Hi all,
After successfully logging in using a mobile account on OS Sierra 10.13.2, does the mobile home sync to the user home folder work?
Has anyone tried it? Any comments or answers will be much appreciated.
Thanks for the feedback @jconte & @alexjdale - unfortunately, these fixes do not work in our environment. As a reminder, we are not using AD. We use FreeIPA, which is an open source Linux adaptation of LDAP. It works fundamentally the same as AD, but AD uses its own proprietary version of LDAP. Clearly, the two platforms do not handle user authentication the same exact way.
To reiterate what is happening:
- A Mobile Account user has our FreeIPA directory server defined in Directory Utility on their laptop and can authenticate to it while inside our network. I.e., network login is working correctly.
- That same user cannot log into their account when outside of our network. I.e., macOS is not caching their network credentials for local login when it can't see the directory server. This local login worked fine prior to 10.13.x.
Does anyone here use a LDAP product like FreeIPA that has been able to solve this problem?
@steagle Did you ever find a resolution to this? We are also using FreeIPA over here and have started to experience similar issues.
@jm_peterson I work with steagle and we don't currently have a solution for this. What version of FreeIPA are you running, a current version? We haven't tested the latest builds yet.
@bmcdade I apologize for just getting to this, I never saw a notification. We are running 4.5.4 and still experiencing the issue. I've found a couple of commonalities in the machines where this error occurs in /var/log/opendirectory.log, which is interesting given that we do not use that.
93.3656, Module: ldap - failed to retrieve LDAP server schema - LDAP error - 48
93.4181.4182 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
93.4181.4182, Node: /LDAPv3/freeipa.org.com, Module: ldap - __odnode_copy_record_block_invoke: 4101 No predicates provided
and in /var/log/krb5kdc.log
WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.
These errors are only present in machines that have had the network accounts issue.
My best guess at this point, based on the LDAP 48 error, is that the machine is not passing the correct credentials or does not have access to authenticate against the cached credentials when there is no network connection.
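Added example, not from the thread and not Apple's or FreeIPA's code: a small Python triage script for the two things the post above looks at. It maps the numeric code in an opendirectory.log "LDAP error - N" line to its RFC 4511 name (48 is inappropriateAuthentication, i.e. the bind was attempted with an authentication method the server rejects, as opposed to 49, invalidCredentials, a plain bad password), and it reads the output of `dscl . -read /Users/<name> AuthenticationAuthority` to say whether a record is really a cached mobile account with a locally stored password hash and a SecureToken, which is what an off-network login has to work with. The dscl samples, the user name jdoe, the realm EXAMPLE.ORG, the GUID and the third log line (error 49) are constructed for the example; the first two log lines are the ones quoted in the post.

```python
"""Triage helper for the High Sierra mobile-account symptom discussed in the thread.

Two checks, both against text you already have on the machine:
1. opendirectory.log lines carrying "LDAP error - N" -> RFC 4511 result-code names.
2. `dscl . -read /Users/<name> AuthenticationAuthority` -> does the record have a
   LocalCachedUser tag (cached mobile account), a ShadowHash entry (local password
   hash to verify against when no directory server is reachable) and SecureToken
   (needed to unlock FileVault on an APFS volume on 10.13 and later)?
"""
import re

# Subset of the standard LDAP result codes from RFC 4511, section 4.1.9.
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    2: "protocolError",
    3: "timeLimitExceeded",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    51: "busy",
    52: "unavailable",
    53: "unwillingToPerform",
}

# Constructed sample: the two opendirectory.log lines quoted in the thread plus one
# line made up for contrast (error 49, a plain wrong password).
SAMPLE_OD_LOG = """\
93.3656, Module: ldap - failed to retrieve LDAP server schema - LDAP error - 48
93.4181.4182, Node: /LDAPv3/freeipa.org.com, Module: ldap - __odnode_copy_record_block_invoke: 4101 No predicates provided
93.4201, Node: /LDAPv3/freeipa.org.com, Module: ldap - simple bind failed - LDAP error - 49
"""

LDAP_ERROR_RE = re.compile(r"LDAP error - (\d+)")
NODE_RE = re.compile(r"Node: (\S+?),")


def parse_ldap_errors(log_text):
    """Return (node, code, name, line) for every log line carrying an LDAP result code."""
    found = []
    for line in log_text.splitlines():
        m = LDAP_ERROR_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        node_m = NODE_RE.search(line)
        node = node_m.group(1) if node_m else None
        found.append((node, code, LDAP_RESULT_CODES.get(code, "unknown"), line))
    return found


# Constructed sample of `dscl . -read /Users/jdoe AuthenticationAuthority` for a
# healthy mobile account. jdoe, EXAMPLE.ORG and the GUID are assumed values; dscl
# prints the multi-valued attribute space-separated on one line.
SAMPLE_DSCL_MOBILE = (
    "AuthenticationAuthority: "
    ";ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> "
    ";Kerberosv5;;jdoe@EXAMPLE.ORG;EXAMPLE.ORG; "
    ";LocalCachedUser;/LDAPv3/freeipa.org.com:jdoe:0B6F7D3E-0000-4000-8000-000000000001 "
    ";SecureToken;\n"
)
# Same record without a cached password hash (also constructed): the user can still
# authenticate while the directory is reachable but has nothing local to be checked
# against when it is not.
SAMPLE_DSCL_NO_HASH = (
    "AuthenticationAuthority: "
    ";Kerberosv5;;jdoe@EXAMPLE.ORG;EXAMPLE.ORG; "
    ";LocalCachedUser;/LDAPv3/freeipa.org.com:jdoe:0B6F7D3E-0000-4000-8000-000000000001\n"
)


def parse_authentication_authority(dscl_text):
    """Collect the authority tags (ShadowHash, Kerberosv5, LocalCachedUser, ...).

    Each value has the form ";Tag;payload", so the tag is the field between the
    first two semicolons of every whitespace-separated value.
    """
    _, _, values = dscl_text.partition("AuthenticationAuthority:")
    return {tok.split(";")[1] for tok in values.split() if tok.startswith(";")}


def assess_offline_login(tags):
    """Explain whether the record has what a login with no directory reachable needs."""
    cached = "LocalCachedUser" in tags
    has_hash = "ShadowHash" in tags
    has_token = "SecureToken" in tags
    if not cached:
        verdict = "not a mobile account: nothing is cached, network login only"
    elif not has_hash:
        verdict = "mobile account without a cached password hash: offline login will fail"
    elif not has_token:
        verdict = "offline login possible, but the user cannot unlock FileVault on APFS"
    else:
        verdict = "cached account, local password hash and SecureToken all present"
    return {
        "cached_mobile_account": cached,
        "local_password_hash": has_hash,
        "securetoken": has_token,
        "offline_login_possible": cached and has_hash,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for node, code, name, _ in parse_ldap_errors(SAMPLE_OD_LOG):
        print(f"{node or '-'}: LDAP {code} ({name})")
    for label, sample in (("mobile", SAMPLE_DSCL_MOBILE), ("no-hash", SAMPLE_DSCL_NO_HASH)):
        print(label, "->", assess_offline_login(parse_authentication_authority(sample))["verdict"])
```

On a real machine, feed `parse_authentication_authority` the output of `dscl . -read /Users/<name> AuthenticationAuthority` and cross-check the SecureToken result with `sysadminctl -secureTokenStatus <name>`; a mobile account that shows LocalCachedUser but no ShadowHash is the record-level signature of "works on network, fails off network", regardless of which directory product is behind the LDAPv3 node.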
@jim_peterson - Thanks for the update.
Oddly enough, I don't have either the krb5kdc.log or the opendirectory.log files on my bound machine. I can bind to the LDAP (FreeIPA) server and it does allow network login, but no matter what I do, I can't create those local/mobile accounts with a valid password. I guess we may now be looking at migrating over to Jamf Connect + Okta, where our Okta account is bound to the FreeIPA server. It's a bit of a runaround, but if it works and we can get account management control for both on and off network, then we are more than happy to go that route.
Hi @morgan.sd51, I have seen this error before and it's related to the home folder. If you remove the home folder from Active Directory on the allocated space (e.g. \\yourdomain.local\sharedspace\users\%username%) and replace it with the local path, you will be able to log the user in. Once the user has logged in, you can add back the shared space.
Cheers!

Came in just to post that I miss 10.6.8, when everything worked pretty well...
@latorrep your comment has resolved my issue! I remembered seeing the error in the past when trying to create a new user while an existing home directory already had the corresponding account name. However, I have very little Active Directory experience and would never have known to look there. Thanks!!
@bmcdade @steagle did you ever manage to get a mobile user to log in when off network? I also run FreeIPA and tried it on High Sierra and Mojave, and both present the same problem. While online, mobile accounts can log in with no problem. I tried the suggestions in this thread with regard to SecureToken, and also removed sqlindexes from /var/db/dslocal/nodes/Default, but still no success. Thank you in advance for your answer.
@kwaber We still have the issue with FreeIPA and mobile accounts on High Sierra and Mojave. We are now looking at using NoMAD Login + Okta as a solution. It seems that Apple really killed LDAP binding in High Sierra and later, and we haven't found a solution.
@bmcdade @steagle We are using AD with an LDAP plugin. We are having a similar issue where the computer logs in fine if they are on network but doesn't cache their credentials. Any luck in figuring out the issue?
Thanks!
Topher Nadauld
@Tophernad Anytime I had issues with our AD bound Macs it was resolved by unchecking “use UNC path from Active Directory” option in Directory Utility. No changes on AD needed.
@Tophernad Nope, we stopped looking for a solution from Apple and started to work on rolling out Jamf Connect Login (using Okta). We attached our LDAP to Okta, and now the plan is that it will be the provider.
@bmcdade Thanks for the info. We are working towards Nomad Login AD.