+8We still use the golden triangle with AD for authentication and OD for preferences. The accounts are cached mobile accounts. We've updated 6 machines from 10.9.4/10.9.3, etc to 10.9.5 and 5 of them don't allow any accounts to login after the update, even local non directory accounts. We're hosting the software update service on x serves but the problem has also occurred when pulling the update from Apple and not our servers.
Anybody else seen anything similar or have any good suggestions?
+10it happened to one of our machines yesterday and I was going crazy with it!! In order for me to log into the machine locally I had to do a disk repair in Utilities. Finally I got in and pretty much did this as well
) Remove the network cable and then log in as the local admin
2) Unbind (it doesn't care that it isn't on the network)
3) Restart with network cable connected
4) log in as local admin
5) Rebind
- In the Search Policy > Directory Domains (of the binding), remove /Active Directory/yourdomain
Now it should just display
/Local/Default
/Active Directory/yourdomain/All Domains
6) Restart - local and domain accounts (new and existing should now work)
+10Now it should just display
/Local/Default
/Active Directory/yourdomain/All Domains
What did it say beforehand?
+1I was receiving the CPU usage issue which is what seemed to be causing the login issues. The user account would hang and just spin, I assume because of this issue with the opendirectoryd process. Disconnecting from the network seemed to allow the login, and then reconnecting would cause that process to spin up CPU usage. When I logged into a local admin account there was no issue, so I was able to remove the computer from the domain that way. Either way, I could've forcibly removed it, the larger issue is that I had to restore the machine from a Time Machine backup in order to get us back to where we needed to be. If this has been escalated to Apple there probably isn't a need for me to do the same, but does anyone have an update?
+8@justinmeader][/url I've submitted it to Apple and they've forwarded to engineering... but I think the more people that submit the more likely they are to address it. If they only get a few submissions they may respond as they have for some of our other big ticket items... fix it in 10.10 and suggest that we move the machines to Yosemite. Not a good solution for thousands of machines that can't run essential software if they're at 10.10.
+14Dennis - have modified my post to show what I remember as the 3 lines that were there.
Andrew - since making the change I don't notice a significant difference in logon time but maybe I'm just grateful to log in at all :)
Regards,
David
+14We are just a single domain/forest. I'm using Casper for the AD bind/FV2 configs using Self Service. For this round of AD integration (anybody remember the 10.5.0 release and AD?), I'm simply ticking "Allow authentication from any domain in the forest" and I have the following Search Policy/Directory Domain listing:
/Local/Default
/Active Directory/yourdomain/All Domains
No issues here yet on a small number of machines running 10.9.5. We aren't using a Golden Triangle config (or was it Cylinder of Destiny) ... just a large single AD domain. Monitoring with interest ...
+8Here's the response that I got from Apple:
It looks like removing the item from the search is the correct solution. The following command can be used to remove it via ARD or other method: dscl /Search -delete / CSPSearchPath "/Active Directory/BSD"
Makes it sound like they're not planning on addressing it.
+8So they released this kb and probably won't do anything else. Looks like I might need to run this on all of our machines before they move up to 10.9.5... who knows, may clear up some other issues that we have related to AD:
dscl /Search -delete / CSPSearchPath "/Active Directory/yourdomainname"
+5We ran into the issue as well and we rewrote our AD Bind script to change it from "yourdomainname" to "all domains". This resolved the issue that we were seeing.
Make sure that if you script it and scope it at your machines, that you recommend they be off network if possible. If they are on network, scope it for startup and it will take about 10 minutes before it can connect to the JSS and run the script, but it will resolve the issue.
+20Started a new job with old Mavericks Macs. Updated to 10.9.5 and hit this problem. I tried all the normal tricks, and almost re-imaged the whole Mac. My biggest mistake was Googling the problem when I should have came to JAMF Nation first.
The combination of @EliasG & @andrew_stenehjem solution fixed it. I followed the steps in the link below and it worked right way.
Thanks for the old post guys.
http://support.apple.com/kb/HT201149
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.