WORK IN PROGRESS — This procedure is not working yet — Use at your own risk!

I have a Mac (OS X 10.5) & use a smart card. I wanted to use the smart card to access the Mac. I have gotten different parts to work at different times, but I think I finally have it. I wanted 3 things from the smart card: login, keychain, and FileVault (FV). The basis for this is a great write-up from AppleMacGeniusVille: http://www.applemacgeniusville.com/2009/09/15/enabling-cac-login-and-creating-filevault-cac-user/

But there were a couple of problems that I had:
- It did not cover moving an existing FV account.
- I could not get into the new FV account without the smart card. (What happens when the chip goes bad...)
Conventions:
- user = username for working user account
- # = command prompt as root (sudo su -)
- $ = command prompt as user
So here goes:
- MAKE A COMPLETE BACKUP
- clean up old account (get rid of big / unused files)
- login with an admin account that is not the one you are moving.
- open Terminal & sudo su -
- save the original FV account
- # mkdir /Users/user.save
- # mv /Users/user/user.sparsebundle /Users/user.save/
- Remove the account (GUI Tool: System Preferences->Accounts)
- Remove any old smart card info from your account.
- # sc_auth remove -u current_user
- make sure that the FV Master password is set; if you have already used FV then it should be. (GUI Tool: System Preferences->Security->FileVault)
- Create a new FV User with tokenadmin
- # tokenadmin create-fv-user -u user -l "Long User Name" -p tempPassword
- change the password on the new sparse image (this adds a user level password to the FV (sparse) image) — this should be the same password as the OLD user — it will use the SmartCard to authenticate and add a password (it also changed the NEW user password for me)
- # hdiutil chpass -newstdinpass /Users/user/user.sparsebundle
- Mount the (new) FV User image
- # hdiutil attach /Users/user/user.sparsebundle
- If you want to change the format of the sparsebundle, now is the time. (I wanted this to be case sensitive, while my OS disk is not – turns out that this REALLY is a pain – wasted a lot of time here!!!)*
- Open Disk Utility select the user.sparsebundle for the NEW user
- Select Partition
- Select Volume Scheme: 1 Partition
- Click Options & Select GUID Partition (If you use Apple partition here this utility creates a small partition that is not visible in most instances, but will screw up FileVault)
- set the name to your short username (example: user)
- Select the Format; for me: Mac OS Extended (Case-sensitive, Journaled)
- Click Apply & confirm by clicking: Partition
- Mount the OLD FV user
- # hdiutil attach /Users/user.save/user.sparsebundle
- Make links to identify the old and new
- # cd /Volumes
- # ln -s user new
- # ln -s "user 1" old
- Verify new is the new FV directory and old is the one with the data that needs to be saved. If not fix these links.
- Copy the files from the old to the new
- # cd /Volumes
- # rsync -av old/ new/
- remove the links
- # cd /Volumes
- # rm new old
- unmount the old sparse bundle
- # hdiutil detach "/Volumes/user 1" (the mount point of the old image, the volume named "user 1" above)
- set the login keychain to unlock with smartcard:
- # systemkeychain -T /Volumes/user/Library/Keychains/login.keychain (note the capital K in Keychains: on a case-sensitive volume the path must match exactly)
- unmount the new sparse bundle
- # hdiutil detach /Volumes/user (the mount point of the new image)
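Two checks worth running between the rsync step and deleting /Users/user.save, added here as an example and not part of the original procedure: one tells you whether the NEW volume really came out case-sensitive, the other proves every regular file from the old home has an identical copy in the new one before the old sparsebundle is thrown away. It assumes the mount points used above ("/Volumes/user 1" for the old image, /Volumes/user for the new) and that it is run as root so every file is readable.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed mount points:
#   "/Volumes/user 1"  - the OLD FileVault image (the data to keep)
#   /Volumes/user      - the NEW FileVault image created by tokenadmin
# Usage:
#   is_case_sensitive /Volumes/user && echo "new volume is case-sensitive"
#   verify_copy "/Volumes/user 1" /Volumes/user

# Exit 0 if the filesystem under DIR treats ".probe_case" and ".PROBE_CASE"
# as different names, 1 if it folds them together, 2 if DIR is not writable.
is_case_sensitive() {
    lower="$1/.probe_case.$$"
    upper="$1/.PROBE_CASE.$$"
    : > "$lower" || return 2
    if [ -e "$upper" ]; then
        rm -f "$lower"          # the upper-case name resolved to the same file
        return 1
    fi
    rm -f "$lower"
    return 0
}

# One line per regular file below DIR: "<crc> <size> ./relative/path",
# sorted, so two trees with identical contents give byte-identical output.
manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + ) | LC_ALL=C sort
}

# Exit 0 if every regular file in OLD exists in NEW with the same size and
# checksum and NEW has nothing extra; otherwise print the differences and
# exit 1. Ownership, permissions and extended attributes are NOT compared.
verify_copy() {
    old_m=$(mktemp) ; new_m=$(mktemp)
    manifest "$1" > "$old_m"
    manifest "$2" > "$new_m"
    printf 'old: %s files, new: %s files\n' \
        "$(wc -l < "$old_m" | tr -d ' ')" "$(wc -l < "$new_m" | tr -d ' ')"
    if diff "$old_m" "$new_m"; then
        rm -f "$old_m" "$new_m"
        return 0
    fi
    echo "copy is NOT complete: '<' lines exist only in $1, '>' only in $2" >&2
    rm -f "$old_m" "$new_m"
    return 1
}
```

Only file contents are compared; if verify_copy passes but ownership looks wrong in the new home, re-run the rsync with its permission and extended-attribute options rather than trusting this check alone.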
Comments:
* Macs & case-sensitive file systems are a PAIN!!! There are several Mac applications that do not work with case-sensitive file systems. Examples include Adobe products, antivirus products, and I am sure there are others. But if you work in the UNIX world then there are times that you need case sensitivity… so you have to come up with numerous workarounds…