OS X needs to repair your Library to run applications

[Ict Manager]

i gave up on hosting the mac home folders on a mac, and have gone for the simplest AD binding i can - AD server, server hosted home directories and profiles, AD based profile and home folder redirection.

i've run into a problem i can't solve, i was wondering if anyone here has come across it or fixed it.

some users can log into windows and macs fine - correctly seeing all their files etc on both systems. some users can log into the PC side of things fine, but when logging into an AD bound mac get this error: "OS X needs to repair your Library to run applications". no amount of agreeing to this fixes the problem.

i thought it might be an issue with having copied and re-owned home folders form our outgoing mac system, but the issue appears on some new users too. quite baffled.

[Pete Mundy]

Hi!

This sounds like the sort of side effect that I've observed in the past when trying to host Mac users' home-folders on an SMB share rather than an AFP share (or local HFS+ volume). It has to do with the limitations of the SMB 'filesystem' and storage of resource forks, access control list information and other Mac OS X 'extended attributes' metadata on files.

Adobe software is particularly problematic, but other stuff does in weird ways too.

Similar things happen for similar reasons when using Mac OS X 'external accounts' and storing their with home folders on FAT formatted filesystems (eg USB sticks).

Doesn't help much I know, but at least it explains why it's occurring on newly created homes too.

Pete

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Patrick Dunford]

What version of OSX is running on the clients.

Which system are you using to bind to a domain.

Which version of Windows Server is running on your domain controller.

[flow in]

windows server 2008 (not R2)
mavericks 2.9.5 client
simple AD binding. no extensions, no further OD binding. Document and profile redirection via group policy. 

some AD users are fine, some have that error. can't find any consistency. new AD users may or may not work. makes no difference if home folders are made in AD through assigning in profile, or through PC logon. MAC logon never works if done first.

apparently it is a thing - as of late october lots of people are seeing the same issue from virgin installs. i was hoping someone here might have already solved it. 

--

Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL

Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/

WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

--
You received this message because you are subscribed to a topic in the Google Groups "Techies for schools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/techies-for-schools/7G2zElz0GO0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.

[Patrick Dunford]

There are I believe a number of bugs since Apple switched to their own AD implementation from Samba but Apple doesn't seem to be fixing them. We aren't seeing that particular issue with Mountain Lion clients but have had other issues with the network login. The main fix I have tried, which seems to work, is to disable the machine password change interval on the clients. 

To unsubscribe from this group and all its topics, send an email to techies-for-schools+unsub...@googlegroups.com.

[flow in]

" is to disable the machine password change interval on the clients. " care to share how to do that? (before i get lost in endless google/rabbit holes) :)

--

Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL

Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/

WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.

[Tracy Briscoe]

This is probably not the cause as the symptoms are different, but just in case it helps…

 

A one of the schools I was supporting a few years back, most students couldn’t log in on the new Macs (running a newer version of OS X) but could on the Windows computers and older Macs.  The cause turned out to be that because we had contacts and users with the same common name (CN) [but in different OUs], OS X was trying to login using the contact rather than the user!  The solution was to rename the contacts so they had a different name to the users.  I reported the bug to Apple, but have no idea if they fixed it.

 

Regards,

 

-Tracy Briscoe

 

 

From: techies-f...@googlegroups.com [mailto:techies-f...@googlegroups.com] On Behalf Of Patrick Dunford
Sent: Tuesday, 18 November 2014 5:25 p.m.
To: techies-f...@googlegroups.com
Subject: Re: [techies-for-schools] Re: OS X needs to repair your Library to run applications

 

There are I believe a number of bugs since Apple switched to their own AD implementation from Samba but Apple doesn't seem to be fixing them. We aren't seeing that particular issue with Mountain Lion clients but have had other issues with the network login. The main fix I have tried, which seems to work, is to disable the machine password change interval on the clients. 

On Thursday, November 6, 2014 10:43:57 AM UTC+13, Ict Manager wrote:

windows server 2008 (not R2)
mavericks 2.9.5 client
simple AD binding. no extensions, no further OD binding. Document and profile redirection via group policy. 

some AD users are fine, some have that error. can't find any consistency. new AD users may or may not work. makes no difference if home folders are made in AD through assigning in profile, or through PC logon. MAC logon never works if done first.

 

apparently it is a thing - as of late october lots of people are seeing the same issue from virgin installs. i was hoping someone here might have already solved it. 

 

--

Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL

Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/

WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

 

On 6 November 2014 10:31, Patrick Dunford <kahuk...@gmail.com> wrote:

What version of OSX is running on the clients.

Which system are you using to bind to a domain.

Which version of Windows Server is running on your domain controller.

On Tuesday, November 4, 2014 2:11:42 PM UTC+13, Ict Manager wrote:

i gave up on hosting the mac home folders on a mac, and have gone for the simplest AD binding i can - AD server, server hosted home directories and profiles, AD based profile and home folder redirection.

 

i've run into a problem i can't solve, i was wondering if anyone here has come across it or fixed it.

some users can log into windows and macs fine - correctly seeing all their files etc on both systems. some users can log into the PC side of things fine, but when logging into an AD bound mac get this error: "OS X needs to repair your Library to run applications". no amount of agreeing to this fixes the problem.

 

i thought it might be an issue with having copied and re-owned home folders form our outgoing mac system, but the issue appears on some new users too. quite baffled.

 

Note: This communication may contain privileged and confidential information intended only for the addressee named above. Any views or opinions presented are solely those of the author. If you have received this message in error, we request you delete the message and notify the sender. Please do not distribute, copy or disclose any information. This e-mail has been scanned for viruses but all liability for viruses or similar in any attachment or message is excluded.

St Peter's School, Cambridge, New Zealand
Telephone: 647 827 9899 Fax: 647 827 9812
Website: www.stpeters.school.nz

Please consider the environment before printing this email

[Patrick Dunford]

If you open the terminal window there is a command you can run, I think it is dsutil

Put that in and see what options it comes up with. You may need to run as root or su.

 

From: flow in

Sent: Tuesday, November 18, 2014 6:04 PM

To: techies-f...@googlegroups.com

You received this message because you are subscribed to the Google Groups "Techies for schools" group.

To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

[Keith Craig]

dscl (directory service command line)

Most command from there are like navigating Unix file structure. 

Your connection to AD will probably be listed under LDAP (away from the office and working from memory)

To check details on a user you need to "read username"

Keith Craig

Systems Administrator

Dilworth School

Mob: +64 21 541549

Office: +64 9 5231060 x843

Sent from my iPhone

[Kevin Whelan]

Had the same issue and  other strange issues when clients with existing home folders containing a OSX "library" folder logged on to client machines running newer software.
There are big differences in the way different OSX versions assign home folder permissions especially on windows servers and the mavericks system is very very  broken. Basically OSX screws the security settings of the windows home folders up particularly the "library" folder and a couple of crucial subfolders. Only fix is from windows server to regain administrator rights to the user account and manually reset the users home folder permissions and sub folders with the user account having full or modify right thru their home folder and once done it seems to then stick ok.Pay particular attention to the "Library" folder permissions and I usually delete everything in there and let OSX recreate them at next logon once you have the library folder permissions set correctly it seems to work.
Any new users you will need to repeat the process and as mentioned by others if they don't actually log on to a windows client and create a normal windows home folder on the server before logging on to a mac it will be even worse.

Some accounts actually get jammed up again at various times particularly with printing and adobe products preference files and the only fix is from your  windows server to manually delete the library folder contents from the user account and check/reset the permissions.When you go to delete the library folder contents it will complain about permissions and you will see some of the weird settings that have been applied. Especially with printers.

On Tuesday, November 4, 2014 2:11:42 PM UTC+13, Ict Manager wrote:

[Mike Etheridge]

So what do you reckon Library should be? 775?

Cheers.

Mike

[flow in]

its more complex than that - since it is a smb share, with ntfs ACLs. 
the best i've found so far is to have deny delete/change ownership for the named user for the base level directories, full control for admins/creator owner. full control for everyone on the shares and then a small subset of permissions for named groups in security. (read/traverse create/list i think). access based enumeration is ok.
it gets tricker as i've been using powershell and none of MS's commands (set-acl, cacls, takeown, subinacl etc) work consistently or effectively. (simple things like passing filneames are fraught, can't even rely on get-acl)
i've got it going ok with new accounts now, if i build the folders and acls before hand by script, but i'm still struggling with transferring old accounts from my afp share.

--

Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL

Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/

WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

[Mike Etheridge]

Ok, that's helpful. Fortunately I don't have to deal with Windows servers or network users so I don't have that complication, and am able to stick with AFP for the time being. Even with all OSX (clients and servers), the Library gets broken by the recent OSs, So if you work on say a 10.9 client, then go back to an older client you get the Library problem when trying to use some apps (e.g. Sibelius).

Mike

You received this message because you are subscribed to the Google Groups "Techies for schools" group.

To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

[Kevin Whelan]

It works better if you do it from windows server thats hosting the share drive,just apply the same as any windows desktop user, admin= full and owner ,username =modify

[flow in]

do you have that working consistently for mavericks clients?  it works well from the gui, but i'm loath to do that for 400 accounts - i'm looking for a scriptable method. which is the problem, i guess, as powershell falls over with filesystem stuff. which exact 'modify' do i pick? there's a lot of choices in there....

--

Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL

Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/

WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

[Kevin Whelan]

I think your overcomplicating things trying to do it with osx and acls
the reason the windows commands arn't working is because of the completely illegal mess that osx has done to the existing folders.which is why it becomes a manual go into each user folder and manually brute force the permissions,sometimes after taking ownership it still won't let you actually work on subfolders and its a case of deleting and continuious brute force of subfolder and individual file permissions to get them back to a usable state in windows.
Took a couple of days working through our students that used macs, luckily not the whole school but touchwood it has stuck and is working ok now.
Not sure what will happen next near with new students,fun times again i suspect.
its so bad that windows cannot even regain ownership of some folders,mavericks like everything mac now seems to be a consumer based single operator with admin privileges system

To unsubscribe from this group and all its topics, send an email to techies-for-schools+unsub...@googlegroups.com.

[flow in]

overcomplicating! funny. i was trying to simplify it by using scripts on the PC server. who knew that that idea would be an endless rabbit hole of complication in itself.

i did find that brand NEW user account also did not work out of the box. i had to manually create the OSX file structure first, then set the deny delete/changeownership ACLs on the root folders to stop mac osx breaking it everytime that the user logged in. i'm running server 2008 - what are you using?

--

Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL

Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/

WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.

[Kevin Whelan]

I had the same thing originally with you, after setting up a new room of mavericks and then students logging into another room with mountain lion destroyed the home folder permissions for mavericks users.
that certainly added to the confusion and forced me to apply mavericks to every student mac in the end to fix. You have to wonder how well tested these systems are before being released in the wild every 12 months. I was a huge apple fan until I found that profile manager can't do half that workshop manager profiles have done so well for so long. ARD has big dns problems now, and setting up default userprofiles and copying them is just terrible and fraught with permission issues that arn't apparent until you open certain apps like preview with its autosave features etc.

[Kevin Whelan]

2012 but I don't think that makes a difference ,I think if you try to navigate permissions on some of the user subfolders you will see quite quickly that the permissions are so scrambled that even windows can't understand them let alone change them. hence the script problems
Ive had students leave and had no end of trouble just trying to delete their user folders at times,be very wary of OSX writing very illegal long filenames on the windows home folder especially safari caches, they can be painful to remove. printing seems to be very guilty as well of corruption
and yes NEW users thats another known bug
it makes extremez-ip look very attractive
Im currently moving to yosemite and that seems to be better, so far.
To be fair once I got everybody on mavericks and repaired all our art/music and media users permissions (they are the dual platform students) it has kept going in a fairly normal manner
My issue now is that all our macs wake to a network logins are not available and can take 20 mins with multiple restarts to actually let someone logon

To unsubscribe from this group and all its topics, send an email to techies-for-schools+unsubscribe...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[flow in]

i had the deletion issue, and found that the macs were not dropping network mounts - which invisibly locked their home directories - logout scripts fixed that. this is all so frustrating! 10.6.8 was a smooth wonder.

--

Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL

Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/

WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

To unsubscribe from this group and all its topics, send an email to techies-for-sch...@googlegroups.com.

[Patrick Dunford]

Sounds like we should be in no hurry to update from Mountain Lion then.

 

From: flow in

Sent: Thursday, November 27, 2014 3:21 PM

To: techies-f...@googlegroups.com

Subject: Re: [techies-for-schools] OS X needs to repair your Library to run applications

[Patrick Dunford]

dsconfigad

To unsubscribe from this group and all its topics, send an email to techies-for-schools+unsubscribe...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "Techies for schools" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/techies-for-schools/7G2zElz0GO0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to techies-for-schools+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

 

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.

To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.

To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsub...@googlegroups.com.