6 Feb 2011

The different types of Open Directory users

So you have a Snow Leopard server, you have set up Open Directory and a reverse DNS entry for the server, and your other computers have joined the domain. Well done on getting that far. Now you want to decide how to set up your user account(s) so that they work best for you. How do you configure them, and what is fastest or most practical? This guide will help you figure out exactly how you want your Open Directory (OD) set up, and then give you some tips for migration.

Local, Remote, or Mobile?
There are 3 main types of account you can have on OS X when attached to an Open Directory server (not including administrative and restricted users, a status which can apply to any of these 3 account types). Each type of user has benefits and drawbacks.

A local account
is probably what you have now. Accounts created in the Accounts pane on an OS X computer are local accounts, and they can be administrative, restricted, or managed by parental controls, whether on the local computer or on a remote computer. You can run a local account in an OD setup with no problems. If there is an account on the server with the same short name as on your local computer, then Snow Leopard on your client machine is smart enough to pick that up and ask if you want to set up the services that have been provided for you.

Pretty sweet. This type of user can also get Kerberos tickets from the server, but you'll have to do it manually every login, either with a kinit command in Terminal or by tricking iCal into storing your Kerberos credentials in your Keychain (it then automatically kinits for you). But that kinda defeats the point of "single sign-on" if you have to change the Kerberos password in your Keychain every time you change your actual password.

Another problem is that this user will not be affected by managed preferences set up with Workgroup Manager. I like using managed preferences to auto-mount network shares and to set up some common settings for every computer I log in to, and even some for all users on the network. Look into managed preferences and you'll be considering the switch to one of the other account types...

A remote account
is an account that lives entirely on the server. You add the account on the server and set a home directory for it, and then you can log in with the same user environment on all computers attached to your directory. Perfect if you have multiple computers and want to move seamlessly between them. You get your Kerberos ticket automatically at login, so you are truly in a single sign-on environment. You can also manage the preferences of remote users, so you can add stuff to the Dock, auto-mount shares from your server, and do loads of other cool things in Workgroup Manager. Great!

The drawbacks can be quite large. As your home directory typically exists on the network, the speed of your computer is limited by the speed of your network. AirPort users beware: you'll really want to be hooked up by Ethernet for anything more than document editing (which I have done successfully over an AirPort connection). You can be sneaky and set up a remote account's home directory to point to /Users/ in Workgroup Manager. Look at that. A local directory for a remote account!? Whoda thunk it.

This then creates a home directory on each of the computers you log in to. You do lose the same environment on every computer you log in to, but you get single sign-on and the speedup is great. The only other major issue is that you will still need to be able to reach your server in order to log in. This isn't great for portable computers. And so enter the

Mobile Account!
These accounts are designed to be the "best of both worlds" between local and remote accounts: the remote account that you take with you. Configure an account (or computer) in Workgroup Manager to be able to set up a mobile account and you're away. Your computer makes a copy of the user information in your Open Directory and keeps it in sync whenever it can. You get a Kerberos ticket automatically at login, and you can log in from outside the reach of your directory server.

Your data is all stored on your local computer, and you have the option to sync it back to your network home directory. This can be a pain to set up and can add extra time to logins and logouts, so it depends on how much you want to trade off the convenience of having all your data everywhere against login and logout times. Mobile accounts also refresh their managed preferences whenever you log in within sight of your directory server.

For me, personally, I run a mobile account with home syncing off. I think it's the perfect balance between the nice benefits of SSO and being part of a directory, and the ability to use my laptop as a laptop. I use managed preferences to set up my user environment the way I like it for when I log on to other machines, and when I change my password on my computer it propagates to the server and changes it everywhere.

The best thing is that you can easily convert your current home directory to a mobile account directory. Simply back up (always back up first), then delete your user on your local machine. When it gives you the option, select "Don't change the home folder". Your home folder is then renamed to user.old. Log in with your mobile account. This will create your mobile account on your local computer and make a new home directory. Then log out and replace the newly created home directory with your old one, remembering to reset the ownership of all the items to your new user (even though the users might have the same name, they may have a different UID, and certainly a different UUID, so the permissions need changing).
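As an added example (not from the original post), here is a small POSIX shell helper for the last step of that migration: putting the old home folder back in place, re-owning every item to the new mobile user, and then checking that nothing was missed. The function names are mine, it assumes it is run as root via sudo, and the `staff` default group is the usual primary group of a local OS X user; a network user may have a different primary group, so pass that explicitly if needed.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the last step of
# the local-to-mobile migration: put the old home folder back and make sure
# every item in it is owned by the new (mobile) user.
# Assumptions: run as root (sudo); homes live under /Users; the primary
# group "staff" is the usual default for a local OS X user.

# Print the number of items under $1 that are NOT owned by user $2.
# Returns 2 if the user is unknown, so a typo in the name is not reported
# as a clean "0".
home_foreign_count() {
    home_dir="$1"
    owner="$2"
    id "$owner" >/dev/null 2>&1 || return 2
    # -xdev keeps find on the same volume, so a network home or a backup
    # disk mounted under the home folder is not scanned by mistake.
    find "$home_dir" -xdev ! -user "$owner" 2>/dev/null | wc -l | tr -d ' '
}

# Replace the freshly created mobile home with the old one and re-own it.
# $1 = short name, $2 = old folder (e.g. /Users/alice.old), $3 = group.
adopt_old_home() {
    user="$1"
    old_home="$2"
    group="${3:-staff}"
    new_home="/Users/$user"
    [ -d "$old_home" ] || { echo "no such folder: $old_home" >&2; return 1; }
    # Keep the auto-created home as a fallback instead of deleting it.
    mv "$new_home" "$new_home.fresh" && mv "$old_home" "$new_home" || return 1
    # The old files still carry the old local UID; re-own them to the
    # mobile account (same short name, possibly different UID).
    chown -R "$user:$group" "$new_home" || return 1
    # Verify: anything left with a foreign owner means the chown missed it.
    left=$(home_foreign_count "$new_home" "$user")
    [ "$left" = "0" ] || { echo "$left items still not owned by $user" >&2; return 1; }
}

# Usage (as root, after logging out of the mobile account):
#   adopt_old_home alice /Users/alice.old
```

Run the check function on its own afterwards too, from a different login session, since files created while the account is logged in (caches, the Keychain lock) are already owned correctly and will not show up.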

If you have any questions about local, remote or mobile accounts, please leave them in the comments. It can be quite confusing at first, but figure out what you want from your Snow Leopard Server and then pick the account type to suit.


Daniel van Flymen said...

Can you please provide details on how one can set up remote accounts?

The Admin said...

I'm planning on doing a start to finish guide for Lion Server soon.