Forum Replies Created

Viewing 3 posts - 16 through 18 (of 18 total)
  • in reply to: Unable to log into AD account twice? #372403
    lmadden
    Participant

    Hi again,

    The weirdness continues. I was able to log back into the mac with domain credentials after it had sat at the login screen for 1.5 days. I did not touch nor do anything in the interim…

    I logged off, logged back in, no problem. I ran permission repair and it fixed some issues with Cups, Directory Service, and Parental Controls.

    I shut it down, rebooted, logged back in, and voila! Parental Control box came back up. After setting it to rest of day it let me log in, but nothing could be used. Every folder had a lock on it.

    I saw that my account did have Parental Controls enabled. I unchecked that.

    Shut down, rebooted, and absolutely cannot log back in with domain account. Can, however, log in with local machine account. I checked and my own account is in the Accounts pane, and my user folder is still in the Users folder, so at least those did not get deleted. But, I cannot log in.

    I have sent the appropriate debug logs plus a screen shot of the Parental Control error (taken with trusty Treo camera phone), to Apple.

    Right now I have put that mac into a different OU, after removing it from the normal one in AD, and will see if this makes any difference. Maybe there is some strange policy preventing normal login. But why it would happen with 10.5 and NOT 10.4 is anyone’s guess.

    If none of this works, I’m going to look further into the dscl you suggest above. Just wanted to post an update.

    Lisa

    in reply to: Unable to log into AD account twice? #372374
    lmadden
    Participant

    Hi MacTroll…

    See responses below:

    When regressing AD issues it’s best to go step by step and see where the breakage occurs.

    It sounds like you’ve successfully bound to AD through the GUI? [b]YES. Works fine on 10.4.11 macs. I used my own AD account to test with, so I know the account is not locked.[/b]

    If that’s the case, before logging out of that session you can determine if the bind is actually working or not. [b]I will wipe the mac tomorrow and start over and try this. Forgot to mention that I checked to be sure Parental Controls is NOT enabled, and it’s not, so not sure what is causing that behavior.[/b]

    1) First, using the “dscl” command from the CLI, see if AD is showing up as a valid directory store and ensure that you’re able to read user accounts through dscl. This tests that binding actually occurred. [b]Okay, here is some real stupidity. I’ve never done dscl in Terminal, so what argument should I put in? dscl “what?”[/b]

    2) Use the “id” command from the CLI to “id user”, where user is a known good AD shortname. This tests that users are actually able to be read out of the domain.

    3) If all that works, now do a “su user”, where user is a known good AD user that you know the password to. This tests that you can actually authenticate as a user.

    4) Now go to the login window and attempt to log in as an AD user.

    In your case it sounds like you were, at least at one time, able to log in as a domain user on the system? Which would imply that things are working as far as authentication goes. [b]Yes, the first login with domain credentials works. There is NO local account with the same short name on the system, so AD creates it on the fly. As long as you stay logged in, everything works fine. When you shut down, reboot, and try to log in again, it lets you, but then invokes parental controls and that is all she wrote.[/b]

    If you’re getting the parental controls, it seems as if you’ve been chained to a policy, either locally or from a network service. I’d use the mcxquery command to see if that’s the case. [b]Hmmm, will try this, as I do believe it is something specific on this domain. Other domains here do not have the problem, but of course, trying to get the AD person to even admit the problem might be in that configuration is like pulling teeth.[/b]

    I’d also use dscl to see what the user record actually looks like and ensure that you don’t already have a local account with the same shortname. [b]I know there is no local account with the same shortname, as I am able to use the same account to log into my 10.4.11 macs bound to AD with no problems. I may also try, after one login with domain credentials, to pull the ethernet cable and see if it lets me log in with cached credentials with no issues. I will post tomorrow sometime. Thanks for your input.[/b]
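
The step-by-step check described in the reply above (dscl, then id, then su), written out as a shell script. This is an added example, not code from the thread or from either poster. It assumes, since the thread does not state it, that a bound client lists its AD node under `/Active Directory/...` in the Directory Services search path (read with `dscl /Search -read / CSPSearchPath`, which also answers the “dscl what?” question) and that a resolvable user yields a `uid=NNN(name)` line from `id`. The parsers take command output as plain strings, so they can be exercised with constructed samples on any system; the live run only happens on the mac when `AD_CHECK_LIVE=1` is set.

```shell
#!/bin/sh
# Added example: walk MacTroll's dscl -> id -> su sequence and report the first
# step that breaks, so the failure is localised before touching the login window.
# Assumptions (not from the thread): AD shows up as "/Active Directory/..." in
# CSPSearchPath, and id(1) prints "uid=<number>(<shortname>)" for a resolved user.

# Step 1: does the Directory Services search path contain an AD node?
# $1: output of `dscl /Search -read / CSPSearchPath`
ad_node_in_search_path() {
    printf '%s\n' "$1" | grep -q '/Active Directory'
}

# Step 2: did `id <shortname>` resolve the account out of the domain?
# $1: output of `id`, $2: expected shortname
id_resolved_user() {
    printf '%s\n' "$1" | grep -q "^uid=[0-9][0-9]*($2)"
}

# Evaluate the steps in order on captured output and print the number of the
# first failing step, or "ok" when both lookups succeed.
# $1: search-path output, $2: id output, $3: shortname
first_failing_step() {
    if ! ad_node_in_search_path "$1"; then
        echo 1
        return
    fi
    if ! id_resolved_user "$2" "$3"; then
        echo 2
        return
    fi
    echo ok
}

# Live run (macOS only): collect real output and explain the first failure.
# Step 3 (su) is interactive, so it is left to the admin once steps 1-2 pass.
ad_check_live() {
    user="$1"
    sp=$(dscl /Search -read / CSPSearchPath 2>/dev/null)
    idout=$(id "$user" 2>/dev/null)
    case $(first_failing_step "$sp" "$idout" "$user") in
        1) echo "step 1 failed: no Active Directory node in the search path; the bind did not take" ;;
        2) echo "step 2 failed: '$user' does not resolve through id; directory lookups are broken" ;;
        ok) echo "steps 1-2 passed; now test authentication with: su $user -c true" ;;
    esac
}

if [ "${AD_CHECK_LIVE:-0}" = 1 ]; then
    ad_check_live "${1:?shortname required}"
fi
```

On the client, run it as `AD_CHECK_LIVE=1 sh adcheck.sh shortname` while still logged in to the working session, as the reply suggests; without that variable the script only defines the functions. If both steps pass but the login window still rejects the account, the problem is not the bind or the lookup, which is when the `mcxquery` and user-record inspection from the reply become the next thing to look at.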

    in reply to: Unable to log into AD account twice? #372364
    lmadden
    Participant

    Hi all, I am having similar issues with binding a 10.5+ mac to AD using Apple’s plug-in. 10.4 worked like clockwork, no issues and easy to co.

    Now, on a clean install mac, here is what I did and the result:

    Wiped mac and loaded 10.5 off DVD.
    Ran software update all the way to latest and greatest in system software.
    Loaded the seed 10.5.3 as I was told this fixed all. It didn’t.
    Added local admin account and was able to successfully log in with that.
    Ran permission repair and booted to single user mode and ran fsck -y just in case there was something else hinky there it would fix.
    Shut mac down, rebooted, and logged in with local account to verify it still worked. It did.
    Bound to AD. It came up and said it found an existing account and did I still want to join. Yes.
    Put in my domain admin credentials and it bound no problem.
    Logged off, then logged in with domain account, no problem.
    Shut down, rebooted, tried to log back in with the domain account, and after logging me in, but before the desktop came up, the parental controls screen came up and said I have 1 hour to use the mac. Hmmm…
    Even if you tell it to allow you to use the mac indefinitely, the next time you go to log in, no way, Jose. It just shakes.

    I deleted the machine account out of AD and re-added it.

    Deleted the Directory Access info out of the preferences folder and rebooted the mac so it would create a new vanilla folder.

    Rebound to AD, no problem, but it did not alert me to an existing account, just went ahead and bound.

    At the login screen, it tells me a network account is available, yet it will absolutely NOT let me log in with domain credentials. The only way to “fix” this is to wipe the mac and start over.

    Has anyone seen this behavior? I need to deploy Leopard to about 350 macs here and cannot do it until this issue is solved.

    Any help is appreciated.

    Lisa
    Software Engineer
    NASA
