ZERO luck with AD on Tiger – HELP!
This topic has 18 replies, 9 voices, and was last updated 19 years ago by Anonymous.
June 23, 2005 at 12:41 am #362068
LoadStar
Participant
Ok, I’m beginning to wonder if there’s something completely bizarre about our environment here that is causing Tiger to fail – MISERABLY and COMPLETELY – to effectively work with AD and home directories. I’ve asked around, and apparently most people are getting it to work just fine in Tiger, which leads me to believe it’s either something I’m doing, or something screwy we have going here.
Here’s the process I’m following.
1) Clean install Tiger.
2) Update to 10.4.1, then update to Security Patch 2005-006
3) Using Directory Access.app, bind the computer to Active Directory.
4) Uncheck the box for "Force local home directory on startup disk."
5) Add /Active Directory/domain.edu to the Authentication search path.

So far, so good, right? Wrong. I try and log out and log in using AD credentials. All I get is a spinning beach ball. Checking the system.log, the problem seems to be automount freaking out for some reason, as shown in the log excerpt below:
Jun 22 19:04:13 test-imac automount[264]: Can’t mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)
Jun 22 19:04:13 test-imac automount[264]: Attempt to mount /automount/Servers/server.domain.edu/user returned 13 (Permission denied)
Jun 22 19:04:13 test-imac automount[145]: Can’t mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)
Jun 22 19:04:17 test-imac automount[268]: Can’t mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)
Jun 22 19:04:17 test-imac automount[268]: Attempt to mount /automount/Servers/server.domain.edu/user returned 13 (Permission denied)
Jun 22 19:04:17 test-imac automount[145]: Can’t mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)
Jun 22 19:04:21 test-imac automount[271]: Can’t mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)
Jun 22 19:04:21 test-imac automount[271]: Attempt to mount /automount/Servers/server.domain.edu/user returned 13 (Permission denied)
Jun 22 19:04:21 test-imac automount[145]: Can’t mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)
Jun 22 19:04:23 test-imac kernel[0]: nfs server automount -fstab [145]: not responding
Jun 22 19:04:23 test-imac KernelEventAgent[37]: tid 00000000 received VQ_NOTRESP event (1)
Jun 22 19:04:23 test-imac KernelEventAgent[37]: tid 00000000 type ‘nfs’, mounted on ‘/automount/Servers’, from ‘automount -fstab [145]’, not responding
…And so on, and so forth – that sequence repeats itself as long as I let the machine go.
Here’s the kicker. I tried the above 1-5 process, then went to the terminal and tried a dscl to see if I could read a record from Active Directory. Guess what – reading a record from AD causes the SAME THING to happen, automount starts freaking out. Why would automount kick in on a record read in dscl?
If I were to CHECK the box for "force local home directory" – none of the above problems happen. The home directory sharepoint from AD mounts without a problem on the desktop, and I can log in, using AD credentials, without a problem. The problem only exists if I tell it I want to use the Windows home directory as the Mac home directory.
For the record: this is a standard Windows home directory, shared via smb.
So, the questions are: am I following the right procedure? And if I am, why is automount flipping out? PLEASE HELP. We have to roll out 55 Mac OS X 10.4 machines in less than a month, and right now, I’m so screwed. If there’s anything I’m saying above that is at all unclear, please ask and I’ll try and clarify.
June 27, 2005 at 9:15 pm #362126
LoadStar
Participant
[QUOTE BY= MacTroll] Check out our article on troubleshooting home directories. It’ll show you how to run automountd in debug mode, which might help some here.[/QUOTE]
Good thought. Here’s the problems I have following the instructions in that article:
[QUOTE]1. Check the record in the directory service.[/QUOTE]
I can’t check the record from Directory Service as long as I have the “force local home directory” checkbox unchecked. As soon as I read a record with dscl, automount flips out.
[quote]2. Check and make sure that the client is getting the mount record.[/quote]
When the “force local home directory” checkbox is unchecked, the only user I can log in as is the local administrator account, and doing lookupd -d and allMounts as the local administrator account is non-revealing.
[quote]3. Run the automount process by hand.[/quote]
Again, as long as the “force local home directory” checkbox is checked, I can’t login as a network user, and logging in as a local account I’m obviously not going to get any mount records from directory service. So, trying to follow the instructions in this step won’t work, as they presume you’re logged in as the account from directory service. (Additionally, I can only presume that the location automounts are in has changed under 10.4 – “/private/var/automount/Network/Servers” doesn’t exist, but “/private/Network/Servers” does.)
[quote]4. Turn on guest access.[/quote]
Tried opening the security on the sharepoint on the server where the home directory is stored – it’s open Everyone – Full Access. Didn’t change anything. Automount still flipped out. (Also tried setting permissions on the entire directory tr
[quote]5. Group folders.[/quote]
Not applicable.
[quote]6. 10.3.5.[/quote]
Not applicable.

I’m not deliberately being obtuse – if I am, it’s purely accidental!
I just don’t see that article as being of much help. Is there any way to set the automount daemon to run in debug mode when it’s called by the kernel?

July 1, 2005 at 12:29 am #362175
LoadStar
Participant
Success. Well, not success. Progress, at least. I now know the problem, I just don’t know the cause or the solution. But knowing is half the battle!
(Some of you will get that one.)

What the problem is NOT:
– DNS. Gave the Mac a static IP address, and added it to the DNS tables. Didn’t change a thing.
– Authentication. I am authenticating without a problem. Finally sat there and watched the system log on the AD domain controller, and it is definitely authenticating just fine.
– Kerberos (at least on the server side). According to the log entry for the login success, the login method is Kerberos.
– Time differential between client and server. They’re within a few seconds of each other.
– How many folders deep the home directory is within the sharepoint. (This was a fairly out there idea… thought perhaps the Mac was having an issue with a home directory that was nested an extra folder deep within the sharepoint.) Created a home directory at the very top of the sharepoint, as I figured it would be looking for – didn’t change anything.

So what did the problem end up appearing to be? SMB on the Mac. Yeah, that’s right. Thanks, Apple. For some reason, it’s trying to connect to the home directory server as ROOT. Yeah, WTF is right.
What I did to find this out: I changed the home directory for a test user in AD to point to a box I could do some auditing on. I then attempted to log in, and started seeing failures in the Security log on my box. Here’s the description from the log entry:
Logon Failure:
Reason: Unknown user name or bad password
User Name: ROOT
Domain: DOMAIN_NAME
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\TEST-IMAC
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
(I redacted the “domain” in the log entry above. You don’t need to know that, suffice to say that it was indeed the correct domain name.)
Now. What is the source of the problem, and how do I fix this? Anyone have any brilliant ideas?
July 1, 2005 at 3:06 am #362181
LoadStar
Participant
Update – again. Seems I was partially mistaken in my last post.
Here’s the sitch as I know it:
– If I force a local home directory, I log on just fine. I do get a set of 3 entries on the domain controller/KDC’s event log, all identical:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 6/30/2005
Time: 7:50:52 PM
User: NT AUTHORITY\SYSTEM
Computer: PRIME1
Description: Pre-authentication failed:
User Name: testaccount
User ID: DOMAIN_NAME\testaccount
Service Name: krbtgt/DOMAIN.EDU
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: xxx.xxx.4.5
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Doesn’t seem to have an impact on being able to log on. I do get a Kerberos TGT without a problem.
– If I DON’T force a local home directory (i.e use the home directory from Active Directory), I get this log entry, over and over, on the Domain Controller/KDC:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 6/30/2005
Time: 9:05:18 PM
User: NT AUTHORITY\SYSTEM
Computer: PRIME2
Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: ROOT
Source Workstation: \\TEST-IMAC
Error Code: 0xC0000064
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
And the following log entry on the home directory server:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 6/30/2005
Time: 8:29:46 PM
User: NT AUTHORITY\SYSTEM
Computer: HOME_DIR_SERVER
Description: Logon Failure:
Reason: Unknown user name or bad password
User Name: ROOT
Domain: DOMAIN_NAME
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: \\TEST-IMAC
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
So, clearly, when I have the “force local home directory” checkbox UNCHECKED, for some reason, it seems to be trying to log on as ROOT, not as the username I’m entering. If I have it CHECKED, it logs on just fine as the username I enter.
I’d say it’s clearly a bug, a glitch with the AD plugin for Directory Services, but I’m understanding that other people aren’t having the same problem. I dunno at this point what to do.
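The two symptoms LoadStar pasted above (the automount EACCES retry loop in the first post, and the 675/680/529 Failure Audit entries in this one) are easier to reason about when parsed side by side. The following Python is an added example written for this page, not code from the thread or from Apple. The SAMPLE_* inputs are constructed to mirror the excerpts above (placeholder names kept as the poster left them), and the field regexes assume the flattened one-line event form the posts show. The check that matters is the last one: the account name the DC and file server actually saw, compared with the user who is logging in, which is exactly how ROOT surfaced here and is independent of whatever ACL is on the share.

```python
"""Correlate Mac automount failures with the Windows Security audit events pasted in this
thread. Added example for this page (not code from the posts or from Apple)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# 0x19 is a Kerberos error code (event 675); the 0xC... values are NTSTATUS (events 529/680).
KRB_ERR = {0x19: "KDC_ERR_PREAUTH_REQUIRED (client must retry with pre-authentication data)"}
NTSTATUS = {0x0: "success", 0xC000006A: "wrong password", 0xC0000064: "account does not exist"}

# syslog line automount writes when the SMB mount fails; errno 13 is EACCES.
AUTOMOUNT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) automount\[\d+\]: "
    r"Can.t mount (?P<server>[^:\s]+):(?P<share>\S+) on \S+: .+? \((?P<errno>\d+)\)$")
# Windows Security events, flattened to one line per event as the posts show them.
EVENT_ID_RE = re.compile(r"Event ID: (?P<v>\d+)")
FIELD_RES = {
    "account": re.compile(r"(?:Logon account|User Name): (?P<v>\S+)"),
    "workstation": re.compile(r"(?:Source Workstation|Workstation Name): (?P<v>\S+)"),
    "code": re.compile(r"(?:Error Code|Failure Code): (?P<v>0x[0-9A-Fa-f]+)"),
    "package": re.compile(r"(?:Logon attempt by|Authentication Package): (?P<v>\S+)"),
}

@dataclass
class MountFailure:
    host: str
    server: str
    share: str
    errno: int

@dataclass
class LogonEvent:
    event_id: int
    account: Optional[str]
    workstation: Optional[str]
    code: Optional[int]
    package: Optional[str]

def parse_automount(lines: List[str]) -> List[MountFailure]:
    """Keep the "Can't mount server:/share ... (errno)" lines; retry and kernel lines are skipped."""
    return [MountFailure(m["host"], m["server"], m["share"], int(m["errno"]))
            for m in map(AUTOMOUNT_RE.match, lines) if m]

def parse_win_events(entries: List[str]) -> List[LogonEvent]:
    found = []
    for text in entries:
        m = EVENT_ID_RE.search(text)
        if not m:
            continue
        f = {}
        for name, rx in FIELD_RES.items():
            hit = rx.search(text)
            f[name] = hit["v"] if hit else None
        code = int(f["code"], 16) if f["code"] else None
        found.append(LogonEvent(int(m["v"]), f["account"], f["workstation"], code, f["package"]))
    return found

def describe_code(event_id: int, code: Optional[int]) -> str:
    table = KRB_ERR if event_id == 675 else NTSTATUS
    return table.get(code, f"unknown code {code:#x}") if code is not None else "no code"

def mount_retry_summary(failures: List[MountFailure]) -> Dict[Tuple[str, str], int]:
    """EACCES count per server:/share, i.e. the retry loop filling system.log."""
    return dict(Counter((f.server, f.share) for f in failures if f.errno == 13))

def unexpected_accounts(events: List[LogonEvent], expected_user: str) -> Set[str]:
    """Account names the DC (680) or file server (529) saw over NTLM that are not the user
    logging in. Any hit means the mount used the wrong identity; share ACLs are irrelevant."""
    return {e.account for e in events if e.event_id in (529, 680) and e.account
            and e.account.lower() != expected_user.lower()}

def diagnose(syslog: List[str], events: List[str], expected_user: str) -> List[str]:
    out = [f"automount: {n} EACCES failures mounting {srv}:{shr}"
           for (srv, shr), n in mount_retry_summary(parse_automount(syslog)).items()]
    parsed = parse_win_events(events)
    out += [f"event {e.event_id}: account={e.account} from={e.workstation} "
            f"package={e.package} -> {describe_code(e.event_id, e.code)}" for e in parsed]
    out += [f"IDENTITY MISMATCH: client authenticated as {a!r}, expected {expected_user!r}"
            for a in sorted(unexpected_accounts(parsed, expected_user))]
    return out

# Constructed sample input modelled on the excerpts above (poster's placeholder names kept).
SAMPLE_SYSLOG = [
    "Jun 22 19:04:13 test-imac automount[264]: Can't mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)",
    "Jun 22 19:04:17 test-imac automount[268]: Can't mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)",
    "Jun 22 19:04:21 test-imac automount[271]: Can't mount server.domain.edu:/user on /private/Network/Servers/server.domain.edu/user: Permission denied (13)",
    "Jun 22 19:04:23 test-imac kernel[0]: nfs server automount -fstab [145]: not responding",
]
SAMPLE_EVENTS = [
    "Event Type: Failure Audit Event Category: Account Logon Event ID: 675 Computer: PRIME1 Description: Pre-authentication failed: "
    "User Name: testaccount User ID: DOMAIN_NAME\\testaccount Service Name: krbtgt/DOMAIN.EDU Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: xxx.xxx.4.5",
    "Event Type: Failure Audit Event Category: Account Logon Event ID: 680 Computer: PRIME2 Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 "
    "Logon account: ROOT Source Workstation: \\\\TEST-IMAC Error Code: 0xC0000064",
    "Event Type: Failure Audit Event Category: Logon/Logoff Event ID: 529 Computer: HOME_DIR_SERVER Description: Logon Failure: Reason: Unknown user name or bad password "
    "User Name: ROOT Domain: DOMAIN_NAME Logon Type: 3 Logon Process: NtLmSsp Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: \\\\TEST-IMAC",
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_SYSLOG, SAMPLE_EVENTS, "testaccount"):
        print(line)
```

Run it as-is to see the three 675 pre-auth entries classified as the normal first Kerberos exchange (0x19), the 680/529 entries decoded to "account does not exist", and a mismatch line naming ROOT. On a real machine, feed it the `automount` lines from /var/log/system.log and the exported Security log descriptions from the DC and the home directory server; the 675 events are not what is breaking the mount, the NTLM attempts with the wrong account are.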
July 19, 2005 at 11:38 am #362367
Anonymous
Guest
I am seeing the same thing on a newly upgraded XServe (10.3.9 > 10.4.1 > 10.4.2).
It appears that it only occurs when I have a valid Kerberos ticket. When my ticket expired last night, the log entries ceased:
Jul 18 23:32:20 – automount[5748]: Attempt to mount /automount/Servers/ /SYS returned 13 (Permission denied)
Jul 18 23:32:20 – automount[250]: Can’t mount :/SYS on /private/Network/Servers/ /SYS: Permission denied (13)

July 26, 2005 at 5:20 pm #362493
AllanMarcus
Participant
I’m seeing the same problem. I did a fresh install of Tiger and updated it with software update to 10.4.2. I entered the smb mount point info into AD and I checked that my user can mount the share with his name and pw. If I set the Mac to force a local home directory, the share is mounted and there is a local home dir for the user. If I turn off that check box so we can have remote home directories, then I get the permission failure problem noted earlier in this thread.
I’m actually taking the 4 day Apple class (MacOS 335) on directory services next week in Cupertino. I’m hoping they can shed a little light on this and other problems.
-Allan
August 1, 2005 at 3:24 pm #362601
andyinindy
Participant
I can attest to having this issue as well, however I see it only when the “create mobile account at login” checkbox is selected. I see the same errors in the log that you are describing:
Aug 1 09:45:17 A200428 automount[186]: Can't mount ben.butler.edu:/acunning on /private/Network/Servers/ben.butler.edu/acunning: Permission denied (13)
Aug 1 09:45:21 A200428 automount[440]: Can't mount ben.butler.edu:/acunning on /private/Network/Servers/ben.butler.edu/acunning: Permission denied (13)
Aug 1 09:45:21 A200428 automount[440]: Attempt to mount /automount/Servers/ben.butler.edu/acunning returned 13 (Permission denied)
Aug 1 09:45:21 A200428 automount[186]: Can't mount ben.butler.edu:/acunning on /private/Network/Servers/ben.butler.edu/acunning: Permission denied (13)
Aug 1 09:45:25 A200428 automount[443]: Can't mount ben.butler.edu:/acunning on /private/Network/Servers/ben.butler.edu/acunning: Permission denied (13)
Aug 1 09:45:25 A200428 automount[443]: Attempt to mount /automount/Servers/ben.butler.edu/acunning returned 13 (Permission denied)
Aug 1 09:45:25 A200428 automount[186]: Can't mount ben.butler.edu:/acunning on /private/Network/Servers/ben.butler.edu/acunning: Permission denied (13)
Aug 1 09:45:29 A200428 automount[446]: Can't mount ben.butler.edu:/acunning on /private/Network/Servers/ben.butler.edu/acunning: Permission denied (13)
Aug 1 09:45:29 A200428 automount[446]: Attempt to mount /automount/Servers/ben.butler.edu/acunning returned 13 (Permission denied)
Aug 1 09:45:29 A200428 automount[186]: Can't mount ben.butler.edu:/acunning on /private/Network/Servers/ben.butler.edu/acunning: Permission denied (13)
I found this post on Apple’s boards, which sheds a bit of light on things:
http://discusssearch.info.apple.com/[email protected]@.68b5c7aa
Looks like a major bug with Apple’s authentication setup!
I’m going to try to change some auth settings on my clients to see if this helps, and also work with our Windows admin to see what is happening on the server side.
Unbelievable!
August 1, 2005 at 5:41 pm #362605
Anonymous
Guest
I’ve noticed something very interesting. I can connect to any Active Directory member server in the domain through “Connect to Server” or network browser, but when I try to connect to an Active Directory domain controller, I get the same results as the rest of you, the “name or password is not correct” message.
However, on the Windows servers, whether the Mac connects or not, the AD log shows successes. The first two are from connecting via “Connect to server” and the last is through the network browser, which produces the “Alias – original item not found” error.
I find it amazing that the member servers and Domain Controllers give the same security log entry, yet Tiger mounts the member server shares while not mounting the Domain Controller shares……
I hope they get this fixed real soon.
For the non-Windows people, the 0x0 is the response for a successful authentication. It is not actually an error. A bad username or password would return one of the following error codes:
0xC000006A An incorrect password was supplied.
0xC0000064 The account does not exist.
———————————-
Successful Network Logon:
User Name: appleuser
Domain: MKE
Logon ID: (0x0,0x9352B4)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: \\OSX-TIGER
Logon GUID: –
Caller User Name: –
Caller Domain: –
Caller Logon ID: –
Caller Process ID: –
Transited Services: –
Source Network Address: 192.168.254.99
Source Port: 0
——————————————
Then immediately after:
User Logoff:
User Name: appleuser
Domain: MKE
Logon ID: (0x0,0x9352B4)
Logon Type: 3
——————————————
If I try the same thing from Finder’s network browser, I get this:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: APPLEUSER
Source Workstation: \\OSX-TIGER
Error Code: 0x0

September 26, 2005 at 3:47 pm #363361
rhapsody
Participant
We are having the same problem here on 10.4.2 client bind to AD.
Log files reveal the same permission denied problem.
We don’t have any cluster services in our AD configuration.
And SMB connections are disabled on our domain.
Has anyone solved that recently?
September 27, 2005 at 12:09 am #363369
superrcat
Participant
This problem will also occur if you are using DFS or try logging into a Mac OS X client with a user that has a home directory located on a DFS share.
October 11, 2005 at 3:26 am #363564
Anonymous
Guest
Have the same problem here, SMB is off, DFS not used. Anything else we can try, please?
October 12, 2005 at 9:05 pm #363593
kwhelan
Participant
Curiously wondering if the other security settings in AD are consistent, as some people seem to be able to get this to work and others like myself not.
People have tried clean installs of OS X etc., so logically the problem must be either smb.conf settings or AD issues.
Can we perhaps see some working smb.conf files to compare?
My AD seems to work perfectly, but maybe some policy is overriding another, and logic would suggest that if smb shares work once the client has signed on then it’s not an AD security problem but something not working at the login prompt of OS X specifically, or in sequence, to allow home folder authentication.
For AD I have SMB signing off as recommended (how do we test this?), but what about the network security LAN Manager authentication setting, NTLMv2?
There has to be a logical reason why some people get setups to work and others don’t, and it’s damn frustrating for those of us that haven’t. In fact it’s pretty much job critical. No Apple techs in this country have been any help whatsoever except to suggest I buy AdmitMac.

October 12, 2005 at 9:19 pm #363594
kwhelan
Participant
My suspect smb.conf, if anyone can spot any obvious errors please:
Last login: Thu Oct 13 09:41:45 on ttyp1
Welcome to Darwin!
Art-EMac09:~ admin$ sudo -s
Password:
Art-EMac09:~ root# cd /etc
Art-EMac09:/etc root# pico smb.conf

GNU nano 1.2.4 File: smb.conf
; Template configuration file for smbd.
; ============================================================================
; For the format of this file and comprehensive descriptions of all the
; configuration option, please refer to the man page for smb.conf(5).
;
; The following configuration should suit most systems for basic usage and
; initial testing. It gives all clients access to their home directories and
; allows access to all printers specified in /etc/printcap. It also provides
; a public share point for generally exporting stuff.
;
; Some things to check out:
;
; 1: Make sure that the user specified in “guest account” exists. Typically
; this will be a user that cannot log in and has minimal privileges.
; Often the “nobody” account doesn’t work (very system dependant).
;
; 2: You should consider the “security =” option. See a full description
; in the main documentation and the smb.conf(5) manual page
;
[global]
guest account = unknown
encrypt passwords = yes
auth methods = guest opendirectory
passdb backend = opendirectorysam guest
printer admin = @admin, @staff
server string = Art-EMac09
unix charset = UTF-8-MAC
display charset = UTF-8-MAC
dos charset = 437
client ntlmv2 auth = no
realm = LINDISFARNE.HB.SCHOOL.NZ
security = ADS
workgroup = LINDISFARNE
defer sharing violations = no
use spnego = yes
os level = 8
vfs objects = darwin_acls
brlm = yes
; Using the Computer Name to compute the NetBIOS name. Remove this comment to $
netbios name = Art-EMac09
[homes]
comment = User Home Directories
browseable = no
read only = no

;[public]
; path = /tmp
; public = yes
; only guest = yes
; writable = yes
; printable = no

[printers]
path = /tmp
printable = yes

October 13, 2005 at 2:05 pm #363605
dave621
Participant
Found the same problem with AFP shares on a Windows server. Also it would log in and mount the server space, but in the server space would be a Library folder with com.apple.dock.plist, com.apple.MCX.plist, and com.apple.homesync.plist. Also the local Mobile account for a regular user would only have the Desktop folder and the Library folder in their users folder. If I logged in with a Domain Admin account I had all the folders in my users folder correctly but still got the Library folder in my auto-mounted server space. I had an Apple SE in to look at the problem with mobile accounts and he said they are working on a switch for dsconfigad to fix this problem. They didn’t think it would be in 10.4.3 but later. Hope this helps,
Dave
April 7, 2006 at 12:27 am #365925
Anonymous
Guest
I have also experienced this same problem after upgrading to 10.4. After a little bit of investigative work, I have discovered that the problem on my network is caused by the Winblows2000 sp4 server that holds the home folders. Apparently when the home folder is mapped, automount uses the FQDN as the NetBIOS name, i.e. TEST.MYDOMAIN.COM instead of the short name TEST. While this will work with the home folder located on an XP and a Winblows2003 box, it does not appear to work when the home folder is on a Winblows2000 sp4 box. If you are experiencing this problem and your home folder is located on a Winblows2000 box, log into the OS X box via ssh and run (sudo mount_smbfs -U yourusername {path to the home folder using the shortname of the server} {mount point}). If this works then (sudo umount {mount point}) and rerun the mount_smbfs command using the FQDN of the server instead of the short name. If this hangs and your home folder is located on a Winblows2000 box, then your problem is most likely due to automount using the FQDN of the computer.
There are other reasons that will cause this problem such as, incorrect file permission on the home folder share.
Hope this helps.