Sunday, November 27, 2011

Shaking login: duplicate accounts

We had a user who couldn't log into any bound Mac but was able to log into Windows machines.  After much swearing and consternation we found that there was already a user with the same login and pre-Windows 2000 name as our user in a different domain of our forest.

Macs search forest-wide for authentication information, while the PCs only look in the current domain.  Thus all user accounts must be unique everywhere within a forest, or the duplicate user will be unable to log in.  By changing the login and pre-Windows 2000 names of the user in our domain he was able to log in.
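One way to find such collisions before a Mac user runs into them, as an added example that is not from the original post: a PowerShell check that lists logon names present in more than one domain of the forest. It assumes the ActiveDirectory module and an account that can read users in every domain; the "pre-Windows 2000" name is the sAMAccountName attribute and the "login" name is the prefix of userPrincipalName.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module is installed and the caller can read user objects in every domain.
Import-Module ActiveDirectory

# Every domain in the forest this machine belongs to.
$domains = (Get-ADForest).Domains

# Collect the two logon names from each domain, tagged with the domain they
# came from. UPN prefix is empty when the account has no UPN set.
$accounts = foreach ($domain in $domains) {
    Get-ADUser -Filter * -Server $domain |
        Select-Object @{ n = 'Domain';         e = { $domain } },
                      @{ n = 'SamAccountName'; e = { $_.SamAccountName } },
                      @{ n = 'UpnPrefix';      e = { ($_.UserPrincipalName -split '@')[0] } }
}

# Return names of the given property that occur in more than one domain.
# Group-Object compares case-insensitively, matching how AD treats logon names.
function Find-CrossDomainDuplicates {
    param([string]$Property)
    $accounts |
        Where-Object { $_.$Property } |
        Group-Object -Property $Property |
        ForEach-Object {
            $where = $_.Group.Domain | Sort-Object -Unique
            if ($where.Count -gt 1) {
                [pscustomobject]@{ Name = $_.Name; Domains = ($where -join ', ') }
            }
        }
}

'sAMAccountName (pre-Windows 2000 name) duplicated across domains:'
Find-CrossDomainDuplicates -Property 'SamAccountName' | Format-Table -AutoSize

'UPN prefix (login name) duplicated across domains:'
Find-CrossDomainDuplicates -Property 'UpnPrefix' | Format-Table -AutoSize
```

Every name the script reports is an account that would hit the forest-wide lookup described above when logging into a bound Mac; renaming one side, as done for this user, clears it.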

Mac-savvy readers might point out that there is a tick box in Directory Services that says "Allow authentication from any domain in the forest".  One might think that un-ticking that would force the Macs to look only to the domain they are a member of for authentication information, but this is incorrect.  In practice we have found that this tick box does nothing at all, and Apple admits that it is of little use.

Keep in mind that when you bind a Mac and then look in the Search Policy it displays "Active Directory/All Domains".  Therefore it will look in all available AD domains in the forest for authentication information.