Jamf Nation Community

Is there a local home folder for that account? If so, who owns it's contents and what are the permissions?

I enroll the mac reboot it and get that error. I have done plenty of macs and this error just started yesterday on mine account and our other tech. our username is from Active Directory. When I first set up the mac i just create an Admin account just to get into it for the 1st time, enroll it, reboot it, then try to log in with AD account.

I have seen this issue when "Use UNC path from Active Directory to derive network home location" is enabled in the AD settings in Directory Utility. We had domain trust issues between a few of our domains at my last gig, and this was definitely a problem when trying to log in with credentials from an un-trusted domain.

Whenever I've seen this error, it was always related to the home folder. I'd go into AD and check the folder path of their home folder, and double-check to make sure the user has permissions to the folder and that the folder actually exists. As a test, you can remove the home folder from AD and try again. If you can log in after removing the home folder from AD, that definitely tells you whether or not the home folder is the issue.

Kill your Use UNC path.

We use the UNC path to map users documents on the dock on a mac that are being stored on a server. It's weird this just started happening.

We started getting this when we were starting to use mobile accounts for a secure login implementation that we are testing and is coming up. We had to do what Jared also mentioned and it resolved the issue.

We also found the Use UNC path for home folder setting to be very problematic and disabled it long ago. In addition to not allowing logins on occasion, we also saw cases of extremely long (like 6+ minutes) logins occurring for Macs off the network, frustrating our users. More trouble than its worth, so that setting is off and will not go back on here.

So question,
What are you all doing if you unchecked use UNC path? Are you running a separate script to mount the home folder?

Gabe Shackney
Princeton Public Schools

@gshackney we're doing this.t

@gshackney …we don't. Users either mount it themselves or they don't use it. Which we're angling for the latter, because we're trying to move away from network home folders.

I've noticed this issue on very rare occasion with some of our machines, but a reboot and trying to login again resolved it for us.

Do you use another piece to add their folder back to the dock? Dock util perhaps?

Gabe Shackney
Princeton Public Schools

OK, we had a LOT of issues with this today with our students. Forgive my ignorance, but if we disable the "Use UNC to Derive ..." checkbox in Directory Bindings on the JSS, how will this effect users? Will they have to manually access their network share folder? Will their network folder not appear in the dock?

I just know we have some unhappy teachers and I'd like them to be happy, but I don't want to remove functionality that we've had previously before using Casper ...

Thanks to @bentoms we are starting to rollout an Application & LaunchAgent for our Faculty and Students for mounting their respective network shares at Login (or manually via the application). Works like a charm and is a lot better than having to explain to someone to do a Command + K to connect to our fileserver.

@EliasG, just wanted to share a process I just recently stumbled upon which is currently working for us with AD and mobile accounts. Before I explain, see our working settings below:

Active Directory Forest          = ourdomain.com
Active Directory Domain          = ourdomain.com
Computer Account                 = mycomputer$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Disabled
  Use Windows UNC path for home  = Enabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = OUR_ADMIN_GROUPS
  Authentication from any domain = Disabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 0
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

I followed @bentoms instructions for creating an Applescript application to mount the correct network directory for the user logging in and the Launch Agent to run the application automagically.

Initially based on the suggestions here, I disabled the Use UNC path setting via policy given we were getting the same error message that "User cannot be logged in at this time". However, when I tried logging in with several test AD accounts on a freshly imaged machine I kept getting an error saying that "OSX needs to repair your library to run applications".

Looking a bit closer, I noticed that while the test AD accounts were indeed logging in, a local home directory was not being created in the Users folder on the machine. In System Preferences, too, in Users & Groups, rather than seeing a Settings button for the mobile account I was logged in as, it said Create. So it appeared to not be actually creating the local mobile account. It was doing this just fine before I made this change ...

Running a dsconfigad -show in Terminal I realized that there were two pertinent settings related to home directories - one for determining the UNC path and another for actually mounting the network home folder as a sharepoint. While the UNC path is a checkbox option within Directory Bindings on the JSS, the option for mounting the network home folder as a sharepoint is not, oddly enough. So I changed this manually with a dsconfigad -sharepoint disable in Terminal.

After logging in a second time with the previously tested AD test accounts, it did not give me the "cannot be logged at this time" error, it successfully created the mobile account locally on the machine, and the Launch Agent for mounting the logged in user properly mounted the test user's network folder.

Perhaps this is not the same issue you were experiencing, but for us given my tests and results it appeared the issue was not with the UNC path per-se but when both UNC and mounting a user's home directory as a sharepoint were enabled when a user was logging on a machine for the first time.

UPDATED

This did not end up resolving our issue as we previously thought and had tested. We still see the "user cannot login at this time" message.

We don't mount folders, we sync them instead.