Laptops are complicated computing resources because their network connectivity is unreliable. Many schools simply avoid the hassle of network services on laptops by using local accounts. Of course, there are many disadvantages to using local accounts, so we use a bit of a hybrid system.
Apple introduced “mobile accounts” to, in essence, mimic a Windows-based environment: a user is authenticated by a server, and that server looks for a local copy of the user’s profile and either creates one if it doesn’t exist or synchronizes the one on the server with the local copy and logs the user in. This allows users to log in to that laptop later, even if they aren’t connected to the network, because a local account has been created to mimic the network account. The network and local accounts are synchronized later, when network connectivity is restored. Sounds great, right? The problem with Apple’s mobile accounts is that they are incredibly slow in practice, so much so that I consider them to be unusable. If you don’t use local or mobile accounts, your user’s computing environment will freeze any time they lose network connectivity, which is also an unworkable solution in my opinion. Many schools choose to set up mobile accounts to synchronize only certain folders of the user’s network profile (like Documents), but I have found it still too slow to warrant the convenience, as well as potentially being a bit deceptive for the user (what if the user doesn’t save the file in Documents?).
At the beginning of the year, we tried using mobile accounts with synchronization turned completely off. In essence, this means that a local account is created for each user as they log in for the first time, but those local accounts are never synchronized with the server account, so the user has to make sure to save to their mounted server home directory. In theory this system works well, but in reality it doesn’t. For our older clients (G4 iBooks, 1.33 GHz, 512 RAM, 10.4), the login times were horrendous (~1-5 min) and completely unreliable (half of the time, the mobile account creation wasn’t executed and the user logged in as a regular network user). The system seemed to work fine (though still slower than expected) for our newer clients (2.4 GHz MacBook, 2 GB RAM, 10.5). I’m not sure how much of the reliability issue was related to 10.4 vs 10.5 or to the speed of the client, but the solution was unworkable for our 10.4 iBooks.
Thus, we have reverted to our original hybrid network/local system. This system is based on a design from another website/blog that I can no longer find to credit. If you know who it is, please comment. We used this system with our laptops before we switched over to an Apple server from a Linux LDAP/NFS file server. Here’s how it works:
- The client is set up to authenticate to our 10.5 server using Open Directory. The mappings for NFSHomeDirectory and apple-home-dir are changed to point to a local alias:
#/Users/networkUser


- A startup script is run to copy a local user template to the folder /Users/NetworkUsers/<username>-local and then point the alias /Users/networkUser to that folder:
#!/bin/tcsh -f
# script to change the ownership of the default profile to the user logging in and to mount network shares
# loginwindow runs the LoginHook as root and passes the short name of the user logging in as $1
set localAdmin = admin
set localUser = local
### Debug/testing sanity check ###
if ( $#argv < 1 ) then
    echo "No user specified!"
    exit 1
endif
# the two local accounts keep their own home directories
if ( "$1" != "$localAdmin" ) then
    if ( "$1" != "$localUser" ) then
        # first login on this laptop: copy the user template and hand it to the user
        if ( ! -d "/Users/NetworkUsers/${1}-local" ) then
            mkdir -m 700 "/Users/NetworkUsers/${1}-local"
            /usr/bin/ditto -rsrcFork "/System/Library/User Template/Non_localized" "/Users/NetworkUsers/${1}-local"
            /usr/sbin/chown -R "${1}:staff" "/Users/NetworkUsers/${1}-local"
        endif
        # repoint the alias that the directory mapping uses as the home directory
        rm -R /Users/networkUser
        ln -fs "/Users/NetworkUsers/${1}-local" /Users/networkUser
        # mount the network shares and create the shortcuts
        /usr/bin/osascript /Library/Management/networkMounts.scpt "${1}"
    endif
endif
### Always exit with 0 status
exit 0
- To make the startup script run during login, you have to set the login hook (this command assumes you named the script “reset-homedir-startup.sh” and placed it in the folder /Library/Management/):
sudo defaults write com.apple.loginwindow LoginHook /Library/Management/reset-homedir-startup.sh
- At the end of the login script, an AppleScript is run to mount the network shares automatically. Right now, the script is hard-coded to obtain the group ID number and convert that to a folder name so that a shortcut directly to the user’s home directory can be made and placed on the desktop and sidebar (this could be made more elegant). AFP cannot mount a specific folder, so you have to create a symbolic link to the user’s folder instead. Apple has the option to automatically include this folder in the Dock, but not in the Finder or on the Desktop (thus it is kind of worthless, because users can’t browse to the Dock when saving inside of a program). The home share and group share AFP mounts are included in the Login Items preferences section of each group. You cannot use Apple’s default “mount home directory automatically” option in Workgroup Manager because it will try to mount the home directory under /Users/networkUser. Thus, simply tell it to mount the AFP share you want manually. The profile template that is set up for the network users includes a sidebar item that points to a symbolic link (created by the AppleScript) in an administration folder (/Library/Management/) that links to the user’s home directory. When you are first setting up this sidebar item in the user template, just make a folder /Library/Management/home and give everyone read/write permissions. Then drag that folder to the user’s sidebar. When the login script runs, it will replace this folder with a symbolic link, and the sidebar item will automatically update (and change names to the user’s home directory name). The AppleScript is below:
on run argv
    set user to item 1 of argv
    -- primary group id: characters 5-8 of the "gid=NNNN(...)" field printed by id
    set groupid to do shell script "id " & quoted form of user & " | awk '{ print substr($2,5,4)}'"
    -- map the group id to the folder name on the home share;
    -- a gid outside this table leaves group undefined and the script stops with an error
    if groupid = "1025" then
        set group to "faculty"
    else if groupid = "1027" then
        set group to "class2010"
    else if groupid = "1028" then
        set group to "class2011"
    else if groupid = "1029" then
        set group to "class2012"
    else if groupid = "1030" then
        set group to "class2013"
    else if groupid = "1031" then
        set group to "class2014"
    else if groupid = "1032" then
        set group to "class2015"
    else if groupid = "1033" then
        set group to "class2016"
    else if groupid = "1034" then
        set group to "class2017"
    else if groupid = "1035" then
        set group to "class2018"
    else if groupid = "1036" then
        set group to "class2019"
    else if groupid = "1037" then
        set group to "class2020"
    end if
    set group1 to group
    -- replace the placeholder folder with a link to the user's folder on the mounted share
    do shell script "rm -R /Library/Management/home"
    do shell script "ln -sf " & quoted form of ("/Volumes/home/" & group1 & "/" & user) & " /Library/Management/home"
    -- same link on the desktop of the local home directory
    do shell script "ln -sf " & quoted form of ("/Volumes/home/" & group1 & "/" & user) & " " & quoted form of ("/Users/networkUser/Desktop/" & user)
end run
- A screenshot is provided below to highlight how the user’s network home directory is placed in both the sidebar and the desktop.

- The video below details how to create a local template and set up proper permissions, etc.
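
The home-directory switch performed by the login hook above, rewritten as a POSIX sh function. This is an added example, not the original hook: it checks the short name before using it in a path, refuses a symlink planted at the per-user path, and only replaces the alias when it is a symlink. The ROOT and TEMPLATE parameters and the use of cp in place of ditto are assumptions made so the logic can be run in a scratch directory.

```shell
#!/bin/sh
# Added example, not the original hook. ROOT and TEMPLATE are assumed
# parameters standing in for /Users and the user template folder.

valid_user() {
    # Allow only lowercase letters, digits, '.', '_' and '-'; reject empty
    # names and names starting with '.' or '-' ("..", option-like strings).
    case "$1" in
        ''|.*|-*|*[!a-z0-9._-]*) return 1 ;;
    esac
    return 0
}

switch_home() {
    # usage: switch_home USER ROOT TEMPLATE
    user=$1 root=$2 template=$3
    valid_user "$user" || return 2
    # Local accounts keep their own home directories.
    case "$user" in admin|local) return 0 ;; esac

    home="$root/NetworkUsers/${user}-local"
    link="$root/networkUser"

    # A symlink planted at the per-user path would redirect the copy and chown.
    [ -L "$home" ] && return 3
    if [ ! -d "$home" ]; then
        mkdir -m 700 "$home" || return 4
        cp -R "$template/." "$home/" || return 4   # cp stands in for ditto
        # Hand the copy to the user only when running as root for a real account.
        if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
            chown -R "$user" "$home" || return 4
        fi
    fi

    # Replace the alias only if it is a symlink; never delete a real directory.
    if [ -e "$link" ] && [ ! -L "$link" ]; then return 5; fi
    rm -f "$link"
    ln -s "$home" "$link"
}
# As a login hook this would be called as:
#   switch_home "$1" /Users "/System/Library/User Template/Non_localized"
```

Non-zero return codes distinguish a rejected name (2), a planted symlink (3), a failed copy (4) and a real directory sitting at the alias path (5).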