36 Replies Latest reply: Feb 25, 2010 12:56 AM by LMHKI
Ken_Edgar Level 1
I successfully bound my test machine to Active Directory and can search using dscl and id. I can also su to my Active Directory user account and authenticate perfectly. All search bases are correct and everything else looks fine.

When I attempt to log in from the login window as an AD user, the window shakes. Clicking under Mac OS X shows "Network Accounts Available". It looks like the CLI tool "dirt" is now gone as well; although insecure, it would possibly show something here.

Anyone else having issues after binding to AD? I bound using the Directory Utility GUI... I have not tried using my Leopard bind script yet.


Mixed environment, Mac OS X (10.6)
Reply by ben6073 on Aug 31, 2009 11:45 AM Helpful

Update: I was able to get logged in using my AD credentials. I found this: 7a?pli=1

And followed these instructions specifically, by running the following commands:

sudo /System/Library/CoreServices/ -n username
sudo createhomedir -c -u username

So it seems for me the issue was not that it wouldn't take my credentials, but that it didn't want to create the home directory. Anyways, I think it is a bug, but this is a decent workaround. -Ben

All replies

  • MSL-ITmanager Level 1
    I am having the exact same problem. Have you found a solution?
  • Ken_Edgar Level 1
    No solution yet... I'm hoping someone from Apple reads this and has a solution. I wouldn't think they would deploy SL without first testing the AD plug-in functionality. However I know I'm not doing anything wrong as I've been binding machines to the same AD directory for a long time now.

    I also checked my ntp settings to make sure everything was within sync... and I had a dash in my hostname which I think I remember reading one time that that's bad. I unbound, removed the dash, and rebound with the same results.

    I find it interesting that I can su to my AD account just fine, and if I type "id someusername" I get account info returned to me. Using dscl I'm able to get information back perfectly. Something with loginwindow that doesn't want to work with the AD plug-in, I'm assuming.

    Message was edited by: Ken_Edgar
  • Ken_Edgar Level 1
    Is anyone else out there trying to bind to Active Directory? I'm interested to hear if it is working or not for you. On Monday I'll have to see if I can get a Kerberos TGT or not.

  • Martin van Diemen Level 1
    I've got the exact same problem.

    When I try to login with my AD account I get the error message "No home directory:".

    If you're at the login screen type in as username >console and hit enter (twice). Try to login with your AD account. You can also do this by opening a Terminal window.
  • _JB_ Level 1
    I have pretty well the same problem. The machine was already bound to AD prior to upgrade. After, I could not log on with my account (jball). Can log on with other accounts from the same domain (we only have one AD domain). Can also su to jball in a terminal session. Can't access network resources with jball when I try to connect to a Windows server through the Finder; it instantly comes up with bad username or password, doesn't even think about it.

    I have removed any copies of the home folder under either /Users or /Domain as I have had problems with that before. Have repaired permissions and unbound and rebound the machine to AD. Have been at this all day now and no closer. Get these error messages in console:

    31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services

    31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname

    31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing
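
A small parser for the SecurityAgent console lines quoted in the post above, as an added example that is not part of the original thread: it pairs each failed Directory Services record lookup with the audit line logged for the same user by the same SecurityAgent process. The line layout is inferred from the three quoted lines; the last two sample lines and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout as quoted in the thread: "DD/MM/YY H:MM:SS AM/PM process[pid] message"
LINE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
                  r"(?P<proc>[\w.]+)\[(?P<pid>\d+)\] (?P<msg>.*)$")
LOOKUP_FAIL = re.compile(
    r"Could not get the user record for '(?P<user>[^']+)' from Directory Services")
AUDIT = re.compile(
    r"unknown-user \((?P<user>[^)]+)\) login attempt (?P<result>\w+) for auditing")

def parse(line):
    """Split one console line into (timestamp, process, pid, message)."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%m/%y %I:%M:%S %p")
    return ts, m["proc"], int(m["pid"]), m["msg"]

def lookup_failures(lines, window=timedelta(seconds=5)):
    """One finding per failed directory lookup, with any audit result logged
    for the same user by the same SecurityAgent pid inside the window."""
    events = [e for e in map(parse, lines) if e and e[1] == "SecurityAgent"]
    findings = []
    for ts, _, pid, msg in events:
        fail = LOOKUP_FAIL.search(msg)
        if not fail:
            continue
        user = fail["user"]
        audits = [a["result"] for t, _, p, m in events
                  if p == pid and abs(t - ts) <= window
                  and (a := AUDIT.search(m)) and a["user"] == user]
        findings.append({"time": ts.isoformat(sep=" "), "pid": pid,
                         "user": user, "audit": audits})
    return findings

# First three lines are quoted from the post; the last two are constructed.
SAMPLE = """\
31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services
31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname
31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing
31/08/09 4:52:03 PM loginwindow[41] constructed line from another process
31/08/09 4:55:10 PM SecurityAgent[702] Could not get the user record for 'asmith@domainname' from Directory Services
""".splitlines()

if __name__ == "__main__":
    for finding in lookup_failures(SAMPLE):
        print(finding)
```
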
  • Ken_Edgar Level 1
    I have found that I can get a Kerberos TGT if I first log in as a local user, su to an Active Directory account, then use kinit. I will try logging in as a network user this morning again and look at the logs to see if the same types of entries JB wrote about show up.
  • ben6073 Level 1
    I am also having this same issue.

    The Mac binds fine. The computer account is created fine in AD. I can see users and groups in the new "Allow Network Users to log in..." screen. But no matter what I can't authenticate. The log in screen just shakes it off.

    Has anyone been able to successfully log into AD?
  • ben6073 Level 1

    I was able to get logged in using my AD credentials. I found this: 7a?pli=1

    And followed these instructions specifically:

    by running the following commands-

    sudo /System/Library/CoreServices/
    createmobileaccount -n username
    sudo createhomedir -c -u username

    So it seems for me the issue was not that it wouldn't take my credentials, but that it didn't want to create the home directory.

    Anyways, I think it is a bug, but this is a decent workaround.

  • Joe Swenson Level 3
    Are mobile accounts enabled?
    I can log in with AD accounts as long as mobile accounts aren't enabled. After that, forget it.
  • Ken_Edgar Level 1
    This works! So we have figured out the why... I wonder when Apple will fix this.

    Thanks Ben!
  • A A P L Level 7
    Using (have been using for months) with AD and no issues at all.
    One thing I have seen twice is a lack of a Kerberos ticket after login, which seems impossible - so I have a bug report with Apple that I'm working on.
    Functionally, it's been solid.
    Do any of you also use an OD Master (Apple Xserve/XSAN)?
    Were your Mac bindings new, or carry-overs from a Leopard install?
    If a carry-over, did you try removing the objects from Active Roles before binding again?

  • Jason_Scott Level 1
    When I try the terminal commands I get a failure message that says "command not found". Any thoughts?
  • Greg Plassmeyer1 Level 1
    Thanks ben6073 for posting your solution. It worked for me as well.

    I did a clean install of SL, joined the machine to the domain using Directory Utility. Restarted and when the other user option finally came up in the login screen it would just shake after entering my credentials. As if I was using the wrong password. I then logged in with the local admin account and using the Directory Utility disabled the mobile account option. I then restarted and was able to log in using my credentials.

    MOBILE ACCOUNTS ARE BROKEN!!! At least for Active Directory.

    Thanks ben6073 for the link to a fix.


    Message was edited by: Greg Plassmeyer1
  • ben6073 Level 1
    I think your issue may be that you need to make them executable. Try doing this:

    cd /System/Library/CoreServices/

    then do:

    sudo ./createmobileaccount -n username


    sudo createhomedir -c -u username

    the ./ makes the script executable.