Users unable to logon - "Logging in to the account failed because an error occurred."

After upgrading from Lion Server to Mountain Lion with OS X Server, my users are unable to logon.


The user gets the following error displayed:


You are unable to login to the user account "abcdefg" at this time.
Logging in to the account failed because an error occurred.


Looking at the logs, Kerberos authenticates correctly, as does Password Service Server Log.

Users can also get mail via their iDevices, so authentication does work... only logon to Macs seems to be an issue.


Looking at Open Directory Log, I see the following (highlighted the problem areas - I think - in red):


2012-07-26 22:28:48.171731 JST - opendirectoryd (build 197.11.16) launched...

2012-07-26 22:28:54.575839 JST - Logging level limit changed to 'error'

2012-07-26 22:28:54.616629 JST - Initialize trigger support

2012-07-26 22:28:54.618039 JST - Registered node with name '/Active Directory' as hidden

2012-07-26 22:28:54.618248 JST - Registered node with name '/Configure' as hidden

2012-07-26 22:28:54.618466 JST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'

2012-07-26 22:28:54.618473 JST - Registered node with name '/Contacts'

2012-07-26 22:28:54.618651 JST - Registered node with name '/LDAPv3' as hidden

2012-07-26 22:28:54.640168 JST - Registered node with name '/Local' as hidden

2012-07-26 22:28:54.640866 JST - Registered node with name '/NIS' as hidden

2012-07-26 22:28:54.641101 JST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'

2012-07-26 22:28:54.641108 JST - Registered node with name '/Search'

2012-07-26 22:28:54.684561 JST - Discovered configuration for node name '/LDAPv3/127.0.0.1' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/127.0.0.1.plist'

2012-07-26 22:28:54.684603 JST - Registered subnode with name '/LDAPv3/127.0.0.1'

2012-07-26 22:28:54.728350 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'

2012-07-26 22:28:54.730495 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'

2012-07-26 22:28:55.733121 JST - '/Search' has registered, loading additional services

2012-07-26 22:28:55.733128 JST - Initialize augmentation support

2012-07-26 22:28:55.755096 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'

2012-07-26 22:28:55.759836 JST - Successfully registered for Kernel identity service requests

2012-07-26 22:28:55.759852 JST - Adjusting kernel ID cache (100 -> 250) and membership cache (100 -> 500)

2012-07-26 22:28:55.777863 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'

2012-07-26 22:28:55.816348 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'

2012-07-26 22:28:55.945915 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'

2012-07-26 22:28:55.946415 JST - Registered subnode with name '/Local/Default'

2012-07-26 22:28:55.954233 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'

2012-07-26 22:28:55.993617 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientLDAP.bundle'

2012-07-26 22:28:55.995550 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClientPWS.bundle'

2012-07-26 22:28:56.832509 JST - 41.18 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:28:56.832509 JST - 41.18, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified

2012-07-26 22:28:56.832519 JST - 41.18 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:28:56.832519 JST - 41.18, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

2012-07-26 22:29:01.008167 JST - 41.909 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:01.008167 JST - 41.909, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified

2012-07-26 22:29:01.008174 JST - 41.909 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:01.008174 JST - 41.909, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

2012-07-26 22:29:06.009509 JST - 41.1011 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:06.009509 JST - 41.1011, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified

2012-07-26 22:29:06.009516 JST - 41.1011 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:29:06.009516 JST - 41.1011, Module: AppleODClientLDAP - unable to open connection to LDAP server - unable to create connection context

2012-07-26 22:30:27.507078 JST - 425.3430 - Client: Finder, UID: 0, EUID: 0, GID: 0, EGID: 0

2012-07-26 22:30:27.507078 JST - 425.3430, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aeb00fd0' into hash 'Kerberos' as 'non-authoritative'

2012-07-26 22:31:31.381246 JST - 708.4663 - Client: local, UID: 0, EUID: 27, GID: 0, EGID: 27

2012-07-26 22:31:31.381246 JST - 708.4663, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aeb00fd0' into hash 'Kerberos' as 'non-authoritative'

2012-07-26 22:42:58.557202 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'

2012-07-26 22:42:58.598857 JST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'

2012-07-26 23:00:44.776740 JST - 714.8072 - Client: auth, UID: 214, EUID: 214, GID: 6, EGID: 6

2012-07-26 23:00:44.776740 JST - 714.8072, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aec019e0' into hash 'Kerberos' as 'non-authoritative'

2012-07-26 23:00:44.777807 JST - 714.8072 - Client: auth, UID: 214, EUID: 214, GID: 6, EGID: 6

2012-07-26 23:00:44.777807 JST - 714.8072, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aec019e0' into hash 'Kerberos' as 'non-authoritative'



Does anyone have a solution for this? I'm scratching my head here.

OS X Server-OTHER, OS X Mountain Lion

Posted on Jul 26, 2012 7:38 AM
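The Open Directory log in the post above repeats a small number of errors under different request IDs. The following is an added example, not part of the original post: a Python script that groups the `Module:` error lines by module and message and attaches the client that issued each request. The sample lines are copied from the log above; the function and variable names are illustrative.

```python
import re
from collections import OrderedDict

# "<timestamp> <tz> - <rest>", as printed by opendirectoryd in the post above
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ - (?P<rest>.*)$")
# "<request id> - Client: <name>, UID: ..." precedes each module error
CLIENT = re.compile(r"^(?P<req>\d+\.\d+) - Client: (?P<client>[^,]+), UID: \d+")
# "<request id>, Module: <name> - <message>"
MODULE = re.compile(r"^(?P<req>\d+\.\d+), Module: (?P<module>\S+) - (?P<msg>.*)$")

# Lines taken from the log quoted in the post (subset).
SAMPLE = """\
2012-07-26 22:28:54.575839 JST - Logging level limit changed to 'error'
2012-07-26 22:28:56.832509 JST - 41.18 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
2012-07-26 22:28:56.832509 JST - 41.18, Module: AppleODClientLDAP - unable to create LDAP connection context - no server specified
2012-07-26 22:30:27.507078 JST - 425.3430 - Client: Finder, UID: 0, EUID: 0, GID: 0, EGID: 0
2012-07-26 22:30:27.507078 JST - 425.3430, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aeb00fd0' into hash 'Kerberos' as 'non-authoritative'
2012-07-26 23:00:44.776740 JST - 714.8072 - Client: auth, UID: 214, EUID: 214, GID: 6, EGID: 6
2012-07-26 23:00:44.776740 JST - 714.8072, Module: SystemCache - Misconfiguration detected - Failed to insert key 'untitled_1@OD1.DOMAIN.CA' for entry '0x7f81aec019e0' into hash 'Kerberos' as 'non-authoritative'
"""

def summarize(text):
    """Group module errors by (module, message); track count, time span, clients."""
    clients = {}            # request id -> client name from the preceding line
    groups = OrderedDict()  # (module, normalized message) -> stats
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        rest = line["rest"]
        client = CLIENT.match(rest)
        if client:
            clients[client["req"]] = client["client"]
            continue
        err = MODULE.match(rest)
        if not err:
            continue  # informational line (bundle loads, node registration)
        # Heap addresses differ per request; mask them so repeats collapse.
        msg = re.sub(r"0x[0-9a-f]+", "0x<ptr>", err["msg"])
        g = groups.setdefault((err["module"], msg),
                              {"count": 0, "first": line["ts"], "clients": set()})
        g["count"] += 1
        g["last"] = line["ts"]
        g["clients"].add(clients.get(err["req"], "?"))
    return groups

if __name__ == "__main__":
    for (module, msg), g in summarize(SAMPLE).items():
        print(f"{g['count']:3d}x {module}: {msg}")
        print(f"     {g['first']} .. {g['last']}  clients={sorted(g['clients'])}")
```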


Sep 18, 2012 3:02 PM in response to epoc1000

You have to make sure that the Net Directory Folder where all the users have their home folders is reachable by the user that is logging in. In fact, it has to be reachable by all the users that have an account with their home folder on the server. Make sure the access for Everyone else is set to read only. If by any means Everyone else is set to No Access, users won't be able to log on.

Dec 13, 2012 8:53 AM in response to Think Touch

We just had a similar issue here.


On the MacBook Pro, we needed a new user to log in. Existing MBP users were fine, new users no chance, although administrator accounts were OK. OSX 10.7.4, same issue with 10.7.5.


What we did to fix it was this:-


Ensure the Mac will create a local folder for new user accounts (top tick-box)

In AD, turn off the Z: drive mapping to the home folder (or whatever drive you use) for that particular user

On the Mac, log in and let it create the local home folder

In AD, turn the drive mapping back on and respecify the home folder path


The account should now continue to work as it's already created the local home folder.


Admin accounts worked because we don't map the home folder for those. Originally we were mapping using a logon script, which is why we didn't have an issue when setting up the other users initially. What probably doesn't help is that we use DFS, and the Macs don't like talking to DFS (we have to map to the \\servername\share instead of \\domainname\dfs-share for those).


Hope this helps. Many thanks to "Think Touch" above for providing the clues.

Jun 9, 2014 11:10 AM in response to mspritch

Following on from my earlier post, I've just upgraded three Mac Pros and a MacBook Pro to 10.9.3.


One of the Mac Pros is happy to let users log in first time and create a mobile profile, no need to meddle with the AD profile and delete home folder mappings.


The other two Mac Pros and the MacBook are having none of it. Try it once and "an error has occurred". Try a second time and you're stuck with a pinwheel until you hold down the power button to force a shutdown.


I've checked dsconfigad -show, the settings on both Mac Pros are IDENTICAL in all but Computer Account and are as follows (some bits ***'d out):-


Active Directory Forest = p***c.local

Active Directory Domain = p***c.local

Computer Account = ck8*****1bj$


Advanced Options - User Experience

Create mobile account at login = Enabled

Require confirmation = Disabled

Force home to startup disk = Enabled

Mount home as sharepoint = Enabled

Use Windows UNC path for home = Enabled

Network protocol to be used = smb

Default user Shell = /bin/ba*h


Advanced Options - Mappings

Mapping UID to attribute = not set

Mapping user GID to attribute = not set

Mapping group GID to attribute = not set

Generate Kerberos authority = Enabled


Advanced Options - Administrative

Preferred Domain controller = llw-***-01.p***c.local

Allowed admin groups = domain admins,enterprise admins

Authentication from any domain = Enabled

Packet signing = allow

Packet encryption = allow

Password change interval = 14

Restrict Dynamic DNS updates = not set

Namespace mode = domain


As before, users with no home directory path specified in their AD profile can log in anyway. If it's specified then only one of the Mac Pros will let them in.


DFS now seems to resolve properly in 10.9.3 (\\domainname.local\dfs-share works) so it shouldn't be that.


Any suggestions? I suspect an OSX rather than AD issue otherwise why would one of the machines work OK? Also, "Net Directory Folder" shouldn't come into it as there is no OSX Server involved here (we don't have one).
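The last post compares `dsconfigad -show` output across machines by eye. The following is an added example, not part of the original thread: a Python script that parses two such outputs into per-section settings and reports every difference except keys expected to differ. `HOST_A` is an excerpt of the output quoted above (redactions kept); `HOST_B`, including its changed value and placeholder account, is constructed for illustration, and all names are illustrative.

```python
def parse_show(text):
    """Return {(section, key): value} from `dsconfigad -show` text."""
    settings, section = {}, "General"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
        else:
            section = line  # e.g. "Advanced Options - Mappings"
    return settings

def diff_hosts(a, b, ignore=("Computer Account",)):
    """List (section, key, value_a, value_b) for settings that differ."""
    pa, pb = parse_show(a), parse_show(b)
    diffs = []
    for section, key in sorted(set(pa) | set(pb)):
        if key in ignore:
            continue  # per-machine by design
        va = pa.get((section, key), "<missing>")
        vb = pb.get((section, key), "<missing>")
        if va != vb:
            diffs.append((section, key, va, vb))
    return diffs

# Excerpt of the output quoted in the post, redactions as posted.
HOST_A = """\
Active Directory Domain = p***c.local
Computer Account = ck8*****1bj$

Advanced Options - User Experience
Create mobile account at login = Enabled
Force home to startup disk = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb

Advanced Options - Administrative
Packet signing = allow
Packet encryption = allow
Namespace mode = domain
"""

# Constructed second host: placeholder account, one setting changed.
HOST_B = HOST_A.replace("ck8*****1bj$", "PLACEHOLDER-HOST-B$").replace(
    "Force home to startup disk = Enabled", "Force home to startup disk = Disabled")

if __name__ == "__main__":
    for section, key, va, vb in diff_hosts(HOST_A, HOST_B):
        print(f"[{section}] {key}: A={va!r} B={vb!r}")
```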
