Active Directory bound Macs give users the 'shake-off'

Hi

Eliminate the usual culprits:

Kerberos timestamps its tickets so time synchronization is important between Server & Clients. All nodes need to be using the same NTP Server. In your environment I'm guessing this would be the DC?

SMB Digital Packet signing (Server & Client Side) is not supported so make sure in the Local, Domain & Group Security Policies those two settings are Disabled. Interestingly I have noticed since 10.5.4 this seems less of an issue. However it's something else to eliminate - just in case.

Home Folder Permissions. Make sure users have full access.

On the login window below where it says Mac OS X should be some gray wording. You can click on this and cycle through basic information. One of them should say Network Accounts available or unavailable. When you get the problem what does it say?

Finally DNS. Make sure the client can resolve the serve hosting their home folder on both pointers. It's also a good idea to check if the reverse entry for that client reflects the correct hostname. I have seen issues where the DNS Reverse Zone displays an incorrect hostname to the assigned IP address.

Perhaps your issue relates to the built image? Have you seen this article?

http://support.apple.com/kb/HT3192
http://support.apple.com/kb/TS1245

Tony

Directory Search Order. Make sure clients are bound to AD first and OD second. Make sure OD is not being used for Authentication. Make sure both nodes are listed in the Search Policy. AD first followed by OD.

Tony

Hi

+I downgraded the smbfs.kext and smb.fs+

That could be it? For 10.5.6. the version should be 1.4.6.

+it stopped a huge problem with kernel panics and endless hanging at logout+

AFAIK and in my experience, kernel panics on logout was caused by MS Office installing fonts in the /Users/Home/Library/Fonts folder. Deleting these or making sure they're installed in /Libary/Fonts cured in the 'problem' in all the cases that I saw it reported. I don't even think it was all the fonts. As I recall Arial and Times New Roman were the main culprits?

There are a number of threads regarding the logout kernel panics and from what I can see removing the Fonts stopped the problem.

Although important DNS Resolution for the Mac Server is not really what I meant. I meant for the clients. Can they resolve named servers locally? Can they resolve themselves locally?

Tony

Hi

Not sure if this helps but I don't have either of those other files you've mentioned: smb.fs or smbfs.fs.

Tony

I have this same issue on every Mac running 10.5.5 and 10.5.6. (If the new hardware would run 10.4 I would not be upgrading).

My issue is far more inconsistent than 12 - 24 hours. I had one machine do this yesterday and then again today. Other machines will go months before they fail.

I see this issue on clean installs of the OS as well as a cloned image I have made. I have removed all the computer specific files prior to building the image. The local kdc is reset prior to any server authenticated user login. The cloned image was created on the same HW as the clients are receiving (though this shouldn't matter).

All of my users have an AD authenticated account. No user accounts or home directories are on the OD server. The OD server is used for a file share and I am beginning to set it up for MCX control.

Once a machine stops allowing authentication of network users I can dscl to the AD domain and still read the user. This proves to me that the AD bind is still functioning. It just isn't allowing authentication.

logging in as a local admin, unbind and bind corrects the issue, temporarily.

Any next steps in determining where this failure is occurring and how to resolve would be greatly appreciated.

Unfortunately I can't force this to fail and I don't have a dev box to work on at this moment.

I have always heard and bound my machines in this order. However, recently I read that if you are using an OD Server for client permissions that it should be the first bound machine followed by the authentication server. Have you had any experience with this? In my case it would cause me to bind to OD then AD. On my test boxes I haven't seen this cause any problems.

Did you find any explanation for this?

I've just now been hit with this exact same scenario. Login worked yesterday (after full clean rebuild), worked this morning, then at some time today it failed. Going to dscl and looking in /Active Directory/All Domains/Users and doing an 'ls' gives me the undefined error you originally posted.

Unbinding/rebinding kicked things back in shape.

My specs: 10.5.7 client. Also in AD/OD triangle, AD is listed first in search policy.

I've tried rebuilding the LKDC, and make sure to do dscacheconfig -flushcache, but the problem returned.

Nothing outstanding in system.log.