Posted on 10-03-2014 11:55 AM
Little bit of an odd issue. Freshly imaged Mac(s) with 10.9.2 bind correctly (or so it seems) but network users can't log in. However, if the AD object is deleted and then they are re-bound, everything works as expected.
We are using the standard built-in binding script from our JSS. 98% of the time it works with no issue, but the other 2%, on identical Macs, this happens. I say it appears to bind because it shows as bound in Directory Utility, has all the right attributes and appears as an object on the AD side.
The one weird thing is that the checkbox in "Login Items" in the Users & Groups category that is called "Allow Network Users to login" is completely missing. Nowhere to be found. But delete the object, rebind, and magically it's there.
I've tried running this:
sudo dseditgroup -o delete -T group com.apple.access_loginwindow
But the result is that no such group exists, so that didn't help. Any ideas? Has anyone seen this before in their environment?
Posted on 10-06-2014 06:24 AM
We have seen this as well and with about the same frequency. Our resolution is the same as yours: delete the Computer Object and rebind. FWIW these objects are identifiable on the AD side by a small down arrow that is superimposed on the object icon.
Posted on 10-06-2014 06:32 AM
@lwindram Thanks for the response. Yeah, we know how to identify and delete it from AD, but I'm trying to find out exactly why it's happening. I can't seem to get a solid answer.
Posted on 10-06-2014 10:07 AM
I don't think we've seen this, but we have intermittent AD login issues when the time drifts by small amounts on the client. Not enough to break the domain trust, but communication with AD fails. Use "ntpdate -q timeserveraddress" before and after a time sync to see what the time drift is, and whether it is connected.
There is a lot of discussion out there about Mavericks (I think especially 10.9.1 and 10.9.2) related to Apple's implementation of the Network Time Protocol.
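As an added example (not part of any post in this thread), a small sh script that parses the output of the `ntpdate -q` check suggested above and flags clock offsets beyond Kerberos' default 5-minute (300 s) skew tolerance, which is the point at which AD logins fail even though the domain trust itself still looks healthy. The time-source addresses and offsets are constructed sample values; in practice you would pipe `ntpdate -q <your-dc>` into `drift_ok`.

```shell
#!/bin/sh
# Added example: detect clock drift large enough to break Kerberos/AD logins.
# Kerberos (MIT krb5 and Active Directory alike) rejects tickets when the client
# clock differs from the KDC by more than 300 seconds by default.
KERBEROS_MAX_SKEW=300

# Read `ntpdate -q` output on stdin and print the largest absolute offset in seconds.
# Assumed line format (standard ntpdate):
#   server 10.0.0.1, stratum 2, offset -0.012345, delay 0.02589
max_abs_offset() {
  awk '
    /^server / {
      for (i = 1; i <= NF; i++)
        if ($i == "offset") {
          v = $(i + 1); sub(/,$/, "", v); v += 0   # strip trailing comma, force numeric
          if (v < 0) v = -v                         # sign only says which side is ahead
          if (v > m) m = v
        }
    }
    END { printf "%.3f\n", m + 0 }'
}

# Exit 0 when the worst offset on stdin is within tolerance, 1 when it is not.
drift_ok() {
  offset=$(max_abs_offset)
  awk -v o="$offset" -v max="$KERBEROS_MAX_SKEW" 'BEGIN { exit (o <= max) ? 0 : 1 }'
}

# Print a one-line verdict for a captured `ntpdate -q` output passed as $1.
check() {
  if printf '%s\n' "$1" | drift_ok; then
    echo "clock within ${KERBEROS_MAX_SKEW}s of time source; AD auth is not skew-limited"
    return 0
  fi
  echo "clock drift exceeds ${KERBEROS_MAX_SKEW}s; Kerberos/AD logins will fail until time is resynced"
  return 1
}

# Constructed samples: a client running ~10 minutes ahead of the domain controller,
# and a healthy client. Real use: ntpdate -q dc01.example.com | drift_ok
SAMPLE_DRIFTED='server 10.0.0.1, stratum 2, offset -612.417390, delay 0.02589
server 10.0.0.2, stratum 2, offset -612.401122, delay 0.02570'
SAMPLE_OK='server 10.0.0.1, stratum 2, offset 0.004211, delay 0.02589'
```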
Posted on 01-13-2015 06:12 AM
We too are seeing this issue, with a much higher frequency than stated here. However, we are not seeing that the newly created computer object is disabled (what the downward arrow referenced above indicates). This is on a Windows 2008 R2 based AD.
In one test case, disabling and then re-enabling the computer object addressed the issue, but this is not a tenable solution long term as this seems to now be affecting the majority of our computers that are bound via the JSS.
I will report any further details I find here.
Posted on 01-13-2015 08:13 AM
Update: Disabling and re-enabling the computer object was not a fix. The option seems to sometimes just come back with no rhyme or reason.
Posted on 01-21-2015 11:30 AM
We addressed the issue by recreating the directory binds in the JSS. The newly created binds work correctly and do not exhibit the issue described above.
It seems to me the issue started when we upgraded from 9.5x to 6.62.
Posted on 02-25-2016 02:47 PM
Been seeing this issue with 4 Mac Minis we have. The issue I have seen is that the time on the Mac advances to where it gets to 10 minutes later than the domain and the handshaking stops. Once the time is corrected and the machine rebooted, it has resolved for me. Now to figure out how to set NTP to the domain NTP server.
Posted on 02-25-2016 02:47 PM
And just figured out the NTP setting. Thought it was a static drop-down list.