7 Replies Latest reply: Feb 18, 2013 5:19 PM by Strontium90
krdell00 Level 1 (0 points)

I am able to successfully bind a client machine to our AD domain but am not able to successfully get a network account to log in to it using 10.8.  We have had no problems in the past with Macs until 10.8. Anyone else have this issue?  Thanks in advance.

  • Strontium90 Level 4 (3,770 points)

    Try going into Directory Utility and editing your AD configuration.  Click the Show Advanced Option arrow and on the User Experience tab, uncheck the "Use UNC path from ...." Save the config, reboot the machine, and try logging in again with an account that you have not tried on the machine before.  If this is successful, try the original account.

  • krdell00 Level 1 (0 points)

    Hi, thanks but I'd already tried this without success

  • Strontium90 Level 4 (3,770 points)

    Are you getting any error at the login window that can be of assistance?  If not, have you tried enabling SSH on the suspect machine?  Then ssh into this machine from another system and monitor the actions of the login.  Recall that OpenDirectory can provide a debug log if enabled (sudo odutil set log debug).  Then tail the debug log file from the monitoring machine and watch what happens during an attempted login.


    Are you on a .local domain?  By any chance does the user already exist on the machine in short name form?  Can you confirm domain access via id or dscl?

  • krdell00 Level 1 (0 points)

    Thanks for your reply.  No error message at login just get the shaky screen.  We are not using a .local domain and can confirm domain access via the GUI and dsconfigad.  I checked the console and the message I see for that log is


    SecurityAgent: Unknown user "user" login attempt PASSED for auditing

    SecurityAgent: User info context values set for user


    User does not exist at all on machine, but when attempting to id the user on the domain it says no such user.  This happens on any 10.8 machine, clean install just bound to the domain using the GUI.  No problem with any 10.7 machines in my organization.  Thanks in advance for any assistance.

  • Strontium90 Level 4 (3,770 points)

    Hmm.  Ok, so try this:


    Let's assume you have a user named John Doe and he has a domain shortname of jdoe.  On the bound Mac, try this command in Terminal (obviously replacing the name of the example user with a valid domain user):


    id jdoe


    Do you get a truncated result from the domain?

  • krdell00 Level 1 (0 points)

    No, it says user not found, so even though I am showing that I am bound to our domain I cannot actually id users in it.

  • Strontium90 Level 4 (3,770 points)

    Ok.  That is a start.  If the unit is claiming to be bound but you are unable to ID users, then you may have failed the device trust.  Try this.


    1: Unbind the Mac, if possible, from Directory Utility.

    2: Connect to the DC and make sure the computer record has been removed from the domain.  Manually delete it if it lingers.

    3: Force a replication to ensure the record is purged across all DCs (if you have more than one).


    Ok, with the environment cleaned up, confirm that all the SRV records are in place on the DC.  This can be done with (let's assume your domain is krdell.com) the following lookups.  Use Terminal and enter the commands below (replacing with your valid domain).


    host -t SRV _ldap._tcp.krdell.com

    host -t SRV _kerberos._tcp.krdell.com

    host -t SRV _kerberos._udp.krdell.com

    host -t SRV _kpasswd._tcp.krdell.com

    host -t SRV _kpasswd._udp.krdell.com

    host -t SRV _gc._tcp.krdell.com


    Next, make sure that you have your Mac's time synchronized to the DC or a mutually accepted time server.  Go into System Preferences > Date & Time and set the time server address to the proper value. Once done, stop and start time services by unchecking and checking the box.  Wait about 30 seconds to a minute and then run this command in Terminal to confirm you are syncing your time:


    ntpq -p


    With DNS and time correct, then try and bind again.  After binding, run the id command against a domain user again and let's see if you get a result.





    try binding the device to the domain again.
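
The DNS and time checks from the last reply, combined into one pre-bind script. This is an added example, not part of the thread: it runs the six SRV lookups for a domain, reports which are missing, and reads `ntpq -p` output for the `*` marker that ntpq puts on the selected sync peer. The `LOOKUP` variable and the function names are hypothetical, introduced here so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): pre-bind checks for DNS SRV records and NTP sync.
# LOOKUP is a hypothetical override so the parser can be exercised without a live DNS server.

SRV_PREFIXES="_ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp _kpasswd._udp _gc._tcp"

# Read `host -t SRV` output on stdin; print "target:port" for each record found.
parse_srv() {
    awk '/ has SRV record / { t = $NF; sub(/\.$/, "", t); print t ":" $(NF-1) }'
}

# check_srv DOMAIN: report each of the six records; exit status = number missing.
check_srv() {
    missing=0
    for prefix in $SRV_PREFIXES; do
        name="$prefix.$1"
        found=$(${LOOKUP:-host -t SRV} "$name" 2>/dev/null | parse_srv | tr '\n' ' ')
        if [ -n "$found" ]; then
            echo "OK      $name -> $found"
        else
            echo "MISSING $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Read `ntpq -p` output on stdin; succeed only if a peer line starts with "*"
# (the peer ntpd has selected as its sync source).
ntp_synced() {
    grep -q '^\*'
}

# Run against the live environment only when a domain is given as an argument.
if [ "$#" -gt 0 ]; then
    check_srv "$1" || echo "Fix DNS before binding: $? record(s) missing"
    ntpq -p | ntp_synced || echo "No selected NTP peer yet; Kerberos needs closely matched clocks"
fi
```

Run it with the AD domain as the only argument before binding; any MISSING line or the NTP warning should be resolved first.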