Active Directory broken in Lion?
Just installed Lion on a network that authenticates users using Active Directory and it shows a red dot saying "network accounts are unavailable".
Does anyone have a workaround to make AD bind?
Apple wrote:
Improve binding and login speed for Active Directory users in a domain whose name ends in ".local"
I just installed it on a clean Lion setup, added it to the domain and, so far, it is working perfectly. Mounting SMB and AFP volumes is much faster than with the Likewise plug-in. This is good news!
Will keep testing.
Kent
I am unable to give automatic admin rights to Domain Users or even Domain Admins. I have everything set up identical to the way it works in Snow Leopard under the Administrative tab in the Active Directory settings but no go. Anyone else?
I noticed the same thing right after I posted my previous message.
Kent
You can give the user admin rights, however.
It appears to work best to join the domain via the Users & Groups panel rather than through the Directory Services utility. I can join via Directory Services but I get a yellow dot in the log-in screen that says "Some directory accounts are available." This does not happen when I join in Users & Groups.
Kent
It's still not creating mobile accounts at log-in.
Kent
I reverted the Centrify workaround (leaving the LOCAL DNS zone in place on my DNS server) and so far it seems to work, 4 days and counting. Mobile accounts are also being created successfully. I am not experiencing an issue granting administration privileges to domain groups; that is, I am still able to grant access to Domain Admins. I do notice a delay in logon times, and also slight delays when launching Terminal (while logged on with a domain account). None of this was present with the Centrify workaround, so I think there is still room for improvement.
I filed a bug report with Apple about the mobile accounts and the AD admin problems. They claim they've not heard of either problem.
If you're experiencing these problems please file a bug report.
Kent
Interesting.
I followed this guide and it fixed my authentication problem;
http://www.macwindows.com/TIP-Lion-dot-local-AD-disable-multicast.html
Bonus: I'm not in a .local domain... I'm not asking questions, but I have 100% authentication (after about 30 seconds of waiting) by disabling multicast DNS and adjusting a time-out setting.
Let's see what happens.
That was part of the same workaround published by Centrify. I am confused, though: you say you are NOT in a .local domain, so why would you even have to apply this fix? The issue, AFAIK, only affects .local domain clients.
Hello
I'm on a .local domain, AD 2008 R2.
We specified for many users (Mac mini users) the same local home folder in the Active Directory profile (Home folder, Local path: /Users/homeAD).
It has not worked since 10.7.
We manage the rights with login and logout scripts.
Do you have a solution?
It must be with just .local...
I rebooted for the Messenger beta and I had login **** for a while.
Had to pull machine off / back on domain a few times, permission repair, etc.
Regarding turning off IPv6, it's best not to manually edit the preferences plist, because that may be overwritten by cache later. To properly disable IPv6, use the networksetup command or System Preferences. For example:
sudo networksetup -setv6off "Ethernet 1"
You'd replace the "Ethernet 1" name with the name of your active service(s). To get the names of the services, use:
networksetup -listallnetworkservices
You are correct that there have been recurring issues with .local DNS and Mac OS X before. Unfortunately, the replacement of the DirectoryService subsystem with opendirectoryd may have reintroduced some of these Leopard-era problems. You can simply disable the Bonjour service in Mac OS X by unloading its launch daemon...
launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
In regard to the "cannot store password" error, I should note that Lion employs a new method for storing the password of the machine account that it uses to connect to Active Directory. In Snow Leopard and earlier (probably all the way back to Panther), the machine account password was scrambled and stored as a value for an attribute in the ActiveDirectory.plist file. File permissions on this were such that nobody had access to it except for the root account.
In Lion, the AD password is stored in the system keychain instead. You can view the corresponding entries by viewing the /Library/Keychains/system.keychain file in the Keychain Utility. Sometimes those entries must be cleared for a successful bind following several failed ones. Or you can clear and reset the whole system keychain with this command...
sudo systemkeychain -fcCv
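The reply above gives the three client-side workarounds as individual commands: turn IPv6 off per network service, unload mDNSResponder when the domain ends in ".local", and (as a last resort) reset the System keychain. The script below is an added example, not code from the thread or from Apple; it strings the first two together so they can be reviewed before anything is changed. It parses the output of `networksetup -listallnetworkservices` (legend on the first line, disabled services prefixed with "*") and prints the commands it would run; only with `APPLY=1` on a Mac are they piped to `sudo sh`. The function names, the `APPLY` switch and the sample listing are assumptions of this example, not from the page. The keychain reset is deliberately left out, since it wipes every System keychain item, not just the AD machine account.

```shell
#!/bin/sh
# Added example, not from the thread. Collects the Lion AD-bind workarounds
# discussed above into one reviewable plan. Dry run by default; APPLY=1 executes.
# Assumed here (not from the page): function names, the APPLY switch, and the
# constructed SAMPLE_LISTING used when networksetup is not available.

# Return 0 if the AD domain name ends in ".local" (the case Apple's release
# note and the Centrify workaround are about), 1 otherwise.
is_dot_local() {
    case "$1" in
        *.local|*.LOCAL) return 0 ;;
        *)               return 1 ;;
    esac
}

# Given the text of `networksetup -listallnetworkservices`, print the enabled
# service names one per line: the first (legend) line, "*"-prefixed disabled
# services and blank lines are dropped.
active_services() {
    printf '%s\n' "$1" | sed -e '1d' -e '/^\*/d' -e '/^$/d'
}

# Print the command that disables IPv6 on one service, quoted so names with
# spaces ("Ethernet 1", "Wi-Fi") survive being re-read by a shell.
ipv6_off_cmd() {
    printf 'networksetup -setv6off "%s"\n' "$1"
}

# Print the full plan for a domain and a service listing: one IPv6-off line per
# enabled service, plus the mDNSResponder unload only for a .local domain, so
# the suffix is resolved by unicast DNS (the AD DNS server) instead of Bonjour.
plan() {
    _domain="$1"
    _listing="$2"
    active_services "$_listing" | while IFS= read -r svc; do
        ipv6_off_cmd "$svc"
    done
    if is_dot_local "$_domain"; then
        echo 'launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist'
    fi
}

# Dry run prints the plan; APPLY=1 feeds it to a root shell (macOS only).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        plan "$1" "$2" | sudo sh
    else
        plan "$1" "$2"
    fi
}

# Constructed sample of `networksetup -listallnetworkservices` output, used
# when this script is run somewhere without the networksetup tool.
SAMPLE_LISTING='An asterisk (*) denotes that a network service is disabled.
Ethernet 1
*Bluetooth DUN
Wi-Fi'

if command -v networksetup >/dev/null 2>&1; then
    LISTING=$(networksetup -listallnetworkservices)
else
    LISTING=$SAMPLE_LISTING
fi

# Usage: sh ad-lion-prep.sh corp.local        (dry run; prints the plan)
#        APPLY=1 sh ad-lion-prep.sh corp.local (executes it via sudo)
run "${1:-corp.local}" "$LISTING"
```

After applying the plan, re-bind from the Users & Groups pane (the thread reports fewer "Some directory accounts are available" warnings that way than via Directory Utility) and check the result with `dsconfigad -show` and `id <domainuser>` before touching the System keychain at all.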