Active Directory broken in Lion?
Just installed Lion on a network that authenticates users using Active Directory and it shows a red dot saying "network accounts are unavailable".
Does anyone have a workaround to make AD bind?
10.7.2 is a beta download from the ADC.
Interesting that command worked, they must have fixed something with mobile accounts.
I just installed the latest release 10.7.1, and I will test binding.
Thanks
So, the problem is not fixed with 10.7.1.
I'm not sure why Apple didn't incorporate the AD fixes into 10.7.1, but there is a new beta, 10.7.2 (11C40), and AD does bind correctly. Expect 10.7.2 to be a hefty release, and I would expect it to be released by September 1st.
Issues reported with Lion are probably assigned different levels of severity/priority. Apple is likely concentrating on fixing issues that are more apparent to the average users. Those of us with more advanced configurations get to wait. It does kinda show though how little they care about integration with heterogeneous enterprise environments. I am sure every shop out there running AD and Macs is experiencing these problems and putting Lion on hold as a result.... It's just not their market obviously...
My issue is that Network Home Folders (Augments to be exact) do not mount when a user logs in. When I log in under 10.7.1, I get the error:
"The home folder for <user> isn't located in the usual place or can't be accessed".
This never happened under 10.6.x, 10.5.x or 10.4.x. I am using 10.6.8 Snow Leopard Server. We do not use mobile accounts (we use Augments, with AD handling authentication).
Here is an article Mac OS X Hints just posted.
Disabling IPv6 seems to solve the binding issue.
But there is no "Off" choice in the Network System Preference for IPv6, so as per the Mac OS X Hints article, use the command line to turn it off:
You can disable IPv6 from the command line with:
networksetup -setv6off Ethernet
http://hints.macworld.com/article.php?story=20110805100012401
I haven't tested this yet, let us know if it works.
I've been getting bumped off AD, so I'm hoping this solves it.
Does anyone know if the AD binding that's fixed in 10.7.2 (according to the above, haven't tried myself) fixes the .local binding issue? That is, Lion is completely unable to log in to a domain ending in .local due to a conflict with Bonjour.
Why Apple decided to go with .local for Bonjour I will never understand, seeing as a huge percentage of Windows small business and corporate domains end in .local.
It used to be that since Mac OS X uses the .local domain for Bonjour (link-local addressing), it would conflict with any .local AD domain. To get around this, you used to have to add .local to the search domain settings in the Network preference pane. All .local DNS queries would then be unicast to the DNS servers before being multicast to the network.
The use of .local hasn't been a problem since OS X v10.5.4. OS X clients recognize .local domains, and the addition of .local into the search domain settings is no longer necessary.
I finally got it to work by unchecking the option "allow administration" in Active Directory setup. Once I removed this in Directory Access I rebooted and then was able to create domain accounts.
and, on a related note:
Lion Directory Services security flaw makes cracking, changing passwords easier
Just when you thought AD binding was your biggest integration problem...
Hi,
just wanted to let you guys know. It works well for me now by putting the \DOMAIN search path above \All Domains and by creating a mobile user account using
sudo /System/Library......./createmobileuseraccount -n username
while logged in as local administrator.
Regards,
somi
The 10.7.2 update didn't work for me. I still can't bind to our domain no matter what method I try.
Kent
Just discovered that by wiping the drive and doing a fresh install of Lion I can bind to our domain with no problem at all. And that's before installing the 10.7.2 update.
Kent
These issues were not solved with 10.7.2. I am still experiencing issues with authentication. It was the same thing with SL actually. Sometimes I get the green status for directory services and sometimes it is red or yellow. I am running on a clean and well maintained Lion install and this is pretty random. The opendirectory logs always show an entry for 'failed to retrieve credentials for....'. I am not sure what causes it. My Windows machines work great. I've gone through all sorts of configuration tweaks, e.g. search paths, etc. It is an intrinsic problem with OSX. That said, I do run a .local domain. Starting with 10.6, OSX is supposed to take that into account for Bonjour but I am not sure anymore.
I'd be curious to know how many of you experiencing these problems are running .local domains and how many are not.
I'm on a .local domain but those problems were resolved many OS X versions ago.
After doing the clean install of Lion I joined the domain via the Login Options of Users and Groups. It displayed the long domain name. I then installed 10.7.2, rejoined the domain using Directory Services and now it shows two domain entries, the long name and the short name. I am still getting the message "Some network accounts are available" with a yellow dot in the log-in screen. It still takes nearly a minute to log in but this is due to a documented IPv6 issue that started with 10.6.8. Hopefully when we get IPv6 pointers in our DNS the log-in will be faster.
Kent
I very much doubt this has anything to do with IPv6. I turned off IPv6 in Lion and the issue remains. Do you have IPv6 disabled?