Posted on 03-05-2015 12:34 PM
Hi Nation,
Hoping someone out there can push me in the right troubleshooting direction.
I recently used Migration Assistant to migrate a home folder on a 2011 MacBook Pro running Mavericks into a 2014 MBPr running Yosemite. The new Mac is bound to AD. The problem I'm running into on the MBPr is the user cannot log in with his network credentials when the ethernet cable is plugged in. He can log in when the ethernet cable is unplugged. Same thing when Screen Saver lock kicks in. The user's password only works when the ethernet cable is unplugged.
Other user accounts have no problem logging in when the ethernet cable is plugged in. For giggles, I tried to unbind/rebind the Mac. No luck on that front.
Thanks in advance for your help!
Posted on 03-05-2015 12:56 PM
Ohh, that's a weird one. Given that other users can log in, it doesn't sound like a binding issue. Is this a mobile user account?
Have you checked the account in AD itself to make sure it's not locked out? If not, does AD show login failures for the account when you try to log in with ethernet plugged in? Another thought, try su-ing into the account from another user account, and see if that works. Or try resetting the password via passwd on the local machine.
Posted on 03-05-2015 01:18 PM
More food for thought...
Verified AD account is not locked out. Interestingly, I was able to log in with the user's credentials on another AD-bound Mac. So that narrows down the issue to this user's account on this particular MBPr.
Tried su-ing into the account from my admin account. Unable to su when ethernet cable plugged in. Able to su when ethernet cable unplugged.
Posted on 03-05-2015 01:32 PM
Something is definitely broken for that account, then. Might be interesting to see what the account's configuration is in dscl:
dscl . -read /Users/*username*
I wonder if something in there is out of sync with what's in AD enough to break the link between the two.
An easy solution would be to just move the user's files to a different location of some sort, delete the account on the local Mac, and have them log in again to create a new profile. At that point, they can copy what they want to keep from the old account over from where you have the files saved. Not ideal, but if you don't have a lot of time to troubleshoot...
Posted on 03-05-2015 01:35 PM
Back up the user folder JIC, delete the mobile account but leave the home folder there, unbind/rebind, now log in (and let it take over the existing home dir). Better?
Do users on your wireless network have full access to DCs/the domain? If the answer is no, that might explain why login works on wireless, but not wired...
Posted on 03-05-2015 03:49 PM
@RobertHammen - Wireless does have access to DC/domain but was disabled when attempting to log in. I went with the folder fix.
Steps to fix:
1) Log in with Admin account.
2) Rename user's home folder (ex. BROKENsmithj).
3) Unbind Mac. Reboot. Wait a few minutes for AD replication.
4) BIND Mac. Confirm Mac in AD. Reboot Mac.
5) Log in with user credentials. This creates a home folder (ex. smithj).
6) Log out and log in with Admin credentials.
7) Delete Smith, John user account from Users & Groups. This also deletes the smith user folder.
8) Find BROKENsmithj folder in /Users and rename to smithj.
9) Reboot Mac and log in with John Smith's credentials.
Important to pay attention to your search policy Directory Domains when BINDing. In step 5, I logged in as smithj but desktop looked strange/different. Realized the user name was Jane Smith (smithj). Checked Directory Utility>Search Policy and the search was set for All Domains. So I went back and added just the North America domain and ordered it above All Domains. Then rebooted, logged in with John Smith's creds and found the desktop I was expecting.
Thanks for the assist guys!
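An added example, not part of any post in this thread: the dscl comparison suggested earlier, applied to the short-name collision described in the fix above, where the search policy resolved smithj to a different person. It parses two `dscl -read` outputs and reports identity attributes that differ between the cached local record and the directory record; the EXAMPLE node name and all sample values are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare a cached mobile-account record with the directory record.
# On a Mac the two inputs would come from (node name is a placeholder):
#   dscl . -read /Users/smithj
#   dscl "/Active Directory/EXAMPLE/All Domains" -read /Users/smithj

# Constructed sample output, not taken from a real machine.
LOCAL_REC='RecordName: smithj
RealName:
 John Smith
UniqueID: 1483920114
GeneratedUID: 11111111-AAAA-4AAA-8AAA-000000000001
OriginalNodeName:
 /Active Directory/EXAMPLE/na.example.com'

AD_REC='RecordName: smithj
RealName:
 Jane Smith
UniqueID: 907164233
GeneratedUID: 22222222-BBBB-4BBB-8BBB-000000000002'

# dscl_attr KEY: read dscl -read output on stdin and print KEY's value.
# dscl prints "Key: value" on one line, or "Key:" followed by indented value lines.
dscl_attr() {
    awk -v key="$1" '
        index($0, key ":") == 1 {
            val = substr($0, length(key) + 2)
            sub(/^ +/, "", val)
            if (val != "") { print val; exit }
            grab = 1; next
        }
        grab && /^ / { sub(/^ +/, ""); print; next }
        grab { exit }
    '
}

# compare_records LOCAL DIRECTORY: print one line per identity attribute that differs.
compare_records() {
    for key in RealName UniqueID GeneratedUID; do
        l=$(printf '%s\n' "$1" | dscl_attr "$key")
        d=$(printf '%s\n' "$2" | dscl_attr "$key")
        [ "$l" = "$d" ] || printf 'MISMATCH %s: local=%s directory=%s\n' "$key" "$l" "$d"
    done
}

compare_records "$LOCAL_REC" "$AD_REC"
```

A mismatch in RealName or GeneratedUID for the same RecordName means the short name is resolving to a different directory object than the one the local account was cached from, which is the condition to rule out before letting a login take over an existing home folder.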
Posted on 03-06-2015 08:12 AM
Just an aside - if you leave the home folder behind when deleting the user and DON'T rename it, after you unbind/rebind and try logging in as the user, the Finder should just use the new home directory (assuming the UID/GID didn't change). If they did, it will prompt if you want to "take over" ownership of the folder, and it will set all of the permissions correctly.
Don't know how many times I spent manually chown -R on home directories when the OS (at least starting with Mountain Lion) can take care of it automatically...