I have the need to migrate users on Mac OS X from a local account to an AD Mobile account. I had no problem doing this in 10.6 and 10.7 prior to enforcing MCX.
I have a script that deletes the local account dscl entry and sets the user's home folder to the proper permissions. The user only needs to log in and update their keychain password.
However, after I started enforcing MCS settings on my lab Macs, I have been getting an error when attempting to log in with network credentials for the first time: "Unable to create mobile account There was a problem creating your mobile account"
I found this in system.log:
Feb 7 08:22:01 atosmcsmbp17M99 SecurityAgent[7696]: User info context values set for luser
Feb 7 08:22:01 atosmcsmbp17M99 SecurityAgent[7696]: Login Window login proceeding
Feb 7 08:22:01 atosmcsmbp17M99 ManagedClient[7695]: MCXCCacheGraph(localhost, dsRecTypeStandard:Computers): The record "localhost" (dsRecTypeStandard:Computers) interferes with the computer cache. Delete this record to resume caching.
Feb 7 08:22:01 atosmcsmbp17M99 com.apple.loginwindow[7688]: 2012-02-07 08:22:01.826 ManagedClient[7695:1803] MCXCCacheGraph(localhost, dsRecTypeStandard:Computers): The record "localhost" (dsRecTypeStandard:Computers) interferes with the computer cache. Delete this record to resume caching.
Feb 7 08:22:01 atosmcsmbp17M99 ManagedClient[7695]: MCX.getComputerInfoFromStartup: MCXCCacheGraph() == -2 (MCXCCacheGraph(localhost, dsRecTypeStandard:Computers): The record "localhost" (dsRecTypeStandard:Computers) interferes with the computer cache. Delete this record to resume caching.)
Feb 7 08:22:01 atosmcsmbp17M99 com.apple.loginwindow[7688]: 2012-02-07 08:22:01.826 ManagedClient[7695:1803] MCX.getComputerInfoFromStartup: MCXCCacheGraph() == -2 (MCXCCacheGraph(localhost, dsRecTypeStandard:Computers): The record "localhost" (dsRecTypeStandard:Computers) interferes with the computer cache. Delete this record to resume caching.)
Feb 7 08:22:04 atosmcsmbp17M99 ManagedClient[7695]: MCXCCacheMCXRecordAndGraph(): [localNode createRecordWithRecordType:dsRecTypeStandard:Users name:"luser"] == 4102 (Could not create the record because one already exists with the same name.)
Feb 7 08:22:04 atosmcsmbp17M99 com.apple.loginwindow[7688]: 2012-02-07 08:22:04.596 ManagedClient[7695:1803] MCXCCacheMCXRecordAndGraph(): [localNode createRecordWithRecordType:dsRecTypeStandard:Users name:"luser"] == 4102 (Could not create the record because one already exists with the same name.)
Feb 7 08:22:04 atosmcsmbp17M99 ManagedClient[7695]: MCXCCreateMobileAccount(): Failed to create account. Error = 4102 (MCXCCacheMCXRecordAndGraph failed). Cleaning up mobile account record.
Feb 7 08:22:04 atosmcsmbp17M99 ManagedClient[7695]: MCXCDeleteAccount(): Trying to delete user id = 0
Feb 7 08:22:04 atosmcsmbp17M99 ManagedClient[7695]: MCX.createMobileUserAccount: MCXCCreateMobileUserAccount( luser, /Users/luser ) == 4102 (Could not create the record because one already exists with the same name.)
Feb 7 08:22:04 atosmcsmbp17M99 com.apple.loginwindow[7688]: 2012-02-07 08:22:04.662 ManagedClient[7695:1803] MCXCCreateMobileAccount(): Failed to create account. Error = 4102 (MCXCCacheMCXRecordAndGraph failed). Cleaning up mobile account record.
Feb 7 08:22:04 atosmcsmbp17M99 com.apple.loginwindow[7688]: 2012-02-07 08:22:04.662 ManagedClient[7695:1803] MCXCDeleteAccount(): Trying to delete user id = 0
Feb 7 08:22:04 atosmcsmbp17M99 com.apple.loginwindow[7688]: 2012-02-07 08:22:04.663 ManagedClient[7695:1803] MCX.createMobileUserAccount: MCXCCreateMobileUserAccount( luser, /Users/luser ) == 4102 (Could not create the record because one already exists with the same name.)
I have an admin account that I can ssh to, so I tried to create the mobile account manually using this command:
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vn luser /Users/luser
However, I get the same error:
bash-3.2# /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -vn luser -h /Users/luser
createmobileaccount built Dec 8 2011 21:19:30
verbose output on.
user name = "luser"
home path = "/Users/luser"
user password = "(null)"
prompt for password = FALSE
encrypt new home = FALSE
create as external account = TRUE
home sync new account = FALSE
Feb 7 08:38:25 atosmcsmbp17M99.local createmobileaccount[9427] : 3891612: (connectAndCheck) Untrusted apps are not allowed to connect to or launch Window Server before login.
2012-02-07 08:38:26.713 createmobileaccount[9427:1203] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=64058026), NULL) == 0x908e8a7c
2012-02-07 08:38:26.717 createmobileaccount[9427:1203] MCXCCacheMCXRecordAndGraph(): [localNode createRecordWithRecordType:dsRecTypeStandard:Users name:"jgriss"] == 4102 (Could not create the record because one already exists with the same name.)
2012-02-07 08:38:26.783 createmobileaccount[9427:1203] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=64058026), NULL) == 0x908e8a7c
2012-02-07 08:38:26.784 createmobileaccount[9427:1203] MCXCCreateMobileAccount(): Failed to create account. Error = 4102 (MCXCCacheMCXRecordAndGraph failed). Cleaning up mobile account record.
2012-02-07 08:38:26.784 createmobileaccount[9427:1203] MCXCDeleteAccount(): Trying to delete user id = 0
* mobile account could not be created: 4102 (Could not create the record because one already exists with the same name.)
Remediation:
I verified the local account DSCL entry was deleted
I have tried flushing MCS settings as noted in Apple's KB: http://support.apple.com/kb/HT3540
I've also tried removing the MCX management settings:
rm -Rf "/Library/Managed Preferences"
Creating luser from System Preferences, then deleting the user again (leaving the home folder intact) does allow the mobile account to be created properly at the next login. However, I need to be able to script this process.
I feel like I'm missing something obvious. Any advice would be appreciated.
Thank you!