Posted on 04-13-2012 03:20 AM
Anyone got any suggestions? I've had 2 or 3 issues recently where AD on Lion is corrupting and users basically can't log in. I use Casper to bind and this works fine on new and existing Macs without a problem. I've also tried manually binding and this works. I've also removed Macs from the OU in AD before rebinding etc. When I successfully bind on one of these dodgy Macs, networks unavailable disappears after 5-10 seconds at the login screen and I'm also able to run dscl localhost and search through AD. Everything looks fine but my only solution has been to rebuild so far, which of course works. Anyone got any ideas?
Posted on 04-13-2012 03:24 AM
Sorry, I should point out that these users have been working fine for a few months now and this isn't tied to a password change.
Posted on 04-13-2012 05:00 AM
If you crank up the log level on opendirectoryd that should tell you some more info.
Posted on 04-13-2012 08:12 AM
Are you using mobile accounts?
We have a similar problem at one account where the user changes their password, and while connected to the network they use the new pw, but when they get home and try to unlock the screen it uses the previous password. I have machines at another account that have no issues, so I wonder if it's some sort of AD setting? The best part is when we changed to the Lion image we convinced the customer that the Apple AD plugin was going to be less of a headache than the Quest Auth Plugin was giving us on the laptops, and really both have turned into quite the headache. At least with Quest somebody cared and tried to fix the problems, they only seemed to make it worse, but Apple just does not care unless you have an alliance agreement, and then they slowly seem to care.
Posted on 04-13-2012 09:13 AM
Hi Nessts, yes, we are using mobile accounts.
As suggested by jared, I am now looking at the logs.
I've managed to get hold of a problematic MacBook Pro now so will try and work on it.
Posted on 04-13-2012 08:43 PM
nessts, what kind of problems were you having with the Quest plugin? Did you once in a while have the same type of login problems with laptops?
Posted on 04-14-2012 07:13 AM
Yes, at this customer all the machines are laptops so not always connected to the network, and people just randomly cannot log in, cannot change passwords, cannot unlock their screensaver, and fix after fix did not help a bit. The good news was they were at least responsive and tried to fix things. Apple, however, is less than responsive on things that don't affect the normal consumer, it seems at times.
Posted on 03-13-2014 12:49 PM
@nessts did you ever figure out what caused this problem and a solution?
Posted on 03-13-2014 12:58 PM
In the case of Quest, the problem was Quest and the solution is Apple.
With the Apple plugin, sometimes it randomly stops talking to AD and we have a LaunchDaemon that checks every boot and connection to the production network and rebinds if necessary. No root cause, but I have seen that behavior across many AD domains, so it's probably just something funky in the AD plugin, which seems to happen less and less with newer OS.
At the site where we used Quest they are pretty anal about the computer password being refreshed every 14 days, and if not the computers get moved to a disabled OU, which allows them no access, so rebinding and deleting the old computer record solves that.
Posted on 03-14-2014 07:26 AM
@nessts thanks for the reply. I am investigating and trying to figure out what is causing our Macs to break the trust with AD and look like they are bound but really they are not anymore.
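
The state described in this thread, a Mac that still looks bound but no longer talks to AD, can be told apart from a healthy bind with a check like the one below. This is an added example, not code from any poster in the thread; the probe account argument is hypothetical, and the `dsconfigad -show` output is assumed to contain an `Active Directory Domain = ...` line.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the AD bind as
# unbound / stale / healthy. Assumptions are marked below.

# Commands are overridable so the logic can be exercised off a Mac.
DSCONFIGAD="${DSCONFIGAD:-dsconfigad}"
IDCMD="${IDCMD:-id}"

# Print the AD domain the Mac is configured for, or nothing if unbound.
# Assumes `dsconfigad -show` prints "Active Directory Domain   = <domain>".
configured_domain() {
    "$DSCONFIGAD" -show 2>/dev/null |
        awk -F' = ' '/^Active Directory Domain/ { print $2; exit }'
}

# bind_state PROBE_USER
# PROBE_USER (hypothetical) must be an AD account that has no mobile or
# local account on this Mac, so a successful lookup can only come from AD.
bind_state() {
    domain=$(configured_domain)
    if [ -z "$domain" ]; then
        echo unbound          # no bind configuration at all
    elif "$IDCMD" "$1" >/dev/null 2>&1; then
        echo healthy          # configuration present and AD answers lookups
    else
        echo stale            # looks bound, but AD lookups fail
    fi
}

# Exit status for a wrapper such as a LaunchDaemon:
# 0 healthy, 1 stale, 2 unbound.
bind_exit_code() {
    case "$(bind_state "$1")" in
        healthy) return 0 ;;
        stale)   return 1 ;;
        *)       return 2 ;;
    esac
}

# Run the check only when a probe account is given on the command line.
if [ $# -gt 0 ]; then
    bind_state "$1"
fi
```

A `stale` result is only meaningful while the Mac can reach a domain controller; off the production network the same lookup fails for a healthy bind as well.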