No solution yet... I'm hoping someone from Apple reads this and has a solution. I wouldn't think they would deploy SL without first testing the AD plug-in functionality. However, I know I'm not doing anything wrong, as I've been binding machines to the same AD directory for a long time now.
I also checked my NTP settings to make sure everything was in sync... and I had a dash in my hostname, which I think I remember reading one time is bad. I unbound, removed the dash, and rebound with the same results.
I find it interesting that I can su to my AD account just fine, and if I type "id someusername" I get account info returned to me. Using dscl I'm able to get information back perfectly. It's something with loginwindow that doesn't want to work with the AD plug-in, I'm assuming.
Message was edited by: Ken_Edgar
I have pretty well the same problem. The machine was already bound to AD prior to the upgrade. Afterwards I could not log in with my account (jball). I can log on with other accounts from the same domain (we only have one AD domain). I can also su to jball in a terminal session. I can't access network resources with jball: when I try to connect to a Windows server through the Finder, it instantly comes up with bad username or password; it doesn't even think about it.
I have removed any copies of the home folder under either /Users or /Domain, as I have had problems with that before. I have repaired permissions and unbound and rebound the machine to AD. I have been at this all day now and am no closer. I get these error messages in Console:
31/08/09 4:49:27 PM SecurityAgent Could not get the user record for 'jball@domainname' from Directory Services
31/08/09 4:49:27 PM SecurityAgent User info context values set for jball@domainname
31/08/09 4:49:27 PM SecurityAgent unknown-user (jball@domainname) login attempt PASSED for auditing
I am also having this same issue.
The Mac binds fine. The computer account is created fine in AD. I can see users and groups in the new "Allow Network Users to log in..." screen. But no matter what, I can't authenticate. The login screen just shakes it off.
Has anyone been able to successfully log into AD?
I was able to get logged in using my AD credentials. I found this:
And followed these instructions specifically:
by running the following commands:
createmobileaccount -n username
sudo createhomedir -c -u username
So it seems for me the issue was not that it wouldn't take my credentials, but that it didn't want to create the home directory.
Anyways, I think it is a bug, but this is a decent workaround.
Using (have been using for months) with AD and no issues at all.
One thing I have seen twice is a lack of a Kerberos ticket after login, which seems impossible - so I have a bug report with Apple that I'm working on.
Functionally, it's been solid.
Do any of you also use an OD Master (Apple Xserve/XSAN)?
Were your Mac bindings new, or carry-overs from a Leopard install?
If a carry-over, did you try removing the objects from Active Roles before binding again?
Thanks ben6073 for posting your solution. It worked for me as well.
I did a clean install of SL, joined the machine to the domain using Directory Utility. Restarted and when the other user option finally came up in the login screen it would just shake after entering my credentials. As if I was using the wrong password. I then logged in with the local admin account and using the Directory Utility disabled the mobile account option. I then restarted and was able to log in using my credentials.
MOBILE ACCOUNTS ARE BROKEN!!! At least for Active Directory.
Thanks ben6073 for the link to a fix.
Message was edited by: Greg Plassmeyer1