Symptom
After binding a Mac, AD account log-ins fail (shaking login). Console logs report the following:
SecurityAgent[735] Could not get user record for 'username' from Directory Services
SecurityAgent[735] User infor context values set for username
SecurityAgent[735] unknown-user (username) login attempt PASSED for auditing
SecurityAgent[735] Could not get the user record for 'username' from Directory Services
kinit [username] will generate a Kerberos ticket
id [username] will produce a list of LDAP info for the AD account
login [username] fails
Solution
If you see the Console log errors as described above it generally means that the computer is not able to create a mobile account at log-in. Try creating a mobile account from Terminal first:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
sudo createhomedir -c -u username
Log out and back in with the user's AD credentials.
Showing posts with label shaky login.
Sunday, December 18, 2011
Sunday, November 27, 2011
Shaking login: duplicate accounts
We had a user who couldn't log into any bound Mac but was able to log into Windows machines. After much swearing and consternation we found that there was already a user with the same login and pre-Windows 2000 name as our user in a different domain of our forest.
Macs search forest-wide for authentication information and the PCs only look in the current domain. Thus all user accounts must be unique everywhere within a forest or the duplicate user will be unable to log in. By changing the login and pre-Windows 2000 names of the user in our domain he was able to log in.
Mac-savvy readers might point out that there is a tick box in Directory Services that says "Allow authentication from any domain in the forest". One might think that un-ticking that would force the Macs to only look to the domain it is a member of for authentication information, but this is incorrect. In practice we have found that this tick box does nothing at all and Apple admits that it is of little use.
Keep in mind that when you bind a Mac and then look in the Search Policy it displays "Active Directory/All Domains". Therefore it will look in all available AD domains in the forest for authentication information.
Thursday, October 20, 2011
"You are unable to log in to the user account [account name] at this time.
Problem: an AD bound Mac shakes off login attempts and returns a message that says:
"You are unable to log in to the user account [account name] at this time. Logging in to the account failed because an error occurred."
There are two things to try:
First, update the Automounter master map as outlined in this Apple KB article:
http://support.apple.com/kb/TS3346
Secondly, if the user has a home folder path specified in their AD profile (Profile tab), remove it.
Friday, September 30, 2011
Shaking Log-on in OS X: The Ongoing Saga
Yet more things to check if a bound Mac refuses to allow authentication by an AD user:
Open the user's AD profile in Active Directory Users and Computers (ADUC) and click on the "Accounts" tab. Check that both the log-on name and pre-Windows 2000 name are the same, that both are unique on your network and that the user is entering the name exactly as it appears in the profile.
Monday, April 11, 2011
Shaking Login: corrupt Kerberos file
Apple has informed us that sometimes anti-virus software can corrupt the kerberos files found in:
/var/db/dslocal/nodes/Default/config/
They suggest that a troubleshooting step for a shaking login should be to remove all the Kerberos files in the above directory:
cd /var/db/dslocal/nodes/Default/config/
sudo rm Kerberos*
then restart.
Thursday, December 9, 2010
Can not log in to bound Mac using an AD account
Symptom
A Mac that has been bound to AD will not allow log-in from a particular AD user. Other AD accounts are able to log into the bound Mac and the user can log into other computers.
This is generally a symptom of a corrupt account on the computer. You have several options to remedy the situation.
Solutions
Scenario One: You are migrating a local account to a domain account. You have bound the computer and are attempting to log in for the first time using the user's AD account and you get a shaking log in or an error "you are unable to log into the user's account". Follow these steps to create a new local account, migrate the user’s data to that account then create an AD account and migrate the data to the AD account.
- Log in as root
- Unbind the computer and delete the entire /Library/Preferences/DirectoryService folder and the edu.mit.kerberos file
- Restart the computer
- Log in as root
- Go to System Preferences/Accounts
- Create a new local account for the user
- Do not use the same name as the user’s AD account
- Do not use the same name as the existing account
- Go to Users and locate the user’s old home folder
- Select all the folders in the old home folder and drag them into the new home folder for the account you just created. When it prompts you select Replace All
- Go back to the Desktop and hit Shift-Apple-U to open the Utilities folder
- Launch Terminal
- Type cd /Users
- Type chown -R [user name]:staff /Users/[user name]. For example: chown -R tsmith:staff /Users/tsmith
- Remember, you are doing the above command on the newly created home folder- the one you copied all the data into
- Use the newly created account name for “user name”
- Re-bind the computer
- Log out and then back in with the user’s AD account
- This will create a new blank profile
- Log out and back in as root
- Go to Users and locate the local home folder you created in a previous step (the one you moved all the data into and did a “chown” on)
- Select all the folders in the folder and drag them into the newly created home folder (it will have the user's AD name). When it prompts you select Replace All
- Go back to the Desktop and hit Shift-Apple-U to open the Utilities folder
- Launch Terminal
- Type cd /Users
- Type chown -R [user name]:staff /Users/[user name]. For example: chown -R tom.smith:staff /Users/tom.smith
- Log out and back in using the user’s AD account credentials
- Their desktop icons should appear
- Go to Users/[user name]/Library/Keychains and rename the login.keychain to login.keychain.old
Scenario Two: Sometimes having a UNC path to a home folder in AD prevents a user from logging in. In this case the user cannot log into any Mac but logging into a PC works.
Open the user's AD account and go to the Profile tab. If there is a UNC path to a home folder, remove it. Wait for replication and attempt to log in again.
Scenario Three: You have bound the computer and are attempting to log in for the first time using the user's AD account and you get a shaking log in or an error "you are unable to log into the user's account".
Other users can log in using their AD accounts. Checking System Preferences/Users DOES NOT show an account for the user that is unable to log in.
It is possible that the AD profile was partially created but that the process failed somewhere along the way. You first need to check if the profile exists on the computer even though it is not in "Users".
- Open a Terminal window
- Type "dscl localhost"
- Type "cd /Local/Default/Users"
- Type "ls"
- If the problem user's account is displayed you must remove it
http://support.apple.com/kb/DL1071
After you have installed Admin Tools follow these steps to remove the problem account:
- Go to Applications/Server
- Launch Workgroup Manager (WGM)
- At the connection screen enter an address of "localhost" and the UID and password of the local machine administrator
- In WGM click on the "Accounts" icon
- Make sure you are authenticated to /Local/Default
- Click on the single-user icon above the search menu
- Find the problem account in the list and click on the "Delete" icon
- Exit WGM and attempt to log into the machine again with the user's AD account
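As an added example (not part of the original post or of any Apple tool), a small POSIX shell triage script that automates the checks these posts walk through by hand: whether the user resolves via Directory Services at all, whether a half-created record for the user already sits in the local node (Scenario Three), whether the AD profile carries a UNC home folder (Scenario Two), and whether leftover Kerberos files are present in the dslocal config directory. The AD node path "/Active Directory/All Domains" and the SMBHome attribute name are assumptions; the parsing functions take text so they can be tried with constructed input off a Mac.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for an AD user
# who gets the shaking login on a bound Mac. The parsing helpers take text as
# input so they can be exercised with constructed data; triage() feeds them
# real dscl output when run on the Mac itself.
# Assumptions: the AD node is "/Active Directory/All Domains" (override with
# the second argument) and the AD home-folder path is exposed as SMBHome.

# Scenario Three: a partially created record in /Local/Default that does not
# show up in System Preferences. Input: the output of `dscl . -list /Users`.
stale_local_record() {
    listing=$1; user=$2
    printf '%s\n' "$listing" | grep -qxF "$user"
}

# Scenario Two: a UNC home folder set on the AD Profile tab. Input: the
# output of `dscl "<AD node>" -read "/Users/$user" SMBHome`.
smb_home_set() {
    printf '%s\n' "$1" | sed -n 's/^SMBHome: *//p' | grep -q '^\\\\'
}

# Kerberos files that the corrupt-Kerberos-file post suggests removing.
kerberos_config_files() {
    ls /var/db/dslocal/nodes/Default/config/Kerberos* 2>/dev/null
}

triage() {
    user=$1; node=${2:-"/Active Directory/All Domains"}
    if ! id "$user" >/dev/null 2>&1; then
        echo "FAIL: '$user' does not resolve via Directory Services; check the binding first"
        return 1
    fi
    if stale_local_record "$(dscl . -list /Users)" "$user"; then
        echo "WARN: a local record for '$user' exists in /Local/Default; remove it before retrying"
    fi
    if smb_home_set "$(dscl "$node" -read "/Users/$user" SMBHome 2>/dev/null)"; then
        echo "WARN: the AD profile sets a UNC home folder; clear it in ADUC and wait for replication"
    fi
    if [ -n "$(kerberos_config_files)" ]; then
        echo "INFO: Kerberos files present in dslocal config; remove them and restart if login still fails"
    fi
    return 0
}

# Run the checks only when a username is given, e.g. `sh triage.sh tsmith`.
if [ $# -gt 0 ]; then triage "$@"; fi
```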
Labels: AD, can't login, login, Mac, Mac Binding, OS X, shaky login
Monday, March 15, 2010
Mac User can't log in: computer bound to AD
In the ongoing saga of Mac users unable to log into a bound machine, we add this to the list:
A user could log into bound PCs but was unable to log into any bound Mac. The user would get a shaky login screen with a cryptic message.
The problem was the user's AD account had a home folder set in their AD "profile" tab that pointed to an invalid share.
We have also seen the same problem with SMB shares full-stop. Removing the home folder path in the AD account allowed the user to log in.
Thursday, July 30, 2009
Shaky login on Mac
Normally shaky logins are caused by missing or corrupt edu.mit.kerberos files so always check that first but you might also want to look at the user's e-mail address in AD too.
We had a user who couldn’t log into any bound Mac using his AD account however he could log into a PC. On the Macs, he would get a shaky login box and a cryptic error saying “you can’t log in at this time”.
Checking his AD account I noticed that he didn’t have a secondary SMTP of @corp.ipgnetwork.com. I added the SMTP, waited for replication and then he was able to log in.