Another hour, another question – AD integration

  • #379350
    nobrainer
    Participant

    I know this probably isn’t specific to InstaDMG, but it may be, since it’s happening on the images I created using it but not on the images created the ‘old’ way.

    We deployed the image to a few systems and everything seemed to work fine. I can sign in with my AD account and everything seems to work. However, when I try to sign in as the end user’s ID, they can’t log in. They can sign in to their web-based email, they can sign on to a PC, they can sign on to a Mac with a previous build on it (even one they never signed into before). Reset the PWs, not locked out or disabled, etc. Just get the shaking screen when they try to sign in.

    So I have another IT staff member sign in that never signed on to the box… they get right in – so it’s hitting AD.

    If I sign in, remove the system from the domain, reboot, add back to the domain, reboot, THEN the user can sign in like normal, but until I do that, NOTHING I do seems to work (reboots, password resets, even tried taking it out for a lobster dinner)…

    The DomJoin is not scripted, it’s being handled by Casper, same as it has been since we deployed it 2 years ago…

    #379356
    Allister Banks
    Participant

    Hey nobrainer,

    You know what’s the sneakiest thing I learned from a class given by Arek Dreyer? If you ssh in to the machine in question, you can tail the logs in real time – that’s at least one way to figure out where the error lies. Especially when it’s successful with some logins (possibly it has to do with the OU? Is DNS looking at the right place/is this workstation on the right network?) and not others, you have an A/B comparison to look at the difference between. Perhaps logging on the server could tell you as well.
    I’m at the shallow end of an AD integration (my first with a huge forest) so please do share any things you find that lead you in the right direction. Thanks,

    Allister

    #379368
    nobrainer
    Participant

    Okay, so I did a bunch of searching.. but I can’t figure how to actually check the logs 😳

    #379376
    Allister Banks
    Participant

    It’s 😳 when you DON’T ask!
    Console.app in the Apps/Utilities folder is a ‘starter’ log reader, and conveniently gives you an overall view of all output written to log files. /var/log/system.log is where I’d start looking on your system, and when you’re doing the SSH trick mentioned above you can monitor it via [code]tail -f /path/to/somename.log[/code]
    Sorry I can’t point you at the exact log, I don’t know it myself, but Console.app can point you in the location of some likely ones to investigate. Let us know,

    Allister

    #379451
    nobrainer
    Participant

    Hmm. I’ve tried system.log, directoryservice.error.log and directoryservice.log

    those 3 didn’t seem to change when I tried to sign in with the user’s account.
    then I had to give up the machine back to the user.

    #379454
    foilpan
    Participant

    try running directoryservice in debug mode and tailing the debug log.

    [code]
    killall -USR1 DirectoryService
    tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log
    [/code]

    also, be sure you can login as a local admin or ssh in to lookup accounts in AD. a simple “id ” should suffice. if that succeeds, you’re on the right track. if not, i’d look to your bind script or policy to ensure it’s doing what you expect.

    #379456
    nobrainer
    Participant

    Hmm.
    the Killall command didn’t work.

    $ killall -USR1 DirectoryService
    No matching processes belonging to you were found

    $ tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log
    tail: /Library/Logs/DirectoryService/DirectoryService.debug.log: No such file or directory

    I can sign in as a local admin and as a domain admin. I just can’t sign in as the end user, which is what confuzzles me.

    #379457
    Rusty Myers
    Participant

    Try using sudo. You’re not restricting who can log in via system preferences, are you?

    #379458
    nobrainer
    Participant

    [QUOTE]Quote by: nobrainer

    Hmm.
    the Killall command didn’t work.

    $ killall -USR1 DirectoryService
    No matching processes belonging to you were found

    $ tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log
    tail: /Library/Logs/DirectoryService/DirectoryService.debug.log: No such file or directory

    I can sign in as a local admin and as a domain admin. I just can’t sign in as the end user, which is what confuzzles me.
    [/QUOTE]

    Ohh… needs a sudo killall 🙂
