Active Directory login failing on machines that used to authenticate fine
  • #379099
    WestNab
    Participant

    We have five Macs running 10.5.8, bound to AD & OD, where login fails with a ‘shake’ or the error message `unable to login … at this time`. There are 11 other Macs in the same room, configured similarly, where login succeeds as normal.

    The domain can be pinged successfully from each.

    In Directory Utility > Directory Servers the domain academic.greenhead.ac.uk is marked `green` but marked `This server is not in your authentication search policy` (the OD server is also marked green with no error message – OK).
    Search Policy tab – it is present – remove and re-add – no change.

    1) One suggestion on:
    http://discussions.apple.com/thread.jspa?messageID=8006003
    which worked for some, but not others:
    “Apple have enabled LDAP signing and encrypting in 10.5.3. If this isn't enabled in your AD this will cause problems.
    The solution is either to enable this for your AD, or disable encryption and/or packet signing (we had to do both) on the Macs. The second solution may be easier:- Make sure the machine is not bound to the AD (no red gems etc.) then…
    In terminal:-
    `dsconfigad -packetsign disable`
    `dsconfigad -packetencrypt disable`
    Reboot and rebind.”

    2) Another suggestion at http://openradar.appspot.com/6541409:
    `Open (edit) the Active Directory entry in the Services panel. Enable “Allow authentication from any domain in the forest”. Close this panel and go to the “Search Policy” panel. You should now find “/Active Directory/All Domains” in the list of domains which can be added. Add it. Return to the services panel and disable “Allow authentication from any domain in the forest”.` This article seems to imply that this doesn't affect logins?

    Tried both 1 & 2 (not enabling LDAP signing, but disabling packet signing & encrypting) – still no login.

    Rebinding each Mac to AD has fixed it for one, but not the other 4.

    Checked Microsoft DNS – all have correct A & PTR records except one which didn't have an A record – now corrected.

    Check time servers and correct where necessary – restart machines – still same problem.

    Strangely and perhaps significantly, AD domain administrators can login to the machines OK.

    Any ideas?

    #379119
    WestNab
    Participant

    Thanks for your reply. No, I can’t `id teststudent` (the AD account which can’t login).

    If I login with a local account, I can command-K, authenticate as teststudent and mount Windows shares fine.

    Andy

    #379122
    sgstuart
    Participant

    How long were your machines successfully logging in for? How often does your AD require your computer accounts to “re-authenticate”? Does your computer's DNS name end the same as your AD domain name?

    Thanks,
    Steven Stuart

    #379127
    WestNab
    Participant

    Thanks for your response. I am not aware of AD requirements for computers to re-authenticate? Where & how is that configured? I evidently don’t fully understand AD. I thought that the process of joining the domain created a ‘shared secret’ (RID or something?) that the computer then always used to authenticate itself in the domain.

    As mentioned previously, leaving the domain and rebinding doesn’t seem to fix the problem.

    The machine is called, for example, machine5. Its FQDN is, for example, machine5.x.y.z.uk – this is correct in DNS, i.e. the name can be resolved correctly. This is the same on machines where login works. The domain is called ‘x’, but its FQDN is x.y.z.uk. The search domain in network preferences is set to x.y.z.uk on all machines.

    #379128
    WestNab
    Participant

    Steven,

    Sorry, forgot to add this info – as far as I know, the machines that now don’t login were working from October last year until sometime this spring.

    We did change domain controllers (from older 2003 servers to 2008 servers) in April. All machines are apparently configured correctly with the new AD DCs, but perhaps something is lingering from the old DCs?

    #379129
    WestNab
    Participant

    Just found a workaround/fix – on a machine that didn’t log users in, disable the option to get the home directory from AD – teststudent then logs in.

    Home directory is set in AD to home folder on an xserve via afp.

    For some reason teststudent cannot connect (using command-K) to this home directory any more using AD credentials – even from a machine where login still works and the option to get the home directory from AD is still enabled! Presumably other student accounts can’t either.

    I’ve found on machines where login works, I’ve got ‘Force local home directory on startup disc’ enabled, as well as use the AD home directory – it seems the former takes precedence and the fact that the AD home dir is inaccessible doesn’t prevent login if the local home is used.

    So progress made, but I don’t understand entirely … I will have a more thorough check of settings on the xserve. Presumably something wrong there.

    #379134
    sgstuart
    Participant

    Hi Westnab,
    How AD and Macs work together is still something I am fully trying to understand myself. I do not have OD in the mix either. I am glad that you are finding some workarounds as well.

    I have also seen things that are saying there are problems with AD 2008. Maybe some of these may assist more, especially for your problem.

    Here is one article:
    http://support.apple.com/kb/TS2967

    Here is another link for info: with many links off of it:
    http://www.macwindows.com/snowleopardAD.html

    Thanks,
    Steven Stuart

    #379140
    WestNab
    Participant

    Steven,

    I’ve checked out the xserve and although Directory Utility says everything is fine, Workgroup Manager doesn’t seem to be accessing AD at all. I had included a couple of AD groups as members of OD groups, but these are now marked as ‘Not Found’ in Workgroup Manager. If I try to add members to the OD group from AD, ‘All domains’ or ‘x.y.z.uk’ are available and can be selected, but no items appear in the side panel.

    Any idea of the best step now? My first thought is to unbind the xserve from the domain, wait a bit, reboot maybe, and rebind …

    Andy

    #379144
    sgstuart
    Participant

    Hi,
    Unfortunately, I have no words of wisdom. I think the unbind -> bind sounds like a good thing to try. It at least cannot hurt.

    Thanks,
    Steven Stuart

    #379157
    WestNab
    Participant

    The first attempt at unbinding the xserve resulted in the whole machine hanging – couldn’t get back into Finder to Force Quit from Directory Utility, so I had to power cycle the xserve.

    For the next attempt, I disabled Active Directory in Directory Utility > Services before editing the Active Directory item and unbinding from AD. This went ahead smoothly. I rebooted, checked that the xserve was no longer in AD, then bound it in again. On binding to AD, it put up a message “Join Kerberos realm. To join this server to the Active Directory Kerberos realm, open Server Admin and select Open Directory for this server. In the Settings pane, click General, then click Join Kerberos and enter credentials for a local administrator on this server”.

    With hindsight, perhaps I should have just ignored this!

    In Server Admin > Open Directory > Settings > General
    ⁃ Join Kerberos is not available – ‘Add Kerberos Record’ is available, Kerberos is already running.

    I probably shouldn’t have done what I did next, which was to trash my existing OD and recreate a new one by changing my xserve from OD Master to ‘Connected to a directory server’ and then changing it back again!
    (In between, I did have a ‘Join Kerberos’ button, but when I tried it, nothing happened – maybe because I’d entered the wrong settings?)

    I can now recreate my user groups in WGM, which have as members groups from AD.

    I now find I have to rebind all my Macs to the xserve because of the new OD, and also unbind and rebind to AD before user login works – but it does!

    Of course, I will also have to recreate preferences for my workstations and user groups …

    #379162
    sgstuart
    Participant

    Hi Westnab,
    I misunderstood: I didn't realise that the xserve you were going to unbind was the OD master itself. Yes, anything bound to the OD would need to be reset and so forth in a situation like that. I feel extremely bad that I assumed it was just a regular xserve that you were talking about unbinding. I apologize profusely for being the cause; in this case many things could definitely go wrong.

    Thanks,
    Steven Stuart

    #379165
    WestNab
    Participant

    Steven,
    Absolutely no problem, I take full responsibility! Anyhow, it seems I’ve got to a situation where users can log in again & have time to go round rebinding the clients (about 40, so could be worse!). On the whole I’m pleased with the outcome, I don’t think I would have found an easier way to fix.
    Andy

    #379172
    sgstuart
    Participant

    Hi Andy,

    So are you saying that this is fixing the problem that you were initially having? If so, that is great. On the rebinding part, I am assuming that you have ARD. What I use is a script for binding all of my Macs to AD (granted I do not have OD); however, I am sure that there is a way to script that and send it through ARD to each computer, and it should make that portion quick, easy, and relatively painless. My guess is you are mostly done anyway; however, if this type of thing happens again and you want to rebind quickly, you could already have it ready to go.

    Thanks,
    Steven Stuart
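As an added example (not a script posted in this thread, and not Apple's or the poster's own code), here is the shape such an ARD-pushed bind script could take: it encodes the two pre-checks raised above (the client's FQDN must sit under the AD domain, and client/DC clocks must be within Kerberos' default 5-minute skew) as testable functions, then binds with `dsconfigad` using the settings the thread settled on (force a local home, allow any domain in the forest). The `dsconfigad` flag names are taken from the 10.5-era man page and should be confirmed with `man dsconfigad` on the target version; `do_bind`, `fqdn_in_domain` and `skew_ok` are hypothetical names.

```bash
#!/bin/bash
# AD bind helper for a 10.5 client, intended to be pushed via ARD.
# The check functions are pure so they can be exercised without a domain.
set -e

MAX_SKEW=300   # Kerberos rejects tickets beyond 5 minutes of clock skew by default

# Does the client's FQDN ($1) lie under the AD domain's DNS name ($2)?
# e.g. machine5.x.y.z.uk under x.y.z.uk -> 0 (true); machine5.other.uk -> 1
fqdn_in_domain() {
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# Is the client clock ($1, epoch seconds) within MAX_SKEW of the DC clock ($2)?
# Returns 0 when the absolute difference is at most MAX_SKEW, else 1.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# Bind this Mac: $1 = AD domain FQDN, $2 = account allowed to join computers,
# $3 = its password, $4 = epoch time read from a DC (e.g. via ntpdate -q).
do_bind() {
    domain="$1"; user="$2"; pass="$3"; dc_time="$4"
    host=$(hostname)
    fqdn_in_domain "$host" "$domain" \
        || { echo "hostname $host is not under $domain; fix DNS/search domain first" >&2; return 1; }
    skew_ok "$(date +%s)" "$dc_time" \
        || { echo "clock skew exceeds ${MAX_SKEW}s; fix NTP before binding" >&2; return 1; }

    # Join the domain (assumed 10.5 syntax; confirm with man dsconfigad).
    dsconfigad -a "$(hostname -s)" -domain "$domain" -u "$user" -p "$pass"

    # Settings from the thread: a local home on the startup disk keeps login
    # working when the AFP home is unreachable; all-domains authentication
    # makes /Active Directory/All Domains available for the search policy.
    dsconfigad -localhome enable -alldomains enable

    # Disabling LDAP signing/sealing on the client (the Apple discussions tip)
    # removes integrity and confidentiality protection on directory traffic;
    # prefer enabling signing on the DCs and leave this commented out:
    # dsconfigad -packetsign disable -packetencrypt disable

    dsconfigad -show   # record the resulting binding in the ARD task output
}

# Only bind when explicitly asked, so sourcing the file runs no commands.
if [ "$1" = "bind" ]; then
    do_bind "$2" "$3" "$4" "$5"
fi
```

Pushing a join-account password on the command line exposes it in process listings on the client, so use a dedicated, least-privilege join account and rotate it after the rollout.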
