Users Homedirs and AFP

gnolte

Hi All,

I'm quite new to MacOS X and this forum.

My problem:

OS: MacOS X 10.4.3
Server HW: Xserve

The server runs openldap for user authentication and should serve users' home directories
via AFP. Using Workgroup Manager the canonical way, the server exports the volume containing user homedirs.

Logging into a client computer, the first user
gets its home directory mounted very well. A second user logging in simultaneously
(via sh for example) will be authenticated
but will not have access to its homedir because the volume containing homedirs is mounted by the first user with the first user's privileges.

Is there any way to overcome this problem?

Maybe export every user's directory individually? But how should the user's entry in
ldap be configured to mount this directory automatically at login?

Any other suggestions?

Thanks in advance
Gerhard
 
You've definitely got a permissions error. Different users should be the owners of their own home directories. If you have problems with simultaneous logins with the same user, then you need to check the "allow simultaneous login on managed computers" option.

 
sourcehound said:
You've definitely got a permissions error. Different users should be the owners of their own home directories. If you have problems with simultaneous logins with the same user, then you need to check the "allow simultaneous login on managed computers" option.

The problem is that the straightforward configuration with Workgroup Manager
exports the complete volume containing (all) users' homedirs. On a client this volume is mounted by the first user (here qaz):

afp_003JsV3BwyPK001Eic06SdO0-1.2c000006 on /private/Network/Servers/SERVER.NAME.DE/Volumes/home (nodev, nosuid, automounted, mounted by qaz)

with home dir of qaz

/private/Network/Servers/SERVER.NAME.DE/Volumes/home/qaz

The next user qwe is authenticated at this client but gets the message

Welcome to Darwin!
shell-init: could not get current directory: getcwd: cannot access parent directories: Permission denied
-bash: /Network/Servers/SERVER.NAME.DE/Volumes/home/qwe/.bash_profile: Permission denied

A directory listing shows

ls -al /Network/Servers/SERVER.NAME.DE/Volumes/home
job-working-directory: could not get current directory: getcwd: cannot access parent directories: Permission denied
ls: .: Permission denied
total 131120
drwxr-xr-x 3 root wheel 102 Dec 8 16:33 ..
drwxrwxrwt 3 root admin 264 Dec 19 14:40 .TemporaryItems
d-wx-wx-wt 2 root admin 264 Jan 3 14:54 .Trashes
-rw-r----- 1 root admin 67108928 Jan 5 11:10 .quota.user
drwxr-xr-x 13 1029 staff 398 Nov 15 15:55 DefUser
-rw-r--r-- 1 root admin 1024 Dec 7 12:09 Desktop DB
-rw-r--r-- 1 root admin 2 Dec 5 14:09 Desktop DF
....
drwxr-xr-x 16 qaz staff 500 Jan 5 11:41 qaz
drwxr-xr-x 16 qwe staff 500 Jan 5 11:48 qwe
drwxr-xr-x 10 root admin 296 Jan 4 14:14 root

So qwe seems not to have the permission to access the ...../Volumes/home
directory, because it is automounted by user qaz.

My question is:

How do I configure export / automount / homedir settings in ldap to
- export every user's home dir as its own share
- automount this user-specific share at login (even login with ssh)
- define this mounted dir as the login directory

Thanks in advance
Gerhard
 
OK, the error message says that the automount process can't access the parent directories. Make sure that the /home directory which contains the users' home directories has read access turned on for everyone. The group should be admin and the owner should be root. And don't worry, that's not a security risk as the home directories below /home are secured.

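As an added example (not code from the thread, from Apple's tools, or from the poster), a small POSIX shell audit of the checks sourcehound describes: the home root must be readable and searchable by everyone and owned by root, and each home below it owned by the user of that name. It assumes home directory names equal account names, as in Gerhard's listing; the demo tree is constructed, and the expected owner is passed in so the same check works for a server (root) or a test tree.

```sh
#!/bin/sh
# Added example, not from the thread: audit an AFP home root the way sourcehound's
# advice implies. The parent (e.g. .../Volumes/home) must be world-readable and
# searchable, owned by root, and each home below it owned by the user of that name.
# Assumption: home directory names equal account names, as in the listing above.

# mode_of DIR  -> symbolic mode string (first column of ls -ld), e.g. drwxr-xr-x
mode_of()  { ls -ld "$1" | awk '{print $1}'; }
# owner_of DIR -> owner name (third column of ls -ld)
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# audit_home_root ROOT EXPECTED_OWNER
# Prints one PROBLEM line per finding; returns 0 only when everything is right.
audit_home_root() {
    root=$1; want_owner=$2; rc=0
    # characters 8-10 of the mode string are the "others" permission bits; any
    # user who logs in needs r and x there to reach their own home directory
    others=$(mode_of "$root" | cut -c8-10)
    case $others in
        r?x) ;;
        *) echo "PROBLEM: $root others=$others (need r-x so every user can traverse it)"; rc=1 ;;
    esac
    owner=$(owner_of "$root")
    [ "$owner" = "$want_owner" ] || { echo "PROBLEM: $root owned by $owner, expected $want_owner"; rc=1; }
    for d in "$root"/*/; do
        d=${d%/}; name=${d##*/}
        [ -d "$d" ] || continue          # glob matched nothing
        owner=$(owner_of "$d")
        [ "$owner" = "$name" ] || { echo "PROBLEM: $d owned by $owner, not $name"; rc=1; }
    done
    return $rc
}

# Demo on a constructed tree (no server needed): one correct root, and one that
# is not world-searchable and holds a home ("qwe") not owned by that user.
demo() {
    me=$(id -un); tmp=$(mktemp -d)
    mkdir -p "$tmp/good/$me" "$tmp/bad/qwe"
    chmod 755 "$tmp/good"; chmod 750 "$tmp/bad"
    audit_home_root "$tmp/good" "$me" && echo "good: OK"
    audit_home_root "$tmp/bad"  "$me" || echo "bad: problems found (expected)"
    rm -rf "$tmp"
}
demo
```

On a real client, run it as `audit_home_root /Network/Servers/SERVER.NAME.DE/Volumes/home root` from an account that can already list the directory.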
 
Permissions look right on server, not on client.

On my server,
$ cd /Users
$ ls -ld
drwxrwxr-x 9 root admin 306 Jan 5 12:49 .
$ ls -l
total 0
drwxrwxrwt 5 root wheel 170 Jan 4 15:15 Shared
drwxr-xr-x 11 admin staff 374 Dec 22 00:58 admin
drwxr-xr-x 12 trouble staff 408 Jan 4 16:43 trouble

On my client,
# cd ~trouble
# pwd
/private/Network/Servers/home.net/Users/trouble
# ls -ld .
dr-xr-xr-x 12 root unknown 364 Jan 4 16:43 .
# ls -ld ..
dr-xr-xr-x 9 root unknown 264 Jan 5 12:49 ..
# touch hello
touch: hello: Permission denied
# cd
# su trouble
shell-init: could not get current directory: getcwd: cannot access parent directories: Permission denied

 
gnolte said:
(via sh for example)

This is the part I don't understand. Did you mean ssh? How do you log *into* a system using just sh? You either need login, rlogin, ssh, ... something.
 
See my post earlier in this thread. I tried the same experiment on another Mac and - it worked! The only difference between these clients is NetInfo. It is enabled on the Mac where I had problems, disabled where it worked. That is, in the Directory Access utility under Services, NetInfo is not ticked.

Back to where it is ticked, I can't remember why it ever got enabled. Are there any dangers in just disabling it?
 
Whitehill said:
See my post earlier in this thread. I tried the same experiment on another Mac and - it worked! The only difference between these clients is NetInfo. It is enabled on the Mac where I had problems, disabled where it worked. That is, in the Directory Access utility under Services, NetInfo is not ticked.

Back to where it is ticked, I can't remember why it ever got enabled. Are there any dangers in just disabling it?

It depends on how you want to make authentications. If you do all that
via ldap (or locally) then it should be fine to disable NetInfo (the network-wide
NetInfo directory; the local one is used nevertheless).

Did you try to log in with different users at the same time at the same server,
and that worked?

In my environment it doesn't work at all.

Gerhard
 