We had a user who couldn't log into any bound Mac but was able to log into Windows machines. After much swearing and consternation we found that there was already a user with the same login and pre-Windows 2000 name as our user in a different domain of our forest.
Macs search forest-wide for authentication information, while the PCs only look in the current domain. Thus all user accounts must be unique everywhere within a forest, or the duplicate user will be unable to log in. By changing the login and pre-Windows 2000 names of the user in our domain he was able to log in.
Mac-savvy readers might point out that there is a tick box in Directory Services that says "Allow authentication from any domain in the forest". One might think that un-ticking it would force the Macs to look only to the domain they are a member of for authentication information, but this is incorrect. In practice we have found that this tick box does nothing at all, and Apple admits that it is of little use.
Keep in mind that when you bind a Mac and then look in the Search Policy it displays "Active Directory/All Domains". Therefore it will look in all available AD domains in the forest for authentication information.
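Since the Mac looks in every domain of the forest, the practical check is to find accounts whose pre-Windows 2000 name (sAMAccountName) is reused across domains before anyone trips over it. The script below is an added example, not from the original post: it walks every domain in the forest and reports names that appear in more than one domain. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to each domain; the function name is our own.

```powershell
# Added example: find sAMAccountName values that occur in more than one domain
# of the forest, i.e. the exact collision that blocks a forest-wide lookup.
# Assumes the ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

function Find-ForestSamCollisions {
    [CmdletBinding()]
    param(
        # Forest to inspect; defaults to the forest of the current machine.
        [string]$Forest = (Get-ADForest).Name
    )

    $domains = (Get-ADForest -Identity $Forest).Domains
    $seen = @{}   # lower-cased sAMAccountName -> list of hits across domains

    foreach ($domain in $domains) {
        # -Server pins the query to that domain's DCs, one domain at a time.
        $users = Get-ADUser -Server $domain -Filter *
        foreach ($u in $users) {
            $key = $u.SamAccountName.ToLowerInvariant()
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
            $seen[$key] += [pscustomobject]@{
                Domain            = $domain
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $u.UserPrincipalName
                DistinguishedName = $u.DistinguishedName
            }
        }
    }

    # Only names present in two or more distinct domains are collisions.
    foreach ($key in $seen.Keys) {
        $hits = $seen[$key]
        $domainCount = @($hits.Domain | Select-Object -Unique).Count
        if ($domainCount -gt 1) { $hits }
    }
}

# Usage: list every colliding account so one of each pair can be renamed.
Find-ForestSamCollisions | Sort-Object SamAccountName, Domain | Format-Table -AutoSize
```

Renaming one side of each pair (as the post did for its user) resolves the Mac login failure; the same list is worth re-running after bulk account creation.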