We modified our AD binding in the JSS to use the UNC path. Initially, the thought was to allow a network home directory to be used when students/employees were logging in. This has worked in our testing. Going forward, we found some errors on some computers for those that are logging in.
The errors were simply, You are unable to log in to the user account _ at this time. There was a discussion about this here.
It appears, if you disable the UNC Path, this will correct this problem. The issue however doesn't appear for all users trying to log in.
Does anyone have a definitive answer whether we should be enabling the UNC path or not? If not, I will disable this across the board, but it is curious why some users can log in and others cannot.
Thank you in advance for your replies.
Depending on the version of Mac OS you end-users have, this can be caused by having the home directory path in the AD profile specified using DFS. Newer versions of the OS (Yosemite and later) seem fine with DFS home shares. With older machines, we have the users' home directories set up as SMB shares and the users AD profile updated accordingly. Then the "Use UNC path from Active Directory..." seems to work fine. One reason why you might want to consider unchecking "Use UNC path" is if you have created mount scripts for users. We have developed mount scripts that mount the user's home directory and all of the shares they should get. The advantage for us of doing this using mount scripts is that we have a lot of users on laptops who have VPN access - and we can configure the VPN client (Cisco AnyConnect) to run the mount script after authenticating and connecting to the network. This way, the user gets all of their share regardless of whether they are in the office or working remotely.
I disabled it across the board because the potential problem it can cause (being unable to log in at all) is catastrophic and was always escalated to me. We have tens of thousands of AD user accounts that I have no control over, and a poor history of consistency across their AD records.
Nobody complains about a lack of automatic mounting, but we don't use network home drives very much.
Thank you, some very valid thoughts and I sincerely appreciate it. The capitalization would explain why some work and others don't.
We are using macOS 10.12.6 on all of our student Macs. I think creating a script to do the mounting makes sense, the only thing is, I am not well versed with scripting so it seems daunting to start from scratch. Do you know of any scripts that are "public" domain so to speak? I could borrow the logic from them and work them into something usable for our environment.
I discovered that a trailing space at the end of the path specified in AD can cause problems. Where a home folder path should be "server.company.com/users/jsmith", the result of a copy/paste on a Windows PC "server.company.com/users/jsmith " is not obvious and will make you spin your wheels for hours trying to solve the problem. I also had to get on to our AD admins to ensure that the FQDN was specified because our DNS in a multi-domain environment doesn't work well with just the hostname "server/users/jsmith"