Unable to log into AD account twice?
  • #371926
    mlinde
    Participant

    Ok, so I’m testing 10.5.2 client here. This is specifically on a MacBook Pro, but the hardware shouldn’t matter, right?

    Anyway, I can bind fine to AD and OD, verify access to the domain with “id”, and log into my domain account…once.

    If I log out, I can never log into that account again. I can’t find any obvious errors in the logs, and any other domain account can log in…once.

    I wiped the entire system and re-installed to see if it was a bad install (it’s a test machine right now), same thing.

    Couple of notes:
    Unit has Parallels and Boot Camp set up (but not active when testing)
    If I log in as a local admin when the domain account doesn’t work, the account is listed in LDAP, the home folder exists, and “id” still returns valid information, so the unit is still on the domain.
    I am tied to a local timeserver, so Kerberos time-differential is not an issue.

    And finally, I’m still learning this cylinder/triangle/pyramid of death config, so be specific if you have suggestions.

    Thanks!

    #371935
    kaptagat
    Participant

    We also have the same problem caused in part by our policy of locking an account after 5 failed attempts. Members of staff can log in fine, but then they found that they couldn’t access their Entourage (Exchange) email. Further investigation revealed that 10.5 was carrying out a further 12 authentication attempts after the successful one and these failed which put the user over the lockout policy limit. We don’t know why the extra authentication attempts fail, but it may be because of some feature of our staff domain, as yet unknown, because 10.5 doesn’t attempt the extra authentications on our student domain. We are quite stumped about this.

    #371950
    mlinde
    Participant

    That’s an odd one. My problem may be a multi-domain forest (I’m troubleshooting a new angle here) where the OD server is in one domain, and a user account is in another. I can work fine in just AD, but when I also bind to OD it starts to fail with both domains. Of course, it works if AD and OD are from the same domain…

    #372053
    Wooster
    Participant

    I’m seeing the same problem here on a large AD network. Very frustrating – worked almost perfect in 10.4.3 – 10.4.11 on the same machines / user accounts. The problem is that new machines come with 10.5 now

    – NO trouble binding – much faster than 10.4.x

    – No problem logging in once (this creates the mobile cached account)

    – Second time I log in I just get the shake

    – If I remove the account from the list of accounts as a local admin I can log in once again one time – the ONE exception is if I’m logging in as local admin and do a fast user switching. This gets me logged into the cached mobile AD account

    – I have no problem authenticating to the Active Directory thru Terminal using “su userxxx” – this works every time

    – No problem if I create an account with local user folder but without offline login (cached login)

    – No difference if I use the AD forest or domain

    I suspect a local 10.5.2 account cache problem.

    I have verified this behaviour on 3 machines now – all fresh installs

    Anyone got any idea how to get a working solution to this?

    #372239
    Wooster
    Participant

    Update…

    I today tried a new machine reinstalled with 10.5.2 from scratch and I can not reproduce the same thing as with the previous machines.

    Today I can log in to a cached mobile AD account every time – BUT every time I log in I lock the AD account.

    Anyone seen this?
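
A defender-side check for the lockout pattern kaptagat and Wooster describe (a successful logon followed by a burst of failures from the same client), written as an added example that is not from this thread. The log format and the AUTH_OK/AUTH_FAIL result tokens are a constructed stand-in for the domain controller's authentication records, so the parser would need adapting to the real event source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from the thread: "<iso time> <client> <account> <result>".
# jdoe shows the pattern described (success, then a burst of failures from the same Mac).
SAMPLE_LOG = """\
2008-05-01T08:30:01 mbp-lab01 jdoe AUTH_OK
2008-05-01T08:30:02 mbp-lab01 jdoe AUTH_FAIL
2008-05-01T08:30:02 mbp-lab01 jdoe AUTH_FAIL
2008-05-01T08:30:03 mbp-lab01 jdoe AUTH_FAIL
2008-05-01T08:30:03 mbp-lab01 jdoe AUTH_FAIL
2008-05-01T08:30:04 mbp-lab01 jdoe AUTH_FAIL
2008-05-01T08:31:10 ws-win07 asmith AUTH_OK
2008-05-01T08:40:00 ws-win07 asmith AUTH_FAIL
2008-05-01T08:41:00 mbp-lab02 bwong AUTH_FAIL
2008-05-01T08:41:01 mbp-lab02 bwong AUTH_FAIL
2008-05-01T08:41:02 mbp-lab02 bwong AUTH_FAIL
2008-05-01T08:41:03 mbp-lab02 bwong AUTH_FAIL
2008-05-01T08:41:04 mbp-lab02 bwong AUTH_FAIL
"""

LOCKOUT_THRESHOLD = 5           # the five-failure lockout policy quoted in the thread
WINDOW = timedelta(seconds=30)  # how soon after the success the failures must arrive

def parse(text):
    """Parse the constructed log into (time, client, account, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, account, result = line.split()
        events.append((datetime.fromisoformat(ts), client, account, result))
    return events

def post_success_failure_bursts(events, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {(client, account): failures} where a successful logon is followed within
    `window` by at least `threshold` failures from the same client; failures with no
    preceding success (bwong) are a different problem and are not reported here."""
    by_pair = defaultdict(list)
    for event in sorted(events):
        by_pair[(event[1], event[2])].append(event)
    hits = {}
    for pair, pair_events in by_pair.items():
        last_ok, fails = None, 0
        for ts, _, _, result in pair_events:
            if result == "AUTH_OK":
                last_ok, fails = ts, 0
            elif last_ok is not None and ts - last_ok <= window:
                fails += 1
                if fails >= threshold:
                    hits[pair] = fails
    return hits
```

Run against real records, the flagged client names tell you which workstations are tripping the lockout policy rather than which users mistyped a password.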

    #372364
    lmadden
    Participant

    Hi all, I am having similar issues with binding a 10.5+ mac to AD using Apple’s plug in. 10.4 worked like clockwork, no issues and easy to co.

    Now, on a clean install mac, here is what I did and the result:

    Wiped mac and loaded 10.5 off DVD.
    Ran software update all the way to latest and greatest in system software.
    Loaded the seed 10.5.3 as was told this fixed all. it didn’t.
    Added local admin account and was able to successfully log in with that.
    Ran permission repair and booted to single user mode and ran fsck -y just in case there was something else hinky there it would fix.
    Shut mac down, rebooted, and logged in with local account to verify it still worked. It did.
    Bound to AD. It came up and said it found an existing account and did I still want to join. Yes.
    Put in my domain admin credentials and it bound no problem.
    Logged off, then logged in with domain account, no problem.
    Shut down, rebooted, tried to log back in with domain account, and after logging me in, but before desktop came up, the parental controls screen comes up and says I have 1 hour to use the mac. Hmmm….
    Even if you tell it to allow you to indefinitely use mac, the next time you go to log in, no way jose. It just shakes.

    I deleted machine account out of AD and re-added it.

    Deleted the Directory Access info out of the preferences folder and rebooted mac so it would create new vanilla folder.

    Rebound to AD, no problem, but it did not alert me to an existing account, just went ahead and bound.

    At the log in screen, it tells me a network account is available, yet it will absolutely NOT let me log in with domain credentials. The only way to “fix” this is to wipe the mac and start over.

    Has anyone seen this behavior? I need to deploy Leopard to about 350 macs here and cannot do it until this issue is solved.

    Any help is appreciated.

    Lisa
    Software Engineer
    NASA

    #372374
    lmadden
    Participant

    Hi MacTroll….

    See responses below:

    When regressing AD issues it’s best to go step by step and see where the breakage occurs.

    It sounds like you’ve successfully bound to AD through the GUI? [b]YES. Works fine on 10.4.11 macs. I used my own AD account to test with so know account not locked[/b]

    If that’s the case, before logging out of that session you can determine if the bind is actually working or not. [b]I will wipe the mac tomorrow and start over and try this. forgot to mention that I check to be sure Parental Controls is NOT enabled, and it’s not, so not sure what is causing that behavior.[/b]

    1) First using the “dscl” command from the CLI, see if AD is showing up as a valid directory store and ensure that you’re able to read user accounts through dscl. This test to see that binding actually occurred. [b]Okay, here is some real stupidity. I’ve never done dscl in Terminal, so what argument should I put in? dscl “what?”[/b]

    2) Use the “id” command from the CLI to “id user” where use is a known good AD shortname. This test to ensure that users are actually able to be read out of the domain.

    3) if all that works now do a “su user” where user is a known good AD user that you know the password to. This tests to ensure that you can actually authenticate as a user.

    4) Now go to the login window and attempt to login as an AD user.

    In your case it sounds like you were, at least at one time, able to login as a domain user on the system? Which would imply that things are working as far as authentication goes. [b]Yes, first log in with domain credentials works. NO local account with same short name on system, so AD creates it on the fly. As long as you stay logged in everything works fine. When you shut down, reboot, and try to log in again, it lets you, but then invokes parental controls and that is all she wrote.[/b]

    If you’re getting the parental controls, it seems as if you’ve been chained to a policy, either locally or from a network service. I’d use the mcxquery command to see if that’s the case. [b]Hmmm, will try this, as I do believe it is something specific on this domain. Other domains here do not have the problem, but of course, trying to get the AD person to even admit the problem might be in that configuration is like pulling teeth.[/b]

    I’d also use dscl to see what the user record actually looks like and ensure that you don’t already have a local account with the same shortname. [b]I know there is no local account with same shortname as I am able to use same account to log into my 10.4.11 macs bound to AD with no problems. I may also try, after one log in with domain credentials, to pull the ethernet cable, and see if it lets me log in with cached credentials with no issues. I will post tomorrow sometime. Thanks for your input.[/b]

    #372403
    lmadden
    Participant

    Hi again,

    The weirdness continues. Was able to log back into mac with domain credentials after it had sat at login screen for 1.5 days. I did not touch nor do anything in the interim….

    I logged off, logged back in, no problem. I ran permission repair and it fixed some issues with Cups, Directory Service, and Parental Controls.

    I shut it down, rebooted, logged back in, and voila! Parental Control box came back up. After setting it to rest of day it let me log in, but nothing could be used. Every folder had a lock on it.

    I saw that my account did have Parental Controls enabled. I unchecked that.

    Shut down, rebooted, and absolutely cannot log back in with domain account. Can, however, log in with local machine account. I checked and my own account is in the Accounts pane, and my user folder is still in the Users folder, so at least those did not get deleted. But, I cannot log in.

    I have sent the appropriate debug logs plus a screen shot of the Parental Control error (taken with trusty Treo camera phone), to Apple.

    Right now I have put that mac into a different OU, after removing it from the normal one in AD, and will see if this makes any difference. Maybe there is some strange policy preventing normal login. But why it would happen with 10.5 and NOT 10.4 is anyone’s guess.

    If none of this works, I’m going to look further into the dscl you suggest above. Just wanted to post an update.

    Lisa

    #372437
    lmadden
    Participant

    Update on the Leopard AD bind issue with Parental Controls…..

    I was able to bind to AD on another domain here with no problems, shut down, rebooted, logged back in, NO parental control error message. Shut down again, rebooted, logged in, all is great!!

    Rebound to our regular domain, problem resurfaced!

    So, this leads me to believe the problem is either with the version of AD we are using or perhaps something in the configuration.

    Just wanted to post an update.

    Lisa Madden
    NASA

    #372441
    lmadden
    Participant

    I found out the domain I can bind to and that keeps letting me log back in with domain credentials is running Server 2003 R2. Our regular domain is not running R2. Not sure yet if this is the problem….

    If this were my ONLY job, I could devote 100% of my time to it, but unfortunately it is one of many hats I wear….

    I’ll keep plugging away, however, as we definitely cannot deploy Leopard till this is fixed and I have about 350 or more macs here at this NASA center.

    Lisa

    #372505
    AgentOrange
    Participant

    I have seen this and believe I have fixed it. Do this:

    – Unbind your computer from AD

    – /System/Library/PrivateFrameworks/FamilyControls.framework/Versions/A/Resources and backup and delete parentalcontrolsd

    – reboot your computer

    – Rebind to AD

    – Try logging on/off a few times

    Somehow, I think this parental controls is messing with the system and AD. Leopard so far to me seems to be no better than Windows Vista and UAC. At least in Vista, I can disable UAC.

    One thing I found though is that since doing this the test system I have is a wee bit slow. Not sure if this is related as it is an Intel MacBook with 2GB of RAM (not exactly old hardware).

    #372511
    lmadden
    Participant

    Hi again,

    I tried that “fix,” and actually thought it worked. But it didn’t. Shut down, rebooted, and it let me log in with no Parental Control message. Yay…..

    I would have been happy with the kluge fix, and almost started doing the happy dance.

    Shut down, rebooted, and no way Jose was I logging in.

    So, the only thing that changed was that now it does not warn me Parental Controls is invoked.

    I am wondering if somehow Workgroup Manager is interfering. As far as I can tell, we have it turned off. The pc AD guy says that AD does not point to the workgroup manager server anyway, but I don’t know what else to think at this point.

    Any other ideas?

    thanks again,

    Lisa

    PS: your slowness might have something to do with Bonjour. I’ve seen that on the forums.

    #372517
    AgentOrange
    Participant

    Unfortunately, I concur. This is now happening to me again. It was fine for about 4 days.

    What is really frustrating is that Apple wants to charge $1000 to “try” and fix this problem and so far no Mac pro seems to have an answer on how to resolve this Leopard and AD problem.

    #372518
    lmadden
    Participant

    I am just happy to find someone else with this issue!

    I logged a bug report ticket with Apple, but so far all I’ve been asked for are the debug and server log files. Have not heard boo since then. Time to follow up I guess….

    Someone suggested it might have something to do with Workgroup Manager. Do you use that? Ours is not enabled as far as I can tell. Am going to try shutting down that server and see if problem recurs. If not, then that is a good call. If so, at least it was ruled out.

    If I find something out, will post here.

    Lisa

    #372535
    AgentOrange
    Participant

    Here is the reply I have from a tech at Apple. If ANYONE is a member of Apple’s developer connection, maybe you could pass on a link for 10.5.3. Apparently it is to be released soon, with supposed “fixes”. This tech slipped and probably was not supposed to tell me this…

    Greetings,

    Apple does not provide any information about expected release dates.
    Please set software update to check every day for updates.

    Thank you, [I took his name out]
    ACSA, ACXA
    Apple, Inc.

    On May 1, 2008, at 3:35 PM, I wrote:

    > Thanks. Is there an expected release date for 10.5.3?
    >
    > Me
    > E: [email protected]
    > T:
    > C:
    >
    >
    >
    > ----- Original Message -----
    > From: [I took his name out] [@apple.com]
    > Sent: 05/01/2008 08:30 AM EST
    > To: ME
    > Subject: Case #….. – issue with active directory login and
    > 10.5.2 clients
    >
    >
    >
    >
    > Greetings,
    >
    > I have found a number of escalations related to AD integration. None
    > of these report the exact same issue that you described over the phone
    > yesterday, but they are similar. In one of the escalations, the admin
    > seemed to have success by specifying a local directory of the user
    > home for the first login and then changing the home to a network
    > location after verifying that subsequent logins function. I still can
    > not say that I know that engineering will be able to provide a
    > resolution. It might be worth waiting for the 10.5.3 update, or if
    > you are a member of the apple developer connection you can get the
    > update now.
    >
    > Thank you, [I took his name out]
    > ACSA, ACXA
    > Apple, Inc.
