Question

Anyone using OS 10.8.2 and Active Directory, and successful login and account creation

  • November 13, 2012
  • 46 replies
  • 33 views


Is anyone having success with this, or is most everyone still using OS 10.7.5?

Can successfully bind a clean 10.8.2 image with dsconfigad, mobile enable, to Windows AD 2008 R2, all is good there.

Can login with valid AD user, but OS X does not really finish the process. The Finder hangs (Finder icon bounces in the dock, no Apple menu bar, and question mark icons in the dock). The local account is never created; can login as admin and check with dscl, no user, no home directory.

This does not happen in 10.8.0, or 10.7.5 (separate issue and topic thread for 10.7.5).

Total deal breaker for us. Have logged a bug with Apple and spoken to an Apple engineer. Can reproduce every time, and this is not the OS X image. A brand new image downloaded directly from Apple (Recovery HD) on i7 MacBook Pro.

Thx,

John K

46 replies

  • Contributor
  • November 14, 2012

It's working fine here with mobile accounts that do not sync. Are you trying to sync the home dirs? Also, posting the output from dsconfigad -show could help us troubleshoot this with you . . .


  • Valued Contributor
  • November 14, 2012

We've just started rolling out AD binding to our organization so all of our users are running 10.8.2. Haven't seen the issue you're describing. I'm also running the Golden Triangle with our Open Directory Master, but I've also logged into AD users without binding to OD and have been fine.

I use System Preferences and Directory Utility to bind existing Macs, and then I've used the binding objects in Casper Admin for newly imaged Macs.


  • Author
  • Contributor
  • November 14, 2012

Appreciate it guys, throwing us for a loop.

Here is dsconfigad -show (does not look like anything unusual):

Active Directory Forest          = domainname.local
Active Directory Domain          = domainname.local
Computer Account                 = mbp15-1113$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Disabled
  Use Windows UNC path for home  = Enabled
  Network protocol to be used    = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain


bentoms
  • Hall of Fame
  • November 14, 2012

What happens if you set the below to disabled & then try?

Use Windows UNC path for home = Enabled

CypherCookie
  • Contributor
  • November 14, 2012

Hi All,

We currently are using Casper 8.62 with our machines running 10.8.2, with our users logging in via AD.

We have used Casper to bind the Macs and have had a couple of issues with this:

1) sometimes admin accounts login with managed mobile profiles instead of admin rights.
2) we are noticing some machines are not allowing users to log on and then randomly allowing them to then logon.

We are currently troubleshooting these issues and believe the following are the reasons:

1) Mobile accounts etc. are controlled via the AD; we are trying to figure out why sometimes users get admin rights and sometimes don't.

2) This issue could be to do with a combination of network switch and DC problems; we are currently looking into our infrastructure to try and find the problem.


  • Contributor
  • November 14, 2012

Works well here. We had to disable "Authentication From Any Domain" to get it to work though. Also disabled "Use Windows UNC path for home".


  • Contributor
  • November 14, 2012

Works pretty well here too, with all versions of 10.8. We also had to disable "Use Windows UNC path for home" since that would cause some user logins to fail.

We do see rare login issues with some users/sites, but 99% of the time it works 100% of the time.


  • Valued Contributor
  • November 14, 2012

@alexjdale - I too was having issues with logins when "Use Windows UNC path for home" was checked. I found that the problem stemmed from a bad path in their AD profile tab. So long as there is a folder at that path and the user has permission to read/write then we could login.

We want to keep it that way as to mimic how our PCs behave.


bentoms
  • Hall of Fame
  • November 14, 2012

We mount all drives @ login using an AppleScript app I've written, including the Profile drive.

This was due to http://support.apple.com/kb/HT4829

Maybe it's the same issue?


  • Author
  • Contributor
  • November 14, 2012

OK, here's the update.

Used the above suggestions:

- disabled "Use Windows UNC path for home"
- disabled "Mount home at Sharepoint"
- disabled "Authentication from any domain" (since there is a legacy AD domain, and we do not want users being authenticated to that old domain, only the new domain (AD 2008); apparently there are issues in that scenario)

There is another thing. We have new Exchange 2010 and those AD users are being migrated to Exchange 2010 and to the new AD 2008 domain. Most AD users were actually created in that old AD domain and being authenticated against that old domain, and there is something about "SIDs", Microsoft System ID's, and information can be coming from those old SID's.

My AD user account logs in fine. But at least one of my test AD accounts (that were brand new users created in the new 2008 AD domain), still gets this weird issue.

It must be something related to a specific AD user and/or Mac OS 10.8.2. It does not happen all the time.

I'll keep testing. I am just wondering what to do if we roll this out and get this non functional login / user template for a user when we do our AD rollout next month. Is there something we can do on the AD 'Users' side. My AD knowledge is not deep enough to know what to look for.

Of course only seeing this in 10.8.2, not 10.7.5

Apple is aware. Have logged a ticket / bug. No return call yet. Over 48 hours.
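As an added illustration (not code from the thread or from Jamf), the script below audits `dsconfigad -show` output for the three settings posters here disabled to get 10.8.2 logins working, and prints the `dsconfigad` command that would change each one. The `-useuncpath`, `-sharepoint` and `-alldomains` flags are real dsconfigad options; the sample output is constructed from the OP's post, and on a bound Mac you would pass `"$(dsconfigad -show)"` instead.

```bash
#!/bin/bash
# Added example: audit dsconfigad -show output for the settings this thread
# associated with the 10.8.2 Finder hang at login. Not from the original post.

# Constructed sample modelled on the OP's dsconfigad -show output.
SAMPLE_SHOW='Active Directory Forest          = domainname.local
Active Directory Domain          = domainname.local
Computer Account                 = mbp15-1113$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Disabled
  Use Windows UNC path for home  = Enabled
  Network protocol to be used    = smb
  Default user Shell             = /bin/bash

Advanced Options - Administrative
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow'

# Print the value of one "label = value" line; the label match ignores
# the padding dsconfigad uses to align the "=" column.
get_setting() {   # $1 = show output, $2 = label
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name) }
        name == key { print $2; exit }'
}

# Emit one "label|value|fix command" line per setting that is still at the
# value the thread's posters had to turn off. Prints nothing when all are off.
audit_ad_settings() {   # $1 = output of `dsconfigad -show`
    local out="$1" v
    v=$(get_setting "$out" "Use Windows UNC path for home")
    [ "$v" = "Enabled" ] && echo "Use Windows UNC path for home|$v|dsconfigad -useuncpath disable"
    v=$(get_setting "$out" "Mount home as sharepoint")
    [ "$v" = "Enabled" ] && echo "Mount home as sharepoint|$v|dsconfigad -sharepoint disable"
    v=$(get_setting "$out" "Authentication from any domain")
    [ "$v" = "Enabled" ] && echo "Authentication from any domain|$v|dsconfigad -alldomains disable"
    return 0
}

# Stand-alone use: audit the constructed sample.
audit_ad_settings "$SAMPLE_SHOW"
```

The audit only reports; each printed command still has to be run by an admin (and re-checked with `dsconfigad -show`), since the thread's own findings were that these settings only mattered for some users and some domains.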


CypherCookie
  • Contributor
  • November 15, 2012

Thanks for the update John, it's interesting that you are seeing this issue in 10.8.2 and not in 10.7.5!

What did you look for to say that the error was definitely with 10.8.2? Or was it just a case of this error only appearing on the newer machines?


  • Honored Contributor
  • November 15, 2012

@bentoms ditto on using an AppleScript for that reason.


  • New Contributor
  • November 28, 2012

Seeing this in my environment also,
not happening with 10.7.5.
Also not happening with machines upgraded from 10.6.8 or 10.7.4 ..... :(
HELP!


  • Contributor
  • November 28, 2012

Just curious, but are you able to BIND successfully through the GUI?


  • Contributor
  • November 29, 2012

What I have found imaging with Casper 8.62, installing Mac OS X 10.8.2 (build 12C54) and binding to Active Directory with the native Casper binding:
The system binds to Active Directory but with Apple's default settings, NOT the settings I have for AD. If I unbind from AD and use Casper Remote to set up AD, the settings come in the way I want them. I now have a script, based on one here: https://jamfnation.jamfsoftware.com/discussion.html?id=5891 that will set the machine bound to AD with the settings I desire for AD. I'm working on getting it to run after the Mac has bound to AD...

If I image the same system (using the same netboot image) with 10.7, the AD settings come in properly...


  • February 8, 2013

Bump. Still seeing inconsistent 5200 and 5202 errors with 10.8.2; same AD bindings working fine with 10.6.8.

Fresh install of 10.8.2 onto a blank drive: can't bind from Users & Groups > Login Options. Binds successfully from Directory Utility with Create Mobile checked; logging in from an AD account causes the aforementioned Finder hang. Reboot, same thing. Can't unbind the Mac using any method, including dsconfigad.


bentoms
  • Hall of Fame
  • February 9, 2013

Working fine for me. :( sorry!


  • Contributor
  • February 9, 2013

Hmm . . . . people having problems: are you all on .local domains like John?
I haven't seen any of these issues with 10.8.2 at ALL, but my domain is not configured as .local.
And have any of you besides John opened an AppleCare case on it? If you can't unbind with dsconfigad, Apple should have something to say about that . . .


  • Author
  • Contributor
  • February 9, 2013

Update. Opened case with Apple, basically of very little help.

Centrify Express / Direct Control works perfectly, and I love all the command line tools, and their Account Migration app. So far we have done almost 150 bindings with Centrify (AD 2003 to AD 2008), and maybe one or two I have had to rebind. If there is an issue with logging in, it's almost always on the AD account side: password, acct expiring, migration not done completely, etc.

It seems an issue with 10.8.2. Incidentally I thought the 10.8.3 betas would fix it; nope (12D61), not in my AD env.

Still get the Finder, menu bar hang (with Apple's plug-in).


  • Contributor
  • February 9, 2013

That's so weird . . . I'm up to 113 10.8.2 client machines managed, not a single one has had a binding issue with the Apple plugin. I'm really curious if the others having problems are on .local domains as well.


  • Contributor
  • February 9, 2013

I'm afraid I'm not seeing an issue with 10.8.2 and the native AD binding, and it being handled by the Casper 8.62. I have a random issue here and there, but nothing ever in mass. Haven't for as far back as I can remember using the native AD plugin, which is a long time it seems. My beard is going white...


  • Contributor
  • February 9, 2013

No issues with 10.8.2 and "Beta 10.8.3" using the Native AD Plugin in our AD Environment.


  • Author
  • Contributor
  • February 9, 2013

"No issues with 10.8.2 and "Beta 10.8.3" using the Native AD Plugin in our AD Environment. "

Are you a .local domain? AD 2008?


  • Esteemed Contributor
  • February 9, 2013

Let me also confirm that 10.8.2 with the bind completed by Casper is working here too. (actually we've had a few teething problems lately but that was probably caused by our datacentre blow out this morning)


dlondon
  • Honored Contributor
  • February 11, 2013

I've seen this sort of message when manually adding machines to our Active Directory domain.

Domain Functional Level: Windows Server 2003
Forest Functional Level: Windows Server 2003

OS X 10.8.2 but also with 10.7 and even 10.6

The message I see is:

Unable to add server.
Authentication server encountered an error while attempting the requested operation.
(5202)

I usually authenticate as DOMAIN\username and then password, but when I get that message I try the fully qualified account name, i.e. username@my.fully.qualified.domain.name, e.g. fred@someschool.edu. It then joins with no problems.

Usually things go like this for some months and then the DOMAIN\username works again. I've brought it up with our server team but they don't know what causes it.

Regardless, have you tried using a fully qualified user name?