Question

Anyone using OS 10.8.2 and Active Directory, and successful login and account creation

  • November 13, 2012
  • 46 replies
  • 29 views


  • Valued Contributor
  • February 11, 2013

John, we came across a similar issue at the beginning of our AD implementation.
We have a different setup than it should be in AD.

Question: Is the domain really .local?

We were unable to bind OS X 10.7 and 10.8 clients.
Windows clients in the same network segment were able to connect without any problems.

We ended up using Centrify Express to bind our machines to AD.
http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp

It is working fine for us.


  • Valued Contributor
  • February 11, 2013

see post above...


  • Author
  • Contributor
  • February 11, 2013

Yes, we are company.local (with which Apple says there could be issues, and we have seen them).

So Centrify it is for us as well. It just works.


  • New Contributor
  • February 13, 2013

We just set up a new lab yesterday using the Casper AD and have the same problem with no task bar and finder hanging. Computers are 10.8.2 and we are .local on our district network. Would like to know how to resolve this.


  • New Contributor
  • February 13, 2013

I've had no problems with AD and 10.8.2, but our domain isn't .local. Nothing has changed for us since 10.6.8.


  • Author
  • Contributor
  • February 13, 2013

DeanaE,

As I say above, I tested this for a few weeks in an AD 2008 env, .local. I wanted to see the Apple native AD plugin work, but it did not.

I got the Finder / Menu Bar hang, every time. I can reproduce the bug every time. Apple called us back a few times, but were of very little help. Apple finally admitted to us that they could reproduce the bug, yet the latest 10.8.3 beta builds still do not fix the issue.

Centrify Express / DC works perfectly. That's what we are using.


  • New Contributor
  • February 15, 2013

Hi,

I have just configured AD and successfully logged in on my MBP with 10.8.2.

We are using .local domain.

Actually I tried to do the binding long back and had a call with Apple support, but they were of little help; they just told me that Macs cannot be configured on AD for .local and closed the ticket.

Now yesterday I tried a different scenario and it worked. Here is what I did.

The Domain was configured on "company.local" hosted on server "domainserv.company.local".

When I clicked "Join" the popup asked for the address of the server (previously I tried to configure and bind the Mac using "Directory Utility" and was just supplying "domain.local" all the time, but now it was not needed).

Here, instead of giving "company.local", I gave the complete machine name, which is "domainserv.company.local"; it asked for the Domain Admin login. Boom, everything was automatically configured.

I did not face any issues related to Finder hanging as John was facing.
But hey, that's not it.

I am facing a problem while trying to sync to the network home. It says "The Sync could not complete because your network home at "(null)" does not allow writing." and the "Settings" option for Mobile Account is disabled for the current user in "Users & Groups".

Apart from this everything else is working fine with me.

Let me know if you need the "dsconfigad" output for inspection.

Sudhaker


  • Valued Contributor
  • February 15, 2013

A quick comment on that.

As we still have a test AD environment, I created a new .local domain and saw the same issues as described above with the hanging toolbar and general binding issues.
Giving the full server name worked.
But it should be a workaround.

And remember that .local is reserved by Apple to be used by Bonjour.

I highly recommend using a different suffix like .corp on the end, or another one (.intern, etc.). With these settings we don't run into any issues.


  • New Contributor
  • February 19, 2013

Hey Maik,

Were you able to sync your home directory after you log in using a domain user?
I am still not able to get it working.


  • March 18, 2013

10.8.3 definitely didn't fix this for me. Functional AD level is 2003, have both a 2003 and a 2008 AD server, not a .local domain.

New iMac shows as bound:

sh-3.2# dsconfigad -show
Active Directory Forest          = grey.global
Active Directory Domain          = jbrown.grey.global
Computer Account                 = chi1adg25079$

Advanced Options - User Experience
  Create mobile account at login = Enabled
  Require confirmation           = Disabled
  Force home to startup disk     = Enabled
  Mount home as sharepoint       = Enabled
  Use Windows UNC path for home  = Disabled
  Network protocol to be used    = afp
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = NTJBROWN\domain admins, NTJBROWN\enterprise admins
  Authentication from any domain = Disabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

Logging in with an AD account will get a password reset notification, if the account is inside the change interval, but still the Finder never launches / no new home folder bug. Wildly inconsistent as I've bound half a dozen laptops over the last three weeks with no backend changes.
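Added example, not from any poster in this thread: a POSIX sh check that reads `dsconfigad -show` output like the paste above and flags the items the posts keep coming back to: a .local domain, silent mobile-account creation, and packet signing/encryption left at "allow". The OK/WARN/NOTE labels and the `--live` switch are this script's own conventions, not dsconfigad's.

```shell
#!/bin/sh
# Added example: audit `dsconfigad -show` output for the settings discussed
# in this thread. audit_ad_settings reads the output on stdin, prints one
# OK/WARN/NOTE line per check and returns the number of WARN lines, so it
# can drive a script or a Jamf extension attribute.

# setting TEXT NAME -> value of the first "NAME = value" line (indent tolerated)
setting() {
    printf '%s\n' "$1" | sed -n "s/^ *$2 *= *//p" | head -n 1
}

audit_ad_settings() {
    out=$(cat)
    warn=0
    domain=$(setting "$out" 'Active Directory Domain')
    case "$domain" in
        '')      echo "WARN not bound: no 'Active Directory Domain' line"; warn=$((warn + 1)) ;;
        *.local) echo "WARN domain '$domain' ends in .local, which Bonjour/mDNS also uses (see HT5738)"
                 warn=$((warn + 1)) ;;
        *)       echo "OK   domain $domain" ;;
    esac
    # Silent mobile-account creation is the step that fails in the reports above.
    if [ "$(setting "$out" 'Create mobile account at login')" = Enabled ] &&
       [ "$(setting "$out" 'Require confirmation')" = Disabled ]; then
        echo "NOTE mobile account is created silently at first login; if that step fails the user has no home folder"
    fi
    # 'allow' signs/encrypts LDAP only when the DC asks for it; 'require' enforces it.
    for opt in 'Packet signing' 'Packet encryption'; do
        val=$(setting "$out" "$opt")
        if [ "$val" != require ]; then
            echo "WARN $opt = ${val:-unset}; consider 'require' (dsconfigad -packetsign / -packetencrypt)"
            warn=$((warn + 1))
        else
            echo "OK   $opt = require"
        fi
    done
    return "$warn"
}

# With --live, audit the machine this runs on (dsconfigad exists only on macOS).
if [ "${1:-}" = --live ] && command -v dsconfigad >/dev/null 2>&1; then
    dsconfigad -show | audit_ad_settings
fi
```

Pipe a saved `dsconfigad -show` transcript into `audit_ad_settings`, or run the script with `--live` on the Mac itself.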


bentoms
  • Hall of Fame
  • March 18, 2013

Hey, I know that domain!

I used to work for Grey London. Reach out there to a guy called James Burnett... He may be able to advise.


  • March 19, 2013

Crazy enough, but after shutting the new iMac down and reconnecting, this time on a 100bT instead of a gigabit Ethernet connection, it bound fine.


  • New Contributor
  • April 22, 2013

johnklimeck, I have had the same issue with my .local domain. I ended up using Centrify for my initial deploy. However, after further testing, I did discover a way to make the freezing Finder issue go away. What led me down the home folder path was this:
The Dock worked, Launchpad worked, I could launch Terminal from Launchpad; running "cd ~" resulted in "Home folder not found." The Finder was crashing because it didn't have a home folder to read the desktop or write to recent items. Details:
Successfully binding a machine
In *Active Directory* open your directory user's Properties
Click on the Profile Tab
In Local Path enter: C:\Users
Hit OK

This seems to show OSX where to put the home folder. It has worked on several accounts that I have tried it on.


  • New Contributor
  • July 23, 2013
Details: Successfully binding a machine In *Active Directory* open your directory user's Properties Click on the Profile Tab In Local Path enter: C:\Users Hit OK This seems to show OSX where to put the home folder. It has worked on several accounts that I have tried it on.

We are using a .local domain, but we bind our Macs to AD only for account verification, not for home folder storage. We seem to have this happen randomly, but we're on a mix of 10.7.5 and 10.8.4. I'm assuming making the change in AD for the user will tell OS X to place the home folder on the AD server? When binding to AD we tick the following boxes in Directory Utility:

[x] Create Mobile Account
[x] Force local home directory on startup disk (greyed out)
[x] Default User Shell: /bin/bash
[x] Allow administration by: domain admins, enterprise admins

Profile path in AD profile properties is blank.

Any help would be appreciated!


  • New Contributor
  • July 23, 2013

For those who haven't seen the article:

OS X Mountain Lion: Improving mobile user login times for Active Directory .local domains
http://support.apple.com/kb/HT5738


  • New Contributor
  • July 30, 2013

I had the same problem as well and found a solution. For me, I found out it would only happen to AD Users who had local administrator access to the Mac (In the AD Bind settings on the mac, there's a section for assigning AD Users to the local admins group). When I removed the AD User from the AD group that was assigned local admin privileges (and waited for AD replication), I was able to log in without the issue!


  • July 31, 2013

Between 10.8.4 and removing all Windows Server 2003 DCs, this has been resolved for my org as well.


  • New Contributor
  • August 2, 2013

I'm having this exact same problem johnklimeck described at the beginning with a brand new iMac running 10.8.4 joining an Active Directory 2008 domain. I've tried all of the suggestions listed in this thread with no success. My older iMacs running Snow Leopard that have been on the domain for 3 years are working fine. No account name conflicts between the local system and AD. Right now the system is being used to develop a template for an 18 station lab so all the work is being done by hand.

Any other suggestions on what to try?

I should add that for about the first 15 seconds after a restart, there is a notice at the login screen that "Network Accounts are Unavailable" but then it goes away and when I go Login Options>Directory Utility, everything looks good.


  • New Contributor
  • August 13, 2013

I'm having this exact same issue as originally posted.

AD 2008 R2 OS X 10.8.4

I can log in as most AD accounts. The account that I need to use is not logging in all the way. Question marks on the Dock, bouncing Finder on the Dock. When I attempt to open Notes or Mail, I get an error that the Library needs to be repaired. It's not creating a Home Folder under /Users.

I have tried everything listed above. Does anyone else have any ideas?


  • New Contributor
  • August 14, 2013

I found a resolution to my issue if anyone stumbles across this.

First I had to disable the option to create a mobile account upon login in the Active Directory settings in OS X. This allowed me to get the user logged in, but the mobile account creation would fail.

Second, follow these steps:
  1. Delete the old user if that user exists on the client system.

  2. Test to make sure the system is properly bound to Active Directory.

  3. Login as the local admin and run the following command in the
     Terminal:
     sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n userid -v

     Remember this will require a password and will not return any visual
     output when the keys are pressed.

  4. Log out the local admin.

  5. Log in as the Network user.

  6. To configure the syncing service go to System Preferences >
     Accounts and click on the Settings button. This will be grayed out
     with users who are not set up with a network home directory.

Hope this helps.


  • New Contributor
  • November 3, 2014

Follow these steps, paying special attention to 7-10; that is what tripped me up.

  1. Open System Preferences and click Accounts.

  2. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

  3. Click Login Options, then click Join or Edit.

  4. Click Open Directory Utility.

  5. If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.

  6. Click Services.

  7. In the list of services, select Active Directory and click the Edit (/) button.

  8. If the advanced options are hidden, click Show Advanced Options.

  9. Click User Experience, then click “Create mobile account at login,” and optionally click “Require confirmation before creating a mobile account.”

  10. If both options are selected, each user decides whether to create a mobile account during login. When a user logs in to Mac OS X using an Active Directory user account, or when logging in as a network user, the user sees a dialog with controls for creating a mobile account immediately.

  11. If the first option is selected and the second option is unselected, mobile accounts are created when users log in.

  12. If the first option is not selected, the second option is disabled.

  13. Click OK.