Anyone using OS 10.8.2 and Active Directory, and successful login and account creation

johnklimeck
Contributor II

Is anyone having success with this, or is most everyone still using OS 10.7.5?

Can successfully bind a clean 10.8.2 image with dsconfigad, mobile enable, to Windows AD 2008 R2, all is good there.

Can log in with a valid AD user, but OS X does not really finish the process. The Finder hangs (Finder icon bounces in the dock, no Apple menu bar, and question mark icons in the dock). The local account is never created; can log in as admin and check with dscl, no user, no home directory.

This does not happen in 10.8.0, or 10.7.5 (separate issue and topic thread for 10.7.5).

Total deal breaker for us. Have logged a bug with Apple and spoken to an Apple engineer. Can reproduce every time, and this is not the OS X image: a brand new image downloaded directly from Apple (Recovery HD) on an i7 MacBook Pro.

Thx,

John K


nkalister
Valued Contributor

It's working fine here with mobile accounts that do not sync. Are you trying to sync the home dirs? Also, posting the output from dsconfigad -show could help us troubleshoot this with you . . .

UESCDurandal
Contributor II

We've just started rolling out AD binding to our organization so all of our users are running 10.8.2. Haven't seen the issue you're describing. I'm also running the Golden Triangle with our Open Directory Master, but I've also logged into AD users without binding to OD and have been fine.

I use System Preferences and Directory Utility to bind existing Macs, and then I've used the binding objects in Casper Admin for newly imaged Macs.

johnklimeck
Contributor II

Appreciate it guys, throwing us for a loop.

Here is dsconfigad -show (does not look like anything unusual)

Active Directory Forest = domainname.local
Active Directory Domain = domainname.local
Computer Account = mbp15-1113$

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Disabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = not set
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

bentoms
Release Candidate Programs Tester

What happens if you set the below to disabled & then try?

Use Windows UNC path for home = Enabled

CypherCookie
Contributor

Hi All,

We are currently using Casper 8.62 with our machines running 10.8.2 and our users logging in via AD.

We have used Casper to bind the Macs and have had a couple of issues with this:

1) sometimes admin accounts login with managed mobile profiles instead of admin rights.
2) we are noticing some machines are not allowing users to log on and then randomly allowing them to then logon.

We are currently troubleshooting these issues and believe the following are the reasons:

1) Mobile accounts etc. are controlled via AD; we are trying to figure out why sometimes users get admin rights and sometimes don't.

2) This issue could be to do with a combination of network switch and DC problems; we are currently looking into our infrastructure to try and find the problem.

charles_hitch
Contributor II

Works well here. We had to disable "Authentication From Any Domain" to get it to work though. Also disabled "Use Windows UNC path for home".

alexjdale
Valued Contributor III

Works pretty well here too, with all versions of 10.8. We also had to disable "Use Windows UNC path for home" since that would cause some user logins to fail.

We do see rare login issues with some users/sites, but 99% of the time it works 100% of the time.

UESCDurandal
Contributor II

@alexjdale - I too was having issues with logins when "Use Windows UNC path for home" was checked. I found that the problem stemmed from a bad path in their AD profile tab. So long as there is a folder at that path and the user has permission to read/write then we could login.

We want to keep it that way as to mimic how our PCs behave.

bentoms
Release Candidate Programs Tester

We mount all drives @ login using an AppleScript app I've written, including the Profile drive.

This was due to http://support.apple.com/kb/HT4829

Maybe it's the same issue?

johnklimeck
Contributor II

OK, here's the update.

Used the above suggestions:

- disabled "Use Windows UNC path for home"
- disabled "Mount home at Sharepoint"
- disabled "Authentication from any domain" (since there is a legacy AD domain, and we do not want users being authenticated to that old domain, only the new domain (AD 2008); apparently there are issues in that scenario)

There is another thing. We have new Exchange 2010 and those AD users are being migrated to Exchange 2010 and to the new AD 2008 domain. Most AD users were actually created in that old AD domain and are being authenticated against that old domain, and there is something about "SIDs", Microsoft System IDs, and information can be coming from those old SIDs.

My AD user account logs in fine. But at least one of my test AD accounts (that were brand new users created in the new 2008 AD domain), still gets this weird issue.

It must be something related to a specific AD user, and /or Mac OS 10.8.2. It does not happen all the time.

I'll keep testing. I am just wondering what to do if we roll this out and get this non functional login / user template for a user when we do our AD rollout next month. Is there something we can do on the AD 'Users' side. My AD knowledge is not deep enough to know what to look for.

Of course only seeing this in 10.8.2, not 10.7.5

Apple is aware. Have logged a ticket / bug. No return call yet. Over 48 hours.
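The three settings John and others above ended up disabling can be checked without clicking through Directory Utility. The script below is an added example, not code from the thread: it reads a `dsconfigad -show` dump, compares the settings the posters changed (UNC path, sharepoint mount, any-domain authentication, local home) against the configuration the thread converged on, and prints the `dsconfigad` command that would flip each one that differs. The `-useuncpath`, `-sharepoint`, `-alldomains` and `-localhome` flags are real `dsconfigad` options; the sample dump is constructed in the layout of John's posted output, with placeholder domain names.

```shell
#!/bin/sh
# Added example, not from the thread: audit a `dsconfigad -show` dump for the
# settings the posters changed and print the dsconfigad command for each one
# that differs from the working configuration. Sample dump is constructed.

# Constructed sample in the layout of the posted `dsconfigad -show` output
SAMPLE_SHOW='Active Directory Forest = domainname.local
Active Directory Domain = domainname.local
Computer Account = mbp15-1113$
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Disabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow'

# setting_value DUMP KEY -> value of KEY ("Enabled", "smb", ...), empty if absent
setting_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2 = //p"
}

# audit_ad_settings DUMP -> one "sudo dsconfigad FLAG STATE" line per setting
# that differs from the configuration the thread ended up with; prints nothing
# when the dump already matches
audit_ad_settings() {
  dump=$1
  # key|dsconfigad flag|wanted value
  printf '%s\n' \
    'Use Windows UNC path for home|-useuncpath|Disabled' \
    'Mount home as sharepoint|-sharepoint|Disabled' \
    'Authentication from any domain|-alldomains|Disabled' \
    'Force home to startup disk|-localhome|Enabled' |
  while IFS='|' read -r key flag wanted; do
    actual=$(setting_value "$dump" "$key")
    if [ -z "$actual" ]; then
      echo "# $key: not in dump, is the Mac actually bound?"
    elif [ "$actual" != "$wanted" ]; then
      # dsconfigad takes enable/disable: "Disabled" -> "disable"
      state=$(printf '%s' "$wanted" | tr '[:upper:]' '[:lower:]' | sed 's/d$//')
      echo "sudo dsconfigad $flag $state"
    fi
  done
}

# On a Mac, audit the live binding; elsewhere, exercise the constructed sample
if command -v dsconfigad >/dev/null 2>&1; then
  audit_ad_settings "$(dsconfigad -show)"
else
  audit_ad_settings "$SAMPLE_SHOW"
fi
```

Run on the sample it prints `sudo dsconfigad -useuncpath disable` and `sudo dsconfigad -alldomains disable`, the two settings John turned off; sharepoint and local home already match and are skipped. Running it on each imaged Mac before the first AD login is a cheap way to catch a bind that came through with Apple's defaults instead of the intended ones.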

CypherCookie
Contributor

Thanks for the update John, it's interesting that you are seeing this issue in 10.8.2 and not in 10.7.5!

What did you look for to say that the error was definitely with 10.8.2? or was it just a case of this error is only appearing on the newer machines?

tkimpton
Valued Contributor II

@bentoms ditto at using an applescript for that reason

robert_mullins
New Contributor

Seeing this in my environment also,
not happening with 10.7.5
Also not happening with machines upgraded from 10.6.8 or 10.7.4 ..... :(
HELP!

G-Lo
New Contributor III

Just curious, but are you able to BIND successfully through the GUI?

Lhsachs
Contributor II

What I have found imaging with Casper 8.62, installing Mac OS X 10.8.2 (build 12C54) and binding to Active Directory with the native Casper binding:
The system binds to Active Directory but with Apple's default settings, NOT the settings I have for AD. If I unbind from AD and use Casper Remote to set up AD, the settings come in the way I want them. I now have a script, based on one here: https://jamfnation.jamfsoftware.com/discussion.html?id=5891 that will set the machine bound to AD with the settings I desire for AD. I'm working on getting it to run after the Mac has bound to AD...

If I image the same system (using the same netboot image) with 10.7, the AD settings come in properly...

Not applicable

Bump. Still seeing inconsistent 5200 and 5202 errors with 10.8.2; same AD bindings working fine with 10.6.8.

Fresh install of 10.8.2 onto a blank drive: can't bind from Users & Groups > Login Options. Binds successfully from Directory Utility with Create Mobile checked; logging in from an AD account causes the aforementioned Finder hang. Reboot, same thing. Can't unbind the Mac using any method, including dsconfigad.

bentoms
Release Candidate Programs Tester

Working fine for me. :( sorry!

nkalister
Valued Contributor

Hmm . . . people having problems: are you all on .local domains like John?
I haven't seen any of these issues with 10.8.2 at ALL, but my domain is not configured as .local.
And have any of you besides John opened an AppleCare case on it? If you can't unbind with dsconfigad, Apple should have something to say about that . . .

johnklimeck
Contributor II

Update. Opened case with Apple, basically of very little help.

Centrify Express / Direct Control works perfectly, and I love all the command line tools, and their Account Migration app. So far we have done almost 150 bindings with Centrify (AD 2003 to AD 2008), and maybe one or two I have had to rebind. If there is an issue with logging in, it's almost always on the AD account side: password, acct expiring, migration not done completely, etc.

It seems an issue with 10.8.2. Incidentally I thought the 10.8.3 betas would fix it, nope (12D61), not in my AD env.

Still get the Finder, menu bar hang. (with Apple's plug-in)

nkalister
Valued Contributor

That's so weird . . . I'm up to 113 10.8.2 client machines managed, not a single one has had a binding issue with the Apple plugin. I'm really curious if the others having problems are on .local domains as well.

ernstcs
Contributor III

I'm afraid I'm not seeing an issue with 10.8.2 and the native AD binding, and it being handled by the Casper 8.62. I have a random issue here and there, but nothing ever in mass. Haven't for as far back as I can remember using the native AD plugin, which is a long time it seems. My beard is going white...

shakim
New Contributor III

No issues with 10.8.2 and "Beta 10.8.3" using the Native AD Plugin in our AD Environment.

johnklimeck
Contributor II

"No issues with 10.8.2 and "Beta 10.8.3" using the Native AD Plugin in our AD Environment. "

Are you a .local domain? AD 2008?

franton
Valued Contributor III

Let me also confirm that 10.8.2 with the bind completed by Casper is working here too. (actually we've had a few teething problems lately but that was probably caused by our datacentre blow out this morning)

dlondon
Valued Contributor

I've seen this sort of message when manually adding machines to our Active Directory domain.

Domain Functional Level: WIndows Server 2003
Forest Functional Level: Windows Server 2003

OS X 10.8.2 but also with 10.7 and even 10.6

The message I see is:
Unable to add server.
Authentication server encountered an error while attempting the requested operation. (5202)

I usually authenticate as DOMAIN\username and then password, but when I get that message I try the fully qualified account name, i.e. username@my.fully.qualified.domain.name, e.g. fred@someschool.edu. It then joins with no problems.

Usually things go like this for some months and then the DOMAIN\username works again. I've brought it up with our server team but they don't know what causes it.

Regardless - have you tried using a Fully Qualified user name?

maiksanftenberg
Contributor II

John, we came across a similar issue at the beginning of our AD implementation.
We have a different setup than it should be in AD.

Question: Is the domain really .local?

We were unable to bind OS X 10.7 and 10.8 clients.
Windows clients in the same network segment were able to connect without any problems.

We ended up using Centrify Express to bind our machines to AD.
http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp

It is working fine for us.

maiksanftenberg
Contributor II

see post above...

johnklimeck
Contributor II

Yes we are company.local (which Apple says there could be issues, and we have seen them).

So Centrify it is for us as well. It just works.

DeanaE
New Contributor

We just set up a new lab yesterday using the Casper AD and have the same problem with no task bar and finder hanging. Computers are 10.8.2 and we are .local on our district network. Would like to know how to resolve this.

alex_merenyi
New Contributor II

I've had no problems with AD and 10.8.2, but our domain isn't .local. Nothing has changed for us since 10.6.8.

johnklimeck
Contributor II

DeanaE,

As I say above, I tested this for a few weeks in an AD 2008 env, .local. I wanted to see the Apple native AD plugin work, but it did not.

I got the Finder / Menu Bar hang, every time. I can reproduce the bug every time. Apple called us back a few times, but was of very little help. Apple finally admitted to us that they could reproduce the bug, yet the latest 10.8.3 beta builds still do not fix the issue.

Centrify Express / DC works perfectly. That's what we are using.

sudhaker
New Contributor

Hi,

I have just configured AD and successfully logged in on my MBP with 10.8.2.

We are using .local domain.

Actually I tried to do the binding long back and had a call with Apple support but they were of little help; they just told me that Macs cannot be configured on AD for .local and closed the ticket.

Now yesterday I tried a different scenario and it worked. Here is what I did.

The Domain was configured on "company.local" hosted on server "domainserv.company.local".

When I clicked "Join" the popup asked for the address of the server (previously I tried to configure and bind the Mac using "Directory Utility" and was just supplying "domain.local" all the time, but now it was not needed).

Here, instead of giving "company.local", I gave the complete machine name, which is "domainserv.company.local"; it asked for the Domain Admin login. Boom, everything was automatically configured.

I did not face any issues related to Finder hanging as John was facing.
But hey, that's not it.

I am facing a problem while trying to sync to the network home. It says "The Sync could not complete because your network home at "(null)" does not allow writing." and the "Settings" option for Mobile Account is disabled for the current user in "Users & Groups".

Apart from this everything else is working fine with me.

Let me know if you need the "dsconfigad" output for inspection.

Sudhaker

maiksanftenberg
Contributor II

A quick comment on that.

As we still have a test AD environment, I created a new .local domain and saw the same issues as described above, with hanging toolbar and general binding issues.
Giving the full server name worked.
But it should be a workaround.

And remember that .local is reserved by Apple to be used by Bonjour.

I highly recommend to use a different suffix like .corp on the end or other (.intern) or else. With this settings we don't run into any issues.

sudhaker
New Contributor

Hey Maik,

Were you able to sync your home directory after you log in using a domain user?
I am still not able to get it working.

Not applicable

10.8.3 definitely didn't fix this for me. Functional AD level is 2003, have both a 2003 and a 2008 AD server, not a .local domain.

New iMac shows as bound:

sh-3.2# dsconfigad -show
Active Directory Forest = grey.global
Active Directory Domain = jbrown.grey.global
Computer Account = chi1adg25079$

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Disabled
Network protocol to be used = afp
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = NTJBROWN\domain admins, NTJBROWN\enterprise admins
Authentication from any domain = Disabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

Logging in with an AD account will get a password reset notification, if the account is inside the change interval, but still the Finder never launches / no new home folder bug. Wildly inconsistent as I've bound half a dozen laptops over the last three weeks with no backend changes.

bentoms
Release Candidate Programs Tester

Hey, I know that domain!

I used to work for Grey London. Reach out there to a guy called James Burnett... He may be able to advise.

Not applicable

Crazy enough but after shutting the new iMac down and reconnecting, but this time on a 100bT instead of gigabit Ethernet connection, it bound fine.

tjahn79
New Contributor

johnklimeck, I have had the same issue with my .local domain. I ended up using Centrify for my initial deploy. However, after further testing, I did discover a way to make the freezing Finder issue go away. What led me down the home folder path was this:
The Dock worked, Launchpad worked, I could launch Terminal from Launchpad, running "cd ~" resulted in "Home folder not found." The Finder was crashing because it didn't have a home folder to read the desktop from or write recent items to. Details:
Successfully bind a machine
In *Active Directory* open your directory user's Properties
Click on the Profile tab
In Local Path enter: C:\Users
Hit OK

This seems to show OSX where to put the home folder. It has worked on several accounts that I have tried it on.
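The Profile-tab step tjahn79 describes is a per-user attribute change, which is easier to audit and apply in bulk as data than by clicking through ADUC. The script below is an added example, not code from the thread: given an ldapsearch-style dump of one AD user, it decides whether the home-folder attribute needs setting (blank, as in the accounts above, or a UNC path, which would reintroduce the network-home lookup the thread disabled) and emits the LDIF that sets it. It assumes that ADUC's "Home folder: Local path" box writes the user's `homeDirectory` attribute; the DNs, attribute dumps and server name are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an AD user's homeDirectory
# needs the "Local path" value tjahn79 set, and emit the LDIF to set it.
# Assumption: ADUC "Home folder: Local path" == the homeDirectory attribute.
# Sample dumps are constructed; DNs and server names are placeholders.

# Constructed dump for a user whose Profile tab is blank (the case in the thread)
SAMPLE_USER_NO_HOME='dn: CN=Test User,OU=Staff,DC=company,DC=local
sAMAccountName: testuser
userPrincipalName: testuser@company.local'

# Constructed dump for a user who already has a local path set
SAMPLE_USER_WITH_HOME='dn: CN=Jane Doe,OU=Staff,DC=company,DC=local
sAMAccountName: jdoe
homeDirectory: C:\Users'

# attr DUMP NAME -> first value of attribute NAME, empty if absent
attr() {
  printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# needs_local_path DUMP -> true (0) when homeDirectory is blank or a UNC path;
# false (1) when it is already a local drive path such as C:\Users
needs_local_path() {
  home=$(attr "$1" homeDirectory)
  case $home in
    [A-Za-z]:\\*) return 1 ;;   # local drive path: nothing to do
    \\\\*)        return 0 ;;   # UNC path: the network-home lookup the thread disabled
    *)            return 0 ;;   # blank or anything else: set it
  esac
}

# local_path_ldif DUMP PATH -> LDIF modify record setting homeDirectory to PATH
local_path_ldif() {
  dn=$(attr "$1" dn)
  printf 'dn: %s\nchangetype: modify\nreplace: homeDirectory\nhomeDirectory: %s\n-\n' "$dn" "$2"
}

# Review the change for the sample user. Against a real DC the dump would come
# from ldapsearch and the LDIF would be piped into, e.g.
#   ldapmodify -H ldaps://dc.company.local -D admin@company.local -W
if needs_local_path "$SAMPLE_USER_NO_HOME"; then
  local_path_ldif "$SAMPLE_USER_NO_HOME" 'C:\Users'
fi
```

Review the generated LDIF before applying it: the script only touches `homeDirectory`, so a user whose Profile tab already has a working local path is left alone, and a UNC value is flagged for change rather than silently kept.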

aldencates
New Contributor
"Details: Successfully bind a machine. In *Active Directory* open your directory user's Properties. Click on the Profile tab. In Local Path enter: C:\Users. Hit OK. This seems to show OSX where to put the home folder. It has worked on several accounts that I have tried it on."

We are using a .local domain, but we bind our Macs to AD only for account verification, not for home folder storage. This seems to happen randomly, but we're on a mix of 10.7.5 and 10.8.4. I'm assuming making the change in AD for the user will tell OS X to place the home folder on the AD server? When binding to AD we tick the following boxes in Directory Utility:

[x] Create Mobile Account
[x] Force local home directory on startup disk (greyed out)
[x] Default User Shell: /bin/bash
[x] Allow administration by: domain admins, enterprise admins

Profile path in AD profile properties is blank.

Any help would be appreciated!