[lmadden]

Hi, the latest 10.5.3 has the same result of invoking parental controls, however, it does not give the error message splash screen. My guess is if you look at the account you can’t log in with in the Accounts pref pane, you will see the parental control checkbox has a check in it.

Apple has been able to reproduce this “bug” and is working on the issue. It only happens (as far as I know) if you bind to a child domain. If you bind to your forest root, it should be fine.

Do you have to bind to Active Directory? Can you get away with local login machines? We are currently reverting back to local login on the macs that are coming in Leopard only. Once this issue is resolved, we’ll then bind them to AD and life will be good.

Lisa

[lmadden]

Hi,

Well, guess what? Apple has been able to duplicate my problem. We point the AD plug in to look in a specific field in AD for the UID, and the plug in works the first time, then on a restart it loses its brain and forgets about the UID. Can’t find one, so brings up the Parental Controls.

At least I know it is not something I was doing incorrectly.

We looked at Centrify, and I hear several folks going to WWDC will be talking to them next week. Also looked at Thursby’s AdmitMac. Would rather stick with Apple if possible since it is already in place.

You know the gov’t. We hate to spend money when we don’t have to 🙂

I’ll post once problem is resolved.

Lisa

[lmadden]

Our problem here seems to be that we cannot bind a Leopard 10.5.3 mac to a child domain. If i bind to the forest root domain, I’m fine. I tried moving just the computer account to the forest root, but leaving the user account in the child, and it does not work. We can’t move both to the forest root, or those that log into both mac and pc won’t log into the pc!! Not that that is a big problem, ha ha….but it would be inconvenient for them I am sure!

I downloaded the latest 10.5.3 seed yesterday and loaded it on my test mac, with same result. One log in is fine and it creates the mobile account as it should. If you shut down or reboot, it lets you log back in with no apparent errors, but you cannot open any applications (can’t be found). If you physically look on the HD, the applications folder and the library folder have the red circle/white line thru them, and when you do a “get info” the folders dissappear. Not deleted, but invisible!! You can’t do anything. Another reboot, and you will not be able to log in even though the mac says network account is available. No one will log in, ever.

I’ve got a bug report open with Apple, and I’d suggest you do the same if you have a developer license. Your issue sounds different than mine.

Lisa

[lmadden]

First, I did find out that printing is not working right in 10.5.2.

Second, just loaded the latest seed from Apple for 10.5.3 and they told me it would fix the Parental Control issue at next log in with domain credentials. Well, it does not fix it. The error screen does not come up, but there won’t be a third log in.

In fact, more strange behavior, at least on a PPC mac….. Second log in brings up message that my user account can’t be found, it is either moved or deleted. Huh? But, it continues to log me in, with all ?? in the dock. I look in the /Users folder and my user folder has a red circle with minus sign in it. I click on it and try to do a “get info” and the whole folder literally disappears! Gone.

Still working with Apple to fix the AD bind issue, but now we have another thing to worry about!!

Lisa

[lmadden]

Hi,

I am so wrapped up in trying to get the Leopard mac to bind to AD, have not tried anything else. I will definitely test the printing thing though, since we have to take all admin rights away (gov’t you know), it will be a royal pain if only an admin can add something as simple as a printer!!

I’ll post response hopefully soon,

Lisa

[lmadden]

Me again. Just got a response from Apple to my bug report where they say this is a known issue and has been reported to their Engineers. I don’t know of anything else I can do at this time, except stick with Tiger and on Leopard-only macs, make them local log in until this is fixed.

Just letting you all know.

Lisa

[lmadden]

Hi,

Your issue is not the same as my issue. I know once I shut down, waiting for the Network Account Available green light does take a minute (not much more and usually less), and once it is green I have no problem logging in. The problem is as soon as the desktop starts to come up, so does the Parental Control screen which says I have one hour to use the mac…. I can switch that to rest of day, but after that NO ONE is logging in with domain account.

If you then look in the Accounts pane, ALL accounts, whether local, domain, admin, standard, have the enable Parental Controls check box below the Allow User to Administer Computer check box. For MY account I just logged in with, this box is checked. Even if I uncheck it, it does not matter. If I open Parental Controls from that screen, the only accounts that show up are Standard accounts, no admin acccounts. Yet the box is there for all accounts…..

This only happens on our domain. I can bind to the forest root and shut down, log in no problem. AND it only happens if I am on the network. If I shut down, pull the ethernet cable, I can log back in with cached credentials no problem.

Still testing. Was able to run dscl for my user account after problem occurred, but don’t see anything hinky in the output. Am going to rebind and try again when account is functional and see if there is something in there that is different.

YOUR problem could be that you have to disable Bonjour. I don’t know how to do that, sorry, so if you know how, please post here 🙂

Thanks,

Lisa

[lmadden]

I did not think it was the Xserve either, but had to prove it to the PC folks that it was not ME causing my own problem.

My servers are not in my bldg, so now have to drive 4+ miles to go reboot it, which I really did not want to do. Sigh….

I got the same error, if you have not guessed.

We looked at Centrify, and now can’t remember why we did not go with them.

We’ll be switching to one agency wide domain here within the next year, and I know the Apple plug in won’t work. don’t know why, so we’ve been looking at third party software. Right now Thursby’s Admit Mac is top of the list. Have you looked at that?

We’re going to try having my computer account in one domain and the user account in the forest root to see if i can log in….OY….this just gets funner and funner.

Lisa

[lmadden]

going to try shutting down my Xserve today. I do not think it is interferring, but to rule it out, this is all i can think to do. I hate doing it, as it is in another bldg, so will have to drive 4 miles to turn it back on….grrr….

Will post when we have the “fix.”

Lisa

[lmadden]

Hi,

Thanks for the post. Unfortunately with a gov’t computer we can’t show list of users, so have to keep it as it is. But, it sounds like yours is a different issue. You don’t get the parental controls screen pop up on log in second time, do you? That is what is happening here. If I pull the ethernet cable, then log in it works. Something is being pushed from somewhere on our network that is causing this manifestation (infestation????).

I bound to the forest root today with no problem. However, while we can move computer accounts there, we cannot move user accounts or if they also log into a pc, they won’t log in there. Aaaaarrrghhhhh….

Am going to try putting some packet type sniffers or something on Monday. Macs are coming in Leopard only now so can’t take them backward. HAVE to get this working soon!!

I’ll definitely post when we find what the hell is being pushed and from where. Getting closer…..

Lisa

[lmadden]

Hi again,

I have a developer’s license, so already have the latest seed update for 10.5.3. It does NOT fix the Parental Control issue. It does fix having to put the DNS info in the Hosts file, however, so that is positive.

I have an open ticket (bug report) with Apple and just sent them this morning more debug logs and server logs from my test mac. We’ll see if they can decipher them!!

However, in a conversation with our Apple rep, he thinks it has something to do with the AD schema. I am not an AD guru by any means, and our AD guy just grunts and shrugs and walks away.

I did try another test yesterday. I bound the mac to AD, logged in with domain credentials and it created my local account on the fly as it always does. I shut down, pulled the ethernet cable, and it let me log back in with cached credentials no problem. I put the cable back in, no problem. I shut down, kept cable in, logged back in, and whoosh parental controls came up. Something is being pushed over the network, obviously, but I don’t know from where. Is it thru AD or maybe somehow Workgroup Manager on my Xserve is still pushing some residual file? There is NO MCX plist on the system, but there is one in the user preferences folder. I delete it, but to no avail. I look at it, but it doesn’t have anything in there that would be a clue.

Still stumped here, but working closer (I think).

Lisa

[lmadden]

I am just happy to find someone else with this issue!

I logged a bug report ticket with Apple, but so far all I’ve been asked for are the debug and server log files. Have not heard boo since then. Time to follow up I guess….

Someone suggested it might have something to do with Workgroup Manager. Do you use that? Ours is not enabled as far as i can tell. Am going to try shutting down that server and see if problem recurs. If not, then that is a good call. If so, at least it was ruled out.

If I find something out, will post here.

Lisa

[lmadden]

Hi again,

I tried that “fix,” and actually thought it worked. But it didn’t. Shut down, rebooted, and it let me log in with no Parental Control message. Yay…..

I would have been happy with the kluge fix, and almost started doing the happy dance.

Shut down, rebooted, and nowayjose was I logging in.

So, the only thing that changed was that now it does not warn me Parental Controls is invoked.

I am wondering if somehow Workgroup Manager is interferring. As far as I can tell, we have it turned off. The pc AD guy says that AD does not point to the workgroup manager server anyway, but I don’t know what else to think at this point.

Any other ideas?

thanks again,

Lisa

PS: your slowness might have something to do with Bonjour. I’ve seen that on the forums.

[lmadden]

I found out the domain I can bind to and that keeps letting me log back in with domain credentials is running Server 2003 R2. Ours regular domain is not running R2. Not sure yet if this is the problem….

If this were my ONLY job, I could devote 100% of my time to it, but unfortunately it is one of many hats I wear….

I’ll keep plugging away, however, as we definitely cannot deploy Leopard till this is fixed and I have about 350 or more macs here at this NASA center.

Lisa

[lmadden]

Update on the Leopard AD bind issue with Parental Controls…..

I was able to bind to AD on another domain here with no problems, shut down, rebooted, logged back in, NO parental control error message. Shut down again, rebooted, logged in, all is great!!

Rebound to our regular domain, problem resurfaced!

So, this leads me to believe the problem is either with the version of AD we are using or perhaps something in the configuration.

Just wanted to post an update.

Lisa Madden
NASA

[Author]

Posts