Network Account Cannot Log On

Question

Network Account Cannot Log On

New, fresh install of 10.8.2 OS X Server. DHCP, DNS, Open Directory, File Sharing all working. Server hostname is set to myserver.private. Two users are created:

test1 (and other accounts) has a network home, on AFP-shared Users, enabled for Home Directories
test2 home is set to Local Only

On an MBP 10.8.2, successfully joined to myserver.private, I try to log-in with those two network accounts. One works, the other does not:

test2 is able to log-on without a problem, log-out, and log-on, and so on,
test1 seems to authenticate, but cannot log on, displays message "You are unable to log in to the user account "test1" at this time. Logging in to the account failed because an error occurred."
After failing with test1, test2 will also produce the same error, until I log-in and log-out successfully with a local MBP account, or it has been rebooted.

The only error related to test1 that I can see in the Console logs is:

authorizationhost[1197]: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=afp://myserver.private/Users, homedir=/Network/Servers/myserver.private/Users/test1, name=test1 ) returned 64

Now, if I change test1 home directory setting (using Server.app) to "Local Only", I will be able to log-in on the MBP, however no home directory is provided (it serves the root of the local file system). If I log-out, and then use the Server.app to change it back to the previously set network home, I will be able to log-in with this account on the MBP with test1, but not with any other accounts that have a network home directory.

Any ideas why I am getting the "You are unable to log in" error in the first place? Many thanks for any hints...

Mac mini, OS X Mountain Lion (10.8.2), OS X Server

Posted on Jan 5, 2013 7:33 PM

Reply

Answer 1

Best reply

Rafal Lukawiecki Author

Level 1

0 points

Jan 6, 2013 4:27 AM in response to Rafal Lukawiecki

I know the issue. Little Snitch 3.0.2 was running on the MBP. When I disable it, the problem goes away and the users can log-on. Unfortunately, I am not sure what rule to create for LS to allow the log-on. I have logged a query with developers to find out the workaround rule. In the meantime, disabling LS works fully.

Reply

Answer 2

Apr 24, 2013 1:03 AM in response to Rafal Lukawiecki

It seems that the problem is that LS cannot prompt you for connection requests during the very early login stage, ie. when you are still at the login window, so the connection gets rejected and the login fails.

If you disable the LS then upon first login you will get a dialog from LS saying that there were connection attempts during login, and allow you to verfiy them, I tried it now on the second mac, and it seems that all that matters is the NetAuthSysAgent - allow outgoing connections to domain yourdomainname, but this is a rule of the user you are logging into!

Reply

Answer 3

Nov 15, 2015 8:53 AM in response to Zsolt Magyar

Thanks for the insight. As for Little snitch, simply add a rule for "system" that permits out going to "mountNetworkHomeWithURL"/ "your.doman.com" and it works great.

We run OS X portables with Little Snitch on for network accounts bound to an OD server via a OS X VPN. work well.

Warwick

Hong Kong

Reply

Answer 4

Ravi1066

Level 1

4 points

Dec 9, 2016 1:38 PM in response to Warwick Teale

Thank you for the invaluable tip.

What "system" owned process do I select to add the above rule in LS? I'm not able to find a process for "mountNetworkHomeWithURL".

Could you please provide the rule for LS? Much appreciated.

Reply