AD User accounts won't log in to Mac

bev0113
New Contributor

We have several AD users who cannot log in to our Mac clients. The screen shakes. I have been researching this and have tried several suggestions, but to no avail. Any ideas or assistance greatly appreciated.

4 REPLIES

rbundonis
New Contributor II

What have you tried? That may help so we don't recommend the same.

Some common items:
1: Log in as the local admin
2: Check time with
```
ntpq -p
```
3: Confirm that you are bound by using
```
id username
```
(replace username with a real user's name)
4: Try to auth using Kerberos by using
```
kinit username
```
(replace username with a real user's name)
5: Confirm TGT is granted with
```
klist
```

If all this checks out, go into the AD plugin (I assume you are using the built-in) and disable the "Use UNC path to derive network home folder" option. Then try logging in as the user again.
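
As an added example (not part of rbundonis's post): the time check in step 2 matters because Kerberos, used in steps 4 and 5, rejects authentication when the Mac's clock is too far from the domain controller's. The function below reads `ntpq -p` output and flags an offset beyond 300 seconds, the common Kerberos default and an assumption about this domain; the host names and sample rows are constructed.

```shell
# Added example, not from the thread. 300 s is the common Kerberos clock-skew
# default and is assumed here; check your domain's policy.
MAX_SKEW_MS=300000

# Constructed sample `ntpq -p` output (host names and values are made up).
HDR='     remote           refid      st t when poll reach   delay   offset  jitter
=============================================================================='
SAMPLE_GOOD="$HDR
*dc01.example.te 10.0.0.1         3 u   35   64  377    0.512   -3.210   1.234
+dc02.example.te 10.0.0.1         3 u   40   64  377    0.630    1.870   0.800"
SAMPLE_SKEWED="$HDR
*dc01.example.te 10.0.0.1         3 u   35   64  377    0.512 412345.678   1.234"
SAMPLE_UNSYNC="$HDR
 dc01.example.te .INIT.          16 u    -   64    0    0.000    0.000   0.000"

# Reads `ntpq -p` output on stdin and prints one verdict line.
# Exit status: 0 = within tolerance, 1 = offset too large,
#              2 = no peer selected (the clock is not synchronised at all).
check_ntp_offset() {
    awk -v max="$MAX_SKEW_MS" '
        /^\*/ {                        # tally code "*" marks the selected peer
            found = 1
            off = $9 + 0               # column 9 is the offset in milliseconds
            mag = (off < 0) ? -off : off
            verdict = (mag > max) ? "FAIL" : "OK"
            if (mag > max) bad = 1
            printf "%s offset %.3f ms via %s\n", verdict, off, substr($1, 2)
        }
        END {
            if (!found) { print "FAIL no synchronised peer"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# On the Mac, as the local admin:  ntpq -p | check_ntp_offset
printf '%s\n' "$SAMPLE_GOOD" | check_ntp_offset
printf '%s\n' "$SAMPLE_SKEWED" | check_ntp_offset || echo "clock skew would break kinit"
```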

alexjdale
Valued Contributor III

Also, if you are mapping local UID/GID to Active Directory attributes, make sure those attributes for the users are populated with usable numbers or else logins will fail.

davidacland
Honored Contributor II

Can other users from the same domain log in on these Macs? I would definitely try id as rbundonis said. That will tell you if the Mac can see that account. Try it with some other working accounts to confirm the difference. Final rambling thought: do you use mobile (cached) accounts? It could be that the Macs have actually dropped off the domain but users that have previously logged in are still working. You can confirm this by using dscl in the terminal.

Type dscl to go into interactive mode, then use cd to navigate around, ls to list the subdirectories. You should be able to cd into the users directory and list the users with ls.

bev0113
New Contributor

Yes, other accounts from the same domain can log in fine. If I shorten the name, it works, even if I set up the user in AD by copying the account that does not work.

For example: jeffery.karr cannot log in; if I create a new account using jeff.karr, he can log in fine.