I have bound to 2003 AD correctly and can log in to AD from Tiger with a local home folder enabled (although it doesn’t mount the AD profile home folder), but the home folder can be mounted manually, AD shares are accessible, etc.
As soon as I disable local home I get a login refusal:
“you are unable to login to the user account at this time,,home folder is located smb/afp”
All digital signing is disabled.
After reading forums for days I suspect it’s more to do with guest access, Kerberos, etc. at the login screen to the shares, because access seems fine once the user is logged in.
All Windows users work perfectly with the same home folders.
I don’t know enough about Macs to understand logs and troubleshoot this. I have even had Mac techs on site and they were unable to figure it out, but I need this and refuse to give up. ADmitMac sounds brilliant but too dear.
What does the system.log say on your OS X client after you log in? Is it trying to mount your home? Also, what does the UNC path for the home folder look like in AD? It should be \\servername\sharename\homefolder. All folders that are parents of the home folder need at least list access for the person trying to access the home.
UNC path in user profile is
\\servername\sharedvolumename\userhomefolder
Users have full control over the share volume, they have read and list security access, and they have full permissions for their home folders, although these aren’t individually shared.
I have tried enabling guest access, logging on with a full admin account, etc., and all home folders are accessible from “Connect to Server” using SMB and AFP.
System log for the Mac, with some automount errors at the end:
/System/Library/LoginPlugins/URLMountUIProxy.loginPlugin/Contents/Resources/UIProxyServer.app/Contents/MacOS/UIProxyServer: server: bootstrap_check_in(): 0x44c: Bootstrap not privileged
Sep 7 12:58:48 Art-EMac09 kernel[0]: AFPSleepWakeHandler: going to sleep
Sep 7 12:58:49 Art-EMac09 configd[38]: AppleTalk shutdown
Sep 7 12:58:49 Art-EMac09 configd[38]: AppleTalk shutdown complete
Sep 7 13:17:14 Art-EMac09 kernel[0]: System Sleep
Sep 7 13:17:14 Art-EMac09 kernel[0]: System Wake
Sep 7 13:17:14 Art-EMac09 kernel[0]: Wake event 0020
Sep 7 13:17:14 Art-EMac09 kernel[0]: Sound assertion “0 != err” failed in “AppleLegacyAudio/AppleTexas2Audio/AppleTexas2Audio.cpp” at line 960 goto Exit
Sep 7 13:17:14 Art-EMac09 kernel[0]: USB caused wake event (OHCI)
Sep 7 13:17:16 Art-EMac09 kernel[0]: UniNEnet::monitorLinkStatus – Link is up at 100 Mbps – Full Duplex
Sep 7 13:17:17 Art-EMac09 configd[38]: AppleTalk startup
Sep 7 13:17:17 Art-EMac09 /sbin/kerberosautoconfig: Kerberos configuration not updated, cannot contact all nodes on search path
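A way to separate the login-related lines in an excerpt like the one above from the sleep/wake and AppleTalk noise, as an added example that is not part of any post in this thread. The marker patterns and the `triage` helper are assumptions chosen for illustration, and the sample is built from lines in the excerpt, including the first line that has no syslog header.

```python
import re

# Syslog header: "Mon D HH:MM:SS host process[pid]: message" (pid optional).
HEADER = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[(\d+)\])?: (.*)$"
)

# Assumed markers for login, directory and home-mount activity (illustrative,
# not an official list); matched against the process name and the message.
MARKERS = {
    "kerberos": re.compile(r"kerberos", re.I),
    "home-mount": re.compile(r"automount|URLMount", re.I),
    "directory": re.compile(r"DirectoryService|search path", re.I),
}

# Constructed sample: a subset of the lines posted above.
SAMPLE_LOG = """\
/System/Library/LoginPlugins/URLMountUIProxy.loginPlugin/Contents/Resources/UIProxyServer.app/Contents/MacOS/UIProxyServer: server: bootstrap_check_in(): 0x44c: Bootstrap not privileged
Sep 7 12:58:48 Art-EMac09 kernel[0]: AFPSleepWakeHandler: going to sleep
Sep 7 12:58:49 Art-EMac09 configd[38]: AppleTalk shutdown
Sep 7 13:17:14 Art-EMac09 kernel[0]: System Wake
Sep 7 13:17:17 Art-EMac09 configd[38]: AppleTalk startup
Sep 7 13:17:17 Art-EMac09 /sbin/kerberosautoconfig: Kerberos configuration not updated, cannot contact all nodes on search path
"""


def triage(log_text):
    """Return (hits, skipped): tagged login-related lines and a count of the rest."""
    hits, skipped = [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        # Lines without a syslog header are kept and still checked for markers.
        when, proc, msg = (m.group(1), m.group(3), m.group(5)) if m else (None, None, line)
        haystack = f"{proc or ''} {msg}"
        tags = sorted(tag for tag, rx in MARKERS.items() if rx.search(haystack))
        if tags:
            hits.append({"when": when, "process": proc, "tags": tags, "message": msg})
        else:
            skipped += 1
    return hits, skipped


if __name__ == "__main__":
    found, ignored = triage(SAMPLE_LOG)
    for hit in found:
        print(hit["when"] or "(no timestamp)", hit["tags"], hit["message"][:70])
    print(f"{ignored} unrelated lines skipped")
```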
Curious, are the home folders on a Windows Server or a Mac server? This is very similar to problems I’ve had using afp or smb shares for home folders on OS X 10.3.9 clients.
My home sharepoints were created on an OS X server and I found that if I just had empty home shares that the users had full access to they could mount them after login, but they could not be used as a true home folder (with the disable local home switch in the AD plugin). I even found that if I took an old or local home folder and copied it to the network share location and then chown ownership to the user it still would not work. I needed to make new home folders using the template home folder, and then copy all the old data to the new home. Then it acted like a true home folder and would mount during login and stop giving the “home folder is located smb/afp” message.
Oh, sorry, reading your logs suggests it is a Windows server. Still it should be possible to copy the default home template to Windows share points. The other guys helping you know way more, but I suspect that when you force the share to act like a Mac home folder it needs to have a certain set of folders inside with the proper permissions. Unlike Windows, I don’t believe the Mac clients will create them if they are not present.
Rats! This now started happening to me!! I mean after everything was working just fine.
I have AD and OD set up. The client machines work and are on 10.3.9. Yesterday all users logged in. Today many don’t. It seems random. A user will try. It will authenticate against AD, then present them with the OD group choice (if they belong to more than one group), then it will stop and give them the “unable to login at this time” error.
A different user can then sit down at that very machine and log in without problem. I’ve tried re-“chown”ing their home directory and no dice. I’m still digging, but what would cause this? How can I fix it?
I’m getting some of these exact errors in the logs of some 10.4 iBooks which are authenticating against AD, but ‘trying’ to download managed preferences/MCX settings via Open Directory.
In summary: I recently rebuilt OD on my 10.5 Server due to various corruptions and the fact that the guy that set it up left Kerberos running before making it an OD master and the whole thing wouldn’t authenticate to AD at all. Anyway, that’s all fixed, and a bunch of 10.5 clients on a wired LAN (same VLAN) and bound anonymously are all working fine and happily pulling down managed prefs without issue.
However, my 10.4 iBooks running wirelessly on another VLAN will bind to OD, and I am obviously using the DIRADMIN account to authenticate to create a visible account in Workgroup Manager. However, that’s where it all goes wrong. The client then kicks up a load of complaints as below
BSD/local shows as red in authentication & contents panes of directory access also, explaining the 14008, but this has to be present or it will not allow my AD users to log in due to using network home directories (it kicks off about them being on an SMB or AFP share).
Anyway, I have deleted the contents of the Directory Service folder, and cleared the /config/mcx_cache in NetInfo Manager as I have been advised on various other forums, before rebooting and rebinding. All to no avail whatsoever, and the same log messages crop up time and time again.
While I’m no network/wireless guru, could it be that the LDAPv3 port is not being allowed to communicate from the Wi-Fi VLAN to the X-Serves, or is it just something stupid going on in 10.4 that I haven’t nailed yet???
I’m desperate for a bit of help on this one, so all suggestions appreciated.
Oh yeah, just realised inadvertently that I’ve provided the solution to the original problem described, while asking for help myself…
Add /BSD/Local to the authentication and contents search paths in Directory Access to fix the login problem :o) (even if it shows as red) and put it ABOVE Active Directory and LDAPv3.
You will notice 10.5 does this automatically and you can’t remove the option. 10.4 does not.