Thursday, December 9, 2010

Cannot log in to a bound Mac using an AD account

Symptom
A Mac that has been bound to AD will not allow login for one particular AD user. Other AD accounts can log into the bound Mac, and the affected user can log into other computers.

This is generally a symptom of a corrupt account on the computer.  You have several options to remedy the situation.

Solutions

Scenario One:  You are migrating a local account to a domain account.  You have bound the computer and are attempting to log in for the first time using the user's AD account, and you get a shaking login window or the error "you are unable to log into the user's account".  Follow these steps to create a new local account, migrate the user's data to that account, then create an AD account and migrate the data to the AD account.

  • Log in as root
  • Unbind the computer and delete the entire /Library/Preferences/DirectoryService folder and the edu.mit.Kerberos file
  • Restart the computer
  • Log in as root
  • Go to System Preferences/Accounts
  • Create a new local account for the user
    • Do not use the same name as the user’s AD account
    • Do not use the same name as the existing account
  • Go to Users and locate the user’s old home folder
  • Select all the folders in the old home folder and drag them into the new home folder for the account you just created.  When prompted, select Replace All
  • Go back to the Desktop and press Shift-Apple-U to open the Utilities folder
  • Launch Terminal
  • Type cd /Users
  • Type chown -R [user name]:staff /Users/[user name]. For example:  chown -R tsmith:staff /Users/mlewis
    • Remember, you are running the above command on the newly created home folder, the one you copied all the data into
    • Use the newly created account name for "user name"
  • Re-bind the computer
  • Log out and then back in with the user’s AD account
    • This will create a new blank profile
  • Log out and back in as root
  • Go to Users and locate the local home folder you created in a previous step (the one you moved all the data into and ran "chown" on)
  • Select all the folders in that folder and drag them into the newly created home folder (it will have the user's AD name).  When prompted, select Replace All
  • Go back to the Desktop and press Shift-Apple-U to open the Utilities folder
  • Launch Terminal
  • Type cd /Users
  • Type chown -R [user name]:staff /Users/[user name]. For example:  chown -R tom.smith:staff /Users/tom.smith
  • Log out and back in using the user’s AD account credentials
  • Their desktop icons should appear
  • Go to Users/[user name]/Library/Keychains and rename the login.keychain to login.keychain.old 
 
Scenario Two:  Sometimes having a UNC path to a home folder in AD prevents a user from logging in.  In this case the user cannot log into any Mac, but logging into a PC works.

Open the user's AD account and go to the Profile tab.  If there is a UNC path to a home folder, remove it.  Wait for replication and attempt to log in again.

Scenario Three:  You have bound the computer and are attempting to log in for the first time using the user's AD account, and you get a shaking login window or the error "you are unable to log into the user's account".

Other users can log in using their AD accounts.  Checking System Preferences/Users DOES NOT show an account for the user that is unable to log in.

It is possible that the AD profile was partially created but that the process failed somewhere along the way.  You first need to check whether the profile exists on the computer even though it is not shown in "Users".
  • Open a Terminal window
  • Type "dscl localhost"
  • Type "cd /Local/Default/Users"
  • Type "ls"
  • If the problem user's account is displayed, you must remove it
To remove the account you must first download and install Apple Server Admin Tools onto the client computer.  10.6.4 admin tools can be found here:
http://support.apple.com/kb/DL1071

After you have installed Admin Tools follow these steps to remove the problem account:
  • Go to Applications/Server
  • Launch Workgroup Manager (WGM)
  • At the connection screen enter an address of "localhost" and the UID and password of the local machine administrator
  • In WGM click on the "Accounts" icon
  • Make sure you are authenticated to /Local/Default
  • Click on the single-user icon above the search menu
  • Find the problem account in the list and click on the "Delete" icon
  • Exit WGM and attempt to log into the machine again with the user's AD account
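The dscl check in Scenario Three can be scripted so a help-desk technician gets a one-word verdict before touching Workgroup Manager. This is an added example, not part of the original post; it assumes the non-interactive form "dscl localhost -list /Local/Default/Users" (equivalent to the interactive cd/ls above), the function names are hypothetical, and it also reports the case where no record exists but a leftover /Users folder does.

```shell
#!/bin/sh
# Added example: classify an AD user's state on a bound Mac.
#   $1 = account short name (for example tom.smith)
#   $2 = newline-separated list of local user records, i.e. the
#        output of "dscl localhost -list /Local/Default/Users"
#   $3 = "yes" if /Users/<name> exists on disk, otherwise "no"
# Prints exactly one of: stale-local-record, orphan-home-folder, clean
classify_user_state() {
    name=$1
    listing=$2
    home_exists=$3
    # Fixed-string, whole-line match so "tom.smith" cannot match "tomxsmith".
    if printf '%s\n' "$listing" | grep -qxF -- "$name"; then
        in_local=yes
    else
        in_local=no
    fi
    case "$in_local:$home_exists" in
        # A local record for the AD name is the partially created profile
        # from Scenario Three. Confirm it is not an intended mobile account
        # before deleting it in WGM.
        yes:*)  echo "stale-local-record" ;;
        # No record, but a home folder remains from an earlier attempt.
        no:yes) echo "orphan-home-folder" ;;
        # Nothing left on the client; look at the AD object (Scenario Two).
        no:no)  echo "clean" ;;
    esac
}

# Live collection on a bound Mac; fails cleanly where dscl is absent.
check_mac_user() {
    name=$1
    listing=$(dscl localhost -list /Local/Default/Users 2>/dev/null) || return 1
    if [ -d "/Users/$name" ]; then home=yes; else home=no; fi
    classify_user_state "$name" "$listing" "$home"
}

# Constructed sample listing (hypothetical machine) for offline use.
SAMPLE_LISTING='_www
localadmin
tom.smith
root'
```

On a real client run check_mac_user tom.smith; offline, feed classify_user_state the sample listing to see each verdict.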