Previous 1 2 Next 20 Replies Latest reply: Apr 2, 2012 9:27 AM by rslygh Go to original post
  • theReal_banawalt Level 1 Level 1 (0 points)

    I have had this issue since I purchased two new mac minis a month or so ago.  Happened on 10.7.1 and 10.7.2.  Our domain contains .local so this might be complicating the issue for me.  No matter what I tried, the login process either would not work at all, or it would take 10+ minutes and multiple login attempts to work.  All my other macs (OS 10.5) work just fine logging in with domain accounts.  I found plenty of things other people tried with success, but nothing worked for me.  This article http://support.apple.com/kb/TS4041 started me in the correct direction finally, but it alone didn't work.  Combined with several other articles and information, I finally got something together that appears to be working for me.  I have now been able to successfully and repeatedly log in with domain accounts in under 5-10 seconds with one login attempt.  I have tested it on both mac minis with numerous restarts, shutdowns, and different domain users.  If you are on a domain with .local in it, this might help you.  I unfortunately do not know exactly which part of the following solution worked the magic, but here is what I did:

     

    -I enabled IPv6 on my two windows server 2003 DCs. 

    -I ran ipconfig on both DCs to get their IPv6 addresses.  You want the IPv6 attached to your network adapter,  not the IPv6 on the tunnel adapters or whatever other interfaces you might have.  It will most likely be the IPv6 in the same group/adapter section as your current IPv4 address.

    -I added a forward lookup AAAA record for both the w2k3 DCs into my domain.local DNS forward lookup zone (put your domain name in place of domain) with their respective IPv6 addresses.

    -I ensured the new AAAA records were updated in my domain and reachable from a vista box that already had IPv6 enabled (local link addresses).

    -I logged into the mac mini with local admin, then opened the /etc/hosts file for editing, you will need to sudo into your favorite editor, I used vi. e.g. at terminal prompt> sudo vi /etc/hosts

    -in /etc/hosts add the following lines at the bottom of the file:

    127.0.0.1     domain.local

    ::1               domain.local

    DC1_IPv6_address     fqdn_of_DC1.domain.local

    DC2_IPv6_address     fqdn_of_DC2.domain.local

    DC1_IPv4_address     fqdn_of_DC1.domain.local

    DC2_IPv4_address     fqdn_of_DC2.domain.local

     

    -save your edits, restart your machine and hopefully your domain login actually works now.  It does for me.  You do need to already be bound to the domain of course. 

     

    *fqdn_of_DCx.domain.local = the fully qualified domain name of your domain controller(s).  Replace domain with your domain name. e.g. if your DC is named DCserver and your domain is mydomain you would have DCserver.mydomain.local 

    *DCx_IPv6 = the IPv6 address of your domain controller(s).

    *DCx_IPv4 = the IPv4 address of your domain controller(s).

     

    Additional information:

    -mac minis OS 10.7.2:

    --set to use DHCP for IPv4 and Automatically for IPv6.

    --do not have anything set in the network DNS search domains (have seen that suggested)

    --bound to AD using the Open Directory Utility button not the + button (dont know if it makes a difference)

    --have domain.local in the active directory domain box in the afore mentioned utility

    --not using mobil accounts

    --have IPv4 address of one DC in Prefer this domain server: (and box is checked)

    --have Allow administration by: checked with default domain admins and enterprise admins in there

    --do not have Allow authentication from any domain in the forest box checked

    --only have /Active Directory/DOMAIN/domain.local in the authentication search policy path, so using the example domain referenced above = /Active Directory/MYDOMAIN/mydomain.local  (also has /local/default)

    --have Display login window as: Name and Password selected

     

    I cant think of any other settings that I have messed with in trying to get this to work, but with all those things set, I can now log into the mac minis on my .local domain with domain accounts and do not have issues anymore.  At one point I had messed with so much stuff on one of the minis that is was borked.  I reformatted the drive, reinstalled 10.7.1, installed 10.7.2 patch and all other mac software updates, bound the mac to the domain, then made the changes above.  The other mac was as received from the retailer with only 10.7.2 update and all other patches applied.  After dealing with this broken login crap for over a month, I am tired of it and just glad it is finally working.  Hopefully this might help some of you.

  • plexusIT Level 1 Level 1 (0 points)

    Hello,

     

    I have followed the steps and confirmed that we are getting login time around 40 seconds to the desktop including the dock loaded. Login times were 3mins prior to the changes. Removed the host file entries to test and makes the login times about 1 min 30 secs.

     

    Thanks for post very helpful!

  • crapple95 Level 1 Level 1 (0 points)

    A combination of statically assigning the hosts in the host file and the fixes reccomended in the "centrify" document has sucessfully worked around the issue for me. My domain log in time is now 10 seconds from the login prompt!

     

    The problem is .local domain names, which we all know. Please see this post as well which got me going in the end :https://discussions.apple.com/thread/3198558?start=60&tstart=0

     

    I will reproduce the instrcuctions that i wrote below. Please note that in addition to this, i have also done the following:

    Port 119 fix on the windows DHCP server as detailed here:  http://www.mattzuba.com/2011/03/windows-2008-rc2-dhcp-server-option-119/

    LOCAL dns zone in the forest (no entries, it just needs to be created and athoritative)

     

    --- instructions follow (HOPEFULLY IT DOESNT GET TOO MESSED UP) --

     

    to get lion which is buggy onto a .local domain

     

     

     

    1.) install OSX

    2.) go into directory utility and go to join the computer.

    3.) make sure that the domain server is DOMAINCONTROLLER.domain.local . Turn off "search all domain controllers"

    4.) join to domain. After join, open the console and run the following command:

    sudo dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/domain.local"

    this will add the main domain.

    5.) in the search list, make sure that "/Active Directory/DOMAIN/All Domains" is at the top (just below local/local or whatever, the default)

    6.) perform the following steps to manually get it talking reliably to the domain:

     

     

    Workaround

    The following steps require root or sudo privileges. Important: Save a backup of the original files in another location, to provide a means of recovering from any mistakes made in editing.

     

    Mac 10.7 always does both an IPv4 and IPv6 query. We can configure IPv6 to be disabled and that will improve performance.

    Unfortunately, you cannot disable IPv6 from System Preferences, and so you need to

     

    7.)  manually edit the /Library/Preferences/SystemConfiguration/preferences.plist on the Mac.

     

    Find the network adapter (Ethernet or Airport) under NetworkServices key, and then edit the IPv6 setting, changing the config method to __INACTIVE__:

     

    --------------------------------------

    <plist version="1.0">

    <dict>

    <key>CurrentSet</key>

    <string>/Sets/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</string>

    ... ...

    <key>NetworkServices</key>

    <dict>

    <key>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</key>

    <dict>

    ... ...

    <key>IPv6</key>

    <dict>

    <key>ConfigMethod</key>

    <string>__INACTIVE__</string>

    </dict>

    --------------------------------------------------

     

    8.) There's no way to change the DNS lookup order, but you can reduce the multicast DNS timeout by editing mdns_timeout, located here:

    /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info.plist

     

    The default setting is 5. Set mdns_timeout to 0 as shown below.

     

    -------------------------------------------

    <key>mdns_timeout</key>

    <integer>0</integer>

     

    -------------------------------------------

     

     

    9.) If you set mdns_timeout to 0, then you won't be able to ping any ".local" host/domain, but other apps such as Finder and Apple's Active Directory plugin work well (it can resolve a .local hostname). You can login as a network home user very quickly.

    If you try to mount a SMB share in the Finder, you can ignore the prompt that says there's a problem connecting to the server. If you wait for several seconds and retry, it will eventually connect. This prompt can be removed by adding the machine that hosts the DNS server and Windows share into /etc/hosts file on the Mac:

     

     

    10.0.0.14     DOMAINCONTROLLER.domain.local

    10.0.0.19     ANYOTHERHOSTYOUNEEDACCESSTO.domain.local

     

    Note: Because you cannot ping domain.local, adclient will stay in disconnected mode for up to 60 seconds after start (which means you need to wait for more than 1 minute after reboot). Adding domain.local into /etc/hosts solves the disconnect issue.

    10.)

    Reboot the Mac after performing steps 1) through 4).

    11.)

    Login to the Mac

     

     

    After all that it should work. I also had to add a local zone to DNS as well as adding a DHCP option 119 on the dhcp server.

  • rslygh Level 1 Level 1 (0 points)

    This issue appears to be fixed in the 10.7.3 update.

  • MrVas Level 1 Level 1 (0 points)

    Wrong thread.

  • rslygh Level 1 Level 1 (0 points)

    How so? This issue appears to be fixed. The "network accounts unavailable" message still appears, but it's only showing when it's supposed to be when the machine initially boots and also when it's offline. If you have mobile accounts setup the system allows you to login regardless of that message, assuming you've logged in with the account at least once before. I haven't seen that behavior in either of the previous updates, at least not without some workarounds.

Previous 1 2 Next