johnklimeck
45

Comments

Anyone using OS 10.8.2 and Active Directory, and successful login and account creation

Posted 11/13/12 at 5:02 PM by johnklimeck

Is anyone having success with this, or is most everyone still using OS 10.7.5?

Can successfully bind a clean 10.8.2 image with dsconfigad, mobile enable, to Windows AD 2008 R2, all is good there.

Can log in with a valid AD user, but OS X does not really finish the process. The Finder hangs (Finder icon bounces in the dock, no Apple menu bar, and question mark icons in the dock). The local account is never created; can log in as admin and check with dscl: no user, no home directory.

This does not happen in 10.8.0, or 10.7.5 (separate issue and topic thread for 10.7.5).

Total deal breaker for us. Have logged a bug with Apple and spoken to an Apple engineer. Can reproduce every time, and this is not the OS X image. A brand new image downloaded directly from Apple (Recovery HD) on i7 MacBook Pro.

Thx,

John K


nkalister
Posted 11/13/12 at 6:18 PM by nkalister

it's working fine here with mobile accounts that do not sync. Are you trying to sync the home dirs? Also, posting the output from dsconfigad -show could help us troubleshoot this with you . . .

UESCDurandal
Posted 11/13/12 at 6:21 PM by UESCDurandal

We've just started rolling out AD binding to our organization so all of our users are running 10.8.2. Haven't seen the issue you're describing. I'm also running the Golden Triangle with our Open Directory Master, but I've also logged into AD users without binding to OD and have been fine.

I use System Preferences and Directory Utility to bind existing Macs and then I've used the binding objects in Casper Admin for newly imaged Macs.

johnklimeck
Posted 11/13/12 at 8:23 PM by johnklimeck

Appreciate it guys, throwing us for a loop.

Here is dsconfigad -show (does not look like anything unusual)


Active Directory Forest = domainname.local
Active Directory Domain = domainname.local
Computer Account = mbp15-1113$

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Disabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = not set
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

bentoms
Posted 11/14/12 at 12:08 AM by bentoms

What happens if you set the below to disabled & then try?

Use Windows UNC path for home = Enabled

CypherCookie
Posted 11/14/12 at 7:38 AM by CypherCookie

Hi All,

We currently are using Casper 8.62 with our machines running 10.8.2, with our users logging in via AD.

We have used Casper to bind the Macs and have had a couple of issues with this:

1) sometimes admin accounts login with managed mobile profiles instead of admin rights.
2) we are noticing some machines are not allowing users to log on and then randomly allowing them to then logon.

we are currently trouble shooting these issues and believe the following are the reasons;

1) Mobile accounts etc. are controlled via the AD; we are trying to figure out why sometimes users get admin rights and sometimes don't.

2) This issue could be to do with a combination of network switch and DC problems we are currently looking into our infrastructure to try and find the problem.

charles.hitch
Posted 11/14/12 at 8:16 AM by charles.hitch

Works well here. We had to disable "Authentication From Any Domain" to get it to work though. Also disabled "Use Windows UNC path for home".

alexjdale
Posted 11/14/12 at 12:18 PM by alexjdale

Works pretty well here too, with all versions of 10.8. We also had to disable "Use Windows UNC path for home" since that would cause some user logins to fail.

We do see rare login issues with some users/sites, but 99% of the time it works 100% of the time.

UESCDurandal
Posted 11/14/12 at 12:42 PM by UESCDurandal

@alexjdale - I too was having issues with logins when "Use Windows UNC path for home" was checked. I found that the problem stemmed from a bad path in their AD profile tab. So long as there is a folder at that path and the user has permission to read/write then we could login.

We want to keep it that way as to mimic how our PCs behave.

bentoms
Posted 11/14/12 at 2:28 PM by bentoms

We mount all drives @ login using an AppleScript app I've written, including the Profile drive.

This was due to http://support.apple.com/kb/HT4829

Maybe it's the same issue?

johnklimeck
Posted 11/14/12 at 2:44 PM by johnklimeck

OK, here's the update.

Used the above suggestions:

- disabled "Use Windows UNC path for home"
- disabled "Mount home at Sharepoint"
- disabled "Authentication from any domain" (since there is a legacy AD domain, and we do not want users being authenticated to that old domain, only the new domain (AD 2008); apparently there are issues in that scenario)

There is another thing. We have new Exchange 2010 and those AD users are being migrated to Exchange 2010 and to the new AD 2008 domain. Most AD users were actually created in that old AD domain and are being authenticated against that old domain, and there is something about "SIDs", Microsoft System IDs, and information can be coming from those old SIDs.

My AD user account logs in fine. But at least one of my test AD accounts (that were brand new users created in the new 2008 AD domain), still gets this weird issue.

It must be something related to a specific AD user, and /or Mac OS 10.8.2. It does not happen all the time.

I'll keep testing. I am just wondering what to do if we roll this out and get this non functional login / user template for a user when we do our AD rollout next month. Is there something we can do on the AD 'Users' side. My AD knowledge is not deep enough to know what to look for.

Of course only seeing this in 10.8.2, not 10.7.5

Apple is aware. Have logged a ticket / bug. No return call yet. Over 48 hours.

CypherCookie
Posted 11/15/12 at 4:12 AM by CypherCookie

Thanks for the update John, it's interesting that you are seeing this issue in 10.8.2 and not in 10.7.5!

What did you look for to say that the error was definitely with 10.8.2? or was it just a case of this error is only appearing on the newer machines?

tkimpton
Posted 11/15/12 at 1:34 PM by tkimpton

@bentoms ditto at using an applescript for that reason

robert.mullins
Posted 11/28/12 at 2:29 PM by robert.mullins

Seeing this in my environment also,
not happening with 10.7.5
Also not happening with machines upgraded from 10.6.8 or 10.7.4 ..... :(
HELP!

G-Lo
Posted 11/28/12 at 5:31 PM by G-Lo

Just curious, but are you able to BIND successfully through the GUI?

Lhsachs
Posted 11/28/12 at 7:38 PM by Lhsachs

What I have found imaging with Casper 8.62, installing Mac OS X 10.8.2 (build 12C54) and binding to Active Directory with the native Casper binding:
The system binds to Active Directory but with Apple's default settings, NOT the setting I have for AD. If I unbind from AD and use Casper Remote to set up AD, the settings come in the way I want them. I now have a script, based on one here: https://jamfnation.jamfsoftware.com/discussion.html?id=5891 that will set the machine bound to ad with the settings I desire for AD. I'm working on getting it to run after the Mac has bound to AD...

If I image the same system (using the same netboot image) with 10.7, the AD settings come in properly...

pete_c
Posted 2/8/13 at 4:58 PM by pete_c

Bump. Still seeing inconsistent 5200 and 5202 errors with 10.8.2; same AD bindings working fine with 10.6.8.

Fresh install of 10.8.2 onto a blank drive: can't bind from Users & Groups > Login Options. Binds successfully from Directory Utility with Create Mobile checked; logging in from an AD account causes the aforementioned Finder hang. Reboot, same thing. Can't unbind the Mac using any method, including dsconfigad.

bentoms
Posted 2/8/13 at 7:02 PM by bentoms

Working fine for me. :( sorry!

nkalister
Posted 2/8/13 at 7:33 PM by nkalister

hmm . . . . people having problems- are you all on .local domains like John?
I haven't seen any of these issues with 10.8.2 at ALL, but my domain is not configured as .local.
And have any of you besides john opened an applecare case on it? if you can't unbind with dsconfigad, apple should have something to say about that . . .

johnklimeck
Posted 2/8/13 at 8:20 PM by johnklimeck

Update. Opened case with Apple, basically of very little help.

Centrify Express / Direct Control works perfectly, and I love all the command line tools, and their Account Migration app. So far we have done almost 150 bindings with Centrify (AD 2003 to AD 2008), and maybe one or two I have had to rebind. If there is an issue with logging in, it's almost always on the AD account side: password, acct expiring, migration not done completely, etc.

It seems an issue with 10.8.2. Incidentally I thought the 10.8.3 betas would fix it, nope (12D61), not in my AD env.

Still get the Finder, menu bar hang. (with Apple's plug-in)

nkalister
Posted 2/8/13 at 8:43 PM by nkalister

that's so weird . . .i'm up to 113 10.8.2 client machines managed, not a single one has had a binding issue with the apple plugin. I'm really curious if the others having problems are on .local domains as well.

ernstcs
Posted 2/8/13 at 9:08 PM by ernstcs

I'm afraid I'm not seeing an issue with 10.8.2 and the native AD binding, and it being handled by the Casper 8.62. I have a random issue here and there, but nothing ever in mass. Haven't for as far back as I can remember using the native AD plugin, which is a long time it seems. My beard is going white...

shakim
Posted 2/8/13 at 10:15 PM by shakim

No issues with 10.8.2 and "Beta 10.8.3" using the Native AD Plugin in our AD Environment.

johnklimeck
Posted 2/9/13 at 12:26 PM by johnklimeck

"No issues with 10.8.2 and "Beta 10.8.3" using the Native AD Plugin in our AD Environment. "

Are you a .local domain? AD 2008?

franton
Posted 2/9/13 at 1:18 PM by franton

Let me also confirm that 10.8.2 with the bind completed by Casper is working here too. (actually we've had a few teething problems lately but that was probably caused by our datacentre blow out this morning)

dlondon
Posted 2/10/13 at 11:03 PM by dlondon

I've seen this sort of message when manually adding machines to our Active Directory domain.

Domain Functional Level: Windows Server 2003
Forest Functional Level: Windows Server 2003

OS X 10.8.2 but also with 10.7 and even 10.6

The message I see is
Unable to add server.
Authentication server encountered an error while attempting the requested operation.
(5202)

I usually authenticate as DOMAIN\username and then password but when I get that message I try the Fully Qualified account name i.e. username@my.fully.qualified.domain.name e.g. fred@someschool.edu
It then joins with no problems.

Usually things go like this for some months and then the DOMAIN\username works again. I've brought it up with our server team but they don't know what causes it.

Regardless - have you tried using a Fully Qualified user name?

maik.sanftenberg
Posted 2/11/13 at 4:05 AM by maik.sanftenberg

John,
we came across a similar issue at the beginning of our AD implementation.
We have a different setup than it should be in AD.

Question: Is the domain really .local?

We were unable to bind OS X 10.7 and 10.8 clients.
Windows clients in the same network segment were able to connect without any problems.

We ended up using Centrify Express to bind our machines to AD.
http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp

It is working fine for us.

johnklimeck
Posted 2/11/13 at 1:31 PM by johnklimeck

Yes we are company.local (which Apple says there could be issues, and we have seen them).

So Centrify it is for us as well. It just works.

DeanaE
Posted 2/13/13 at 12:20 PM by DeanaE

We just set up a new lab yesterday using the Casper AD and have the same problem with no task bar and finder hanging. Computers are 10.8.2 and we are .local on our district network. Would like to know how to resolve this.

alex.merenyi
Posted 2/13/13 at 12:41 PM by alex.merenyi

I've had no problems with AD and 10.8.2, but our domain isn't .local. Nothing has changed for us since 10.6.8.

johnklimeck
Posted 2/13/13 at 12:52 PM by johnklimeck

DeanaE,

As I say above, I tested this for a few weeks in an AD 2008 env, .local. I wanted to see the Apple native AD plugin work, but it did not.

I got the Finder / Menu Bar hang, every time. I can reproduce the bug every time. Apple called us back a few times, but of very little help. Apple finally admitted to us that they could reproduce the bug, yet the latest 10.8.3 beta builds still do not fix the issue.

Centrify Express / DC works perfectly. That's what we are using.

sudhaker
Posted 2/15/13 at 1:36 AM by sudhaker

Hi,

I have just configured AD and successfully logged in on my MBP with 10.8.2.

We are using .local domain.

Actually I tried to do the binding long back and had a call with Apple support but they were of little help; they just told me that Macs cannot be configured on AD for .local and closed the ticket.

Now yesterday I tried a different scenario and it worked. Here is what I did.

The Domain was configured on "company.local" hosted on server "domainserv.company.local".

When I clicked "Join" the popup asked for the address of the server (previously I tried to configure and bind the Mac using "Directory Utility" and was just supplying "domain.local" all the time, but now it was not needed).

Here instead of giving "company.local" I gave the complete machine name, which is "domainserv.company.local"; it asked for the Domain Admin login. Boom, everything was automatically configured.

I did not face any issues related to Finder hanging as john was facing.
But hey, that's not it.

I am facing problem while trying to sync to the network home. It says "The Sync could not complete because your network home at "(null)" does not allow writing." and the "Settings" option for Mobile Account in disabled for the current user in "Users & groups".

Apart from this everything else is working fine with me.

Let me know if you need the "dsconfigad" output for inspection.

Sudhaker

maik.sanftenberg
Posted 2/15/13 at 2:13 AM by maik.sanftenberg

A quick comment on that.

As we still have a test AD environment, I created a new .local domain and saw the same issues as described above, with hanging toolbar and general binding issues.
Giving the full server name worked.
But it should be a workaround.

And remember that .local is reserved by Apple to be used by Bonjour.

I highly recommend using a different suffix like .corp on the end or other (.intern) or else. With these settings we don't run into any issues.

sudhaker
Posted 2/18/13 at 10:50 PM by sudhaker

Hey Maik,

Were you able to sync your home directory after you log in using a domain user?
I am still not able to get it working.

pete_c
Posted 3/18/13 at 5:42 PM by pete_c

10.8.3 definitely didn't fix this for me. Functional AD level is 2003, have both a 2003 and a 2008 AD server, not a .local domain.

New iMac shows as bound:

sh-3.2# dsconfigad -show
Active Directory Forest = grey.global
Active Directory Domain = jbrown.grey.global
Computer Account = chi1adg25079$

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Disabled
Network protocol to be used = afp
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = NTJBROWN\domain admins, NTJBROWN\enterprise admins
Authentication from any domain = Disabled
Packet signing = allow
Packet encryption = allow
Password change interval = 14
Restrict Dynamic DNS updates = not set
Namespace mode = domain

Logging in with an AD account will get a password reset notification, if the account is inside the change interval, but still the Finder never launches / no new home folder bug. Wildly inconsistent as I've bound half a dozen laptops over the last three weeks with no backend changes.
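A quick audit of a saved "dsconfigad -show" dump, covering both John's output near the top of the thread and pete_c's just above. It flags the settings this thread kept toggling (.local domain, "Use Windows UNC path for home", "Authentication from any domain", "Allowed admin groups") and also the two LDAP packet-protection settings, which both dumps leave at "allow" rather than "require". This is an added example written for this thread, not Apple, JAMF or Centrify code; it assumes the dump was saved to a file on the bound Mac in the plain "Name = value" layout shown above, and the wording and severity of the findings are my own.

```shell
#!/bin/sh
# Audit a saved "dsconfigad -show" dump for the bind settings this thread kept
# changing (.local domain, "Use Windows UNC path for home", "Authentication from
# any domain", "Allowed admin groups") and for the LDAP packet-protection
# settings a reviewer wants at "require" rather than "allow".
# Added example for this thread; not Apple, JAMF or Centrify code.
# Assumption: the dump was captured earlier on the Mac with
#     dsconfigad -show > bind.txt
# and has the plain "Name = value" layout shown in the posts above.

# value FILE "Setting name" -> text after " = " on the first matching line
value() {
    sed -n "s/^[[:space:]]*$2 = //p" "$1" | head -n 1
}

# audit_dsconfigad FILE -> prints one WARN/INFO line per finding;
# returns 0 when there are no WARN lines, 1 otherwise
audit_dsconfigad() {
    f=$1
    warns=0

    domain=$(value "$f" "Active Directory Domain")
    case "$domain" in
        *.local)
            printf '%s\n' "WARN domain '$domain' ends in .local; Apple documents mobile-login problems for .local AD domains (HT5738)"
            warns=$((warns + 1)) ;;
    esac

    if [ "$(value "$f" "Use Windows UNC path for home")" = "Enabled" ]; then
        printf '%s\n' "WARN 'Use Windows UNC path for home' is Enabled; logins fail when the user's AD profile path is missing or unwritable"
        warns=$((warns + 1))
    fi

    if [ "$(value "$f" "Authentication from any domain")" = "Enabled" ]; then
        printf '%s\n' "INFO 'Authentication from any domain' is Enabled; accounts from every trusted domain, legacy ones included, can log in"
    fi

    # "allow" lets a DC that skips signing/encryption talk to the Mac;
    # "require" (or "ssl" for encryption) refuses such a session.
    for setting in "Packet signing" "Packet encryption"; do
        v=$(value "$f" "$setting")
        if [ "$v" != "require" ] && [ "$v" != "ssl" ]; then
            printf '%s\n' "WARN '$setting' is '$v'; set it to 'require' so unprotected LDAP sessions are refused"
            warns=$((warns + 1))
        fi
    done

    admins=$(value "$f" "Allowed admin groups")
    if [ -n "$admins" ] && [ "$admins" != "not set" ]; then
        printf '%s\n' "INFO members of '$admins' get local admin on every Mac bound with these settings"
    fi

    [ "$warns" -eq 0 ]
}
```

Run it as "audit_dsconfigad bind.txt" after sourcing the file. Against John's dump it reports four WARN lines (.local domain, UNC path enabled, and both packet settings at "allow"); pete_c's dump drops the first two but keeps the packet warnings and adds an INFO line naming the two AD groups that become local admins. On the Mac itself the packet settings are raised with "dsconfigad -packetsign require -packetencrypt require".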

bentoms
Posted 3/18/13 at 5:46 PM by bentoms

Hey, I know that domain!

I used to work for Grey London. Reach out there to a guy called James Burnett... He may be able to advise.

pete_c
Posted 3/19/13 at 11:28 AM by pete_c

Crazy enough but after shutting the new iMac down and reconnecting, but this time on a 100bT instead of gigabit Ethernet connection, it bound fine.

tjahn79
Posted 4/22/13 at 6:23 PM by tjahn79

johnklimeck, I have had the same issue with my .local domain. I ended up using centrify for my initial deploy.
However, after further testing, I did discover a way to make the Freezing Finder issue go away.
What led me down the home folder path was this:
The dock worked, Launchpad worked, I could launch Terminal from Launchpad; running "cd ~" resulted in "Home folder not found." The Finder was crashing because it didn't have a home folder to read the desktop or write to recent items.
Details:
Successfully binding a machine
In *Active Directory* open your directory user's Properties
Click on the Profile Tab
In Local Path enter: C:\Users
Hit OK

This seems to show OSX where to put the home folder. It has worked on several accounts that I have tried it on.

corradokid
Posted 7/23/13 at 1:15 PM by corradokid

Details:
Successfully binding a machine
In *Active Directory* open your directory user's Properties
Click on the Profile Tab
In Local Path enter: C:\Users
Hit OK

This seems to show OSX where to put the home folder. It has worked on several accounts that I have tried it on.


We are using a .local domain, but we bind our Macs to AD only for account verification, not for home folder storage. Seem to have this happen randomly, but we're on a mix of 10.7.5 and 10.8.4. I'm assuming making the change in AD for the user will tell OS X to place the home folder on the AD server? When binding to AD we tick the following boxes in Directory Utility:

[√] Create Mobile Account
[√] Force local home directory on startup disk (greyed out)
[√] Default User Shell: /bin/bash
[√] Allow administration by: domain admins, enterprise admins

Profile path in AD profile properties is blank.

Any help would be appreciated!

sgrall
Posted 7/23/13 at 5:30 PM by sgrall

For those who haven't seen the article:

OS X Mountain Lion: Improving mobile user login times for Active Directory .local domains
http://support.apple.com/kb/HT5738

asid-russ
Posted 7/30/13 at 3:33 PM by asid-russ

I had the same problem as well and found a solution. For me, I found out it would only happen to AD Users who had local administrator access to the Mac (In the AD Bind settings on the mac, there's a section for assigning AD Users to the local admins group). When I removed the AD User from the AD group that was assigned local admin privileges (and waited for AD replication), I was able to log in without the issue!

pete_c
Posted 7/30/13 at 10:18 PM by pete_c

Between 10.8.4 and removing all Windows Server 2003 DCs, this has been resolved for my org as well.

TheMacGuy
Posted 8/2/13 at 3:43 AM by TheMacGuy

I'm having this exact same problem johnklimeck described at the beginning with a brand new iMac running 10.8.4 joining an Active Directory 2008 domain. I've tried all of the suggestions listed in this thread with no success. My older iMacs running Snow Leopard that have been on the domain for 3 years are working fine. No account name conflicts between the local system and AD. Right now the system is being used to develop a template for an 18 station lab so all the work is being done by hand.

Any other suggestions on what to try?

I should add that for about the first 15 seconds after a restart, there is a notice at the login screen that "Network Accounts are Unavailable" but then it goes away and when I go Login Options>Directory Utility, everything looks good.

Howell
Posted 8/13/13 at 3:33 PM by Howell

I'm having this exact same issue as originally posted.

AD 2008 R2
OS X 10.8.4

I can log in as most AD accounts. The account that I need to use is not logging in all the way. Question marks on the dock, bouncing Finder on the dock. When I attempt to open Notes or Mail, I get an error that the Library needs to be repaired. It's not creating a Home Folder under /Users.

I have tried everything listed above. Does anyone else have any ideas?

Howell
Posted 8/14/13 at 5:00 PM by Howell

I found a resolution to my issue if anyone stumbles across this.

First I had to disable the option to create a mobile account upon login in the Active Directory settings in OS X. This allowed me to get the user logged in, but the mobile account creation would fail.

Second follow these steps:
1. Delete the old user if that user exists on the client system.

2. Test to make sure the system is properly bound to Active Directory.

3. Log in as the local admin and run the following command in the Terminal:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n userid -v

Remember this will require a password and will not return any visual
output when the keys are pressed.

4. Log out the local admin.

5. Log in as the Network user.

6. To configure the syncing service go to System Preferences >
Accounts and click on the Settings button. This will be grayed out
with users who are not set up with a network home directory.

Hope this helps.