What is causing High Sierra to forget where my home directory is?
The initial problem
I have been encountering a sporadic problem where my Mac seems to "forget" where my home directory is.
The first clue (because this is something I do very frequently) is always that Google Chrome can't open a new tab. I get the "oh snap" error screen. This leads me to quit Chrome and restart it, which in turn leads to this error dialog, after which Chrome does not start:
Other symptoms
Many other things that require knowledge of the home directory also fail:
- When I open some Apple apps (e.g. Preview, Notes, Messages), I get prompted with a dialog that says it needs to repair my home directory and requires me to authenticate. Entering my password here causes /var/empty/Library's owner to be changed to me (which is bad in the long term, but allows some things to begin working).
- Safari simply doesn't open when clicked -- it appears briefly in the dock and then disappears, with no Crash Report dialog (although I can't say whether the system in this state is aware of my preference to see those dialogs).
- Even after "repairing my Library", many apps cannot open:
  - Preview: a Finder dialog appears: The application "Preview" can't be opened.
  - Chrome: same error dialog as before, pictured above
  - Notes: the dock icon appears and then disappears.
- After repairing my Library, some apps that couldn't open before now can, and many of these have forgotten my settings:
  - Safari (which I'm using now to write this question while I research)
  - BBEdit
  - Pixelmator
  - Notes
- Some apps appear to be unaffected regardless of the Library permissions:
  - Console
  - System Preferences
  - Keychain Access
- I can't take screenshots unless I use Grab or hold Control to write the screenshot to the clipboard (because it doesn't have write access to /var/empty/Desktop, which is correctly owned by root).
- In Open and Save dialogs, it doesn't show my home directory in the sidebar, nor any of the common destinations within (Desktop, Documents, etc).
- When the screen saver activates, the system default (Flurry) appears instead of my usual (Classic pointed at a directory of photos I've selected).
- Terminal uses default settings for color/font/etc instead of my customized settings.
Still other things appear to be working fine:
- Time Machine
- Spotlight
- Hot Corners
This has happened three times so far since upgrading my work machine to High Sierra a couple days after it was released.
The research
Research seems to indicate that macOS doesn't think my home directory is /var/empty, but rather that it doesn't know that I have a home directory, and there's some fallback logic somewhere that causes the system to use /var/empty for any user who doesn't have a home directory. (Source: Is it possible to create a user without a home directory?)
Further research indicates that /var/empty exists as a "security jail" for users who shouldn't have access to anything (which is why it's bad to change permissions or symlink it elsewhere). (Source: https://serverfault.com/questions/116632/what-is-var-empty-and-why-is-this-directory-used-by-sshd)
Based on past occurrences, rebooting fixes the problem (until the next time it happens). Once I've submitted this question, I'm going to try disconnecting/reconnecting my network cable and logging out to see if either of those help; I'll come back and edit this paragraph accordingly. Update: I disconnected and reconnected my network cable, then restarted Finder. Chrome works again, and all other symptoms appear to have been resolved as well! This certainly reduces the pain when this issue occurs, but I would still very much like to understand and prevent the root cause.
Nothing I can see from Terminal seems to exhibit the problem:
Last login: Mon Nov 13 13:21:18 on ttys000
jrobb@oke-jrobb-mb: ~ % pwd
/Users/jrobb
jrobb@oke-jrobb-mb: ~ % cd /var/empty
jrobb@oke-jrobb-mb: /var/empty % ls -la
total 24
drwxr-xr-x 8 jrobb staff 256B Oct 20 16:32 ./
drwxr-xr-x 27 root wheel 864B Oct 20 14:49 ../
-rw-r--r--@ 1 root staff 10K Oct 20 16:32 .DS_Store
drwx------ 2 root staff 64B Oct 14 05:52 .ssh/
drwx------ 4 root staff 128B Oct 9 13:22 Desktop/
drwx------ 3 root staff 96B Sep 25 15:46 Documents/
drwx------ 3 root staff 96B Sep 25 15:46 Downloads/
drwx------+ 28 root staff 896B Nov 13 13:37 Library/
jrobb@oke-jrobb-mb: /var/empty % whoami
jrobb
jrobb@oke-jrobb-mb: /var/empty % echo $HOME
/Users/jrobb
jrobb@oke-jrobb-mb: /var/empty %
High Sierra's integrated logging makes Console.app a nightmare to peruse, but I've nonetheless spent a large amount of time looking for relevant messages. I found several that seem to be errors caused by the problem, but none that appear to be the problem. I suspect this is caused by the fact that you can't scroll the endless stream of all messages from all subsystems back to earlier than whenever you opened Console, and there is also no apparent way to search more than one file at a time, unless you want to search the aforementioned forward-only stream. I didn't have Console running when things went south, so I guess I'm out of luck? (I'd very much appreciate any help/advice here.)
I've seen a number of other cases where people have the same problem, going back as far as 2014 (10.9 Mavericks). Here are some links to other people experiencing the same or related problems, for which no satisfactory solution presents itself:
- https://www.jamf.com/jamf-nation/discussions/22851/active-directory-user-home-directory-set-to-var-empty
  - At least one Jamf user found the solution there (the "require confirmation before creating a mobile account" checkbox in Directory Utility was checked and the user had clicked No when presented with the confirmation dialog). Those checkboxes are checked on my system, but I've never seen (nor declined) such a confirmation dialog, so I don't think that's the case here. Nonetheless, this is not a shared machine, and so those boxes are now unchecked.
- https://arstechnica.com/civis/viewtopic.php?f=19&t=1239175
  - There were never any replies to this thread, so I took a chance and asked this user if they ever found a problem. No answer yet.
- https://superuser.com/questions/721623/could-not-create-directory-var-empty-ssh
It appears that, for those that have "solutions," they are really band-aids that expose significant security holes:
- symlink /var/empty to the correct home directory
- chown _user_ /var/empty
- and so on
The context
I'm using a Late 2013 iMac (Core i7 3.9GHz, 32GB RAM, 1TB SSD) running High Sierra (always the latest patched version; this began with 10.13.0 and is now affecting 10.13.1). It's a Jamf-managed device, and I authenticate to an Active Directory domain. My profile in the Users and Groups prefpane is labeled "Admin, Managed, Mobile".
We began using Jamf where I work right after I upgraded to High Sierra, so this could be a Jamf problem or a High Sierra problem (or, really, anything else).
There are numerous other Mac users, numerous other High Sierra users and numerous other Jamf users; to my knowledge, no other users are experiencing this problem. I am the only iMac user -- all other Macs here are laptops. (I struggle to imagine that my iMac is the problem -- just being thorough.)
This problem starts happening in the middle of a user session. Everything's fine, until suddenly it's not. As such, I don't think it has anything to do with login or Active Directory.
What I'm looking for
I'm looking for an answer which prevents macOS from getting into this state in the first place, and hopefully explains when and how it happens.
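A read-only check for the state described in the question, added here as an example (it is not code from the question or from any answer): it classifies the NFSHomeDirectory value reported by directory services and flags a /var/empty that has been turned into a home directory. The function names, the use of dscl against the /Search node, and the constructed record line are assumptions; the listing is the one from the Terminal session above.

```shell
#!/bin/sh
# Added example (read-only). On the affected Mac the two inputs would come from:
#   dscl /Search -read "/Users/$USER" NFSHomeDirectory
#   ls -la /var/empty

# Pull the path out of a "NFSHomeDirectory: /path" record line.
home_from_record() {
    printf '%s\n' "$1" |
        awk '$1 == "NFSHomeDirectory:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# $1 = dscl output, $2 = expected home. Prints ok | fallback | missing | mismatch.
classify_home() {
    h=$(home_from_record "$1")
    case "$h" in
        "")         echo missing ;;
        /var/empty) echo fallback ;;
        "$2")       echo ok ;;
        *)          echo mismatch ;;
    esac
}

# $1 = `ls -la /var/empty` output. Flags a non-root owner on "." and every
# entry besides "." and "..", i.e. a jail that has been "repaired" into a home.
audit_var_empty() {
    printf '%s\n' "$1" | awk '
        NF < 9 { next }                              # skips the "total" line
        { name = $NF; sub(/\/$/, "", name) }
        name == "."  { if ($3 != "root") print "owner:" $3; next }
        name == ".." { next }
        { print "entry:" name }'
}

# Listing copied from the question's Terminal session; record line is constructed.
SAMPLE_LISTING='total 24
drwxr-xr-x 8 jrobb staff 256B Oct 20 16:32 ./
drwxr-xr-x 27 root wheel 864B Oct 20 14:49 ../
-rw-r--r--@ 1 root staff 10K Oct 20 16:32 .DS_Store
drwx------ 2 root staff 64B Oct 14 05:52 .ssh/
drwx------ 4 root staff 128B Oct 9 13:22 Desktop/
drwx------ 3 root staff 96B Sep 25 15:46 Documents/
drwx------ 3 root staff 96B Sep 25 15:46 Downloads/
drwx------+ 28 root staff 896B Nov 13 13:37 Library/'
SAMPLE_RECORD='NFSHomeDirectory: /Users/jrobb'

echo "home record: $(classify_home "$SAMPLE_RECORD" /Users/jrobb)"
audit_var_empty "$SAMPLE_LISTING"
```

Running the two commands from the header comment while the symptoms are present, and again after recovery, shows whether the directory record itself changes between the two states.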
Solution 1:
Open a bug with Apple on this. I have an open case, but they need to hear from more people on this. I see this on rare occasion, but only on my computer connected to Active Directory with my managed, mobile account (so my guess is it's just another of the many AD bugs in 10.13 that remain unfixed.)
I find that if I generate a sysdiagnose (to update my case), the problem goes away while the sysdiagnose is generating, too.
But, it's nothing I can force to happen, so I don't know what causes this.
Solution 2:
The long-term answer is to not bind any Mac to AD and get a tool to loosely couple the user permissions and leverage Kerberos to authenticate.
- Apple Enterprise Connect - you pay for a professional services engagement to discover / configure and document the solution for your environment. https://www.apple.com/support/professional/
- NoMAD and/or NoMAD Pro - https://nomad.menu - open source tools with paid support and consulting options as well from the vendor.
Binding is painful, and that pain grows the longer you let it fester and constrict. Your question is solid and I hope someone has a quick fix for you, but I've seen several organizations walk (or run) away from the bind once they pilot NoMAD and commit to AEC or NoMAD at scale. Having JAMF Pro in place will really help you deploy either tool.
Solution 3:
I found the following to "correct" the issue.
- Open System Preferences > Users & Groups
- Unlock the pane
- Right click on the affected user account > Advanced Options...
- Next to Home directory: click Choose...
- Click Open
- Click OK
This seems to have re-written the home directory path and allowed functionality to return.
In my case, logging out and back in resulted in a black screen with a cursor - though after a soft reboot I was able to log back in; after a long progress bar, everything was back to normal.
Hope this helps! Good luck!