Can’t login as AD user when network is connected

I recently observed this problem: I can no longer log in as my mobile (Active Directory) user, or perform any action that requires authorization, if the network is connected. Authorization works fine if I simply unplug the ethernet cable before entering my password.

The Active Directory password has not expired; I can log in just fine using this username and password from Windows computers in the AD domain. The AD password is exactly the same as the password that works just fine locally when the Mac is disconnected.

I do not know what precipitated this problem. It may have originated when my AD account became locked and was subsequently unlocked by the domain administrator. Or it may have popped up when I changed my AD user’s password.

I experienced this problem once before, and eventually solved it only by moving my user data out of the way and letting the OS create a new mobile user on the Mac for this AD account. Obviously that is not something I want to do again unless absolutely necessary.

Is there a local password/credentials cache, or a place that stores the current state of synchronization between the local computer and the AD domain? Perhaps there’s a way to reset this.

I would be much obliged if anyone has suggestions for how to troubleshoot or fix this problem.

Best Regards,
Michael Lowry
mlowry.blogspot.com

MacBook Pro (unibody, 1st gen.), Mac OS X (10.5.7)

Posted on Jun 22, 2009 1:57 AM


Jun 22, 2009 12:36 PM in response to Michael Lowry

I've got almost the same problem.

A user was able to log in to her iMac shortly after I set it up on our AD network. Then, a couple of days later, she couldn't.

I created a LOCAL user account with the same username and credentials as the network logon and the iMac successfully transferred her desktop settings and all to the new account. However, now that account is having trouble with receiving Apple Mail (connected to our Exchange server), although she can send mail.

(Hmmm...that's a DNS problem isn't it? At least every problem I read where you can send, but can't receive is DNS. I'll look into that.)

Anyhow, she can access her network folders, but there is at least one application that she can't get to because of permissions issues which I think are related.

And of course, there's the Apple mail issue, which, BTW, ANOTHER user has just told me he is having...again, can send, but can't receive.

I'm SURE that all this will go away when we transition to Open Directory and get rid of AD.

Maybe this will bump the topic and get an answer from someone.

John Orban
System Administrator
The Country School

P.S. I should have mentioned I can't login either and my account has not been logged out, so I KNOW it's got something to do with the LOCAL machine.

Sep 1, 2009 3:24 AM in response to Michael Lowry

Well, Snow Leopard fixed this.

After upgrading to Mac OS X 10.6 Snow Leopard, I did the following:
1. I re-joined the domain.
2. I attempted to change my user’s password on the Mac to what it was in the domain. At this point, Snow Leopard did something that Leopard never did: it told me that the password I had selected was insufficiently complex to meet the standards set by the domain administrator.
3. I selected a more complex password, and it was accepted. This password now works on the domain, and on my Mac when it is disconnected. It also functions to unlock my login keychain.

Thanks for the fix, Apple.
