Tips - AD corruption in Lion

barber
New Contributor

Anyone got any suggestions? I've had 2 or 3 issues recently where AD on Lion is corrupting; users basically can't log in. I use Casper to bind and this works fine on new and existing Macs without a problem. I've also tried manually binding and this works. I've also removed Macs from the OU in AD before rebinding, etc. When I successfully bind on one of these dodgy Macs, the "network accounts unavailable" indicator disappears after 5-10 seconds at the login screen and I'm also able to run dscl localhost and search through AD. Everything looks fine, but my only solution so far has been to rebuild, which of course works. Anyone got any ideas?

9 REPLIES

barber
New Contributor

Sorry, I should point out that these users have been working fine for a few months now and this isn't tied to a password change.

jarednichols
Honored Contributor

If you crank up the log level on opendirectoryd, that should tell you some more info.

http://support.apple.com/kb/HT4696

nessts
Valued Contributor II

Are you using mobile accounts?
We have a similar problem at one account where the user changes their password, and while connected to the network they use the new password, but when they get home and try to unlock the screen it uses the previous password. I have machines at another account that have no issues, so I wonder if it's some sort of AD setting? The best part is when we changed to the Lion image we convinced the customer that the Apple AD plugin was going to be less headaches than the Quest Auth Plugin was giving us on the laptops, and really both have turned into quite the headache. At least with Quest somebody cared and tried to fix the problems (they only seemed to make it worse), but Apple just does not care unless you have an alliance agreement, and then they slowly seem to care.

barber
New Contributor

Hi nessts, yes we are using mobile accounts.

As suggested by jared, I am now looking at the logs.

I've managed to get hold of a problematic MacBook Pro now so will try and work on it.

ClassicII
Contributor III

nessts, what kind of problems were you having with the Quest plugin? Did you once in a while have the same type of login problems with laptops?

nessts
Valued Contributor II

Yes, at this customer all the machines are laptops so not always connected to the network, and people just randomly cannot log in, cannot change passwords, cannot unlock their screensaver, and fix after fix did not help a bit. The good news was they were at least responsive and tried to fix things; Apple, however, is less than responsive on things that don't affect the normal consumer, it seems at times.

JimAllsop
New Contributor

@nessts did you ever figure out what caused this problem and a solution?

nessts
Valued Contributor II

In the case of Quest, the problem was Quest and the solution is Apple.
With the Apple plugin, sometimes it randomly stops talking to AD, and we have a LaunchDaemon that checks every boot and connection to the production network and rebinds if necessary. No root cause, but I have seen that behavior across many AD domains, so it's probably just something funky in the AD plugin, which seems to happen less and less with newer OS versions.
At the site where we used Quest they are pretty anal about the computer password being refreshed every 14 days, and if not, the computers get moved to a disabled OU, which allows them no access, so rebinding and deleting the old computer record solves that.
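The boot-time check nessts describes, written out as an added example (this is not nessts's LaunchDaemon script nor anything from Casper). It only detects the state and logs it; a non-zero exit is the hook for whatever rebinding policy the site already has, so no AD credentials are embedded. Assumptions: `dsconfigad -show` prints a line of the form `Active Directory Domain = <domain>` when the Mac is bound, `id` can resolve a domain account through the AD plugin, and `AD_PROBE_USER` is a hypothetical domain account used only for the lookup. The parsing and classification are kept in their own functions so they can be exercised with constructed `dsconfigad` output on any POSIX shell; the live check runs only when `AD_CHECK_LIVE=1` is set, since the commands exist only on macOS.

```shell
#!/bin/sh
# Added example: AD bind health check for a Lion Mac, meant to be run from a
# LaunchDaemon at boot / on network change. Detects the "looks bound but the
# trust is broken" case (dsconfigad reports a domain, but directory lookups fail).
# AD_PROBE_USER is a hypothetical domain account; replace it with a real one.

AD_PROBE_USER="${AD_PROBE_USER:-svc_adprobe}"
LOG_TAG="ad-healthcheck"

# Read `dsconfigad -show` output on stdin and print the bound domain, or nothing
# when the Mac is not bound (assumed output format, see lead-in).
bound_domain() {
    sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Classify from the parsed domain and the exit status of the `id` lookup:
#   NOT_BOUND                - dsconfigad reports no domain
#   BOUND                    - domain reported and the probe user resolves
#   BOUND_BUT_LOOKUP_FAILED  - domain reported but lookups fail (broken trust)
classify_state() {
    domain="$1"
    id_status="$2"
    if [ -z "$domain" ]; then
        echo NOT_BOUND
    elif [ "$id_status" -eq 0 ]; then
        echo BOUND
    else
        echo BOUND_BUT_LOOKUP_FAILED
    fi
}

# Live check (macOS only). Logs the result via syslog and returns 0 only when
# the bind is healthy, so a wrapper or policy can decide whether to rebind.
run_live_check() {
    domain=$(dsconfigad -show 2>/dev/null | bound_domain)
    id "$AD_PROBE_USER" >/dev/null 2>&1
    id_status=$?
    state=$(classify_state "$domain" "$id_status")
    logger -t "$LOG_TAG" "domain='${domain:-none}' probe_user=$AD_PROBE_USER state=$state"
    [ "$state" = "BOUND" ]
}

# Only touch dsconfigad/id when explicitly asked, so the functions above can be
# sourced and tested on a non-macOS host.
if [ "${AD_CHECK_LIVE:-0}" = "1" ]; then
    run_live_check
fi
```

Run as `AD_CHECK_LIVE=1 sh ad-healthcheck.sh` from the LaunchDaemon; a `BOUND_BUT_LOOKUP_FAILED` entry in the system log is exactly the silent-breakage symptom discussed in the thread, and it is the point at which raising the opendirectoryd log level (per the earlier reply) gives the most useful data.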

JimAllsop
New Contributor

@nessts thanks for the reply. I am investigating and trying to figure out what is causing our Macs to break the trust with AD and look like they are bound when really they are not anymore.