Unable to log into AD account twice?
This topic has 37 replies, 9 voices, and was last updated 16 years, 10 months ago by lmadden.
May 2, 2008 at 2:41 pm #372536
lmadden (Participant)
Hi again,
I have a developer’s license, so already have the latest seed update for 10.5.3. It does NOT fix the Parental Control issue. It does fix having to put the DNS info in the Hosts file, however, so that is positive.
I have an open ticket (bug report) with Apple and just sent them this morning more debug logs and server logs from my test mac. We’ll see if they can decipher them!!
However, in a conversation with our Apple rep, he thinks it has something to do with the AD schema. I am not an AD guru by any means, and our AD guy just grunts and shrugs and walks away.
I did try another test yesterday. I bound the mac to AD, logged in with domain credentials and it created my local account on the fly as it always does. I shut down, pulled the ethernet cable, and it let me log back in with cached credentials no problem. I put the cable back in, no problem. I shut down, kept cable in, logged back in, and whoosh parental controls came up. Something is being pushed over the network, obviously, but I don’t know from where. Is it through AD or maybe somehow Workgroup Manager on my Xserve is still pushing some residual file? There is NO MCX plist on the system, but there is one in the user preferences folder. I delete it, but to no avail. I look at it, but it doesn’t have anything in there that would be a clue.
Still stumped here, but working closer (I think).
Lisa
May 2, 2008 at 5:29 pm #372539
ZeroLevelZilch (Participant)
Just had this problem turn up for me the first time this morning. Hoping this may help somebody else out there.
We have numerous 10.5.x machines bound to our 2k3 domain without issues. But today we got a new MacBook that was only allowing the first login. After that first login no network account could log back in whether they were on the network or using cached creds. However I noticed (by accident really) that from the Fast User menu I could select a problematic user, put in the password and have no problems logging in. I trashed the /Lib/Pref/com.apple.loginwindow.plist, restarted and was able to login again, but only once. Then I switched from user/pass text fields to the list of users and now all users are able to login without an issue.
Anyways worth a shot. Hope this helps.
-Zero.
May 2, 2008 at 8:03 pm #372543
lmadden (Participant)
Hi,
Thanks for the post. Unfortunately with a gov’t computer we can’t show list of users, so have to keep it as it is. But, it sounds like yours is a different issue. You don’t get the parental controls screen pop up on log in second time, do you? That is what is happening here. If I pull the ethernet cable, then log in it works. Something is being pushed from somewhere on our network that is causing this manifestation (infestation????).
I bound to the forest root today with no problem. However, while we can move computer accounts there, we cannot move user accounts or if they also log into a pc, they won’t log in there. Aaaaarrrghhhhh….
Am going to try putting some packet type sniffers or something on Monday. Macs are coming in Leopard only now so can’t take them backward. HAVE to get this working soon!!
I’ll definitely post when we find what the hell is being pushed and from where. Getting closer…..
Lisa
May 2, 2008 at 9:23 pm #372545
ZeroLevelZilch (Participant)
You’re right. Different problem. My issue is probably closer to the OP’s, but I did notice that there were mentions of Parental controls when I threw DirectoryService into debug mode even though there is no OD or similar policies being forced down.
Good luck,
-Zero.
May 5, 2008 at 1:04 pm #372558
lmadden (Participant)
Going to try shutting down my Xserve today. I do not think it is interfering, but to rule it out, this is all I can think to do. I hate doing it, as it is in another bldg, so will have to drive 4 miles to turn it back on….grrr….
Will post when we have the “fix.”
Lisa
May 5, 2008 at 1:51 pm #372559
AgentOrange (Participant)
I don’t think you should have to shut down your Xserve. As long as the client is not bound to OD it should have “no” effect.
I am looking into a product called Centrify for OS X client management. Screw Steve and Apple…
I would still maintain the Xerve only for image deployments.
May 5, 2008 at 2:27 pm #372566
lmadden (Participant)
I did not think it was the Xserve either, but had to prove it to the PC folks that it was not ME causing my own problem.
My servers are not in my bldg, so now have to drive 4+ miles to go reboot it, which I really did not want to do. Sigh….
I got the same error, if you have not guessed.
We looked at Centrify, and now can’t remember why we did not go with them.
We’ll be switching to one agency wide domain here within the next year, and I know the Apple plug in won’t work. Don’t know why, so we’ve been looking at third party software. Right now Thursby’s Admit Mac is top of the list. Have you looked at that?
We’re going to try having my computer account in one domain and the user account in the forest root to see if I can log in….OY….this just gets funner and funner.
Lisa
May 7, 2008 at 9:08 am #372606
bentoms (Participant)
Hi guys,
We have been having similar issues.
What I have found is that if you change the login window to display by default the Directory Service Status instead of OS version I can login as an AD user when the light turns green but not before.
It seems that the AD Plugin needs to query each DC on the domain before it will allow login, editing the HOSTS file does not change this.
As we have a global AD Domain, this means that on our leopard test macs login can take 6-10 mins. When trying to login before the light goes green we cannot login, (login window shakes).
To change DSStatus please run the following as an Admin/Root user in terminal;
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
May 7, 2008 at 3:51 pm #372614
lmadden (Participant)
Hi,
Your issue is not the same as my issue. I know once I shut down, waiting for the Network Account Available green light does take a minute (not much more and usually less), and once it is green I have no problem logging in. The problem is as soon as the desktop starts to come up, so does the Parental Control screen which says I have one hour to use the mac…. I can switch that to rest of day, but after that NO ONE is logging in with domain account.
If you then look in the Accounts pane, ALL accounts, whether local, domain, admin, standard, have the enable Parental Controls check box below the Allow User to Administer Computer check box. For MY account I just logged in with, this box is checked. Even if I uncheck it, it does not matter. If I open Parental Controls from that screen, the only accounts that show up are Standard accounts, no admin accounts. Yet the box is there for all accounts…..
This only happens on our domain. I can bind to the forest root and shut down, log in no problem. AND it only happens if I am on the network. If I shut down, pull the ethernet cable, I can log back in with cached credentials no problem.
Still testing. Was able to run dscl for my user account after problem occurred, but don’t see anything hinky in the output. Am going to rebind and try again when account is functional and see if there is something in there that is different.
YOUR problem could be that you have to disable Bonjour. I don’t know how to do that, sorry, so if you know how, please post here 🙂
Thanks,
Lisa
May 7, 2008 at 4:07 pm #372615
lmadden (Participant)
Me again. Just got a response from Apple to my bug report where they say this is a known issue and has been reported to their Engineers. I don’t know of anything else I can do at this time, except stick with Tiger and on Leopard-only macs, make them local log in until this is fixed.
Just letting you all know.
Lisa
May 12, 2008 at 2:24 pm #372653
AgentOrange (Participant)
lmadden,
Since you have the pre-release of 10.5.3 update; do you know if they fixed the issue that prevented non-admin users from being able to add printers?
Currently, up to 10.5.2, only admins can add printers.
May 12, 2008 at 3:23 pm #372656
lmadden (Participant)
Hi,
I am so wrapped up in trying to get the Leopard mac to bind to AD, have not tried anything else. I will definitely test the printing thing though, since we have to take all admin rights away (gov’t you know), it will be a royal pain if only an admin can add something as simple as a printer!!
I’ll post response hopefully soon,
Lisa
May 16, 2008 at 3:38 pm #372785
lmadden (Participant)
First, I did find out that printing is not working right in 10.5.2.
Second, just loaded the latest seed from Apple for 10.5.3 and they told me it would fix the Parental Control issue at next log in with domain credentials. Well, it does not fix it. The error screen does not come up, but there won’t be a third log in.
In fact, more strange behavior, at least on a PPC mac….. Second log in brings up message that my user account can’t be found, it is either moved or deleted. Huh? But, it continues to log me in, with all ?? in the dock. I look in the /Users folder and my user folder has a red circle with minus sign in it. I click on it and try to do a “get info” and the whole folder literally disappears! Gone.
Still working with Apple to fix the AD bind issue, but now we have another thing to worry about!!
Lisa
May 28, 2008 at 5:18 pm #372905
mlinde (Participant)
Not to hijack, but I’m running against this again, and I don’t know what I did to fix it the first time that I can’t repeat. My logs (when I tail DirectoryService.debug.log) show an error/collision when trying to get a cross-domain authentication, and I don’t know how to resolve that. My AD config enables cross domain authentication, but won’t get more than UID,GID – and not even the GID name:
Last login: Wed May 28 11:08:04 on ttys001
SEG-Loaner-MacBook-Pro:~ cssadm$ id encore\\mlinde
uid=127773712(mlinde) gid=951704675
SEG-Loaner-MacBook-Pro:~ cssadm$

The tail shows this when that’s happening:

2008-05-28 11:08:50 MDT – T[0xB0103000] – Internal Dispatch, API: dsGetRecordList(), Search Used : DAR : Node Ref = 16777223 : Number of Found Records = 1 : Continue Data = 0 : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_uuid:079DAC10-3FEF-43DC-B85C-023DF913B4EF – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_gecos:Michael Linde – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_uid:127773712 – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::AddEntryToCacheWithKeys – Entry NOT added for record 0x0022D690 with key pw_name:mlinde – collision
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getpwnam (1) : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0218000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAC : Procedure = getpwnam (1)
2008-05-28 11:08:50 MDT – T[0xB0218000] – CCachePlugin::getpwnam – Cache hit for mlinde
2008-05-28 11:08:50 MDT – T[0xB0218000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getpwnam (1) : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAC : uid = 127773712
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAR : Total groups = 0
2008-05-28 11:08:50 MDT – T[0xB0185000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAC : Procedure Request = getgrgid
2008-05-28 11:08:50 MDT – T[0xB0185000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getgrgid (7) : Result code = 0
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAC : Procedure = getgrgid (7)
2008-05-28 11:08:50 MDT – T[0xB0103000] – CCachePlugin::getgrgid – Cache hit for 951704675
2008-05-28 11:08:50 MDT – T[0xB0103000] – Client: id, PID: 262, API: libinfo, Server Used : libinfomig DAR : Procedure = getgrgid (7) : Result code = 0

So what is causing the collision, or the inability to get ANY group memberships? The big thing here is that I am authenticating across domains (the unit is bound to one AD domain, the account is in another) – this works in 10.4.x
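The post above shows the two symptoms a triage pass over DirectoryService.debug.log should pull out: the CCachePlugin cache-key collisions for one record handle, and a GetAllGroups request for the uid that comes back with zero groups (while `id` prints the gid as a bare number because it never resolved to a name). The script below is an added example written for this editing pass, not code from the thread or from Apple; it assumes the line layout shown in the post (timestamp, `T[thread]`, dash-separated message fields) and uses a constructed sample built from the quoted lines, so it runs offline. It pairs each GetAllGroups DAC (request) line with the DAR (response) line on the same thread, which is how the request/response pairs interleave in the excerpt.

```python
"""Triage helpers for Leopard DirectoryService.debug.log excerpts.

Added example (not from the original thread). Assumes the log format quoted
in the post: timestamp, T[thread id], then message fields separated by dashes.
"""
import re
from collections import defaultdict

# Constructed sample: copied from the lines quoted in the post and trimmed.
# The real log separates fields with en dashes; this sample uses ASCII
# hyphens, and the regexes below accept either.
SAMPLE_LOG = """\
2008-05-28 11:08:50 MDT - T[0xB0103000] - CCachePlugin::AddEntryToCacheWithKeys - Entry NOT added for record 0x0022D690 with key pw_uuid:079DAC10-3FEF-43DC-B85C-023DF913B4EF - collision
2008-05-28 11:08:50 MDT - T[0xB0103000] - CCachePlugin::AddEntryToCacheWithKeys - Entry NOT added for record 0x0022D690 with key pw_gecos:Michael Linde - collision
2008-05-28 11:08:50 MDT - T[0xB0103000] - CCachePlugin::AddEntryToCacheWithKeys - Entry NOT added for record 0x0022D690 with key pw_uid:127773712 - collision
2008-05-28 11:08:50 MDT - T[0xB0103000] - CCachePlugin::AddEntryToCacheWithKeys - Entry NOT added for record 0x0022D690 with key pw_name:mlinde - collision
2008-05-28 11:08:50 MDT - T[0xB0218000] - CCachePlugin::getpwnam - Cache hit for mlinde
2008-05-28 11:08:50 MDT - T[0xB0103000] - Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAC : uid = 127773712
2008-05-28 11:08:50 MDT - T[0xB0103000] - Client: id, PID: 262, API: GetAllGroups, Server Used : mbrmig DAR : Total groups = 0
2008-05-28 11:08:50 MDT - T[0xB0103000] - CCachePlugin::getgrgid - Cache hit for 951704675
"""

# Constructed sample: the `id` output quoted in the post.
SAMPLE_ID_OUTPUT = "uid=127773712(mlinde) gid=951704675"

THREAD_RE = re.compile(r"T\[(0x[0-9A-Fa-f]+)\]")
# Key may contain spaces (pw_gecos:Michael Linde), so match lazily up to the dash.
COLLISION_RE = re.compile(
    r"Entry NOT added for record (0x[0-9A-Fa-f]+) with key (.+?) [\u2013-] collision")
GROUPS_REQ_RE = re.compile(r"API: GetAllGroups.*\bDAC\b.*uid = (\d+)")
GROUPS_RESP_RE = re.compile(r"API: GetAllGroups.*\bDAR\b.*Total groups = (\d+)")
ID_FIELD_RE = re.compile(r"(uid|gid)=(\d+)(?:\(([^)]*)\))?")


def find_cache_collisions(log_text):
    """Map record handle -> list of cache keys the cache plugin refused to add."""
    collisions = defaultdict(list)
    for line in log_text.splitlines():
        m = COLLISION_RE.search(line)
        if m:
            collisions[m.group(1)].append(m.group(2))
    return dict(collisions)


def group_lookup_results(log_text):
    """Pair each GetAllGroups request (DAC) with its response (DAR) on the same thread.

    Returns uid -> total groups. A request with no response on its thread is dropped.
    """
    pending = {}   # thread id -> uid whose DAR line has not been seen yet
    results = {}
    for line in log_text.splitlines():
        t = THREAD_RE.search(line)
        if not t:
            continue
        thread = t.group(1)
        req = GROUPS_REQ_RE.search(line)
        if req:
            pending[thread] = req.group(1)
            continue
        resp = GROUPS_RESP_RE.search(line)
        if resp and thread in pending:
            results[pending.pop(thread)] = int(resp.group(1))
    return results


def parse_id_output(text):
    """Parse `id` output; 'group' is None when the gid carried no resolved name."""
    parsed = {"uid": None, "user": None, "gid": None, "group": None}
    for field, number, name in ID_FIELD_RE.findall(text):
        parsed[field] = int(number)
        parsed["user" if field == "uid" else "group"] = name or None
    return parsed


def analyze(log_text, id_output):
    """Return human-readable findings for the symptoms described in the post."""
    findings = []
    for record, keys in find_cache_collisions(log_text).items():
        findings.append(f"cache collision: record {record} rejected for keys {', '.join(keys)}")
    for uid, total in group_lookup_results(log_text).items():
        if total == 0:
            findings.append(f"uid {uid}: no group memberships returned by GetAllGroups")
    ident = parse_id_output(id_output)
    if ident["gid"] is not None and ident["group"] is None:
        findings.append(f"gid {ident['gid']} did not resolve to a group name")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, SAMPLE_ID_OUTPUT):
        print(finding)
```

Point `analyze()` at a real `tail` of the debug log plus the `id` output for the same account; a collision set on one record together with `Total groups = 0` for that uid is the combination the poster is seeing, and the unresolved gid in `id` is the cheapest way to confirm the group lookup failed without enabling debug logging at all.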
May 28, 2008 at 5:28 pm #372906
lmadden (Participant)
Our problem here seems to be that we cannot bind a Leopard 10.5.3 mac to a child domain. If I bind to the forest root domain, I’m fine. I tried moving just the computer account to the forest root, but leaving the user account in the child, and it does not work. We can’t move both to the forest root, or those that log into both mac and pc won’t log into the pc!! Not that that is a big problem, ha ha….but it would be inconvenient for them I am sure!
I downloaded the latest 10.5.3 seed yesterday and loaded it on my test mac, with same result. One log in is fine and it creates the mobile account as it should. If you shut down or reboot, it lets you log back in with no apparent errors, but you cannot open any applications (can’t be found). If you physically look on the HD, the applications folder and the library folder have the red circle/white line thru them, and when you do a “get info” the folders disappear. Not deleted, but invisible!! You can’t do anything. Another reboot, and you will not be able to log in even though the mac says network account is available. No one will log in, ever.
I’ve got a bug report open with Apple, and I’d suggest you do the same if you have a developer license. Your issue sounds different than mine.
Lisa