Since 10.7.2 isn't actually out yet I thought I'd add a workaround that worked for me concerning mobile accounts in Lion.
WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."
I was able to "fix" the Mobile Account issue above in Lion, for now. (Valid as of 8/18/11 on Lion 10.7.1)
- In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked
- Log out, then back in as a networked user. A local home directory will be created under /Users but will not be accessible if the network is offline (non-mobile)
- Open Terminal
--- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
--- Type: ./createmobileaccount -n username
The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account.
This fixes Active Directory mobile accounts for the time being, so now it's on to Open Directory, which refuses to stay bound after a reboot.
Issues reported with Lion are probably assigned different levels of severity/priority. Apple is likely concentrating on fixing issues that are more apparent to the average users. Those of us with more advanced configurations get to wait. It does kinda show though how little they care about integration with heterogeneous enterprise environments. I am sure every shop out there running AD and Macs is experiencing these problems and putting Lion on hold as a result.... It's just not their market obviously...
My issue is that Network Home Folders (Augments to be exact) do not mount when a user logs in. When I log in under 10.7.1, I get the error:
"The home folder for <user> isn't located in the usual place or can't be accessed".
This never happened under 10.6.x, 10.5.x or 10.4.x. I am using 10.6.8 Snow Leopard Server. We do not use mobile accounts (we use Augments, with AD handling authentication).
Here is an article Mac OS X Hints just posted.
Disabling IPv6 seems to solve the binding issue.
But there is no "Off" choice in the Network System Preference for IPv6, so as per the Mac OS X Hints article, use the command line to turn it off:
You can disable IPv6 from the command line with:
networksetup -setv6off Ethernet
I haven't tested this yet, let us know if it works.
I've been getting bumped off AD, so I'm hoping this solves it.
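Added example (not part of any post in this thread): the command above turns IPv6 off for the service named "Ethernet" only. This sketch generalizes it by building the same command for every enabled service listed by `networksetup -listallnetworkservices`; the function name and the sample listing are constructed for illustration, and it only prints the commands rather than running them.

```shell
#!/bin/sh
# Dry run: turn a "networksetup -listallnetworkservices" listing into
# one "networksetup -setv6off" command per enabled network service.

# Constructed sample listing, so the parsing can be exercised off a Mac.
SAMPLE_LISTING='An asterisk (*) denotes that a network service is disabled.
Ethernet
*FireWire
Wi-Fi
Thunderbolt Ethernet'

# Hypothetical helper: reads a service listing on stdin, prints commands.
v6off_commands() {
    while IFS= read -r svc; do
        case "$svc" in
            "An asterisk"*) continue ;;  # header line printed by networksetup
            \**)            continue ;;  # disabled service, leave untouched
            "")             continue ;;  # blank line
        esac
        # Quote the name: services such as "Thunderbolt Ethernet" contain spaces.
        printf 'networksetup -setv6off "%s"\n' "$svc"
    done
}

# Show what would be run for the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | v6off_commands

# On a Mac: networksetup -listallnetworkservices | v6off_commands
# Review the output before piping it into "sudo sh".
# "networksetup -setv6automatic <service>" restores the default per service.
```

Recording which services were changed makes it straightforward to revert once the binding issue is fixed upstream, since IPv6 stays off until it is explicitly re-enabled.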
Does anyone know if the AD binding that's fixed in 10.7.2 (according to the above, haven't tried myself) fixes the .local binding issue? That is, Lion is completely unable to log in to a domain ending in .local due to conflict with Bonjour.
Why Apple decided to go with .local for Bonjour I will never understand, seeing as a huge percentage of Windows small business and corporate domains end in .local.
It used to be that since Mac OS X uses the .local domain for Bonjour (link-local addressing), it would conflict with any .local AD domain. To get around this, you used to have to add .local to the search domain settings in the Network preference pane. All .local DNS queries would then be unicast to the DNS servers before being multicast to the network.
The use of .local hasn't been a problem since OS X v10.5.4. OS X clients recognize .local domains, and the addition of .local into the search domain settings is no longer necessary.
and, on a related note:
Lion Directory Services security flaw makes cracking, changing passwords easier
Just when you thought AD binding was your biggest integration problem...
These issues were not solved with 10.7.2. I am still experiencing issues with authentication. It was the same thing with SL actually. Sometimes I get the green status for directory services and sometimes it is red or yellow. I am running on a clean and well maintained Lion install and this is pretty random. The opendirectory logs always show an entry for 'failed to retrieve credentials for....'. I am not sure what causes it. My Windows machines work great. I've gone through all sorts of configuration tweaks, e.g. search paths, etc. It is an intrinsic problem with OSX. That said, I do run a .local domain. Starting with 10.6, OSX is supposed to take that into account for Bonjour but I am not sure anymore.
I'd be curious to know how many of you experiencing these problems are running .local domains and how many are not.
I'm on a .local domain but those problems were resolved many OS X versions ago.
After doing the clean install of Lion I joined the domain via the Login Options of Users and Groups. It displayed the long domain name. I then installed 10.7.2, rejoined the domain using Directory Services and now it shows two domain entries, the long name and the short name. I am still getting the message "Some network accounts are available" with a yellow dot in the log-in screen. It still takes nearly a minute to log in but this is due to a documented IPv6 issue that started with 10.6.8. Hopefully when we get IPv6 pointers in our DNS the log-in will be faster.