Mac - Ad bind established - but unable to login

KRIECCO
Contributor

I have used several new macbooks with deploystudio, where ad bind is done during deployment. For this one pc however, the login option "other user" does not appear.
I have logged in with local admin account and run dsconfigad -show where it looks correct. I have even tried to remove the bind and manually add it again. Everything is working as it should, but afterwards still the "other" login option does not show up

Any have idea what I should do ? - is this anything that somehow must be reset on the computer

14 REPLIES 14

mkolb
Contributor

Hi,

Did you change the Login Options? From "List of users" to "Name and password"? So you won't need "Others" to click..you can just enter username and password to log in with a new user.

KRIECCO
Contributor

well - I could try and change that, but it will be easier for the user just to click on the name when logging in, instead of must type username each time

KRIECCO
Contributor

It say network account unavailable - so something is wrong ?:(

StoneMagnet
Contributor III

@rossoneris Have you logged into your AD console and verified that the machine record for the problematic machine was created in the correct OU? You might also try re-binding the machine to AD (I've also seen some Macs that report they are bound to an AD server, but until I force an un-bind and then re-bind no AD account can log in)

mkolb
Contributor

Do you also have 802.1x in place? This can cause troubles when a new network user wants to log-in for the first time, because at the login-screen, depending on the configuration, it is possible that the client is not authenticated to the network and has no connection.

A more simply reason I saw sometimes: date and/or time on the client weren't correct.

sgoetz
Contributor

Hey all,

First under Sys Prefs -> Users and Groups -> Login Options - Do you have "Allow Network Users to login at login Window" checked. Also if you look in Keychain Access under the System Keychain. Do you see a keychain for the Active Directory you are connecting to - if not, The machine can't talk to AD. Should look something like this: /Active Directory/DOMAIN

Hope that helps,

Shawn OG

tdclark
Contributor

Like @mkolb said, I used to see the date/time being wrong all the time and causing this. It got so bad I just put a weekly policy to reset the time no matter what.

obi-k
Valued Contributor III

If you've check the date and time are correct, unbound and re-binded, try this too:

Go to System Preferences
Users & Groups
Login Options
* Make sure "Allow network users to log in at login window" is checked off

KRIECCO
Contributor

It was actually a time sync issue

But now the really strange thing. I can login with network users - but next time I logon it does not show the user account on the login screen. If I log in with the local admin I can also not see any of the network users listed under users. I tried to login with a brand new user, thas has newer logged in before, but still it does not show. I can see in the users folders on the mac that the account is created - but why are they not showing up?

KRIECCO
Contributor

And by the way - Filevault is NOT enabled and users that are not showing up, even they are listed in the "users" folder on the mac harddrive is network users(even I manage to log in with them). Local users does show up on the login screen

milesleacy
Valued Contributor

When you bind, use the "Create mobile account at login" option.

This is a checkbox in Directory Utility and Jamf Pro. You can enable the function on an already-bound Mac with the following line in Terminal:

sudo dsconfigad -mobile enable

I hope this helps.

KRIECCO
Contributor

Mobile is enabled for the user and also tried and run the command - but it still does not change anything.
can User settings somehow be "reset" - this is so strange.

KRIECCO
Contributor

Ok - I did run the command and restartet, but still not any network user
then I tried to login with the network user and it came up if I want to enable mobile account - and bingo - now it is there.
But strange as Mobile also was listed under the user before, before I did run this command

milesleacy
Valued Contributor

If you don't want to see the confirmation dialog, you can make sure that you don't require confirmation and force the mobile account.

These are checkboxes in Directory Utility and Jamf Pro, titled Require confirmation before creating a mobile account (uncheck) and Force local home directory on startup disk (check).

You can modify these options via dsconfigad like so...

sudo dsconfigad -mobile enable
sudo dsconfigad -mobileconfirm disable

That said, I would recommend transitioning your bind to configuration profiles, if you must bind.

Ideally, I'd recommend an end to binding, however this can involve a long political process of convincing the 'powers that be' that binding is unnecessary and a process of verifying and/or altering things to make it true that an AD bind is not required by any of your org's processes.