Active Directory authentication trouble
  • #359396
    AaronAdams
    Participant

    My company recently upgraded its old NT 4 Domain to Windows 2000-based Active Directory. I have a PowerBook I use personally and at work, and I have a personal local account and a work account, authenticated through AD with a home local to the PowerBook. Since starting to use AD, I’ve had some trouble authenticating, and just some general weird things going on.

    I am using 10.3.5 and I’m correctly bound to the directory via the AD plugin. A computer account and a user account exist for me in the domain, and the DNS entries for all machines, including my Mac, appear to be correct. I am caching the last user login for offline operation and I have the AD plugin set to allow administration by domain admins, of which I am one.

    On my Mac, I have network locations set for home and work. Each location has a different wireless network it joins and a different set of DNS servers and search domains. I switch between the two locations as necessary.

    Here’s a description of some of the weirdness:

    In the morning, I’ll cold boot my PowerBook at work and login with my personal local account. After local login is complete, I’ll select the correct network location (work) and, using fast user switching, return to the login screen where I’ll attempt to login to AD. The login works fine, but I get a second window with a check box at the top labeled “Enable workgroup management”. The box is checked. Below it is a tall, blank space with nothing listed (I assume workgroups would go here). There is another checkbox at the bottom of the blank box labeled “Remember my choice” and a button to “Refresh”.

    What is this dialog for? What is this workgroup management feature and why am I being presented with it if no workgroups exist, judging by the blank list?

    When I check the “Remember my choice” box, it never remembers my choice and continues to present me with this dialog upon subsequent logins. When I click the refresh button, all check boxes and buttons, except for login, are grayed out. I am able to login without any problem.

    When I’m done with work for the day, I logout of the AD account and go back to either the login screen or my personal local account and close the lid to the PowerBook, putting it to sleep. When I get home, I use my personal local account to change to the home network location. Within a few seconds, I get two dialogs telling me that my home directory share from work cannot be reached and it gives me the option to disconnect.

    Should these shares have been disconnected when I logged out? Why weren’t they? Why does some kind of persistent communication remain after I’ve logged out of my AD-based account?

    I can use my personal local account all evening without a problem. The next morning, upon arriving at work, I’m never sure what I’m going to get. Using my personal local account, I’ll change network locations back to the work location. Using fast user switching, I’ll go to the login screen and select my AD-based account from the list and attempt to login. Sometimes the login works fine, albeit with the workgroup management dialog. Usually, however, the login window shakes and I’m unable to login at all. All network functions in my personal local account work fine. I can surf the web, retrieve e-mail, ping any server, including the AD controller, and establish VPN connections. The only thing I cannot do is authenticate to AD. So I’ll reboot the machine. After reboot, the AD authentication works fine and I’m back to the workgroup management dialog.

    What’s going on here? Why does AD authentication work sometimes and not others?

    I appreciate any help you can offer.

    #359821
    Anonymous
    Guest

    I am having the exact same issue. Have you found a solution to this yet?

    #359836
    AaronAdams
    Participant

    Here are the solutions I was given:

    The “Enable Workgroup Management” window is a bug. It has something to do with the fact that my AD-based user is an admin in the domain and on the local machine, so the authentication window displays that dialog. I never completely understood this whole topic, but since it’s more of a minor annoyance than a work stopping problem, I just click through it and go on.

    Secondly, every account on the machine seems to require a unique long name. For instance, my local account has a short name of aaron, my AD account has a short name of adamsa, but both have the long name Aaron Adams. Changing the long name of my local account fixed some of the authentication weirdness I was experiencing. I have no idea why the long name makes any difference. The short names and UIDs for each account are unique, why does it care what the long name is?

    Lastly, I found out that when I switch locations and want to login to AD, I have to manually kill the DirectoryServices component so it will restart and straighten out whatever it needs to straighten out. I created an alias in my .bash_profile to execute this command:

    sudo kill $(ps -ax | awk '/\/usr\/sbin\/DirectoryService/ {print $1}')
    

    It seems to me that the OS should perform an operation like this on its own when I change locations. In my mind, there’s no reason why I should have to do this manually at the command line.

    Admittedly, I don’t know as much about this whole topic as I should, as you can tell from the semi-informed and semi-technical reply I’ve provided here. If anyone can provide some insight into these matters, it would be greatly appreciated.
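    A safer form of the one-liner above, added here as an example and not part of the original post. The original awk pattern is a substring match, so it would also signal any process whose command line merely contains /usr/sbin/DirectoryService (a helper daemon with a longer name, or a shell that happens to have the path in its argv). The version below matches the COMMAND column exactly, refuses to run if the daemon is not found, and waits for it to come back with a new pid before reporting success. The ps output embedded in the block is constructed sample data, and the DirectoryServiceHelper line in it is a hypothetical sibling process used only to show the false match; the ten-second wait and the log path in the error message are assumptions.

```shell
#!/bin/sh
# Example added for this thread; not code from the original poster.

# find_ds_pids: read `ps -ax`-style output on stdin and print only the PIDs
# whose COMMAND column (field 5 on BSD ps: PID TT STAT TIME COMMAND) is exactly
# /usr/sbin/DirectoryService. Header line (NR == 1) is skipped.
find_ds_pids() {
  awk 'NR > 1 && $5 == "/usr/sbin/DirectoryService" { print $1 }'
}

# Constructed sample of `ps -ax` output. Line 101 is a hypothetical helper
# process with a longer name; line 482 is the original awk one-liner itself.
SAMPLE_PS='  PID  TT  STAT      TIME COMMAND
    1  ??  Ss     0:00.12 /sbin/init
  100  ??  Ss     0:03.41 /usr/sbin/DirectoryService
  101  ??  S      0:00.02 /usr/sbin/DirectoryServiceHelper
  482  p1  R+     0:00.00 awk /\/usr\/sbin\/DirectoryService/ {print $1}'

# count_substring_matches: what the original regex would select from the same
# sample, to show why an exact match on the command column is preferable.
count_substring_matches() {
  printf '%s\n' "$SAMPLE_PS" | awk '/\/usr\/sbin\/DirectoryService/ { n++ } END { print n + 0 }'
}

# restart_directoryservice: kill the live daemon (mach_init respawns it on 10.3)
# and wait up to ten seconds (assumed) for a replacement pid before returning 0.
restart_directoryservice() {
  pids=$(ps -ax | find_ds_pids)
  if [ -z "$pids" ]; then
    echo "DirectoryService is not running; nothing to restart" >&2
    return 1
  fi
  sudo kill $pids || return 1
  i=0
  while [ "$i" -lt 10 ]; do
    sleep 1
    new=$(ps -ax | find_ds_pids)
    if [ -n "$new" ] && [ "$new" != "$pids" ]; then
      echo "DirectoryService restarted (old pid $pids, new pid $new)"
      return 0
    fi
    i=$((i + 1))
  done
  echo "DirectoryService did not come back; check /Library/Logs/DirectoryService (path assumed)" >&2
  return 1
}
```

    Run restart_directoryservice after switching network locations, as the post describes; find_ds_pids and count_substring_matches only parse text and can be exercised against the embedded sample without touching the running system.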

    #359890
    AaronAdams
    Participant

    macshome wrote: “The workgroup selection box comes up because you are logging in as an admin and the Mac thinks there are some mcx settings to apply.”
    I understand why that happens now, thank you. But… (and there’s always a but) since I installed 10.3.6 on this machine, it has started remembering my choices. I cleared the “Enable workgroup management” checkbox and checked the “Remember my choices” box, and that window has not come back since. I don’t know if that’s a fix incorporated into 10.3.6, or if something changed on my system because of the install and now it is able to remember my preference.

    macshome wrote: “I’m curious as to your FUS scheme that you are using. We are integrating active directory and we just use the cached user account feature to make a mobile account. The users then just use that cached account when on the road or at home.”
    I have two accounts on my machine, one that is a local account that I use for my personal things, and a second that is an AD-authenticated account that I use for work. It is also cached for use as a mobile account as you described. There really isn’t any technical reason I divide things into two accounts, it’s more for my own organization and logical consistency. I prefer not to mix business and personal files, and the items I need in my dock or on my desktop are different at work than they are at home, for instance.

    macshome wrote: “The mount is probably hanging around as automatically mounted home shares are pretty persistent. They are done that way so that when you log back in you jump right into the folder. In any case if you are logged out of that account then you can just dismiss the warning. It’s doing what it is supposed to by letting you know a network mount dropped.”
    Understood.

    macshome wrote: “You might be losing the AD authentication because the AD plugin seems to be pretty sensitive to network changes/irregularities and it tends to re-write /L/P/edu.mit.Kerberos at the drop of a hat. You can try removing the auto-config lines from said file after you have logged in via AD successfully.”
    This is another one of those things that was somehow fixed after I installed 10.3.6. Now I can change network locations and login and logout of accounts all day long and things work without having to kill the DirectoryServices component. I don’t know what Apple did, or even if they did anything at all, but I’m grateful.

    Thanks for your help macshome.
