limavadyhigh

Q: Network users won't log in

Hi folks! With help from YouTube videos and community members I've successfully set up Server 4.1.5 to manage a small Mac suite, using Profile Manager to control most of the changes. One thing I've noticed, and can't understand, is sometimes network users won't log in to a client machine. The username/password field just shakes. It's strange considering the Macs have the proper DNS records and are bound to the Mac server (albeit not authenticated binding, for some reason the option to do that doesn't appear). The Server has a few 'dummy' network accounts, some with 'local only' home folders and others set as 'services only'. Profile Manager has Login window settings ensuring name/password fields are displayed, enabled external accounts, and all access ticked. Mobility settings ensure mobile accounts are created at login, with confirmation based on a local home template saved in the startup volume. Accounts don't expire and nothing gets synced. With all that in mind I still struggle to get network accounts logging into local machines. Would any of you have any ideas on how to resolve this or perhaps where the logs would be located? Thanks, Chris

Messages, OS X Server

Posted on Aug 27, 2015 7:46 AM


Previous Page 2
  • Grant Bennet-Alder (Level 9, 61,185 points), Sep 4, 2015 11:19 AM, in response to lutraruud

    The requirement is that the workstation be able to look up, both forward and reverse, the IP Address of the Server, typically with its symbolic name.myexample.com address. Any way that works consistently meets the requirements for Server to operate.


    The well-trodden path is NOT using anything that ends in .local or .private, and setting up a simple DNS Service in your Server that handles the local requests directly, then refers additional DNS requests off to the Internet. This requires each WorkStation to look to the Server's DNS FIRST.


    MrHoffman has a substantial article on the subject on his consulting web site:


    DNS Tips: Establishing a DNS Server on Mac OS X Server 10.6 - 10.9+
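One way to turn the forward-and-reverse requirement above into a check you can run from a workstation, added here as an example and not code from the thread or from Apple: the script resolves the server's FQDN forward, then resolves every returned address in reverse and insists the PTR comes back to the same name, and it rejects names under .local or .private. The lookup functions are injectable, so the same logic can be driven from a constructed table offline or from the live system resolver; the host names and addresses in the test data are made up.

```python
"""Verify that a server's FQDN passes the forward/reverse DNS check OS X Server needs."""
import socket
import sys
from typing import Callable, List, Optional

# Suffixes the thread says not to build the server name on (mDNS / reserved use).
BAD_SUFFIXES = (".local", ".private")


def system_forward(name: str) -> List[str]:
    """Forward lookup (A/AAAA) through whatever resolver the OS is configured with."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def system_reverse(addr: str) -> Optional[str]:
    """Reverse (PTR) lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except socket.herror:
        return None


def check_server_dns(
    fqdn: str,
    forward: Callable[[str], List[str]] = system_forward,
    reverse: Callable[[str], Optional[str]] = system_reverse,
) -> List[str]:
    """Return the list of problems found; an empty list means the name is usable.

    `forward` and `reverse` are injectable so the same logic can be exercised
    against a constructed zone offline or against the live resolver.
    """
    problems: List[str] = []
    name = fqdn.rstrip(".").lower()
    if "." not in name:
        problems.append(f"{fqdn!r} is not fully qualified")
    if name.endswith(BAD_SUFFIXES):
        problems.append(f"{fqdn!r} ends in a reserved suffix; use a real domain name")
    try:
        addrs = forward(name)
    except OSError as exc:
        return problems + [f"forward lookup of {fqdn!r} failed: {exc}"]
    if not addrs:
        return problems + [f"forward lookup of {fqdn!r} returned no addresses"]
    # Every address the name resolves to must map back to exactly that name.
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"no PTR record for {addr} (reverse lookup fails)")
        elif ptr.rstrip(".").lower() != name:
            problems.append(f"PTR for {addr} is {ptr!r}, expected {name!r}")
    return problems


if __name__ == "__main__":
    # Usage: python check_dns.py server.myexample.com  (hypothetical name)
    for target in sys.argv[1:]:
        found = check_server_dns(target)
        print(f"{target}: {'OK' if not found else 'PROBLEMS'}")
        for p in found:
            print("  -", p)
```

Run it on the workstation that fails to log in, not on the server: the point is what that client's configured resolver answers, and a missing or mismatched PTR there is the usual reason the binding looks fine while logins shake.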

  • MrHoffman (Level 6, 15,637 points), Sep 5, 2015 10:30 AM, in response to Grant Bennet-Alder

    Grant Bennet-Alder wrote:


    This requires each WorkStation to look to the Server's DNS FIRST.


    Only. Not first. Unfortunately, the order of DNS server selection is less than predictable. Different devices and even different OS X versions will process multiple DNS server records... differently. The local DNS server(s) will generally be the only DNS server(s) to have local DNS records, and will be the only DNS server(s) that have matching reverse translations for a NAT'd network, so you'll want to query only your local DNS server(s) and allow those servers to query the remote (external or public) DNS servers.


    In short, with a NAT'd network and local DNS server(s), only reference your local DNS server(s) from your explicitly-configured clients and via the DNS server address(es) configured within your local DHCP server(s) settings.
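A way to audit a client for the "only, not first" rule above, added as an example and not code from the thread: it parses the output of `scutil --dns` (the command that shows the resolver list OS X actually uses) and reports any unicast nameserver that is not inside the LAN, plus any search domain under .local or .private. The embedded sample output is constructed in the shape of `scutil --dns` output, not captured from a real machine, and the 192.168.1.10 / myexample.com values are made up; the mDNS-scoped `local` resolver has no nameservers and is therefore ignored.

```python
"""Parse `scutil --dns` output and flag resolvers that point outside the LAN."""
import ipaddress
import re
import subprocess
import sys
from typing import Any, Dict, List

# Constructed sample in the shape of `scutil --dns` output (not from a real machine):
# a unicast resolver that mixes the LAN DNS server with a public one, plus the
# usual mDNS-scoped resolver for the "local" domain.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : myexample.com
  nameserver[0] : 192.168.1.10
  nameserver[1] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
FIELD_RE = re.compile(r"^\s+([a-z_ ]+?)(?:\[\d+\])?\s*:\s*(.*)$")


def parse_scutil_dns(text: str) -> List[Dict[str, Any]]:
    """Return one dict per 'resolver #N' block: id, domain, search, nameservers."""
    resolvers: List[Dict[str, Any]] = []
    current = None
    for line in text.splitlines():
        head = RESOLVER_RE.match(line)
        if head:
            current = {"id": int(head.group(1)), "domain": None,
                       "search": [], "nameservers": []}
            resolvers.append(current)
            continue
        if current is None:
            continue
        field = FIELD_RE.match(line)
        if not field:
            continue
        key, value = field.group(1).strip(), field.group(2).strip()
        if key == "nameserver":
            current["nameservers"].append(value)
        elif key == "search domain":
            current["search"].append(value)
        elif key == "domain":
            current["domain"] = value
    return resolvers


def audit_resolvers(resolvers: List[Dict[str, Any]], lan_networks: List[str]) -> List[str]:
    """List every unicast nameserver that is not inside one of lan_networks.

    Behind NAT the clients should reference only the local DNS server(s); any
    public or ISP address here lets some lookups bypass the local zone entirely.
    Search domains with a reserved last label are flagged too.
    """
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    findings: List[str] = []
    for r in resolvers:
        for ns in r["nameservers"]:
            try:
                addr = ipaddress.ip_address(ns.split("%")[0])  # drop IPv6 scope id
            except ValueError:
                findings.append(f"resolver #{r['id']}: unparseable nameserver {ns!r}")
                continue
            if not any(addr in net for net in nets):
                findings.append(f"resolver #{r['id']}: nameserver {ns} is outside the LAN")
        for dom in r["search"]:
            if dom.lower().rstrip(".").split(".")[-1] in ("local", "private"):
                findings.append(f"resolver #{r['id']}: search domain {dom!r} uses a reserved suffix")
    return findings


if __name__ == "__main__":
    # On a Mac read the live configuration; elsewhere fall back to the sample.
    if sys.platform == "darwin":
        text = subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE
    lan = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]  # adjust to your LAN
    for finding in audit_resolvers(parse_scutil_dns(text), lan):
        print(finding)
```

A clean result is an empty list. If a public resolver appears alongside the local one, remove it from the client's network settings or from the DHCP scope that handed it out; the local server keeps reaching the Internet through its own forwarders or the roots.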

  • Grant Bennet-Alder (Level 9, 61,185 points), Sep 5, 2015 5:35 PM, in response to MrHoffman

    only reference your local DNS server(s) ... and allow those servers to query the remote (external or public) DNS servers.

    So the local WorkStations get ONLY the reference to the local DNS Server, and that is OK as long as your DNS server has "Forwarding Servers" specified on the DNS Services page:

    [Screenshot omitted: Server.app DNS service page showing the "Forwarding Servers" field]


  • MrHoffman (Level 6, 15,637 points), Sep 6, 2015 11:02 AM, in response to Grant Bennet-Alder

    Grant Bennet-Alder wrote:

    ...so the local WorkStations get ONLY the reference to the local DNS Server. and that is OK as long as your DNS server has "Forwarding Servers" specified in DNS Services page:....


    Correct, and preferably with more than one local DNS server, for reliability.    Replication is trivial to set up with BIND9.


    Key here is to have the local NAT'd network DNS translations managed locally, and to have all translations performed via DNS servers that have these local NAT'd address translations. 


    DNS forwarding servers are not what I was addressing with my comments.


    DNS forwarding servers are effectively caches of translations maintained by some upstream provider (ISP, Google, etc).   The local DNS server itself also caches DNS translations, subject to the translation timeouts and the available memory in the local server.  This means that if you have a translation request for a DNS translation that's not already cached locally but is cached in the forwarding server, you'll skip the rest of the DNS translation process.  If not, then you'll still be using either the root servers or whatever the caching server itself uses as a forwarding server; the forwarding server will have to ask its own upstream for the translation.  If the local DNS server already has the translation cached, then it won't need to access the forwarding server nor the root servers.  If the local DNS server does not have the translation cached and does not have any DNS forwarding servers configured, it'll query the appropriate DNS root servers directly.


    In short, DNS forwarding servers might optimize your first translation for a given DNS string.   If the forwarding server has it cached.
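The lookup path described in the post above (local cache, then forwarder, then the roots, with a TTL governing how long each cache answers) as a small model, added here as an example and not code from the thread or from BIND: two customers share one forwarder, one LAN server has no forwarder, and a fake clock lets the TTL expire so the counters show which lookups actually generated upstream traffic. The name, address and TTL in ROOT_DATA are constructed stand-ins for the authoritative side of the DNS.

```python
"""Model the lookup path: local cache, then forwarder, then roots, governed by TTL."""
from typing import Dict, Optional, Tuple

# Constructed stand-in for the authoritative/root side: name -> (address, TTL seconds).
ROOT_DATA: Dict[str, Tuple[str, int]] = {"www.example.com": ("93.184.216.34", 60)}


class FakeClock:
    """Advance time deterministically so TTL expiry can be demonstrated."""

    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class CachingResolver:
    """A caching DNS server with an optional forwarder.

    lookup() answers from cache while the TTL is unexpired; on a miss it asks its
    forwarder if one is configured, otherwise it goes to the roots itself.
    The counters record how much traffic each path generated.
    """

    def __init__(self, clock: FakeClock, forwarder: Optional["CachingResolver"] = None) -> None:
        self.clock = clock
        self.forwarder = forwarder
        self.cache: Dict[str, Tuple[str, float]] = {}  # qname -> (address, expires_at)
        self.upstream_queries = 0  # misses that left this server (to forwarder or roots)
        self.root_queries = 0      # the subset of those that went to the roots

    def lookup(self, qname: str) -> Tuple[str, int]:
        now = self.clock.now()
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], int(hit[1] - now)  # cache hit: no upstream traffic at all
        self.upstream_queries += 1
        if self.forwarder is not None:
            addr, ttl = self.forwarder.lookup(qname)  # the forwarder may itself recurse
        else:
            addr, ttl = self._query_roots(qname)
        self.cache[qname] = (addr, now + ttl)
        return addr, ttl

    def _query_roots(self, qname: str) -> Tuple[str, int]:
        self.root_queries += 1
        if qname not in ROOT_DATA:
            raise LookupError(f"NXDOMAIN: {qname}")
        return ROOT_DATA[qname]


def demo() -> Dict[str, int]:
    """Replay the scenarios from the post and return the resulting query counts."""
    clock = FakeClock()
    isp = CachingResolver(clock)                        # ISP/public forwarder, recurses to the roots
    other_site = CachingResolver(clock, forwarder=isp)  # some other customer of that forwarder
    local = CachingResolver(clock, forwarder=isp)       # our LAN's BIND with a forwarder configured
    standalone = CachingResolver(clock)                 # a LAN server with no forwarders at all

    other_site.lookup("www.example.com")  # warms the forwarder's cache: 1 root query
    local.lookup("www.example.com")       # local miss, forwarder hit: no root query
    local.lookup("www.example.com")       # local hit: nothing leaves the LAN
    clock.advance(61)                     # the 60 s TTL has expired everywhere
    local.lookup("www.example.com")       # local and forwarder both miss: forwarder hits the roots
    standalone.lookup("www.example.com")  # no forwarder: asks the roots directly
    return {
        "local_upstream": local.upstream_queries,    # 2: first lookup and the post-expiry one
        "forwarder_root": isp.root_queries,          # 2: warm-up and the post-expiry refresh
        "standalone_root": standalone.root_queries,  # 1
    }


if __name__ == "__main__":
    print(demo())
```

The counters make the post's point concrete: the forwarder saved exactly one root query, the one where some other client had already populated its cache inside the TTL, and once the TTL lapsed it cost nothing and saved nothing. Whether to configure forwarders is therefore a performance and policy choice; the local server's own zone data and its reverse records are what the login problem depends on.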
