+8We still use the golden triangle with AD for authentication and OD for preferences. The accounts are cached mobile accounts. We've updated 6 machines from 10.9.4/10.9.3, etc to 10.9.5 and 5 of them don't allow any accounts to login after the update, even local non directory accounts. We're hosting the software update service on x serves but the problem has also occurred when pulling the update from Apple and not our servers.
Anybody else seen anything similar or have any good suggestions?
+12We are not seeing that issue here with 10.9.5 upgrades (with +/- 110 of them). We do only use AD, however, so maybe you are seeing a golden triangle issue?
Can you rebind to resolve?
+4Andrew, we are also seeing this problem. If we disconnect from the network (or otherwise make the OS X box unable to speak with AD), we can log in, but then we see opendirectoryd start hogging all the CPU cycles that it can. This is not uniform across all of our OS X laptops, though. We have some that work fine on 10.9.5 and bound to AD, while others don't.
+8Thanks for the thread... looks like the same problem.
As far as rebinding... I had to unplug the machine from the network to login locally and then rebind. I still had the same problems. Sounds like somebody else suggested removing from AD, trashing all AD prefs and rebinding.
+12Andrew-- are you seeing this issue on desktops?
I started to wonder from PeteToscano's post whether this might be a MacBook Pro issue?
We are almost all iMac desktop here where I am not seeing the issue…(yet that is!)
+5Had login problems for one user the day he updated to 10.9.5. Could not login with a cached network account or local admin account. Safe boot, disk warrior, unbind, re-bind, flush caches, etc. nothing let me in. Finally net booted and did a clean netinstall of the OS and we got in. He had a lot of shareware and junk apps so I'm chalking it up to that. No issues with other users.
+4I started to wonder from PeteToscano's post whether this might be a MacBook Pro issue?
We're seeing this on one MBP, one MBA, and two Minis so far.
+7I remember seeing a similar issue with updates to 10.7 way back. I used to go into dscl from terminal and delete the local user and then I'd be able to log in with their network credentials.
+12I was having to do the dscl deletion thing, too, when we went from 10.9.0 to 10.9.1. I chalked it up to changes Apple might have been making with iCloud that were then in turn causing trouble with our AD directory records. As soon as the accounts were recreated clean in dscl, everything ran fine.
We are seeing good luck with the delta updater 10.9.5, but I haven't tested/needed the combo updater (maybe there's an issue there?) --generally the combos get better results but maybe not this time.
+8@justinworkman and @Gillaspy, this happens for accounts that don't exist on the machine as well, so I can't delete them via dscl.
+5Out of curiosity, anyone know of or has come up with a way to block/disable this particular update until things can be sorted out?
+8@barret55, are you using an internal SUS server (NetSUS or Apple Software Update)? I haven't enabled the update on our internal software update servers, which all clients are pointed to via Jamf, so no clients can get it at this point.
+8@barret55, have you disabled this update then by unchecking it or manually disabling in the plist file? I've left the 10.8.5 update enabled and manually disabled 10.9.5 entries in the /etc/swupd/com.apple.server.swupdate.plist file for now.
+18Probably unrelated, but I updated to 10.9.5 last week and noticed this morning that the system's Active Directory keychain entry (on the System keychain) had vanished. I had to rebind to AD.
+4Probably unrelated, but I updated to 10.9.5 last week and noticed this morning that the system's Active Directory keychain entry (on the System keychain) had vanished. I had to rebind to AD.
I tried unbinding one of our troubled servers, then rebinding. No luck. Still messed up. :(
+14No issues here yet, but most clients haven't started upgrading yet. I've updated my work machines w/out issue and AD/cached mobile accounts/802.1x @ login still seems to be OK. We aren't using OD at all. I'll monitor and update if we start having issues.
+8We noticed some issues on our end. We are using the golden triangle. We weren't pointing our clients to our internal SUS, but have done so now until this is resolved. From our testing standpoint, when I removed our bind to OD, we are able to login. Otherwise it fails.
+14Hi Andrew,
We use AD for Authentication/binding. Like you we use cached mobile accounts. Casper is used for setting everything else. Yesterday I installed 10.9.5 (not the combo) and rebooted to find I couldn't log in either. I couldn't log in with domain or local accounts and boot times were really long ~10 minutes and it took a long time to time out on the logon attempts. I was able to ping the machine but not connect via SSH (not even a prompt). Not having seen this I spent the rest of the day checking disk and memory and backing up the disk when I found no issues there.
Today I found your thread and also the link posted by Ben Toms above (https://groups.google.com/forum/m/#!topic/macenterprise/IPTSGXmVtkw). What has worked for me is as follows:
1) Remove the network cable and then log in as the local admin
2) Unbind (it doesn't care that it isn't on the network)
3) Restart with network cable connected
4) log in as local admin
5) Rebind
- In the Search Policy > Directory Domains (of the binding), remove "/Active Directory/yourdomain" from the list which should look like this:
/Local/Default
/Active Directory/yourdomain
/Active Directory/yourdomain/All Domains
(sorry - can't remember if that was the right order)
Now it should just display /Local/Default /Active Directory/yourdomain/All Domains
6) Restart - local and domain accounts (new and existing should now work)
Notes:
a) This machine was an upgrade from 10.7.5 to 10.9.4 and then yesterday to 10.9.5
b) The machine had originally had that extra Search Domain (/Active Directory/yourdomain) added because on 10.7 we had been getting a message "network accounts are not available" after binding and rebooting to the logon prompt.
c) Looking at a clean build for another newer domain, "/Active Directory/yourdomain" is not available, and now that I am on 10.9.5 it is not available as something I can add back to this machine even if I wanted to.
** Looking back on this. It may be that you don't even have to unbind - just remove Search Domain (/Active Directory/yourdomain)
Hope that helps.
Regards,
David
+8Hi David,
Thanks for the detailed response. Yesterday I found exactly what you found and removing the /Active Directory/yourdomain entry does allow login to work. It still appears to take longer than it should to login. I have a support ticket open with Apple and they have forwarded this on to engineering. At this point, we won't be enabling the 10.9.5 update.
Thanks again,
Andrew
+10I have not noticed any issues logging in with my AD user account after upgrading to 10.9.5. But I'm still hesitant to allow my clients to upgrade, so i've made it unavailable in our local SUS. My search domain only includedes /Local/Default and /Active Directory/mydomain/All Domains
I'm hoping the source of this issue is found before 10.9.6 is released.
+8@denmoff "I'm hoping the source of this issue is found before 10.9.6 is released."
I agree... if there is a 10.9.6
+29It would take an egregious bug for there to be a 10.9.6. 10.9.5v1.1 or some post-10.9.5 patch might be options...
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
