Upgraded labs to Catalina, now AD accounts can't log in

rahern
New Contributor II

In need of some help. I work at a small university, and we have 7 Mac labs, 6 of which are managed with Jamf Pro Cloud. Several of them we upgraded to Catalina last week, and now in these spaces, when someone tries to log in with their Active Directory username and password, they get stuck at a spinning loading wheel. We push the directory settings from Jamf, normally. On the machine I'm testing with, I unbound and rebound manually, and still have the same issue.

And before anyone says "most of us don't bind via AD anymore", I know, I'm working on alternatives, but for now, I'd like to just fix the actual issue at hand, so any help would be much appreciated. Thanks so much!


garybidwell
Contributor II

Do the users have a home folder path specified in their AD user profile?
You could try blanking one out to test, or modify the local Mac account in Directory Access not to map a home. I've found in the past that if there's an issue with AD home folders it can hang the login process, especially if you're using incorrectly set up DFS paths.
It's worth a try just to eliminate this as a cause.

dominicanuofca
New Contributor II

Good point. We've found that here too - if the AD account doesn't have a home directory on the server, then in Directory Utility for that account on the Mac the box "Use UNC path from Active Directory to derive network home location" has to be blank or the network user can't login. (We've also found that in some cases the "Allow network users to login" checkbox in Users & Groups disappears randomly and unbinding and rebinding fixes it, but you say you've tried un/rebind.)

easyedc
Valued Contributor II

I have a ticket with Apple support for what sounds like a similar issue. Basically AD bound Macs essentially act like they aren't. If you're in a local account and try an id lookup, does it fail?

iMac Pro:~ ed$ id userid
id: userid: no such user

Where it should provide some list of group memberships

iMac Pro:~ ed$ id userid
uid=12345(userid) gid=10123(ADGroupname) groups=10123(ADGroupname),12(everyone)

Apple asked us to test the latest BS beta to see if it was resolved there. Haven't been able to test/recreate with BS yet on one of the affected computers.
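The `id` lookup above is the quickest way to tell whether a bound Mac is actually talking to the directory. As an added example (not code from the thread or from Apple), the script below classifies that output so the same check can be run across a lab from a script. The two sample strings are constructed to mirror the outputs pasted above; `check_ad_user` is a hypothetical wrapper that runs the real lookup on the Mac it is executed on.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies the result of the `id`
# lookup described above so a lab of Macs can be checked from a script.
# The two sample strings are constructed to mirror the outputs shown above.

# ad_lookup_status OUTPUT -> prints "resolved", "missing" or "unknown"
ad_lookup_status() {
    case $1 in
        uid=*\(*\)*gid=*)   echo resolved ;;   # directory answered with uid/gid
        *"no such user"*)   echo missing  ;;   # bound, but the user does not resolve
        *)                  echo unknown  ;;   # anything else (e.g. id itself failed)
    esac
}

# ad_uid_of OUTPUT -> prints the numeric uid from a resolved `id` line
ad_uid_of() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# check_ad_user USER -> runs the real lookup on this Mac and classifies it.
# Exit status is 0 only when the account resolves (hypothetical wrapper).
check_ad_user() {
    status=$(ad_lookup_status "$(id "$1" 2>&1)")
    echo "$1: $status"
    [ "$status" = resolved ]
}

# Constructed samples (same shape as the two outputs pasted above)
SAMPLE_OK='uid=12345(userid) gid=10123(ADGroupname) groups=10123(ADGroupname),12(everyone)'
SAMPLE_FAIL='id: userid: no such user'

# Usage on a bound Mac, from a local admin account:  check_ad_user someaduser
```

A "missing" result from a local admin session, on a machine that `dsconfigad -show` says is bound, is the symptom described in this reply: the bind exists but lookups are not being answered, so the login window has nothing to authenticate against.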

rahern
New Contributor II

Figured it out. I unchecked the box that says "create mobile account at login", and now everything works. Very strange, but hey, it fixed it, so I'm happy.

dlondon
Contributor III

I had that experience too with Catalina at the beginning of the year and our labs which had a refresh. Changing from Mobile accounts to Network accounts brought the logon time down from about 15 minutes for first time logon to about 2-3 minutes. In both cases we create a local home.

For us I found that there were many inconsistencies in various subnets connecting to the Domain Controllers, so I'm on a mission to get that fixed. For us I can see that something else is still there making the logon time slow and inconsistent. To me, inconsistent implies several servers that do the same job and 1 or more not working correctly, so you hit them and get a delay before it times out.

mhegge
Contributor II

Curious as to mobile and network. I have used "create mobile account at login" for years in classrooms (and faculty and staff laptops) with few issues. Lately, on Catalina, some students are having issues logging into some computers they have logged into before. Thinking something with the user account(s) got jacked during an upgrade or security update. Generally there are very few issues.

Does unchecking "create mobile account at login" automatically default to creating a network account?

mhegge
Contributor II

In my experience, unchecking create mobile account at login makes it so no one other than local admins can log in.

dlondon
Contributor III

Not so: unticking Create Mobile Accounts will create network accounts, i.e. homes but no users in the local directory, so no caching of credentials.
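The two settings this thread turns on (mobile account creation, and deriving the home from the AD UNC path, as raised in the earlier replies) are both visible in `dsconfigad -show`. As an added example (not code from the thread or from Apple), the script below reads those settings out of that output and reports the account mode dlondon describes, plus the `dsconfigad` commands that correspond to the two fixes reported here. The sample block is constructed in the layout `dsconfigad -show` uses; on a real Mac, feed it the live output as shown in the usage comment.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the binding settings the
# replies above point at (mobile accounts, UNC-derived home) out of
# `dsconfigad -show` output, so the state of a lab Mac can be checked rather
# than guessed. The sample block is constructed; run `dsconfigad -show` on a
# bound Mac to get the real one.

# ad_setting SHOW_OUTPUT LABEL -> prints the value after " = " or "not found"
ad_setting() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
          if (k == key) { print $2; found = 1; exit } }
        END { if (!found) print "not found" }'
}

# account_mode SHOW_OUTPUT -> "mobile" (local account created and cached at
# login), "network" (home only, no local user record, no cached credentials)
# or "unknown" (not bound / unexpected output).
account_mode() {
    case $(ad_setting "$1" 'Create mobile account at login') in
        Enabled)  echo mobile ;;
        Disabled) echo network ;;
        *)        echo unknown ;;
    esac
}

# suggested_fixes SHOW_OUTPUT -> prints the dsconfigad commands matching the
# two fixes reported in the thread, only for settings currently enabled.
# Printed, not executed; run them as root on the Mac.
suggested_fixes() {
    if [ "$(ad_setting "$1" 'Create mobile account at login')" = Enabled ]; then
        echo 'sudo dsconfigad -mobile disable'
    fi
    if [ "$(ad_setting "$1" 'Use Windows UNC path for home')" = Enabled ]; then
        echo 'sudo dsconfigad -useuncpath disable'
    fi
}

# Constructed sample in the layout dsconfigad -show uses (values are made up)
SAMPLE_SHOW=$(cat <<'EOF'
You are bound to Active Directory:
  Active Directory Forest          = ad.example.edu
  Active Directory Domain          = ad.example.edu
  Computer Account                 = lab-mac-01$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
     Require confirmation          = Disabled
  Force home to startup disk       = Enabled
     Mount home as sharepoint      = Enabled
  Use Windows UNC path for home    = Enabled
  Network protocol to be used      = smb
  Default user Shell               = /bin/bash
EOF
)

# On a bound Mac:
#   account_mode "$(dsconfigad -show)"
#   suggested_fixes "$(dsconfigad -show)"
```

Disabling mobile accounts is what removed the hang for the original poster, and disabling the UNC-derived home is the workaround described for accounts with no server home; both are only a diagnosis, not a root cause, since either setting makes login wait on a directory or file-server response that the log shows is not arriving.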

mhegge
Contributor II

I think it is because our system is not set up for network accounts.