10.5.3: Can't Create Mobile Account

I have a MacBook Pro that authenticates to Active Directory.

When I try to create a Mobile Account

[ System Preferences --> Accounts --> Mobile Accounts:Create ]

I get prompted to

"*Enter your password to create a mobile account*"

However, it does not accept the password, responding with

"*Incorrect password*"

After three attempts, I get

"*Mobile account creation canceled*"

and then logged off.

I've tried both my Active Directory account password and the local administrator password. Neither works.


At least I can get that far; in 10.5.2, the Mobile Account:Create button was greyed out.

Is anyone else having the same problem? Is there a fix for this?

I'm going to be out of the office next week for a conference, and would really like to get this working before then.

UPDATE: When trying to enable FileVault for my A.D. account, I get the following message:

*You cannot turn on FileVault for this account.*
*This account is either a network account or the home folder is on a server. You cannot turn on FileVault for these types of accounts.*

This makes this problem more than a minor annoyance, as my company policy -- and plain common sense -- requires encryption enabled for laptops.

Message was edited by: Robert Racansky

MacBook Pro, Mac OS X (10.5.3)

Posted on Jun 2, 2008 1:48 PM


Jul 7, 2008 10:57 AM in response to Robert Racansky

NO SOLUTION BUT HERE IS A WORKAROUND - Go to Directory Access under your AD advanced settings. Pick "Create a Mobile User", save, log off and then log on as the user. The user will then be a Managed Mobile User. Log off, log back on as Admin, go to Directory Access and un-check the Create Mobile User config, log off and back on as the user and they will be a local mobile user. I still have a ticket out with Apple and hopefully the issue will be resolved in an upcoming release.

Jul 7, 2008 11:37 AM in response to Robert Racansky

Hi Robert

On the Active Directory Server, SMB Digital Signing Requirements (there are two: Server and Client) need to be disabled. It's not enough to leave them undefined. Once that has been done, make sure client clocks are within 5 minutes of the server's time clock. In the Network Preferences Pane, make sure the Mac is using the AD DC for resolving internal DNS Services and the Search Domain field is filled in with the appropriate AD Domain Name. It's also advisable to fill in the WINS Tab with the relevant information for the AD.

Launch Directory Utility and select the Services Icon (click Show Advanced Options to see this). Select the Active Directory plug-in and click the disclosure triangle to show Advanced Options. Leave everything as the default and select 'Create Mobile Account at Login'. Fill in the Active Directory Domain field with the relevant information. For example if the AD's FQDN is adserver.addomain.com then the information should be addomain.com. Now click Bind. In the resulting window key in authentication details for an account that has authority for the AD Domain. Typically this would be the AD admin account name and password. What follows next will be a 5 step process. Depending on how well the AD has been configured this should take anything from 5-10 seconds and possibly 1-2 minutes. If it takes a short time this will be a good sign as to the 'health' of internal DNS Services as well as the AD configuration. The longer it takes the more the likelihood of problems.

By the way there is no magic fix for integrating/binding mac clients to an AD Server. Over 90% of how well this goes will rest with how well the AD is configured.

If the bind has been successful you should see a Kerberos TGT (ticket granting ticket) has been created in /Library/Preferences. It will be a file called edu.mit.Kerberos. You can inspect this and it should show the relevant details regarding the KDC (Kerberos Distribution Center). If you now log out you should see the Log in window display the local admin user as well 'Other'. It should look like a shadowed head and shoulders in front of a star field. Select this and supply your AD name and password. Provided the AD admin has defined a UNC path in the Profiles tab for your account on the AD Server for home folder creation and that you have full read/write privileges for that folder then you should be logging into your locally created home folder that also gets created at the same time on the AD.

It's best if you sync when logging out, as there have been problems syncing at other times. Mileage may vary.

Hope this helps, Tony

Jul 12, 2008 8:30 AM in response to Robert Racansky

UPDATE! - Apple tier three support has been able to duplicate the issue in the lab. This is a true code problem and will be resolved in an upcoming release. In the interim, here is another way to configure the mobile accounts at the user level. Good luck!

1. Delete the old user if that user exists on the client system.

2. Test to make sure the system is properly bound to Active Directory.

3. Login as the local admin and run the following command in the Terminal:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n userid -v

Remember this will require a password and will not return any visual output when the keys are pressed.

4. Log out the local admin.

5. Log in as the Network user.

6. To configure the syncing service go to System Preferences > Accounts and click on the Settings button. This will be grayed out with users who are not set up with a network home directory.

The only difference between the procedure of making a mobile account with System Preferences and this workaround is that the user login credentials are not cached. They will have to login at least once on the network to cache these credentials.
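Tony's prerequisites (client clock within 5 minutes of the DC, a healthy bind) and Geaux's createmobileaccount workaround can be folded into a small pre-flight script an admin runs before creating the mobile account. The script below is an added example written for this thread, not code from Apple or from either poster: it assumes the `createmobileaccount` path quoted above, assumes `dsconfigad -show` prints an `Active Directory Domain = ...` line when the Mac is bound (format assumed here, not shown in the thread), and uses a constructed sample of that output so it can be exercised offline. The 300-second limit is the standard Kerberos clock-skew tolerance that Tony's "within 5 minutes" refers to; the user id check keeps an untrusted name from being spliced into the sudo command line.

```shell
#!/bin/sh
# Pre-flight checks before running createmobileaccount on a Leopard client
# bound to Active Directory. Added example; not from the thread or from Apple.
# Assumed: path of createmobileaccount (as quoted in the thread) and the
# "Active Directory Domain = ..." line format of `dsconfigad -show`.

KERBEROS_MAX_SKEW=300   # seconds; Kerberos rejects tickets with more than 5 min of skew
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# clock_skew_ok SERVER_EPOCH CLIENT_EPOCH -> 0 if |server - client| <= 300 s
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$KERBEROS_MAX_SKEW" ]
}

# ad_domain_from_dsconfigad TEXT -> prints the bound AD domain, or nothing if unbound
ad_domain_from_dsconfigad() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p'
}

# valid_userid NAME -> 0 if NAME contains only letters, digits, '.', '_' or '-'
# (rejects empty names and anything that could be interpreted by the shell)
valid_userid() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_cma_command USERID -> prints the exact command from Geaux's step 3
build_cma_command() {
    valid_userid "$1" || return 1
    printf 'sudo %s -n %s -v\n' "$CMA" "$1"
}

# preflight USERID SERVER_EPOCH CLIENT_EPOCH DSCONFIGAD_OUTPUT
# -> 0 if the Mac is bound, the clock is within tolerance and the user id is safe
preflight() {
    user=$1; server=$2; client=$3; dsout=$4
    domain=$(ad_domain_from_dsconfigad "$dsout")
    [ -n "$domain" ] || { echo "not bound to Active Directory; bind first" >&2; return 1; }
    clock_skew_ok "$server" "$client" \
        || { echo "clock skew exceeds ${KERBEROS_MAX_SKEW}s; fix NTP before continuing" >&2; return 1; }
    valid_userid "$user" || { echo "refusing unsafe user id: $user" >&2; return 1; }
    echo "bound to $domain, clock ok; run: $(build_cma_command "$user")"
    return 0
}

# Constructed sample of `dsconfigad -show` output (format assumed, values made up)
SAMPLE_BOUND='You are bound to Active Directory:
  Active Directory Forest          = addomain.com
  Active Directory Domain          = addomain.com
  Computer Account                 = mbp-example$'
SAMPLE_UNBOUND='You are not bound to Active Directory.'

# Live use on a client (not run here): pass real values from the system, e.g.
#   preflight jdoe "$(date -u +%s)" "$(date -u +%s)" "$(dsconfigad -show)"
# with SERVER_EPOCH taken from the DC (for instance via ntpdate -q) instead of date.
```

On a real client the server time would come from the domain controller rather than the local `date`, and the printed command is run by the admin after the checks pass; the script deliberately only prints it.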

Jul 21, 2008 11:36 AM in response to Geaux

I have a slightly different question. I can create a mobile account on 10.5.4 and it's running fine. (I made use of our corporate imaging installation package.) That is until I try to turn on FileVault. Once I do this, any attempt to log on using my AD account name tries to logon then returns with the same prompt to enter logon and password. The prompt isn't wiggling so I know it isn't saying my password is wrong. I keep entering the logon and password and it never does anything. To add one more gotcha, I'm also not on my internal network at the moment. Since I haven't logged on, I can't start up my VPN client. When I imaged the system, I was on-site and was able to properly bind to the AD domain and get my Kerberos ticket. As far as I know, my credentials are being properly cached. When I turned FileVault on, I used my AD password (twice).

I'll start a new thread if my situation isn't compatible with everyone else's.

