I have converted an Active Directory network account to a mobile one and now I can't log in at all

It is an iMac with El Capitan 10.11.1. We connected it to the network and bound it to our Active Directory server (Windows Server 2008 R2) so that users could log in with their Active Directory credentials with a local home directory. Then we had to use it while it was disconnected from the network (and the AD server) and we got the message "network accounts unavailable". We converted the network account to a mobile one and now whenever we try to log in with that user the wheel keeps turning indefinitely and we can't log in. Network users that were not converted can still log in (when connected to the network).


I do not have any experience with Macs but I am the IT guy saddled with this one. It is the only Mac in our organisation. I have a local admin user to do stuff on the Mac. I have access to the AD server if I need it. I have searched this forum and the web and I can't find a solution.


Thanks in advance

Chariton

iMac, OS X El Capitan (10.11.1)

Posted on Nov 20, 2015 1:52 AM

5 replies

Jan 16, 2017 11:24 AM in response to Strontium90

Reid,


I know it is much later, but I am having almost the identical issue as this guy was having. I posted this thread late last week with no replies (Mobile Account Sync/AD Home Folder Question). I've been working in IT for this company since 2009. It's a large enterprise company with thousands of users and computers, all Windows-based PCs and servers. I used to work for the managed workstation team which supported hardware inventory, software delivery and the standard OS image used by all PCs and users.


I've always been a Mac guy outside of work and took a position for a retiree who introduced Macs to the Graphic Services dept some 25+ years ago. She was a Designer trying to be an IT person. Everything done currently is with local admin accounts where users have to access everything on the network manually. This is causing file permission issues, you name it!


Based on the thread above and the similarity to the issue you replied to here, any chance I might be able to contact you outside of here by some means to go over what I'm trying to do and what I need to ask IT for in order to make this setup work?

Nov 23, 2015 12:50 AM in response to cdhw

AD integration is generally one of the easiest configurations for Macs. However, as cdhw put it, your relationship is only as good as the AD domain. Bad data in, bad data out.


Now, here are a few items that are commonly overlooked.


1: Make sure all devices agree on time. Yes, time. If the time on the Mac is not within a specific delta of the domain controller, authentication will fail. Best advice is to point the Macs at the DC as it is likely running time services already. Test your time skew from the Mac with:


ntpq -p


2: DNS is vitally important. Your AD domain should have all the SRV, A, and PTR records defined. But, it can't hurt to confirm. OS X relies on the ldap, global catalog, and kerberos SRV records to locate services. Also, if you are on a .local domain you may be dealing with other issues.


3: Disable "Use UNC path from Active Directory to derive network home location" under the options in Directory Utility. You can also disable this feature with the dsconfigad command (dsconfigad -useuncpath disable). There is a chance that an attribute in AD is pointing to a home sync location for Windows users. This can cause issues with Macs. Disable the feature to test the initial login.


4: What do you mean by:


We converted the network account to a mobile one and now whenever we try to log in with that user the wheel keeps turning indefinitely and we can't log in.


Did you define a network home folder path on the AD account? Were your users true network home folder accounts? If you no longer want that, you must edit the AD record and remove the path under Profile > Home Folder > Connect.


I assume you checked the "Create mobile account at login" box in the AD config in Directory Utility.


5: What happens when you log in to the machine with a user who never used the machine before?


Reid

Apple Consultants Network

Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "El Capitan Server – Control & Collaboration" :: Exclusively available in Apple's iBooks Store

Author of Yosemite Server and Mavericks Server books
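As an added example (my own script, not something Reid or the original poster wrote), the two checks above in shell form: the time-skew test reads `ntpq -p` output and reports the selected peer's offset, and the DNS test lists the SRV records that OS X needs and queries them with dig. Assumptions of mine: ntpq reports offset and jitter in milliseconds, the leading `*` marks the peer ntpd is synchronised to, the Kerberos default clock-skew tolerance is 5 minutes, and the `_gc` record lives under the forest root (the same name as the domain in a single-domain forest). The sample ntpq output is constructed.

```shell
#!/bin/sh
# Added example for items 1 and 2 of the reply above; my own script, not the
# poster's. Assumptions (mine): ntpq -p reports offset/jitter in milliseconds,
# the "*" prefix marks the peer ntpd is synchronised to, and the Kerberos
# default clock-skew tolerance is 5 minutes (300000 ms). The SRV names are the
# standard Active Directory service records (_gc is registered for the forest
# root, which equals the domain in a single-domain forest).

# Item 1: read `ntpq -p` output on stdin and print "<peer> <offset_ms> <jitter_ms>"
# for the selected peer. Exit 0 if |offset| is within LIMIT_MS (default 300000),
# 1 if it exceeds it, 2 if ntpd has not selected any peer yet.
ntp_skew_check() {
    limit_ms="${1:-300000}"
    awk -v limit="$limit_ms" '
        /^\*/ {
            peer = substr($1, 2)              # drop the leading "*"
            offset = $9 + 0                   # column 9 is offset, 10 is jitter
            printf "%s %s %s\n", peer, $9, $10
            found = 1
            skew = (offset < 0) ? -offset : offset
        }
        END {
            if (!found) exit 2
            exit ((skew <= limit) ? 0 : 1)
        }
    '
}

# Item 2: the SRV records OS X looks up to find the AD services Reid names
# (LDAP, global catalog, Kerberos) plus the password-change service.
ad_srv_names() {
    d="$1"
    printf '%s\n' "_ldap._tcp.$d" "_gc._tcp.$d" "_kerberos._tcp.$d" "_kpasswd._tcp.$d"
}

# Query each record with dig (shipped with OS X); exit 1 if any is missing.
ad_srv_check() {
    rc=0
    for name in $(ad_srv_names "$1"); do
        if dig +short SRV "$name" | grep -q .; then
            echo "ok       $name"
        else
            echo "MISSING  $name"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of `ntpq -p` output (same layout as the poster's) so the
# parser can be shown without a network. On the real machine use:
#   ntpq -p | ntp_skew_check
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*dc01.example.test 10.0.0.1         3 u   57   64  377    0.333   21.684  10.235'

printf '%s\n' "$SAMPLE_NTPQ" | ntp_skew_check && echo "time skew OK" || echo "time skew status: $?"
ad_srv_names example.test
```

Run `ad_srv_check yourdomain.example` from the Mac while it is on the corporate network; an empty answer for any of the four names is the DNS problem item 2 is about, and a non-zero status from `ntp_skew_check` (with the real `ntpq -p` piped in) is the time problem from item 1.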

Nov 23, 2015 12:50 AM in response to Strontium90

Hello Strontium,


Thanks for the reply.


1. I ran ntpq -p and this is the response I got. Can't say I understand what it means, though.


hp4720s-0140d:~ e54723$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*dc01.eac.org    194.116.168.41   3 u   57   64  377    0.333   21.684  10.235
hp4720s-0140d:~ e54723$


2. "Your AD domain should have all the SRV, A, and PTR records defined". CONFIRMED with AD Admin. Not on local domain.


3. Did that (with dsconfigad -useuncpath disable). No change. User still can't login.


4. It means we followed the instructions on how to make a Network Account into a Mobile Account. We changed Profile -> Home Folder -> Connect in the AD to point to a network location (now disabled), and we checked the "Create mobile account at login" box in the AD config in Directory Utility.


5. Login with a different user that never logged in before works ONLY after a local user logs in. Otherwise we get the "Network Accounts Unavailable" message at the login screen.


The user with the mobile account cannot log in even after a local admin login. The little round spinning thing goes round indefinitely and I can't even cancel it (don't know how), and each time I have to shut down the Mac from the power button. Pathetic, I know, but I never expected to find myself in this situation...


Is there any log that I can check for errors to see what the AD or the Mac does not like?


Thanks again for your interest and your help


Chariton

Nov 23, 2015 5:29 AM in response to CharitonIosifides

So here are my thoughts.


1: Your time drift (jitter) is a little high. However, not likely the cause. You can reset by stopping time sync and then restarting it. I never like seeing whole numbers in the jitter column.


2: Good. That is key.


3: See troubleshooting below.


4: Ah, so the account was working as a network account and now cannot access. Logically, this should solve it. Is the Force Local home folder checkbox checked in Directory Utility? You may also consider unbinding from the AD domain and resetting the preferences, then binding fresh.


5: What mode is the login window in? Name and Password or list of users? Temporarily switch to list of users. Reboot the machine and time how long it takes for Other... to appear. How complicated is your corporate network?


Now, troubleshooting. I suggest the following:


1: Enable SSH on the machine giving you trouble

2: Reboot to the login window

3: SSH into the machine so you can watch logs. Open multiple sessions if needed.

4: Tail the system.log at minimum.

5: Enable Open Directory debug logging

sudo odutil set log debug

6: Tail the OD log:

tail -f /var/log/opendirectoryd.log

7: Once you have the troubleshooting windows open, then try logging in, watching what happens. Also, a window showing top can be helpful.


Any chance you once had Centrify? In some cases this sounds like a hung up MCX issue.


Reid

Apple Consultants Network

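As an added example answering Chariton's question about which log to check and wrapping Reid's steps 4 to 7 above, here is a small shell helper of my own (not the poster's procedure or Apple's tooling). It raises the Open Directory log level with odutil, tails system.log and opendirectoryd.log from an SSH session, and keeps only the lines a failing AD or mobile-account login is likely to touch. The paths and the odutil command are the ones named in the thread; the filter patterns, the `default` restore level (my reading of the odutil man page, so confirm it on your release), and the sample log lines are my own constructions, not genuine opendirectoryd output.

```shell
#!/bin/sh
# Added example wrapping the troubleshooting steps above (enable OD debug
# logging, tail system.log and opendirectoryd.log over SSH, then try the login).
# My own script, not the poster's. Paths and commands come from the thread
# (odutil, /var/log/system.log, /var/log/opendirectoryd.log); the filter
# patterns and the sample lines are constructed, not real opendirectoryd output.
# "odutil set log default" as the restore level is my reading of the odutil man
# page; confirm it on your release.

# Keep only the lines a failing AD / mobile-account login is likely to touch.
# Reads log lines on stdin; prints matches; exit 0 if anything matched, 1 if not.
login_log_filter() {
    grep -iE 'opendirectoryd|loginwindow|kerberos|mobile|mcx|home|error|fail|timed out'
}

# Count the filtered lines that look like outright errors (quick summary).
login_error_count() {
    login_log_filter | grep -icE 'error|fail|timed out|denied' || true
}

# Step 5: raise or restore the Open Directory log level.
od_debug() {
    case "$1" in
        on)  sudo odutil set log debug ;;
        off) sudo odutil set log default ;;
        *)   echo "usage: od_debug on|off" >&2; return 2 ;;
    esac
}

# Steps 4 to 7: run this in one SSH session, then attempt the login at the
# login window and watch what appears (use a second session for top).
watch_login() {
    od_debug on
    tail -f /var/log/system.log /var/log/opendirectoryd.log | login_log_filter
}

# Constructed syslog-style sample lines (not genuine output) so the filter can
# be exercised without a live login attempt.
SAMPLE_LOG='Nov 23 09:01:02 imac loginwindow[88]: CONSTRUCTED login attempt for user jdoe
Nov 23 09:01:03 imac opendirectoryd[60]: CONSTRUCTED /Active Directory/CORP lookup for jdoe
Nov 23 09:01:04 imac kernel[0]: CONSTRUCTED unrelated wireless message
Nov 23 09:01:09 imac opendirectoryd[60]: CONSTRUCTED Kerberos authentication failed for jdoe: clock skew too great
Nov 23 09:01:10 imac loginwindow[88]: CONSTRUCTED mobile account creation timed out'

printf '%s\n' "$SAMPLE_LOG" | login_log_filter
echo "error-looking lines: $(printf '%s\n' "$SAMPLE_LOG" | login_error_count)"
```

Call `watch_login` from an SSH session while the machine sits at the login window, try the mobile account, and remember `od_debug off` afterwards, since debug logging is verbose. A login that hangs with nothing new appearing from opendirectoryd points at the login window or home-folder side rather than at AD itself; a Kerberos or skew message points back at the time and DNS checks from the earlier reply.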
