Active Directory Failure
Mac Elite
Join Date: Mar 2006
Location: Here
I help run a lab of 20 iMacs (C2D) at a university. I'm having an issue with Active Directory failing to allow users to log in using their Active Directory accounts. It worked the first few times in December, but now it has just stopped working for no apparent reason. We're running 10.5.6. Any ideas?
Mac Elite
Join Date: Apr 2002
Location: Illinois
Is it that the computer accounts are getting unbound, or is it just that certain user accounts are losing the ability to log in?
There's a long-standing bug in Apple's Directory Service implementation that causes the DS node to become populated with duplicate information: a disabled account (which appears first) and a working account. It will act as though the account was disabled when, in actuality, it has not been. Use dscl to check that out on a machine that won't let you log in. OS X also has some issues with password propagation (it will cache the old keys and use them), so if they changed passwords lately, it could be the issue as well.
OS X still doesn't play nice with Active Directory, which is, IMHO, the reason Apple still hasn't made significant headway in the enterprise markets.
Mac Elite
Join Date: Apr 2002
Location: Illinois
You may also want to get in touch with one of the system engineers from Apple. We've had Mike Bombich come out and help us at University of Illinois. He is quite helpful.
Mac Elite
Join Date: Mar 2006
Location: Here
The computers are unable to log in. The individual accounts continue to work elsewhere. What happens is that we put them on the domain, they work for a day, then they don't work the next day, while Directory Utility shows no change in status. We put 20 on yesterday, and tested them all. Only 5 still work today. We have a local backup account, so it's not as though the machines are down, but I'm not quite sure what is wrong, as I don't know much about Active Directory.
Moderator
Join Date: Jan 2001
Location: Polwaristan
Will they let you log in using an SA account? Not a local sysad account but an AD/Domain Controller SA account?
Mac Elite
Join Date: Mar 2006
Location: Here
Originally Posted by Cold Warrior
Will they let you log in using an SA account? Not a local sysad account but an AD/Domain Controller SA account?
Initially, yes. They will log on with anything. Then, after a day or two, they don't.
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Can you go in and list anything through dscl? Are the computers keeping correct time with your AD server (they must be within 5 minutes... and booting into Windows can play havoc with that)? Have you made sure that all of your domain controllers have correct DNS information, both forward and reverse? If you log in with a local user, can you get a Kerberos ticket from the AD KDC?
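The clock-skew and forward/reverse DNS checks from the last reply, as an added example that is not part of the original thread. The host name `dc1.example.edu`, the addresses and the timestamps are constructed, and `sntp_time` assumes the domain controller answers NTP on UDP port 123.

```python
import socket
import struct

MAX_SKEW = 300  # seconds: the 5-minute limit mentioned in the thread
NTP_TO_UNIX = 2208988800  # seconds between the 1900 NTP epoch and 1970

def sntp_time(server, timeout=3.0):
    """Live check (assumes the DC answers NTP on UDP 123): server clock as Unix time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\x1b" + 47 * b"\0", (server, 123))  # version 3, client mode
        reply, _ = sock.recvfrom(48)
    seconds, fraction = struct.unpack("!II", reply[40:48])  # transmit timestamp
    return seconds - NTP_TO_UNIX + fraction / 2**32

def skew_problem(local_ts, dc_ts, limit=MAX_SKEW):
    """Return a message if the two clocks differ by more than limit, else None."""
    skew = local_ts - dc_ts
    if abs(skew) > limit:
        return "clock skew %+.0fs exceeds %ds" % (skew, limit)
    return None

def dns_problems(dc_name, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Check that every address of dc_name reverses back to dc_name."""
    want = dc_name.lower().rstrip(".")
    try:
        addresses = forward(dc_name)[2]
    except OSError as exc:
        return ["forward lookup of %s failed: %s" % (dc_name, exc)]
    problems = []
    for addr in addresses:
        try:
            ptr_name, aliases, _ = reverse(addr)
        except OSError as exc:
            problems.append("no PTR for %s: %s" % (addr, exc))
            continue
        if want not in {n.lower().rstrip(".") for n in [ptr_name, *aliases]}:
            problems.append("%s reverses to %s, not %s" % (addr, ptr_name, dc_name))
    return problems

if __name__ == "__main__":
    # Constructed records for a hypothetical DC with one stale PTR entry.
    a = {"dc1.example.edu": ("dc1.example.edu", [], ["10.0.0.5", "10.0.0.6"])}
    ptr = {"10.0.0.5": ("dc1.example.edu", [], []), "10.0.0.6": ("old-dc.example.edu", [], [])}
    print(dns_problems("dc1.example.edu", a.__getitem__, ptr.__getitem__))
    print(skew_problem(1232000000, 1232000000 - 420))  # client 7 minutes fast
```

Called with its default arguments, `dns_problems` uses the system resolver, and `skew_problem(time.time(), sntp_time(dc))` compares the local clock against a live domain controller.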