"Allow Network Users to login" Missing

perrycj
Contributor III

Little bit of an odd issue. Freshly imaged Mac(s) with 10.9.2 bind correctly (or so it seems) but network users can't login. However, if the AD object is deleted and then they are rebound, everything works as expected.

We are using the standard built-in binding script from our JSS. 98% of the time it works with no issue but the other 2%, on identical Macs, this happens. I say it appears to bind because it shows as bound in Directory Utility, has all the right attributes and appears as an object on the AD side.

The one weird thing is the checkbox in "Login Items" in the Users & Group category that is called, "Allow Network Users to login" is completely missing. Nowhere to be found. But delete the object, rebind, and magically it's there.

I've tried running this:

sudo dseditgroup -o delete -T group com.apple.access_loginwindow

But the result is no group exists, so that didn't help. Any ideas? Has anyone seen this before in their environment?

8 REPLIES

lwindram
Contributor

We have seen this as well and with about the same frequency. Our resolution is the same as yours - delete the Computer Object and rebind. FWIW these objects are identifiable on the AD side by a small down arrow that is superimposed on the object icon.

perrycj
Contributor III

@lwindram Thanks for the response. Yeah, we know how to identify and delete from AD but I'm trying to find exactly why it's happening. Can't seem to get a solid answer.

nateburt
New Contributor III

I don't think we've seen this, but we have intermittent AD login issues when the time drifts small amounts on the client. Not enough to break the domain trust, but communication with the AD fails. Use "ntpdate -q timeserveraddress" before and after a time sync to see what the time drift is, and whether it is connected.

There is a lot of discussion out there about Mavericks (I think especially 10.9.1 & .2) related to Apple's implementation of the Network Time Protocol.

powellbc
Contributor II

We too are seeing this issue, with a much higher frequency than stated here. However, we are not seeing that the newly created computer object is disabled (what the downward arrow referenced above indicates). This is on a Windows 2008 R2 based AD.

In one test case, disabling and then re-enabling the computer object addressed the issue, but this is not a tenable solution long term as this seems to now be affecting the majority of our computers that are bound via the JSS.

I will report any further details I find here.

powellbc
Contributor II

Update: Disabling and re-enabling the computer object was not a fix. The option seems to sometimes just come back with no rhyme or reason.

powellbc
Contributor II

We addressed the issue by recreating the directory binds in the JSS. The newly created binds work correctly and do not exhibit the issue described above.

It seems to me the issue started when we upgraded from 9.5x to 6.62.

pbuttiglieri
New Contributor

Been seeing this issue with 4 Mac minis we have. The issue I have seen is the time of the machine advances on the Mac to where it gets to 10 minutes later than the domain and the handshaking stops. Once the time is corrected and rebooted it has resolved for me. Now to figure out how to set NTP to the domain NTP server.

pbuttiglieri
New Contributor

And just figured out the NTP setting. Thought it was a static drop-down list.
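
An added example, not part of any post in this thread: a shell function that reads the output of the "ntpdate -q" check mentioned above and classifies the drift against the Kerberos clock-skew limit. It assumes the AD default tolerance of 300 seconds; WARN_SKEW, the sample lines and the 10.0.0.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies the clock offset reported by `ntpdate -q`.
# MAX_SKEW: 300 s is the default Kerberos clock-skew tolerance in Active
# Directory (assumption: your domain policy has not changed it).
# WARN_SKEW: hypothetical early-warning threshold.
MAX_SKEW=${MAX_SKEW:-300}
WARN_SKEW=${WARN_SKEW:-60}

# Reads `ntpdate -q` output on stdin; prints "<state> <abs offset in s>".
check_skew() {
    awk -v max="$MAX_SKEW" -v warn="$WARN_SKEW" '
        /^server / {
            stratum = ""; offset = ""
            for (i = 1; i < NF; i++) {
                if ($i == "stratum") { stratum = $(i + 1); sub(/,/, "", stratum) }
                if ($i == "offset")  { offset  = $(i + 1); sub(/,/, "", offset) }
            }
            # Stratum 0 or 16 means no usable answer from that server.
            if (stratum + 0 < 1 || stratum + 0 > 15) next
            a = offset + 0; if (a < 0) a = -a
            # Keep the worst offset when several servers answer.
            if (!seen || a > worst) { worst = a; seen = 1 }
        }
        END {
            if (!seen) { print "UNREACHABLE -"; exit }
            state = "OK"
            if (worst >= warn) state = "WARN"
            if (worst >= max)  state = "FAIL"
            printf "%s %.3f\n", state, worst
        }'
}

# Constructed sample output (10.0.0.10 is a placeholder address).
SAMPLE_DRIFT='server 10.0.0.10, stratum 3, offset 612.345678, delay 0.02579
 4 Apr 10:12:33 ntpdate[1234]: step time server 10.0.0.10 offset 612.345678 sec'
SAMPLE_OK='server 10.0.0.10, stratum 3, offset -0.003412, delay 0.02581'
SAMPLE_DOWN='server 10.0.0.10, stratum 0, offset 0.000000, delay 0.00000
 4 Apr 10:12:33 ntpdate[1234]: no server suitable for synchronization found'

for s in "$SAMPLE_DRIFT" "$SAMPLE_OK" "$SAMPLE_DOWN"; do
    printf '%s\n' "$s" | check_skew
done
# Live use: ntpdate -q timeserveraddress 2>&1 | check_skew
```

Run before binding or from a login-failure triage script; a FAIL or UNREACHABLE result points at time sync rather than the computer object.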