
Active Directory broken in Lion?

69654 Views 98 Replies Latest reply: Sep 2, 2012 10:34 AM by Dave.Maltby

Hat-Rack
Jul 22, 2011 3:21 AM

Just installed Lion on a network that authenticates users using Active Directory and it shows a red dot saying "network accounts are unavailable".

Does anyone have a workaround to make AD bind?

  • TheFishyFew
    Jul 22, 2011 5:30 AM (in response to Hat-Rack)

    I'm also seeing this. Did it on two computers with the same results. When I try to bind I get a "Can't store password" error message near the end.

  • Kenzooo
    Jul 24, 2011 4:54 AM (in response to Hat-Rack)

    Same situation here. Thankfully I only upgraded one redundant machine so we can still keep working on other machines. I'd love to find a fix but I suspect this will only come as a point release!!

  • fsck! Level 1 (30 points)
    Jul 25, 2011 7:52 AM (in response to Hat-Rack)

    Same here, I'm afraid. Rebinding to my 2K3 R2 domain corrected the issue for a while but it is still flaky (I get "network accounts unavailable" or "active directory inaccessible" from time to time).

    To rebind:

    1- delete the Lion machine account from AD (and force replication if you have multiple DCs)

    2- log on to Lion with a local admin account (do not use the domain/mobile account you already have)

    3- unbind, reboot, rebind to AD, reboot

    4- check the AD tool in Lion and make sure all of the search paths for directory services are there. If you click the + sign you may find there is one path missing.

    Again, rebinding got me past the initial issue where it would not see my AD environment whatsoever BUT the problems are not fixed. Looking at the console while you troubleshoot this may give you some clues. Can't wait for Apple to start issuing patches.....

  • combsbj
    Jul 26, 2011 9:54 AM (in response to TheFishyFew)

    I think I fixed my "can't store password" problem by running fix permissions in Disk Utility. Also, had to click bind almost a dozen times before it got a reply from the AD in time. I think maybe the timeout is ridiculously short..?

  • bartron Level 1 (5 points)
    Jul 27, 2011 11:34 PM (in response to Hat-Rack)

    Try the following:

    Open Terminal.

    Type these two commands (may need to sudo):

    dsconfigad -packetsign require

    dsconfigad -packetencrypt require

    Reboot.
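An added audit script, not bartron's or Apple's, that checks whether the two settings above are actually in force by parsing `dsconfigad -show` output; the "Packet signing" / "Packet encryption" field layout and the sample values are assumptions, and the live check only runs where `dsconfigad` exists (macOS). Requiring signing and encryption protects the client's LDAP traffic to the DC from tampering and eavesdropping.

```shell
#!/bin/sh
# Constructed sample of `dsconfigad -show` output (format assumed): default
# "allow" policy, so signing/encryption are negotiable rather than enforced.
CONSTRUCTED_WEAK='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-lion-01$

Advanced Options - Administrative
  Packet signing                   = allow
  Packet encryption                = allow'

# Same constructed machine after the two dsconfigad commands above.
CONSTRUCTED_OK='You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-lion-01$

Advanced Options - Administrative
  Packet signing                   = require
  Packet encryption                = require'

# Extract the value of one "key = value" line from dsconfigad output ($2).
ad_setting() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Return 0 only when both packet signing and packet encryption are "require";
# 1 when either is weaker (allow/disable) or the line is missing entirely.
ad_packet_policy_ok() {
  sign=$(ad_setting "Packet signing" "$1")
  enc=$(ad_setting "Packet encryption" "$1")
  [ "$sign" = "require" ] && [ "$enc" = "require" ]
}

# Audit the live binding; returns 2 where dsconfigad is not available.
audit_live_binding() {
  command -v dsconfigad >/dev/null 2>&1 || return 2
  out=$(dsconfigad -show) || return 2
  if ad_packet_policy_ok "$out"; then
    echo "OK: LDAP packet signing and encryption are required"
  else
    echo "WEAK: apply 'dsconfigad -packetsign require' and 'dsconfigad -packetencrypt require'"
    return 1
  fi
}
```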

  • lmadden Level 1 (0 points)
    Jul 29, 2011 7:34 AM (in response to Hat-Rack)

    I just posted a similar question. I have only upgraded one Mac so far as a test. I cannot bind to AD at all. I get to the point where it is "getting AD domain info" and then it eventually fails with "Authentication server could not be contacted."

    I've tried several times. When I look inside the Directory Service directory, there is nothing there.

    I will try some of the suggestions above to see if this helps, but I sure hope Apple comes out with a patch as I really do not want to be removing and re-adding over 400 computers to AD and rebinding them!!

    Lisa

  • mwfischer
    Aug 2, 2011 5:01 PM (in response to Hat-Rack)

    There are a ton of threads on the Googles about this problem. For giggles I'm going to call AppleCare tomorrow.

    A script in this thread might be promising, but I haven't tried it.

    http://www.afp548.com/forum/viewtopic.php?showtopic=29175

  • aaron-wy
    Aug 5, 2011 9:59 AM (in response to Hat-Rack)

    Same trouble. This was the only fix I found, and it only works until the machine is rebooted:

    1. unbind machine

    2. rename machine

    3. reboot

    4. login as local user

    5. in Directory Utility go to Services

    6. enter Active Directory name

    7. check create mobile and require confirm (optional)

    8. check prefer this domain controller, enter full primary domain controller

    9. check allow auth for any domain in forest

    10. enter AD name

    11. bind

    12. logout (network login will be unavailable)

    13. login as local admin

    14. go to search policy

    15. make for custom path - click + add /active directory/domain

    16. move /active directory/domain up above /active directory/domain/all domains

    17. click + then cancel out of that

    18. it will now be able to login to network --- but don't reboot.

    Called enterprise support on this, they are well aware of the problem, and have been since day 1 of the official release. Their response: "We are looking into this matter....".

    Gee thanks Apple. Now we know why the Lion upgrade was selling for $25.
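An added check, not aaron-wy's or Apple's, for the search-policy state that steps 14 to 16 above produce: it reads the `CSPSearchPath` list from `dscl /Search -read / CSPSearchPath` and verifies that the specific `/Active Directory/<DOMAIN>` node exists and is ordered before its `/All Domains` node, which is what mwfischer's log timeouts point at. The dscl output layout, the `CORP` domain and the sample lists are constructed assumptions; the live check only runs where `dscl` exists.

```shell
#!/bin/sh
# Constructed sample (format assumed) of a Lion client that only has the
# generic /All Domains node: the state the thread ties to "network accounts
# unavailable".
CONSTRUCTED_BEFORE='CSPSearchPath:
 /Local/Default
 /Active Directory/CORP/All Domains'

# Constructed sample after the steps above: the domain node added and moved up.
CONSTRUCTED_AFTER='CSPSearchPath:
 /Local/Default
 /Active Directory/CORP
 /Active Directory/CORP/All Domains'

# Print the 1-based position of node $1 in the CSPSearchPath text $2,
# or nothing when it is absent (exact, whole-line match).
search_path_index() {
  printf '%s\n' "$2" | sed -n '2,$p' | sed 's/^ //' | grep -n -x -F "$1" | cut -d: -f1
}

# Return 0 when "/Active Directory/<domain>" is present and listed before its
# "/All Domains" node, so lookups hit the real domain first; 1 otherwise.
ad_search_path_ok() {
  domain_node="/Active Directory/$1"
  d=$(search_path_index "$domain_node" "$2")
  a=$(search_path_index "$domain_node/All Domains" "$2")
  [ -n "$d" ] || return 1
  [ -z "$a" ] || [ "$d" -lt "$a" ]
}

# Audit the live search policy for domain $1; returns 2 where dscl is absent.
audit_live_search_path() {
  command -v dscl >/dev/null 2>&1 || return 2
  out=$(dscl /Search -read / CSPSearchPath) || return 2
  if ad_search_path_ok "$1" "$out"; then
    echo "OK: /Active Directory/$1 is searched before its All Domains node"
  else
    echo "MISSING: add /Active Directory/$1 in Directory Utility > Search Policy and move it up"
    return 1
  fi
}
```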

  • joey jo jo
    Aug 9, 2011 7:49 AM (in response to Hat-Rack)

    I have successfully added my systems to AD with no issues. But at the login screen I get a message bubble with the following error: "Network Accounts Unavailable". In System Preferences I have a green dot showing AD is up and running, but at the login screen it's red with the error message. Anyone else having this issue?

  • mwfischer Level 1 (0 points)
    Aug 9, 2011 8:08 AM (in response to joey jo jo)

    Joey,

    Are you able to log in with a domain user?

    This is the same problem we were having.

    Luckily I'm in a position where I can work directly with Apple software engineers on diagnosing the problem.

    Here's the main issue.

    The green light in that window means the computer can see a domain controller as a valid address.

    The login screen is active negotiation.

    aaron-wy is correct in pointing out that you need to use Directory Utility to manually add your search path. If you look at your opendirectoryd log files in Console you'll see timeouts to /ALL DOMAINS/.

    When you hit the + button, you'll see your actual domain there instead of the generic catch-all.

    Add it, give it priority, and apply it. Give it about a minute for the computer to realize what just happened. Try a quick user switch and you should be able to authenticate (and encounter the next bug shortly after).

    You'll authenticate and if you activate fast user switching you'll be listed as your user name in all caps. If you log out and log back in, even with fast user switching, you'll log in as your display name. Lion sees this as two different accounts but the same home folder. No programs will launch (1 bounce then instant close) and Safari will launch slowly. You need to restart and hope you can log in to the correct account (user name, not display name).

  • ptrondsen
    Aug 9, 2011 1:32 PM (in response to Hat-Rack)

    FYI: the 10.7.2 Combo Update fixes this.

    I was having the same issue in the final release and the GM.

    Whatever I tried, I could not bind to AD.

    So, I downloaded the beta 10.7.2, and it solved the issue.

    Hopefully it will be released soon.

  • joey jo jo Level 1 (0 points)
    Aug 9, 2011 2:23 PM (in response to mwfischer)

    Thank you for your help mwfischer and aaron-wy.

    I added the search path and I got it to work. But the only small issue I found now is that our AD domain admin accounts can no longer be administrators on the computers without checking the "Allow to administer computer" check box. With Snow Leopard our domain admin accounts were able to administer the computers without further tweaking. This is a small issue and I can work around it by creating a local admin account or enabling root. But if anyone knows a fix please share. Thanks again.

  • Gerrit DeWitt Level 4 (3,900 points)
    Aug 9, 2011 4:23 PM (in response to Hat-Rack)

    I've had pretty good luck by resetting the directory services configuration. Typically, this involves deleting the whole OpenDirectory folder in /Library/Preferences, rebooting, then binding again with dsconfigad or Directory Utility. By the way, the syntax for dsconfigad has changed a bit in Lion. The advantage of using it instead of Directory Utility is that you get more detailed error messages.

    Note that if you're running Lion Server, you'll need to rebind to your shared LDAP (OpenDirectory master) domain as well. Your LDAP database, password server store, and KDC should be just fine, but your server won't be able to contact them as it should until you rebind.

  • lmadden Level 1 (0 points)
    Aug 11, 2011 8:29 AM (in response to Gerrit DeWitt)

    Hi Everyone,

    Well, once Apple releases the 10.7.2 update this should fix the AD bind issue. It is only in preview for ADC members right now, but I loaded it and was able to create my domain account and mobile account. Rebooted the system, and was able to log back in with the same domain account.

    It also seems to fix the SMB share connection issue. Yay.

    Another oddity, in case you have not noticed: in /Users/<user ID>, the /Library directory is invisible!

    Lisa
