Posted on 09-19-2014 10:52 AM
We still use the golden triangle with AD for authentication and OD for preferences. The accounts are cached mobile accounts. We've updated 6 machines from 10.9.4/10.9.3, etc. to 10.9.5 and 5 of them don't allow any accounts to log in after the update, even local non-directory accounts. We're hosting the software update service on Xserves but the problem has also occurred when pulling the update from Apple and not our servers.
Anybody else seen anything similar or have any good suggestions?
Posted on 09-19-2014 11:46 AM
We are not seeing that issue here with 10.9.5 upgrades (with +/- 110 of them). We do only use AD, however, so maybe you are seeing a golden triangle issue?
Can you rebind to resolve?
Posted on 09-19-2014 12:00 PM
There's a thread on MacE: https://groups.google.com/forum/m/#!topic/macenterprise/IPTSGXmVtkw
Posted on 09-19-2014 12:41 PM
Andrew, we are also seeing this problem. If we disconnect from the network (or otherwise make the OS X box unable to speak with AD), we can log in, but then we see opendirectoryd start hogging all the CPU cycles that it can. This is not uniform across all of our OS X laptops, though. We have some that work fine on 10.9.5 and bound to AD, while others don't.
Posted on 09-19-2014 12:47 PM
Thanks for the thread... looks like the same problem.
As far as rebinding... I had to unplug the machine from the network to login locally and then rebind. I still had the same problems. Sounds like somebody else suggested removing from AD, trashing all AD prefs and rebinding.
Posted on 09-19-2014 01:58 PM
Andrew-- are you seeing this issue on desktops?
I started to wonder from PeteToscano's post whether this might be a MacBook Pro issue?
We are almost all iMac desktop here where I am not seeing the issue…(yet that is!)
Posted on 09-19-2014 02:02 PM
Yep - various iMac models.
Posted on 09-19-2014 02:03 PM
Had login problems for one user the day he updated to 10.9.5. Could not login with a cached network account or local admin account. Safe boot, disk warrior, unbind, re-bind, flush caches, etc. nothing let me in. Finally net booted and did a clean netinstall of the OS and we got in. He had a lot of shareware and junk apps so I'm chalking it up to that. No issues with other users.
Posted on 09-19-2014 02:23 PM
I started to wonder from PeteToscano's post whether this might be a MacBook Pro issue?
We're seeing this on one MBP, one MBA, and two Minis so far.
Posted on 09-22-2014 06:01 AM
I remember seeing a similar issue with updates to 10.7 way back. I used to go into dscl from terminal and delete the local user and then I'd be able to log in with their network credentials.
Posted on 09-22-2014 07:24 AM
I was having to do the dscl deletion thing, too, when we went from 10.9.0 to 10.9.1. I chalked it up to changes Apple might have been making with iCloud that were then in turn causing trouble with our AD directory records. As soon as the accounts were recreated clean in dscl, everything ran fine.
We are seeing good luck with the delta updater 10.9.5, but I haven't tested/needed the combo updater (maybe there's an issue there?) --generally the combos get better results but maybe not this time.
Posted on 09-22-2014 07:35 AM
@justinworkman and @Gillaspy, this happens for accounts that don't exist on the machine as well, so I can't delete them via dscl.
Posted on 09-22-2014 08:11 AM
Out of curiosity, anyone know of or has come up with a way to block/disable this particular update until things can be sorted out?
Posted on 09-22-2014 08:18 AM
@barret55, are you using an internal SUS server (NetSUS or Apple Software Update)? I haven't enabled the update on our internal software update servers, which all clients are pointed to via Jamf, so no clients can get it at this point.
Posted on 09-22-2014 08:20 AM
@andrew_stenehjem I'm using Apple's SUS.
Posted on 09-22-2014 08:58 AM
@barret55, have you disabled this update then by unchecking it or manually disabling in the plist file? I've left the 10.8.5 update enabled and manually disabled 10.9.5 entries in the /etc/swupd/com.apple.server.swupdate.plist file for now.
Posted on 09-22-2014 09:41 AM
Probably unrelated, but I updated to 10.9.5 last week and noticed this morning that the system's Active Directory keychain entry (on the System keychain) had vanished. I had to rebind to AD.
Posted on 09-22-2014 10:10 AM
Probably unrelated, but I updated to 10.9.5 last week and noticed this morning that the system's Active Directory keychain entry (on the System keychain) had vanished. I had to rebind to AD.
I tried unbinding one of our troubled servers, then rebinding. No luck. Still messed up. :(
Posted on 09-22-2014 12:19 PM
No issues here yet, but most clients haven't started upgrading yet. I've updated my work machines w/out issue and AD/cached mobile accounts/802.1x @ login still seems to be OK. We aren't using OD at all. I'll monitor and update if we start having issues.
Posted on 09-22-2014 10:07 PM
We noticed some issues on our end. We are using the golden triangle. We weren't pointing our clients to our internal SUS, but have done so now until this is resolved. From our testing standpoint, when I removed our bind to OD, we are able to login. Otherwise it fails.
Posted on 09-24-2014 12:30 AM
Hi Andrew,
We use AD for Authentication/binding. Like you we use cached mobile accounts. Casper is used for setting everything else. Yesterday I installed 10.9.5 (not the combo) and rebooted to find I couldn't log in either. I couldn't log in with domain or local accounts and boot times were really long ~10 minutes and it took a long time to time out on the logon attempts. I was able to ping the machine but not connect via SSH (not even a prompt). Not having seen this I spent the rest of the day checking disk and memory and backing up the disk when I found no issues there.
Today I found your thread and also the link posted by Ben Toms above (https://groups.google.com/forum/m/#!topic/macenterprise/IPTSGXmVtkw). What has worked for me is as follows:
1) Remove the network cable and then log in as the local admin
2) Unbind (it doesn't care that it isn't on the network)
3) Restart with network cable connected
4) log in as local admin
5) Rebind
- In the Search Policy > Directory Domains (of the binding), remove "/Active Directory/yourdomain" from the list which should look like this:
/Local/Default
/Active Directory/yourdomain
/Active Directory/yourdomain/All Domains
(sorry - can't remember if that was the right order)
Now it should just display /Local/Default /Active Directory/yourdomain/All Domains
6) Restart - local and domain accounts (new and existing should now work)
Notes:
a) This machine was an upgrade from 10.7.5 to 10.9.4 and then yesterday to 10.9.5
b) The machine had originally had that extra Search Domain (/Active Directory/yourdomain) added because on 10.7 we had been getting a message "network accounts are not available" after binding and rebooting to the logon prompt.
c) Looking at a clean build for another newer domain, "/Active Directory/yourdomain" is not available, and now that I am on 10.9.5 it is not available as something I can add back to this machine even if I wanted to.
** Looking back on this. It may be that you don't even have to unbind - just remove Search Domain (/Active Directory/yourdomain)
Hope that helps.
Regards,
David
Posted on 09-24-2014 06:27 AM
Hi David,
Thanks for the detailed response. Yesterday I found exactly what you found and removing the /Active Directory/yourdomain entry does allow login to work. It still appears to take longer than it should to login. I have a support ticket open with Apple and they have forwarded this on to engineering. At this point, we won't be enabling the 10.9.5 update.
Thanks again,
Andrew
Posted on 09-24-2014 08:17 AM
I have not noticed any issues logging in with my AD user account after upgrading to 10.9.5. But I'm still hesitant to allow my clients to upgrade, so I've made it unavailable in our local SUS. My search domain only includes /Local/Default and /Active Directory/mydomain/All Domains.
I'm hoping the source of this issue is found before 10.9.6 is released.
Posted on 09-24-2014 08:24 AM
@denmoff "I'm hoping the source of this issue is found before 10.9.6 is released."
I agree... if there is a 10.9.6
Posted on 09-24-2014 11:46 AM
It would take an egregious bug for there to be a 10.9.6. 10.9.5v1.1 or some post-10.9.5 patch might be options...
Posted on 09-24-2014 12:01 PM
Have you tried:
dsconfigad -alldomains disable
Posted on 09-24-2014 12:50 PM
It happened to one of our machines yesterday and I was going crazy with it!! In order for me to log into the machine locally I had to do a disk repair in Utilities. Finally I got in and pretty much did this as well:
1) Remove the network cable and then log in as the local admin
2) Unbind (it doesn't care that it isn't on the network)
3) Restart with network cable connected
4) log in as local admin
5) Rebind
- In the Search Policy > Directory Domains (of the binding), remove /Active Directory/yourdomain
Now it should just display
/Local/Default
/Active Directory/yourdomain/All Domains
6) Restart - local and domain accounts (new and existing should now work)
Posted on 09-24-2014 01:05 PM
Now it should just display
/Local/Default
/Active Directory/yourdomain/All Domains
What did it say beforehand?
Posted on 09-24-2014 02:08 PM
I was receiving the CPU usage issue which is what seemed to be causing the login issues. The user account would hang and just spin, I assume because of this issue with the opendirectoryd process. Disconnecting from the network seemed to allow the login, and then reconnecting would cause that process to spin up CPU usage. When I logged into a local admin account there was no issue, so I was able to remove the computer from the domain that way. Either way, I could've forcibly removed it, the larger issue is that I had to restore the machine from a Time Machine backup in order to get us back to where we needed to be. If this has been escalated to Apple there probably isn't a need for me to do the same, but does anyone have an update?
Posted on 09-24-2014 02:42 PM
@justinmeader I've submitted it to Apple and they've forwarded to engineering... but I think the more people that submit the more likely they are to address it. If they only get a few submissions they may respond as they have for some of our other big ticket items... fix it in 10.10 and suggest that we move the machines to Yosemite. Not a good solution for thousands of machines that can't run essential software if they're at 10.10.
Posted on 09-24-2014 03:47 PM
Dennis - have modified my post to show what I remember as the 3 lines that were there.
Andrew - since making the change I don't notice a significant difference in logon time but maybe I'm just grateful to log in at all :)
Regards,
David
Posted on 09-25-2014 05:54 AM
We are just a single domain/forest. I'm using Casper for the AD bind/FV2 configs using Self Service. For this round of AD integration (anybody remember the 10.5.0 release and AD?), I'm simply ticking "Allow authentication from any domain in the forest" and I have the following Search Policy/Directory Domain listing:
/Local/Default
/Active Directory/yourdomain/All Domains
No issues here yet on a small number of machines running 10.9.5. We aren't using a Golden Triangle config (or was it Cylinder of Destiny) ... just a large single AD domain. Monitoring with interest ...
Posted on 09-26-2014 12:08 PM
Here's the response that I got from Apple:
It looks like removing the item from the search is the correct solution. The following command can be used to remove it via ARD or other method: dscl /Search -delete / CSPSearchPath "/Active Directory/BSD"
Makes it sound like they're not planning on addressing it.
Posted on 09-29-2014 12:56 PM
So they released this kb and probably won't do anything else. Looks like I might need to run this on all of our machines before they move up to 10.9.5... who knows, may clear up some other issues that we have related to AD:
dscl /Search -delete / CSPSearchPath "/Active Directory/yourdomainname"
Posted on 09-30-2014 08:41 AM
We ran into the issue as well and we rewrote our AD Bind script to change it from "yourdomainname" to "all domains". This resolved the issue that we were seeing.
Make sure that if you script it and scope it at your machines, that you recommend they be off network if possible. If they are on network, scope it for startup and it will take about 10 minutes before it can connect to the JSS and run the script, but it will resolve the issue.
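The search-path cleanup discussed in this thread, as an added example that is not part of any post and not Apple's or Jamf's own script: it removes a bare "/Active Directory/<domain>" node only when the matching ".../All Domains" node is also listed, and does a dry run unless told otherwise. The function names, the `apply` argument and the sample listing are assumptions made for illustration; the multi-line output layout of `dscl /Search -read / CSPSearchPath` is assumed as shown in the constructed sample.

```shell
#!/bin/sh
# Constructed sample of `dscl /Search -read / CSPSearchPath` output
# (not captured from a real machine).
SAMPLE='CSPSearchPath:
 /Local/Default
 /Active Directory/yourdomain
 /Active Directory/yourdomain/All Domains'

# Reads a CSPSearchPath listing on stdin and prints every bare
# "/Active Directory/<domain>" node that also has an "All Domains" sibling.
# A bare node without that sibling is left alone, because deleting it
# would leave no AD node in the search path at all.
redundant_ad_nodes() {
    awk '
        BEGIN { n = 0 }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 ~ "^/Active Directory/[^/]+/All Domains$" {
            d = $0; sub("/All Domains$", "", d); all[d] = 1; next
        }
        $0 ~ "^/Active Directory/[^/]+$" { bare[n++] = $0 }
        END { for (i = 0; i < n; i++) if (bare[i] in all) print bare[i] }
    '
}

# Dry run by default; pass "apply" to delete each redundant node with the
# dscl command quoted in the thread. Needs root when applying.
clean_search_path() {
    dscl /Search -read / CSPSearchPath 2>/dev/null | redundant_ad_nodes |
    while IFS= read -r node; do
        if [ "${1:-}" = "apply" ]; then
            dscl /Search -delete / CSPSearchPath "$node" </dev/null
        else
            echo "would remove: $node"
        fi
    done
}

# Only touch the directory configuration on a host that actually has dscl.
if command -v dscl >/dev/null 2>&1; then
    clean_search_path "${1:-}"
fi
```
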
Posted on 05-20-2016 09:06 AM
Started a new job with old Mavericks Macs. Updated to 10.9.5 and hit this problem. I tried all the normal tricks, and almost re-imaged the whole Mac. My biggest mistake was Googling the problem when I should have come to JAMF Nation first.
The combination of @EliasG & @andrew_stenehjem's solutions fixed it. I followed the steps in the link below and it worked right away.
Thanks for the old post guys.
http://support.apple.com/kb/HT201149