Creating Home Directories
This section explains how to create different types of home directories for a Mac computer.
Understanding Home Directories
Whenever an Active Directory user logs in to a Mac computer, a home directory is created for the user. Mac provides three styles of home directory, which can be configured by an administrator to fit the type of user who will be using the computer, the type of computer, and the use to which the computer will be put. Auto Zone supports each of these styles:
- Local home directory — The user’s home directory is created on the local computer in the Users folder with the user’s login name (/Users/username).
- Network shared directory — The user’s home directory is created on a network share.
- Portable home directory — The user’s home directory is created on a network share and copied and synchronized to the local computer. This type of directory is also called a mobile home directory.
When you join a computer to a domain by connecting to Auto Zone, the home directory is created based on the following:
- Active Directory user settings; for example, an administrator can specify a network home directory in the Profile for an Active Directory user.
- Auto Zone default values; by default, Auto Zone is configured to support the creation of home directories in the Users folder on the local computer.
- Auto Zone parameters set in the configuration file, /etc/centrifydc/centrifydc.conf, by an administrator or by a group policy. See the Configuration and Tuning Reference Guide for a description of all Auto Zone parameters.
The following sections explain in detail how to set up each type of user home directory.
Configuring a Local Home Directory
In general, you do not need to explicitly configure local home directories for your Active Directory users because Auto Zone is configured to work for Active Directory users exactly as if they were local users. That is, by default, an Active Directory user who logs in to a Mac computer that is joined to a domain through Auto Zone is given a local home directory at /Users/username. For example, for a user, Glen Morris, whose login name is gmorris, the local home directory is set to /Users/gmorris.
Although it isn’t necessary to explicitly configure the agent for local home directories, in some situations you might want to do so. For example, if a Windows user has a local home directory defined in their Active Directory profile, that home directory will be assigned when the user attempts to log in and may prevent the user from logging in. The agent provides a configuration parameter (auto.schema.use.adhomedir) that you can set to ignore home directories in an Active Directory profile and always set the home directory to the default (/Users/username).
To explicitly configure a computer for local home directories:
1. On the Mac computer, edit the configuration file, /etc/centrifydc/centrifydc.conf.
2. Add the following two parameters:
   auto.schema.use.adhomedir: false
   auto.schema.homedir: /Users/%{user}
   Setting auto.schema.use.adhomedir to false configures the local computer to ignore any home directories that are set for users in Active Directory. This parameter is set to true by default.
   Setting auto.schema.homedir: /Users/%{user} configures the local computer to set the home directory to /Users/username, where username is the user logon name defined in the user’s Active Directory account. Note that this parameter is set to this value by default on all Mac computers.
   If you plan to configure network-home or portable-home directories for this computer, you must set auto.schema.use.adhomedir to true, the default value; otherwise, the agent will ignore the network home directories that you specify for users in Active Directory.
3. Save and close the file.
Configuring a Network Home Directory
For each user whom you want to have a network home directory, you must specify the location in Active Directory.
In earlier releases you had to first create a network home directory for a user if you planned to also create a portable home (mobile home) directory for that user. With the current release, you can create portable home directories for users without first creating network home directories for those users.
To configure a network home directory for a user connected to Auto Zone:
1. Create a network share to host the home directory.
   For example, on the dc-demo server (acme.com domain), create a network share called MacUsers. You must assign appropriate permissions to the network shared directory so the Active Directory account is able to write to the user’s home directory. One way to do this is to assign read/write permissions to Authenticated Users on the network share. Each home directory that is created inherits permission from the network share, so the account of the logged-in user is granted write permission to its network home directory. See Setting Shared Directory Permissions for more details about properly setting and fine-tuning network share permissions.
2. On a domain controller in the forest to which the Mac OS computer is joined, open Active Directory Users and Computers.
3. Select Users, select the user, then right-click the user and click Properties.
4. Click the Profile tab, then under Home folder select Connect.
5. In Connect ... To, type the location of the share you created in Step 1 by using the following format:
   //Server/share/path
   For example:
   //dc-demo.acme.com/MacUsers/rdavis
6. Click OK to save the user profile.
7. (Optional) By default, the agent is configured to use the Active Directory home folder if one is specified in a user’s profile. However, to be explicit, you can edit the configuration file and add the following parameter:
   auto.schema.use.adhomedir: true
   Save and close the file.
8. Specify the type of share to mount for the network home directory on the Mac computer, SMB or AFP.
   By default, the Mac computer will attempt to mount an SMB share for the network home. If you specified an AFP share, you must set the following parameter in the configuration file:
   auto.schema.remote.file.service: AFP
   Or enable the Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Adclient Settings > Auto Zone remote file service group policy to specify SMB (the default) or AFP for all Mac computers.
9. Optionally, if you want the network home directory to be mounted automatically on the user’s computer, enable the following group policy: User Configuration > Policies > Centrify Settings > Mac OS X Settings > Automount Settings > Automount user’s Windows home.
When the specified user next logs onto the Mac computer, the home directory will be created on the specified share. On the Mac computer, you should see the server and share under SHARED in the Finder.
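The following shell script is an added example, not part of the Centrify agent or its documentation. It wraps the centrifydc.conf edits from both the local home directory procedure and the network home directory procedure above, and adds the consistency check those procedures ask you to keep in mind: a remote file service is pointless while auto.schema.use.adhomedir is false, because the agent then ignores the home directories set in Active Directory. It assumes the "key: value" line format shown in those procedures and that commented-out lines should be left untouched; the CONF variable can be overridden to try it on a copy of the file.

```shell
#!/bin/sh
# Added example: helper for the centrifydc.conf settings discussed in the
# local and network home directory procedures. Not part of the Centrify
# agent; it assumes the "key: value" line format shown in those procedures.
# Override CONF (e.g. CONF=/tmp/test.conf) to try it on a copy of the file.
CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"

# Escape the dots in a parameter name so sed matches them literally.
esc_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_param FILE KEY VALUE: replace the active "KEY: ..." line, or append one.
# Commented-out lines (#KEY: ...) are left alone so the file stays readable.
set_param() {
    file=$1; key=$2; value=$3
    k=$(esc_key "$key")
    if grep -q "^[[:space:]]*$k[[:space:]]*:" "$file" 2>/dev/null; then
        # '|' as the sed delimiter because values such as /Users/%{user} contain '/'.
        sed "s|^[[:space:]]*$k[[:space:]]*:.*|$key: $value|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# get_param FILE KEY: print the value of the last active "KEY: ..." line
# (empty output if the parameter is not set).
get_param() {
    k=$(esc_key "$2")
    sed -n "s|^[[:space:]]*$k[[:space:]]*:[[:space:]]*||p" "$1" 2>/dev/null | tail -n 1
}

# The two parameters from "Configuring a Local Home Directory".
configure_local() {
    set_param "$1" auto.schema.use.adhomedir false
    set_param "$1" auto.schema.homedir '/Users/%{user}'
}

# The parameters from "Configuring a Network Home Directory"; $2 is SMB or AFP.
configure_network() {
    set_param "$1" auto.schema.use.adhomedir true
    set_param "$1" auto.schema.remote.file.service "$2"
}

# check_config FILE: return 0 if the settings are consistent, 1 otherwise.
# Flags the mistake the local-home procedure warns about: a remote file
# service configured while auto.schema.use.adhomedir is false, in which case
# the agent ignores the network home directories set in Active Directory.
check_config() {
    adhome=$(get_param "$1" auto.schema.use.adhomedir)
    svc=$(get_param "$1" auto.schema.remote.file.service)
    if [ -n "$svc" ] && [ "$adhome" = "false" ]; then
        echo "conflict: auto.schema.remote.file.service is $svc but auto.schema.use.adhomedir is false" >&2
        return 1
    fi
    case "$svc" in
        ""|SMB|AFP) return 0 ;;
        *) echo "unsupported auto.schema.remote.file.service value: $svc" >&2; return 1 ;;
    esac
}

# Usage: sh homedir-conf.sh local | network [SMB|AFP] | check
case "${1:-}" in
    local)   configure_local "$CONF" ;;
    network) configure_network "$CONF" "${2:-SMB}" ;;
    check)   check_config "$CONF" ;;
esac
```

Run it with "check" after any manual edit to the file; the agent itself does not report the conflict, so an explicit check is the cheapest way to catch it before users start logging in and quietly get local home directories instead of the network ones you expected.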
Configuring a Portable Home Directory
You can create a portable home directory for a user and synchronize that directory with the share defined in the user’s Centrify Profile. You can synchronize to /SMB/, /AFP/, or /Network/Servers (NFS) shares.
Advantages of a Portable Home Directory
- If a user does not have a portable home directory and the computer becomes disconnected from the domain controller (and therefore disconnected from Active Directory), the user can log in with Active Directory credentials only if the user’s information exists in the Centrify cache. If there is any issue with the Centrify cache (for example, if the adflush --force command was issued to flush the cache immediately before the computer was disconnected from the domain), Active Directory users cannot log in unless they have portable home directories.
- Active Directory users without portable home directories are required to log in at least once in connected mode to populate their account information in the Centrify cache. If the computer is not connected to the domain controller, the Centrify cache is not updated with the initial set of Active Directory user data, and Active Directory users cannot log in.
You use group policies to configure synchronization. These group policies perform the same function as the Mobility preferences that you can manage through Workgroup Manager.
The following sections describe the process of specifying the options for creating mobile accounts, and for specifying the options for synchronizing mobile accounts with the network home directory.
Before you begin you should have the following in place:
- A Group Policy Object that applies to a domain or OU that includes Mac users.
- A good understanding of the synchronization rules that you want to apply. The procedures in the following sections explain the group policies and options that you can enable, but you should consult the Mac OS X Server documentation for strategies about which options to apply.