
Unable to login @ login window with Active Directory User

I successfully bound my test machine to Active Directory and can search using dscl and id. I can also su to my Active Directory user account and authenticate perfectly. All search bases are correct and everything else looks fine.

When I attempt to login from the login window as an AD user, the window shakes. Clicking under Mac OS X shows that "Network Accounts Available". Looks like the CLI tool "dirt" is now gone as well, although insecure it would possibly show something here.

Anyone else having issues after binding to AD? I bound using the Directory Utility GUI... I have not tried using my Leopard bind script yet.

Thanks,
Ken

Mixed environment, Mac OS X (10.6)

Posted on Aug 28, 2009 1:16 PM

36 replies

Aug 28, 2009 2:06 PM in response to MSL-ITmanager

No solution yet... I'm hoping someone from Apple reads this and has a solution. I wouldn't think they would deploy SL without first testing the AD plug-in functionality. However I know I'm not doing anything wrong as I've been binding machines to the same AD directory for a long time now.

I also checked my ntp settings to make sure everything was within sync... and I had a dash in my hostname which I think I remember reading one time that that's bad. I unbound, removed the dash, and rebound with the same results.

I find it interesting that I can su to my ad account just fine, and if I type "id someusername" I get account info returned to me. Using DSCL I'm able to get information back perfectly. Something with loginwindow that doesn't want to work with the AD plug-in I'm assuming.

Message was edited by: Ken_Edgar

Aug 31, 2009 12:07 AM in response to Ken_Edgar

I have pretty well the same problem. The machine was already bound to AD prior to upgrade. Afterwards I could not log on with my account (jball). Can log on with other accounts from the same domain (we only have one AD domain). Can also su to jball in a terminal session. Can't access network resources with jball when I try to connect to a Windows server through the Finder; it instantly comes up with bad username or password, doesn't even think about it.

I have removed any copies of the home folder under either /Users or /Domain as I have had problems with that before. Have repaired permissions and unbound and rebound the machine to AD. Have been at this all day now and no closer. Get these error messages in console:

31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services

31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname

31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing
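
An added example, not part of the original post and not an Apple tool: a small triage script that pairs the two SecurityAgent messages above per user, so a "record lookup failed but login attempt PASSED" case stands out from a plain failed login. The function names, the result labels, the last sample line and the reading of PASSED as "credentials accepted" are assumptions made for this example.

```python
import re
from collections import defaultdict

# Console line layout as it appears in the post: date, time, process[pid], message.
LINE = re.compile(r"^\d{2}/\d{2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M "
                  r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\] (?P<msg>.*)$")
LOOKUP_FAIL = re.compile(
    r"Could not get the user record for '(?P<user>[^']+)' from Directory Services")
AUDIT = re.compile(r"\((?P<user>[^)]+)\) login attempt (?P<result>[A-Z]+) for auditing")

# The first three lines are quoted from the post. The fourth is constructed for
# contrast; its user name and wording are assumptions.
SAMPLE = """\
31/08/09 4:49:27 PM SecurityAgent[666] Could not get the user record for 'jball@domainname' from Directory Services
31/08/09 4:49:27 PM SecurityAgent[666] User info context values set for jball@domainname
31/08/09 4:49:27 PM SecurityAgent[666] unknown-user (jball@domainname) login attempt PASSED for auditing
31/08/09 4:51:02 PM SecurityAgent[666] unknown-user (asmith@domainname) login attempt FAILED for auditing
"""

def triage(text):
    """Return {user: {"lookup_failed": bool, "audit": str or None}}."""
    state = defaultdict(lambda: {"lookup_failed": False, "audit": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["proc"] != "SecurityAgent":
            continue  # skip blank lines and other processes
        if (hit := LOOKUP_FAIL.search(m["msg"])):
            state[hit["user"]]["lookup_failed"] = True
        elif (hit := AUDIT.search(m["msg"])):
            state[hit["user"]]["audit"] = hit["result"]
    return dict(state)

def classify(entry):
    """Label one user's state (labels are this example's own)."""
    if entry["lookup_failed"] and entry["audit"] == "PASSED":
        # Assumption: PASSED means the credentials were accepted, so the
        # rejection at loginwindow came from the account record or home setup.
        return "record-missing-auth-passed"
    if entry["audit"] == "FAILED":
        return "auth-failed"
    if entry["lookup_failed"]:
        return "record-missing"
    return "no-finding"

if __name__ == "__main__":
    for user, entry in triage(SAMPLE).items():
        print(user, classify(entry))
```
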

Aug 31, 2009 11:45 AM in response to ben6073

Update:

I was able to get logged in using my AD credentials. I found this:

http://groups.google.com/group/macenterprise/browse_thread/thread/2c2502b08bb84c7a?pli=1

And followed these instructions specifically:

by running the following commands-

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
sudo createhomedir -c -u username

So it seems for me the issue was not that it wouldn't take my credentials, but that it didn't want to create the home directory.

Anyways, I think it is a bug, but this is a decent workaround.

-Ben

Aug 31, 2009 12:00 PM in response to Ken_Edgar

Using (have been using for months) with AD and no issues at all.
One thing I have seen twice is a lack of a Kerberos ticket after login, which seems impossible - so I have a bug report with Apple that I'm working on.
Functionally, it's been solid.
Do any of you also use an OD Master (Apple Xserve/XSAN)?
Were your Mac bindings new, or carry-overs from a Leopard install?
If a carry-over, did you try removing the objects from Active Roles before binding again?

Scott

Aug 31, 2009 12:47 PM in response to ben6073

Thanks ben6073 for posting your solution. It worked for me as well.

I did a clean install of SL, joined the machine to the domain using Directory Utility. Restarted and when the other user option finally came up in the login screen it would just shake after entering my credentials. As if I was using the wrong password. I then logged in with the local admin account and using the Directory Utility disabled the mobile account option. I then restarted and was able to log in using my credentials.

MOBILE ACCOUNTS ARE BROKEN!!! At least for Active Directory.

Thanks ben6073 for the link to a fix.

G

Message was edited by: Greg Plassmeyer1
