Mac OS X Management – External Accounts Dissected
I’m going to take an in-depth look into Mac OS X Leopard’s new External Accounts feature…
Setting up External Accounts
Follow the instructions on pages 208-209 in the 10.5 Server’s User Management PDF.
Workgroup Manager > Preferences > Mobility > Account Creation > Options
Using External Accounts
When you log into a machine with Mobile/External Accounts enabled, you’ll be presented with the ‘Create a mobile account’ dialog box. If allowed, you can choose a disk and you’ll have an External Account.

OK, but what actually happens?
First off, the system creates a home folder for the user on the selected disk, in a root-level folder named Users (creating it if needed). This is obvious and makes sense, and it's documented in the User Management PDF.
What you don't see (because Finder hides it) is that another folder gets created at the root level of the drive. The system creates the following path on your External Account's disk: /private/var/db/shadow/hash/. That folder contains hashes of the users' passwords. It is what enables disconnected authentication and lets the account be used on a machine that is not bound to the same Open Directory master.
Now that’s a cool feature! You can plug your hard drive into any Mac running 10.5 at the loginwindow and you’ll be asked if you want to enable the external accounts for your system. You will need to authenticate with an administrator password (naturally), but if you enable logins and successfully log in, you’ll get full access to your External Account as if it were a regular account.
“How does that work,” you may ask. Well, the system creates another hidden file inside your External Account’s home folder named .account. It is a standard OS X plist file that contains all of the essential account info. That’s the magic.

I think that External Accounts are a great extension to the already excellent Mobile Accounts (syncing is a great ability!) and they're very interesting for portable users. Put your External Account on your startup disk, boot into FireWire target disk mode, connect to any 10.5 system, and with administrator permissions you can log in.
I’m sure some enterprising Mac admins out there will come up with creative ways to use this.
A note about security
You should take into account that the files stored on the external drive, including the password hashes under /private/var/db/shadow/hash/, are protected by filesystem permissions and nothing stronger. I would advise keeping careful track of the drive and considering FileVault for it as well.
Definitely FileVault.
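To make the on-disk layout described above and the security note concrete, here is an added shell script (not code from the original post) that audits an External Account volume: it looks for the Users folder, each home's hidden .account plist, and the /private/var/db/shadow/hash store, and flags any hash file whose group or other read bits are set, since filesystem permissions are the only protection the drive has without FileVault. The volume it runs against is a constructed sample built under a temporary directory; the user names, the UUID-style hash filename and the plist contents are stand-ins, not real data.

```shell
#!/bin/sh
# Audit what Leopard leaves on an External Account volume: Users/<name>,
# the hidden Users/<name>/.account plist, and private/var/db/shadow/hash
# holding the password hashes. Anything in the hash store readable beyond
# its owner is reported.
# Added example, not code from the original post; the volume it inspects
# is a constructed sample built under a temporary directory.

# Print one finding per line. Returns 0 when nothing worrying was found,
# 1 otherwise.
audit_external_volume() {
    vol=$1
    findings=0

    if [ ! -d "$vol/Users" ]; then
        echo "WARN: no Users folder on $vol"
        findings=$((findings + 1))
    else
        for home in "$vol"/Users/*/; do
            [ -d "$home" ] || continue
            name=$(basename "$home")
            if [ -f "$home/.account" ]; then
                echo "INFO: $name carries an .account plist"
            else
                echo "WARN: $name has no .account plist; loginwindow cannot offer it as an external account"
                findings=$((findings + 1))
            fi
        done
    fi

    hashdir="$vol/private/var/db/shadow/hash"
    if [ ! -d "$hashdir" ]; then
        echo "WARN: no shadow hash store at $hashdir (no disconnected login possible)"
        findings=$((findings + 1))
    else
        # A hash file with group or other read bits is exposed to every
        # local user on any Mac the drive is plugged into.
        exposed=$(find "$hashdir" -type f \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' ')
        if [ "$exposed" -gt 0 ]; then
            find "$hashdir" -type f \( -perm -040 -o -perm -004 \) \
                -exec echo "WARN: hash file readable by group/others:" {} \;
            findings=$((findings + exposed))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Build a constructed sample volume: one user with an .account plist, one
# without, and a shadow hash store whose single file is world-readable.
# The UUID-style filename and the plist contents are stand-ins, not real data.
make_sample_volume() {
    vol=$1
    mkdir -p "$vol/Users/alice" "$vol/Users/bob" "$vol/private/var/db/shadow/hash"
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n' \
        > "$vol/Users/alice/.account"
    printf 'constructed-stand-in-for-a-shadow-hash\n' \
        > "$vol/private/var/db/shadow/hash/00000000-0000-0000-0000-000000000001"
    chmod 700 "$vol/private/var/db/shadow/hash"
    chmod 644 "$vol/private/var/db/shadow/hash/"*
}

# Demo: audit the constructed volume (expect two warnings), then clean up.
demo_dir=$(mktemp -d)
make_sample_volume "$demo_dir"
audit_external_volume "$demo_dir" || echo "--> $demo_dir needs attention"
rm -r "$demo_dir"
```

Run it against a real drive with `audit_external_volume /Volumes/NAME` (root is needed to read into the shadow store); the expected state on a healthy volume is a 0700 hash directory owned by root with 0600 files, so any WARN line about readability is worth acting on before the drive travels.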


This post has 7 comments
September 26th, 2008
Is it possible to create an external account without using Leopard SERVER? Can I do it with just my client 10.5 install?
Thanks!
Shawn
September 28th, 2008
@Shawn
I don’t believe it is possible to do external accounts without Mac OS X Server. Essentially the external account is a network account that has been set to be a mobile account (which allows for a local home folder to be created). Because of the wording of the checkbox that would enable this for a local-only system I don’t think it will work: “Create mobile account when user logs in to a network account”
When I tested, I was unable to get it to work. It may be possible to copy the user's account from the dslocal store into the user's home folder and rename it, but I couldn't get that to work, either. I was clearly missing something. Loginwindow recognized the account, but it wouldn't take my password.
January 6th, 2009
Is it possible to create an account on an external hard drive without having to use a server?
January 8th, 2009
@Biron
Sadly, not as far as I can tell. I’ve tried and could never get it to work.
In theory, it should be possible, but I can’t figure out all of the details.
June 22nd, 2009
Hi Brett,
You seem clued on network accounts etc using OSX Server and you are into photography. So I got a question.
I know that Aperture doesn’t work as a multiuser tool.
What I want to achieve is that the Aperture settings stored in the user's Library folder actually sit on the Network/Library folder. This is so that when different users log in they have the same settings and if the settings are changed everyone gets them.
It would be really useful, since even custom metadata views are “user” not “system”
Potentially it might be a symbolic link. Any advice would be most appreciated.
June 26th, 2009
Aperture seems to store its information in either the user’s home folder or in the Library file itself.
If you look at the files in ~/Library/Application Support/Aperture you can see that most of a user’s data is stored there. Keywords seem to be stored in the Library file itself.
You might be able to get away with a symlink onto an automounted file share or world-readable directory, but Aperture may behave erratically if it does not have read/write access to its preference files.
What I would recommend doing (depending on your scale) is using a launchd item that will copy the desired files into a user folder at login. You can also do this as a login item and enforce the settings using Apple’s client management architecture (if you have an OS X Server in place).
An AppleScript set as a login item (or placed in the Dock with the name ‘Aperture’ and Aperture’s icon…) would do this nicely. Simply copy the files from /Users/Shared/Aperture to ~/Library/Application Support/Aperture and many of the settings that you want to standardize on will be applied. Users will be able to change their settings but everything will revert the next time your script runs.
Here is an AppleScript that will do this:
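The copy-at-login approach from the reply above, written here as an added shell script rather than the commenter's AppleScript (this is not code from the page): sync_settings overwrites the user's copy of the settings with the shared template, and write_launch_agent produces a per-user launchd agent that runs the script at login. The template path, agent label and script path are assumptions; the demo uses constructed directories in place of /Users/Shared/Aperture and ~/Library/Application Support/Aperture.

```shell
#!/bin/sh
# Copy a shared Aperture settings template into the logging-in user's
# ~/Library/Application Support/Aperture at each login, as the reply
# above describes, and write the per-user launchd agent that triggers it.
# Added example in shell, not the commenter's AppleScript. The template
# location, agent label and script path are assumptions.

# Copy the template's files over the user's copy. Files with the same
# name are overwritten (so edits revert at the next login); files the
# template does not contain are left untouched.
sync_settings() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "template $src is missing" >&2; return 1; }
    mkdir -p "$dst"
    # "$src/." copies the directory's contents rather than nesting it
    cp -R "$src/." "$dst/"
}

# Write a LaunchAgent plist that runs the given script when the user
# logs in (RunAtLoad fires when launchd loads the agent at login).
# Label and script path are assumptions, not Apple's or the commenter's.
write_launch_agent() {
    plist=$1
    script=$2
    cat > "$plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.example.aperture-settings</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/sh</string>
		<string>$script</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
EOF
}

# Demo against constructed directories instead of the real paths
# (/Users/Shared/Aperture and ~/Library/Application Support/Aperture).
work=$(mktemp -d)
mkdir -p "$work/template" "$work/user"
printf 'shared setting\n' > "$work/template/constructed-setting.txt"
printf 'local edit\n'     > "$work/user/constructed-setting.txt"
printf 'keep me\n'        > "$work/user/constructed-personal.txt"
sync_settings "$work/template" "$work/user"
write_launch_agent "$work/com.example.aperture-settings.plist" "/usr/local/bin/sync-aperture.sh"
cat "$work/user/constructed-setting.txt"
ls "$work/user"
rm -r "$work"
```

In real use the agent plist goes into ~/Library/LaunchAgents (or /Library/LaunchAgents to apply to every user on the machine), and the script it points at calls sync_settings with /Users/Shared/Aperture and "$HOME/Library/Application Support/Aperture"; because the template must only be readable by users, keep /Users/Shared/Aperture writable by the admin alone.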
May 7th, 2010
Sure you can. Run the following from Terminal.app:
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n USERNAME -p 'PASSWORD' -h /Volumes/EXTERNAL-VOLUME/Users/USERNAME
You could also encrypt the home directory with FileVault using the -e flag.