOT have to be installed on the Mac itself - just present in the domain.
Workaround:
The "OriginalHomeDirectory" attribute can be placed in the user's "preserved_attributes" array to prevent it from being modified. This can be achieved using the following steps:
- Download the attached login script to the following location on the AD server:
- \\[domain.com]\SYSVOL\[domain.com]\scripts\preserve_originalhome.sh
- Enable the following GP:
- User Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify login scripts"
- "Run with root user privileges": Enabled
- Go to the affected Mac systems, log in as Local Admin, go to System Preferences > Users & Groups and delete the affected Mobile Accounts from the system.
- If there is unsynced data in the user's home folder - make sure to choose "Don't change the home folder" at the user deletion options.
- This data can then be copied back from the /Users/ folder after the Mobile Account gets re-created.
- Log out and log back in as the AD users.
- When they get converted back to Mobile Account status (either via GP or manually) - the login script will ensure their "OriginalHomeDirectory" attribute is preserved and prevented from being overwritten.
- The workaround script above should only be used on Mac systems where Network Accounts are to be immediately converted to Mobile Accounts.
- Do NOT use this script on a Mac system where regular Network Accounts are to be used and Home Sync is not needed.
- If the script is already in place and Network Accounts are no longer able to login, please see the following KB:
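As an added example (this is not Centrify's attached preserve_originalhome.sh, which is not reproduced on this page), the following POSIX shell script shows the check and the fix described above: it parses an OriginalHomeDirectory value, flags the local-account format that makes Home Sync use the parent share, and, when run as root on a Mac with `--user <name>`, adds the attribute to the mobile account's preserved_attributes array. The dscl attribute spellings (dsAttrTypeNative:preserved_attributes, dsAttrTypeStandard:OriginalHomeDirectory) and the assumption that dscl prints the value on the same line as the attribute name are mine, not taken from the KB; the two sample values are constructed from the formats listed under Technical Information.

```shell
#!/bin/sh
# Added example, not Centrify's attached preserve_originalhome.sh.
# Inspects an OriginalHomeDirectory value, flags the local-account format
# that makes Home Sync use the parent share, and, on a Mac, adds the
# attribute to preserved_attributes. The dscl attribute names used below
# (dsAttrTypeNative:preserved_attributes, dsAttrTypeStandard:OriginalHomeDirectory)
# are assumptions, not taken from the KB.

# Extract the <url> element of an OriginalHomeDirectory value.
home_dir_url() {
    printf '%s\n' "$1" | sed -n 's|.*<url>\(.*\)</url>.*|\1|p'
}

# Extract the <path> element of an OriginalHomeDirectory value.
home_dir_path() {
    printf '%s\n' "$1" | sed -n 's|.*<path>\(.*\)</path>.*|\1|p'
}

# AD-account format keeps the full home in <url> and "/" in <path>.
# The local-account format puts the share in <url> and the user name in <path>,
# which is the value ManagedClient writes after a Network User Login event.
home_dir_is_ad_format() {
    [ "$(home_dir_path "$1")" = "/" ]
}

# One-line verdict; the <url> is what Home Sync ends up using as the network home.
home_dir_report() {
    if home_dir_is_ad_format "$1"; then
        printf 'OK     sync target: %s\n' "$(home_dir_url "$1")"
    else
        printf 'WRONG  local-account format, sync would go to parent share: %s\n' "$(home_dir_url "$1")"
    fi
}

# Read the live attribute from the local directory node (macOS, run as root).
# Assumes dscl prints the value on the same line as the attribute name.
read_original_home() {
    dscl . -read "/Users/$1" OriginalHomeDirectory | sed -n 's/^.*OriginalHomeDirectory: *//p'
}

# Add OriginalHomeDirectory to preserved_attributes once, so later network
# logins cannot overwrite it (idempotent: skips if already listed).
preserve_original_home() {
    if dscl . -read "/Users/$1" dsAttrTypeNative:preserved_attributes 2>/dev/null \
        | grep -q 'OriginalHomeDirectory'; then
        echo "preserved_attributes already covers OriginalHomeDirectory for $1"
    else
        dscl . -append "/Users/$1" dsAttrTypeNative:preserved_attributes \
            dsAttrTypeStandard:OriginalHomeDirectory
    fi
}

# Constructed sample values in the two formats the KB describes.
AD_FORMAT='<home_dir><url>smb://server.domain.com/UserProfiles/username</url><path>/</path></home_dir>'
LOCAL_FORMAT='<home_dir><url>smb://server.domain.com/UserProfiles</url><path>username</path></home_dir>'

if [ "${1:-}" = "--user" ] && [ -n "${2:-}" ]; then
    # Live mode on a Mac: report the real record, then protect the attribute.
    home_dir_report "$(read_original_home "$2")"
    preserve_original_home "$2"
else
    # Offline demonstration over the constructed samples.
    home_dir_report "$AD_FORMAT"
    home_dir_report "$LOCAL_FORMAT"
fi
```

Run without arguments to see the two sample verdicts; run as root on an affected Mac with `--user jdoe` to inspect that mobile account's live value and protect it. Because the KB says the attribute should only be preserved on systems where network accounts are immediately converted to Mobile Accounts, the live mode is meant for those systems only.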
Please contact Apple for further assistance. (Apple Bug ID #15801756)
For additional information not covered in this guide or troubleshooting assistance, please review the Centrify Online Help or Customer Support Portal.