error on AD login after security update 2007-004
May 10, 2007 at 1:59 pm #368998
kraaft
Participant
The macs in our school authenticate at an Active Directory server. Students use both macs and windows pcs with their account. No additional software for directory access is used on the mac client side as well as on the windows 2003 server side.
After applying the security update 2004-007, on every mac (G4, G5, Intel) the first login attempt after boot results in an error message (“You are unable to log in to the user account at this time…”).
The error message in /var/log/system.log reads:
[code]
May 10 15:45:26 ibook-sk kernel[0]: netsmb_dev: loaded
May 10 15:45:26 ibook-sk automount[222]: Can’t mount sredu01.kzo.lokal:/HomesSchueler$ on /private/Network/Servers/sredu01.kzo.lokal/HomesSchueler$: Invalid argument (22)
May 10 15:45:26 ibook-sk automount[222]: Attempt to mount /automount/Servers/sredu01.kzo.lokal/HomesSchueler$ returned 22 (Invalid argument)
May 10 15:45:26 ibook-sk automount[157]: Can’t mount sredu01.kzo.lokal:/HomesSchueler$ on /private/Network/Servers/sredu01.kzo.lokal/HomesSchueler$: Invalid argument (22)
May 10 15:45:28 ibook-sk /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer: Exiting: (os/kern) successful (0)
[/code]
The second attempt works fine and every following login with different users too.
I have seen the problem mentioned at macfixit but all the suggested troubleshooting solutions didn’t work. Has anybody seen this problem too? Even found a solution (not removing the update!)?
May 15, 2007 at 9:22 am #369043
kraaft
Participant
The problem is strictly related to the update as I tested it on several machines (ppc and intel) before and after the update.
I tried the troubleshooting solutions from macfixit.
– Disconnecting and rebinding to the AD
– Restoring the smbfs and smbmount files that had been changed with the update (with that the network homes always failed to mount)
– deleting loginwindow and directory access prefs
May 16, 2007 at 2:45 am #369050
genericpenguin13
Participant
I am having a very similar problem. Clients and Server 10.4.9 bound to AD 2003. User accounts are on AD, group is on OD and they have homes on SMB shares with the correct path in AD.
All permissions are correct on homes (it works after the first login).
Clients receive the “You are unable to log in to the user account at this time…” message. If you attempt a login the first time, it fails. The second time it will let you in. The log output is:
[code]May 16 12:23:16 NewsLtd-Test-Image-1 mDNSResponder: Adding browse domain local.
May 16 12:23:18 NewsLtd-Test-Image-1 configd[38]: target=enable-network: disabled
May 16 12:23:22 NewsLtd-Test-Image-1 ARDAgent [200]: ********ARDAgent Launched********
May 16 12:23:22 NewsLtd-Test-Image-1 ARDAgent [200]: ********ARDAgent Ready********
May 16 12:24:32 NewsLtd-Test-Image-1 ARDAgent [200]: Front Process:Couldn’t get front process.. error: -600.
May 16 12:24:44 NewsLtd-Test-Image-1 kernel[0]: netsmb_dev: loaded
May 16 12:24:44 NewsLtd-Test-Image-1 automount[208]: Can’t mount matsydfs01a.news.newslimited.local:/bushg$ on /private/Network/Servers/matsydfs01a.news.newslimited.local/bushg$: Invalid argument (22)
May 16 12:24:44 NewsLtd-Test-Image-1 automount[208]: Attempt to mount /automount/Servers/matsydfs01a.news.newslimited.local/bushg$ returned 22 (Invalid argument)
May 16 12:24:44 NewsLtd-Test-Image-1 automount[173]: Can’t mount matsydfs01a.news.newslimited.local:/bushg$ on /private/Network/Servers/matsydfs01a.news.newslimited.local/bushg$: Invalid argument (22)
May 16 12:24:47 NewsLtd-Test-Image-1 /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer: Exiting: (os/kern) successful (0)
May 16 12:25:26 NewsLtd-Test-Image-1 kernel[0]: smbfs_smb_qfsattr: (fyi) share ‘NTFS’, attr 0x700ff, maxfilename 255
May 16 12:25:30 NewsLtd-Test-Image-1 automount[439]: Can’t mount matsydfs01a.news.newslimited.local:/bushg$ on /private/Network/Servers/matsydfs01a.news.newslimited.local/bushg$: Invalid argument (22)
May 16 12:25:30 NewsLtd-Test-Image-1 automount[439]: Attempt to mount /automount/Servers/matsydfs01a.news.newslimited.local/bushg$ returned 22 (Invalid argument)
May 16 12:25:30 NewsLtd-Test-Image-1 automount[173]: Can’t mount matsydfs01a.news.newslimited.local:/bushg$ on /private/Network/Servers/matsydfs01a.news.newslimited.local/bushg$: Invalid argument (22)
May 16 12:25:31 NewsLtd-Test-Image-1 kernel[0]: smbfs_smb_qfsattr: (fyi) share ‘NTFS’, attr 0x700ff, maxfilename 255
[/code]
The first login ends with:
[code]
May 16 12:24:47 NewsLtd-Test-Image-1 /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer: Exiting: (os/kern) successful (0)
[/code]
After that the user login works as normal.
Re-binding does nothing. Haven’t tried restoring the smbfs and smbfsmount files but I’m not keen on removing systems files as I do not want to move away from a vanilla system and cause problems with further updates. The prefs I will try but I’m not optimistic. Has no-one come up with a workaround or fix? I’ve tried lots of things (killing the mcx_cache, re-binding, tcpdumps, etc) but I guess I’m just not cluey enough.
I hope somebody gets there.
June 22, 2007 at 5:33 am #369339
pat_mc_crotch
Participant
We have [i]exactly[/i] the same issue, and have been hanging out for 10.4.10 to resolve the issue. Unfortunately, it did not.
Has anyone had any successes finding a solution?
June 22, 2007 at 1:42 pm #369342
kraaft
Participant
The 10.4.10 update didn’t solve the problem but I finally found a solution:
change the following entry in /etc/hostconfig:
AUTOMOUNT=-YES- to AUTOMOUNT=-NO-
This disables NFS automount and solves the problem. So if you don’t need nfs mounts you’re fine.
I used the following unix command in Apple Remote Desktop to change this on all my machines:
[code]
perl -p -i.bak -e 's/AUTOMOUNT=-YES-/AUTOMOUNT=-NO-/' /etc/hostconfig
[/code]
June 23, 2007 at 10:22 am #369349
pat_mc_crotch
Participant
Kraaft – thanks so much for your response. Tell me, does this need to be done on the OS X servers as well, or only the clients?
I will let you know the outcome when I push your command out to the OS X clients via ARD.
Many, many thanks again.
June 25, 2007 at 5:55 pm #369359
Radiola
Participant
kraaft, if I may ask, how did you hit on this solution? (It seems to work on my workstation, BTW.) That never came *close* to occurring to me, and I hope there’s a diagnostic lesson in this someplace. 🙂
– Aaron
June 26, 2007 at 1:01 am #369363
genericpenguin13
Participant
I tried the workaround but it doesn’t work for me. I get:
[code]Jun 26 09:51:59 NewsLtd-Test-Image-1 /System/Library/CoreServices/mcxd.app/Contents/MacOS/mcxd: MCXD.createMobileUserAccount() DADiskCreateFromVolumePath(“/private/Network/Servers/matsydfs01a.news.newslimited.local/bushg$”) == NULL
Jun 26 09:52:01 NewsLtd-Test-Image-1 /System/Library/CoreServices/mcxd.app/Contents/MacOS/mcxd: MCXD.completeMCXLogin mount failed url = smb://matsydfs01a.news.newslimited.local/bushg$
Jun 26 09:52:01 NewsLtd-Test-Image-1 /System/Library/CoreServices/mcxd.app/Contents/MacOS/mcxd: MCXD.deleteCanceledMobileAccountIfNecessary delete of “/Users/bushg” == SUCCESS
Jun 26 09:52:01 NewsLtd-Test-Image-1 loginwindow[494]: AuthorizationRef returned an error (-60006), with username = bushg\n
Jun 26 09:52:01 NewsLtd-Test-Image-1 loginwindow[494]: This indicates that a SecurityAgent plugin has returned something other than errAuthorizationDenied (usually cancelled) after the auth record is set up.\n
Jun 26 09:52:01 NewsLtd-Test-Image-1 /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer: Exiting: (os/kern) successful (0)
Jun 26 09:52:01 NewsLtd-Test-Image-1 TabletDriver[505]: kCGErrorInvalidConnection : CGSGetNextEventRecord: Invalid connection
Jun 26 09:52:01 NewsLtd-Test-Image-1 ARDAgent [508]: kCGErrorInvalidConnection : CGSGetNextEventRecord: Invalid connection
Jun 26 09:52:01 NewsLtd-Test-Image-1 /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer: kCGErrorInvalidConnection : CGSGetNextEventRecord: Invalid connection
Jun 26 09:52:01 NewsLtd-Test-Image-1 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
[/code]
However I have not upgraded to 10.4.10. Is that a prerequisite? I’m going to try it now.
June 26, 2007 at 1:47 am #369364
genericpenguin13
Participant
Damn. I upgraded to 10.4.10 (and included all the security updates) but I still get the same issue. Oh, well. Back to the drawing board. I’m glad it worked for some people. It’s still a pretty good find! Kudos kraaft!
July 3, 2007 at 12:37 pm #369424
kraaft
Participant
[QUOTE][u]Quote by: Radiola[/u][p]kraaft, if I may ask, how did you hit on this solution? (It seems to work on my workstation, BTW.) That never came *close* to occurring to me, and I hope there’s a diagnostic lesson in this someplace. 🙂
– Aaron[/p][/QUOTE]
I read about the possibility in a post regarding other login problems so I thought I’d apply it here. The error message saying something like ‘your home directory seems to be on an afp or smb volume’ hinted to me that the system seemed to be expecting something else (nfs mount?). So disabling an unused nfs automount service seemed reasonable.
That still doesn’t explain why the error occurs at all though.
October 3, 2007 at 1:59 am #370109
tspoon1986
Participant
[QUOTE][u]Quote by: kraaft[/u][p]The 10.4.10 update didn’t solve the problem but I finally found a solution:
change the following entry in /etc/hostconfig:
AUTOMOUNT=-YES- to AUTOMOUNT=-NO-
This disables NFS automount and solves the problem. So if you don’t need nfs mounts you’re fine.
I used the following unix command in Apple Remote Desktop to change this on all my machines:
[code]
perl -p -i.bak -e 's/AUTOMOUNT=-YES-/AUTOMOUNT=-NO-/' /etc/hostconfig
[/code][/p][/QUOTE]
Thanks so much for this, we were having exactly the same problem, and I’ve seen others online with this problem as well. It worked for us!
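An added example, not part of any post in this thread: a POSIX shell version of the /etc/hostconfig edit quoted above that only touches the file when AUTOMOUNT=-YES- is present, so a second run does not replace the .bak copy with the already-edited file (which re-running `perl -i.bak` would do). The function names and return codes are assumptions made for this example, and the demo runs on a constructed file in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and return codes are
# assumptions made for this sketch.

# automount_state FILE -> prints YES, NO or UNSET
automount_state() {
    if grep -q '^AUTOMOUNT=-YES-' "$1" 2>/dev/null; then echo YES
    elif grep -q '^AUTOMOUNT=-NO-' "$1" 2>/dev/null; then echo NO
    else echo UNSET
    fi
}

# disable_automount FILE
#   returns 0: entry changed, original kept as FILE.bak
#           1: already -NO-, file and any existing backup untouched
#           2: file unreadable, no AUTOMOUNT entry, or the edit failed
disable_automount() {
    cfg=$1
    [ -r "$cfg" ] || return 2
    case $(automount_state "$cfg") in
        NO)    return 1 ;;
        UNSET) return 2 ;;
    esac
    cp -p "$cfg" "$cfg.bak" || return 2
    # Build the edited copy first, then overwrite in place so the file
    # keeps its owner and mode.
    sed 's/^AUTOMOUNT=-YES-/AUTOMOUNT=-NO-/' "$cfg.bak" > "$cfg.new" || return 2
    cat "$cfg.new" > "$cfg" || return 2
    rm -f "$cfg.new"
    # Verify the result instead of trusting the substitution.
    [ "$(automount_state "$cfg")" = NO ] || return 2
}

# Demo on a constructed hostconfig in a temp directory (not /etc/hostconfig).
demo() {
    d=$(mktemp -d) || return 1
    printf 'AFPSERVER=-NO-\nAUTOMOUNT=-YES-\nTIMESYNC=-YES-\n' > "$d/hostconfig"
    first=0;  disable_automount "$d/hostconfig" || first=$?
    second=0; disable_automount "$d/hostconfig" || second=$?
    echo "first=$first second=$second state=$(automount_state "$d/hostconfig")"
    rm -rf "$d"
}
demo
```

A return code of 2 on a client is worth a look before retrying, since it means the file did not contain the entry the thread describes.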
April 11, 2009 at 12:46 am #375982
OkiKowai
Participant
Just wanted to add that after a few years, this still resolved the issue for me. It was really annoying as the first login failed with the error and then all subsequent logins worked. Thank you so much for finding this way back when.
July 29, 2009 at 9:09 pm #376746
jlivezey1999
Participant
We have changed the file that is stated above and we are still having the same issue. I also notice that I get a failure audit from my AD server and it looks like the mac is trying to authenticate using the computer account.
Any help would be greatly appreciated. I really wish I could update these macs to 10.5 as we have had no problem since the switch…
Thanks,
JL