Posted on 12-07-2010 10:31 AM
Perhaps this topic is not entirely Casper Related….
I have a user who cannot log in to AD-bound Macs but can log in to AD-bound Windows PCs. I am trying to figure out where to get authentication logs on the Mac; perhaps that will give me some clue as to what is going on.
Your input will be greatly appreciated.
Cheers
Cem
Posted on 12-07-2010 12:44 AM
We had a similar problem at a small(ish) shop where there were NTP issues. The Wintel team sent us these links. I believe AD has a 5-minute skew tolerance:
http://articles.techrepublic.com.com/5100-10878_11-1060499.html
http://technet.microsoft.com/en-us/library/dd262034.aspx
For some environments where NTP is flaky, we found this KB addresses the issue. It's a band-aid but...
http://support.apple.com/kb/TA24116
Don
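As an added illustration of the skew tolerance mentioned above (example code written for this page, not something posted in the thread): Kerberos compares the client's clock with the domain controller's in UTC, with a default tolerance of five minutes, so a Mac whose wall clock reads the right time in the wrong time zone is still hours out and will fail even though the display looks correct. The timestamps, the five-hour wrong-zone case and the helper names below are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Default maximum clock skew that Kerberos (and AD's "Maximum tolerance for
# computer clock synchronization" policy) will accept: five minutes.
MAX_SKEW = timedelta(minutes=5)


def clock_skew(client_time: datetime, dc_time: datetime) -> timedelta:
    """Return the signed skew (client minus DC), computed in UTC.

    Both values must be timezone-aware. Naive datetimes are refused on
    purpose: a client whose wall clock "looks right" but carries the wrong
    zone offset is exactly the fault this check is meant to expose.
    """
    for label, value in (("client_time", client_time), ("dc_time", dc_time)):
        if value.tzinfo is None or value.utcoffset() is None:
            raise ValueError(f"{label} must be timezone-aware")
    return client_time.astimezone(timezone.utc) - dc_time.astimezone(timezone.utc)


def skew_verdict(client_time: datetime, dc_time: datetime,
                 tolerance: timedelta = MAX_SKEW) -> Tuple[bool, timedelta]:
    """Return (within_tolerance, skew) for the given clocks."""
    skew = clock_skew(client_time, dc_time)
    return abs(skew) <= tolerance, skew


def sample_checks() -> Dict[str, Tuple[bool, int]]:
    """Run the check over constructed sample clocks; skew is reported in seconds."""
    # Constructed: the DC says 10:30 UTC.
    dc = datetime(2010, 12, 7, 10, 30, tzinfo=timezone.utc)
    wrong_zone = timezone(timedelta(hours=-5))
    cases = {
        # Two minutes fast: inside the five-minute window.
        "two_minutes_fast": datetime(2010, 12, 7, 10, 32, tzinfo=timezone.utc),
        # Seven minutes slow: rejected.
        "seven_minutes_slow": datetime(2010, 12, 7, 10, 23, tzinfo=timezone.utc),
        # Same 10:30 reading, but the client's zone is set to UTC-5, so in UTC
        # it is 15:30: five hours off although the clock display matches.
        "right_wall_clock_wrong_zone": datetime(2010, 12, 7, 10, 30, tzinfo=wrong_zone),
    }
    results = {}
    for name, client in cases.items():
        ok, skew = skew_verdict(client, dc)
        results[name] = (ok, int(skew.total_seconds()))
    return results


if __name__ == "__main__":
    for name, (ok, seconds) in sample_checks().items():
        print(f"{name:30s} skew={seconds:+6d}s {'OK' if ok else 'TOO FAR'}")
```

When checking a real Mac, compare the values `date -u` reports on the client and on a domain controller rather than the local-time displays; the third case above is what a mismatched time zone looks like to Kerberos.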
Posted on 12-07-2010 10:43 AM
Have you tried to unbind one of the Macs and rebind it?
Patrick Bachuwa
Desktop Engineering Applications
Sears Holdings Corporation
Michigan Campus
3000 W. 14 Mile Road
Royal Oak, MI 48073-1717
Phone: 248 637-0350
Posted on 12-07-2010 10:48 AM
Is your Kerberos fine?
The Mac uses Kerberos to log in.
Is the AD in the search settings?
At what stage does it fail?
Login window shake?
Does it give an error saying you can't log in at this time?
Do you get the "network accounts available" on the login window?
Criss Myers
Posted on 12-07-2010 10:49 AM
To be honest, I don't think I will need to do that, as the user has tried to log in to several different Macs on which all the other users can log in OK. I have also tried my test AD account as a fresh login (not cached) on all the Macs too.
Posted on 12-07-2010 10:53 AM
Have you checked the user's UNC path? Can it access their home area server?
If it can't mount their home drive it can't log in.
Check permissions.
Criss Myers
Posted on 12-07-2010 10:53 AM
We have seen this before as well and that's what we tried and it seemed to work. Also you may want to change the client's domain password.
Patrick Bachuwa
Desktop Engineering Applications
Sears Holdings Corporation
Michigan Campus
3000 W. 14 Mile Road
Royal Oak, MI 48073-1717
Phone: 248 637-0350
Posted on 12-07-2010 10:56 AM
All good… Kerberos, search settings…
Yes login window shakes
Posted on 12-07-2010 10:57 AM
Go into Terminal on a working "bound" Mac client and do a: id user_name
Replacing user_name with the user who cannot log in, you should get information back about group membership and user ID; if you get nothing back then it is possible that either the user account doesn't exist or there is some other issue with the account in AD.
Hasaan
Posted on 12-07-2010 10:58 AM
Is the time (timeserver) set properly? If they are +/- 7 minutes from the DC it won't sign in. There are directory service logs and system logs in /private/var/log (or use Console if you can get into the system).
John Wojda
Lead System Engineer, DEI
3333 Beverly Rd. B2-338B
Hoffman Estates, IL 60179
Phone: (847)286-7855
Page: (224)532.3447
Team Lead: Matt Beiriger
<mailto:mbeirig at searshc.com;jwojda at searshc.com?subject=John%20Wojda%20Feedback&body=I%20am%20contacting%20you%20regarding%20John%20Wojda.>
Mac Tip/Tricks/Self Service & Support <http://bit.ly/gMa7TB>
Posted on 12-07-2010 11:09 AM
Window shake means it can't authenticate,
so either wrong ID, wrong password, or it can't search the AD.
If others can log on then it's a user error; not permissions but authentication.
If no users can log in, check time skew; you may have to unbind and rebind, as the AD domain controller is not acknowledging the client.
Criss Myers
Posted on 12-07-2010 11:12 AM
I get weird issues myself with our AD; normally if I try 3 times it logs in, but I get an error message with that. If it shakes, a reboot fixes it.
Log in as a local user and check it can read the AD, then try to mount the user's home folder via Connect to Server to show it can authenticate.
Criss Myers
Posted on 12-07-2010 11:44 AM
You want logs? Check the answers at the bottom from MacFirst regarding enabling log levels:
http://www.experts-exchange.com/Apple/Operating_Systems/OS_X/OS_X_Server/Q_26211858.html
Start there.
The other issues people have suggested would be OK if no one could log in to the box from AD: the issues with the time server, etc.
A single user is something else, with their account in AD itself, so you really need the logs.
/Library/Logs/DirectoryService/
Craig Ernst
Posted on 12-07-2010 01:08 PM
In AD, make sure the user account path matches exactly what it should be. PCs don't care about capitalization, but Macs do, at least in our environment. We've had this issue over the years for a few users; it was always a capital letter showing as lower case or vice versa somewhere in the path.
Posted on 12-08-2010 05:14 AM
We had similar issues with Macs bound to AD where the customer lost the ability to log in. Here is the fix we applied:
Try this. It does not hurt.
Rafael
Posted on 12-08-2010 05:23 AM
One more, unconventional fix to try:
I have had success by:
1. Logging in as admin.
2. Toggling "Allow guests to log in..." in the Accounts pref pane.
3. Logging out and logging back in as admin.
4. Toggling the guest setting back to what you want it to be (in our case, we do not allow guest access).
5. Logging out of admin.
The user that was not allowed to log in is now able to log in with no issue.
This worked for about 3-5 cases that I came across earlier in the year, but we have not seen one recently. Could be a fix that came out in recent OS updates.
Nick Caro
Senior Desktop Support Administrator
Posted on 12-08-2010 05:25 AM
You don't need to enable the root account; just do a Casper policy to delete that file on startup and initiate a reboot.
That way, if the fix works you can assign it to other computers later as required.
Criss Myers
Senior IT Analyst (Mac Services)
iPhone / iPad Developer
Apple Certified Technical Coordinator v10.5
LIS Development Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054
Posted on 12-08-2010 06:47 AM
You don't need to enable root to do this, but of course you can. I would verify you are actually getting Kerberos tickets. Log in as a local account, then launch the Kerberos ticket app, which I think is called Ticket Viewer, in /System/Library/CoreServices. Once this app is launched, try getting a Kerberos ticket with the user in question. If you are issued a ticket, then make sure all your ducks are in a row: machine is bound, DNS is working properly, etc. Also, if issued a ticket, try to manually map their home folder. If all works well it should mount with no additional authentication.
If you don't get a ticket then, like someone said earlier, check your time/date servers, make sure your Kerberos realm is up and running, and all of those good things.
-Tom
Posted on 12-08-2010 03:09 PM
At the loginwindow enter ">console" (assuming you haven't disabled it via MCX) as the username.
This will drop the WindowServer and then you will get a better idea of what's going wrong during the login process of the AD account.
Also, if you have ssh access you can log in with a local user and issue "sudo killall -USR1 DirectoryService" to put DirectoryService into debug.
It will then write debug logs to /Library/Logs/DirectoryService/DirectoryService.debug.log.
Turn debug off again by issuing the same command, or reboot the Mac.
Cheers,
Lach
Posted on 12-09-2010 04:22 AM
OK, I have found the problem and would like to share it with you all (you may already know this, so forgive me…).
The AD plugin in Mac OS X only allows 1 forest and 1 domain by default. If you have an environment with 1 forest and multiple domains you will need to use this command from Terminal to enable it:
dsconfigad -namespace forest
After this, users will need to log in as below:
domain\username
(not just username)
This helped me in an environment with 10.6.5 client Macs in a 2003/2008 AD.
I really appreciate your time and effort in responding to me and giving me the troubleshooting tips.
Thanks!
Cem
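As an added illustration of the fix Cem reports (example code written for this page; it is not the AD plugin's own lookup logic and was not posted in the thread): a simplified model of why a bare username fails when the account lives in a different domain of the forest than the one the Mac is bound to, and why, once the plugin is switched to the forest namespace, the login has to be qualified as domain\username. The forest contents, the NetBIOS and DNS domain names, and the parse_login_name and resolve_login functions are all constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample forest (not real data): two domains, and the account
# name "cem" exists in both of them.
SAMPLE_FOREST: Dict[str, Set[str]] = {
    "CORP": {"cem", "alice"},
    "LABS": {"cem", "bob"},
}
# Constructed mapping from DNS domain name to NetBIOS name, used for
# user@domain style logins.
SAMPLE_DNS_TO_NETBIOS: Dict[str, str] = {
    "corp.example.com": "CORP",
    "labs.example.com": "LABS",
}


def parse_login_name(name: str,
                     dns_to_netbios: Dict[str, str] = SAMPLE_DNS_TO_NETBIOS
                     ) -> Tuple[Optional[str], str]:
    """Split a login name into (NetBIOS domain or None, user).

    Accepts DOMAIN\\user and user@dns.domain; a bare name has no domain.
    """
    name = name.strip()
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if not domain or not user:
            raise ValueError(f"malformed DOMAIN\\user login: {name!r}")
        return domain.upper(), user
    if "@" in name:
        user, _, dns = name.rpartition("@")
        if not user or not dns:
            raise ValueError(f"malformed user@domain login: {name!r}")
        netbios = dns_to_netbios.get(dns.lower())
        if netbios is None:
            raise ValueError(f"unknown DNS domain in login: {name!r}")
        return netbios, user
    return None, name


def resolve_login(name: str, namespace: str = "domain",
                  default_domain: str = "CORP",
                  forest: Dict[str, Set[str]] = SAMPLE_FOREST
                  ) -> Tuple[str, List[Tuple[str, str]]]:
    """Model of how a login name is looked up under the two namespace modes.

    namespace="domain": a bare name is searched only in the bound (default)
    domain, which is the default behaviour the post describes.
    namespace="forest": a bare name is not accepted; the candidate domains
    that hold it are reported so the user knows how to qualify it.
    Qualified names (DOMAIN\\user or user@dns.domain) resolve in either mode.
    Returns (status, matches).
    """
    if namespace not in ("domain", "forest"):
        raise ValueError(f"namespace must be 'domain' or 'forest', got {namespace!r}")
    domain, user = parse_login_name(name)
    if domain is not None:
        if domain not in forest:
            return "unknown_domain", []
        return ("ok", [(domain, user)]) if user in forest[domain] else ("not_found", [])
    if namespace == "domain":
        if user in forest.get(default_domain, set()):
            return "ok", [(default_domain, user)]
        # Cem's symptom: the account exists, but in another domain of the forest.
        return "not_found", []
    candidates = [(d, user) for d, users in forest.items() if user in users]
    if not candidates:
        return "not_found", []
    return "needs_domain", candidates


if __name__ == "__main__":
    for login, ns in (("bob", "domain"), ("bob", "forest"), ("LABS\\bob", "forest"),
                      ("cem", "forest"), ("bob@labs.example.com", "domain")):
        print(f"{login:22s} namespace={ns:7s} -> {resolve_login(login, namespace=ns)}")
```

The "not_found" result for a bare "bob" in domain mode is the login-window shake from the original question; the "needs_domain" result in forest mode shows why the post's instruction to log in as domain\username is needed when the same account name may exist in more than one domain.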