I just wanted to clarify to everyone that is having issues with AD and login in. I currently Login into AD under a single domain with multiple forests. I have no issue what so ever using Tiger, Leopard, Snow Leopard.
Note: Set up a new network profile. Call it HOME, WORK, SCHOOL, etc.
Note 2: Do not rely on Automatic for all your directory auth. needs.
Note 2b: If your current network config is on Automatic with no entries, you'll never auth. against the directory server, and the status of your domain will be marked "red" or the multiple settings will be marked "red".
Imperative to have: make sure your DNS address in your network configuration is pointing to your DC, and the other DNS address for your internet.
You should be good from here.
There is no need to mod any core services!
If you read this and you need help, I'll be more than happy to help.
APPL, I see you have no problem, because you're pointed to your DC using the correct DNS settings.
The command lines used above are exactly what I am using to get around this. Unfortunately we won't be able to deploy Snow Leopard until this mobile account problem is fixed, although there should be a fix by the time we've finished ironing out exactly what else we need to do to manage machines with 10.6 installed.
Just wanted to add one more thing. I love that Snow Leopard will warn you that your Active Directory password will soon expire, but this feature doesn't seem to work when using mobile accounts. I'm hoping that when the login problem is fixed that this will also be fixed, but please retain this functionality with mobile accounts as well.
We seem to be experiencing slightly different results. Existing local users cannot log into AD. (get the shake as if password is wrong) Newly created AD accounts can log into AD.
(both with the mobile account creation turned off)
The userid in AD is the same as the local mac userid. Is this creating some new kind of conflict perhaps?
lundejd - this is a regular problem... what happens is that the local LDAP database is queried first and finds a matching user account. The password most likely is not the same between the local account and the network account. Authentication then fails with the account from the local database and it does not go any further.
You will need to remove the local user account... if you want to use the same home folder, you may need to "chown -R username /Users/username/"
When I try the first command, it says, "command not found", but if I make it executable after browsing to the directory, it works.
However, I have a question; if I wanted to keep the home directory local to the computer, do I need to run the second "createhomedir" command for things to function properly? Just running the first command to create the mobile account has allowed me to log in with an AD account and the local home directory is there.
I had the same issue of not being able to log in to a mobile AD account.
I was able to, though, if I did one of the below.
1. Set AD account to have a blank local path for the home folder.
2. Snow Leopard > Directory Utility > AD > Advanced options > tick "Use UNC path from Active Directory to derive network home location". Also change Network protocol to smb.
3. Or do the command line mobile user creation as previously stated in post.
On September 21, 2009 Apple added this document to their knowledge base:
"As a workaround:
1. Remove the Home folder path specified in Active Directory for the user.
2. Log in to the Mac OS X v10.6 client.
3. Create the mobile account when prompted.
4. Specify the home folder path in Active Directory for the user.
The user should now be able to log in to the Mac OS X v10.6 client."
This is ridiculous! This worked in 10.3, 10.4 and 10.5, so why won't this work for 10.6?
This workaround is definitely helpful, but it is only taking me part of the way there, because the mobile account that gets created seems to be only half-baked in that the GID doesn't stick. This triggers hash mismatch errors which I can only cure by resetting the GID, which allows me to get in once, but the user environment never works properly. The mobile account user cannot even reset the background image, even though I have given that person and the groups the person is in administrative access to the computer.
Any suggestions? I sure wish that Apple would fix this. I tried all the other workarounds, but yours is the only one that at least started to allow me to progress.
Thanks so much,
Anyone happen to see this issue even with "Create mobile account at login" and "Force local home directory on startup disk" unchecked? I have been able to create mobile accounts manually as noted by ben6073 and successfully log in, but with the sheer amount of users that will be logging in to the 3 machines that I have this issue with, it's very inefficient to do for every user. Also worth noting, I also get the errors stating that "Could not get the user record for 'user' from Directory Services". Finally, removing the home directory path in the AD profile didn't work for me here. I'm also going to post a new topic as well. Thoughts?
My experience was that I could originally bind to the AD. Then I could immediately logoff and logon as the AD user. But I could do nothing. And on reboot I could not logon anymore as that user. And I would no longer have connection to the domain. I would have to unbind and then rebind to logon again but still no network access.
I did get it to work eventually by binding, logging on as the AD user, then logging off and logging on as the local admin. Then I ran the below in Terminal and I was able to correctly log on to the domain and access network resources.
sudo ./createmobileaccount -n username
sudo createhomedir -c -u username
For the curious, yes our domain ends in .local. I didn't set it up this way I just maintain it. And the mobile accounts were turned off in the directory utility.
I will look deeper at node927's suggestion if I ever decide to upgrade our other mac to 10.6.
I finally had a chance to try your workaround, and the commands you provided do the trick.
Is there anything that can be done to get Apple to incorporate a fix into 10.6.2 or 10.6.3? Why is it necessary to resort to a workaround? It seems to me that Snow Leopard is a tremendous improvement as far as binding is concerned, and that they are very, very close to getting AD login to work correctly if mobile account creation were to be fixed.
Thank you very much!