
Sunday, November 27, 2011

Shaking login: duplicate accounts

We had a user who couldn't log into any bound Mac but could log into Windows machines. After much swearing and consternation we found that there was already a user with the same login and pre-Windows 2000 name as our user in a different domain of our forest.

Macs search forest-wide for authentication information, while the PCs only look in the current domain. Thus all user accounts must be unique everywhere within a forest or the duplicate user will be unable to log in. By changing the login and pre-Windows 2000 names of the user in our domain, he was able to log in.

Mac-savvy readers might point out that there is a tick box in Directory Services that says "Allow authentication from any domain in the forest". One might think that un-ticking it would force the Macs to look only to the domain they are members of for authentication information, but this is incorrect. In practice we have found that this tick box does nothing at all, and Apple admits that it is of little use.

Keep in mind that when you bind a Mac and then look in the Search Policy it displays "Active Directory/All Domains".  Therefore it will look in all available AD domains in the forest for authentication information.

Wednesday, April 29, 2009

Macs not logging in: duplicate AD names

Problem: a user in EMEA can't log into their AD-bound Mac. After investigation it is found that a duplicate name exists in another forest (North America). We have been working around this by renaming one of the accounts.

Possible solution (being tested now): from a command line on the user's machine type dsconfigad -namespace domain name and then log in with domain\shortname

See this link for more details: http://archive.netbsd.se/?ml=macos-x-server&a=2008-09&t=8621106
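An added check, not taken from either post, that pulls the two facts above together: it reads the namespace mode out of dsconfigad -show output and lists short names that exist in more than one domain, which is the collision both posts describe. The dsconfigad -show line layout and the account list are constructed samples (the "Namespace mode" line in particular is assumed), so they stand in for real output here.

```shell
#!/bin/sh
# Constructed sample of `dsconfigad -show` output; the "Namespace mode" line
# layout is an assumption and real output may differ across OS X versions.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = emea.example.com

Advanced Options - Administrative
  Authentication from any domain   = Enabled
  Namespace mode                   = forest'

# Constructed forest-wide account list, one DOMAIN\shortname per line, as an
# admin might export it from each domain of the forest.
SAMPLE_ACCOUNTS='EMEA\jsmith
EMEA\apatel
NA\jsmith
NA\bchen
APAC\apatel
APAC\lnguyen'

# Read dsconfigad -show output on stdin and print the namespace mode value
# (dsconfigad -namespace accepts "forest" or "domain").
namespace_mode() {
    awk -F'=' '/Namespace mode/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# Read DOMAIN\shortname lines on stdin and print every short name that appears
# in more than one domain, followed by the domains it was found in.
duplicate_shortnames() {
    tr '\\' ' ' | awk '{ seen[$2] = seen[$2] " " $1; count[$2]++ }
        END { for (n in count) if (count[n] > 1) print n ":" seen[n] }' | sort
}

# Classify a login string: "qualified" for DOMAIN\name, "ambiguous" for a bare
# short name that exists in several domains, "unique" otherwise.
classify_login() {
    case "$1" in
        *\\*) echo qualified; return ;;
    esac
    if printf '%s\n' "$SAMPLE_ACCOUNTS" | duplicate_shortnames | grep -q "^$1:"; then
        echo ambiguous
    else
        echo unique
    fi
}

printf 'Namespace mode: %s\n' "$(printf '%s\n' "$SAMPLE_SHOW" | namespace_mode)"
printf 'Duplicate short names in the forest:\n'
printf '%s\n' "$SAMPLE_ACCOUNTS" | duplicate_shortnames
```

On a real Mac, replace the constructed strings with the output of dsconfigad -show and an account export from each domain; a short name reported as ambiguous is the case where only a domain\shortname login or a rename will work.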