OS X Leopard 10.5.8 stops allowing AD login
carterx
Mac Enthusiast
Join Date: Jan 2007
Location: Canada
Nov 25, 2009, 04:46 PM

Hardware & OS X Version
I have a few hundred Macs that are running anywhere between Mac OS X Leopard 10.5.6 and 10.5.8 (most are 10.5.8, but there are a few labs that require a lower OS version due to software). The computers range from iMac G5s and Mac Pros to Intel Core 2 Duo iMacs.

Our AD (Active Directory) has been set up using Windows Server 2003 & Windows Server 2008.


Network Setup
All Macs are set up to log into the clients via the AD plug-in. Binding is smooth and we never have an error with binding. All computers are sorted and placed into the proper bins. When a user goes to log in they put in their user ID/password as if they were at a PC (Windows) desktop, and the user is granted access to log in.


The Issue
We can have the entire building imaged, up & running with a working AD login without any issues, but after so many weeks AD login stops working. The clients almost all drop the ability to allow an AD user to log in. It's totally random when this happens. When we look at the Directory Utility everything still looks good. It's green, stating that it can reach the AD server, but it just does not allow users to log in.

When this happens it's not just random clients but whole labs. If I have two labs I imaged one day, they usually both stop working the same day. What's more odd is that a lab I imaged just a couple of days after the ones that stopped working has no issues at all and allows users to log in ..... but with that being said, I'm almost guaranteed that within a couple of days that lab will stop working as well.


The Quick Fix
The fix to resolve this as quickly as possible is basically to unbind each client, or dump the directory prefs, and rebind to AD. With a few hundred Macs this is a problem, especially where it really only works for a few weeks.

Currently I have changed the campus over to a single OD user to allow students to log in when AD breaks, but this is not the solution that we want. We use AD because it allows for tracking of which users log into each machine, who is in what lab, print accounting and more. The OD user is just a backup, but it's pretty much in full use as we cannot find or resolve the AD dropping issue.



From what I have read online the issue should have been resolved with the OS X Leopard 10.5.7 update, but this is not the case here. Again, we are running Mac OS X Leopard 10.5.6 - 10.5.8 and this issue exists on each version of the OS.

We are running out of ideas on how to fix this and what could be causing it. We thought it may have been DNS due to having some duplicates in the system, but this issue was cleared up a few months ago and we have not had any more issues with DNS when it comes to that.

I'm in the middle of building a Mac OS X Snow Leopard 10.6.2 image to see if this will help, but as we have a few hundred machines and 14 campuses in total we do not have the approx. $15K+ that is required to upgrade all Intel machines to Snow Leopard.

I'm going to continue searching the net for a fix, cause and whatever else I can find on this, but so far nothing has helped.

If you have a suggestion or any ideas I would be happy to try.

Thanks!


Below are links to articles that in some way talk about this issue, or similar incidents to what we are having, that I have looked at:

Leopard problems: Active Directory Integration – Now Definitely Fixed in 10.5.2! Random Transmissions
Leopard and Active Directory - The macosxhints Forums
Mac OS X v10.5: Binding to Active Directory stops working
Mac OS X 10.5: Verifying DNS consistency for Active Directory binding
Special Report: Mac OS X Leopard Cross-Platform Issues

carterx (op)
Mac Enthusiast
Join Date: Jan 2007
Location: Canada
Feb 12, 2010, 11:50 AM

ISSUE
For some time now we have had an issue with the Macs staying bound to AD (Active Directory). For some reason they lose the ability to authenticate, which usually happens after a couple of weeks of a Mac being bound to AD.
This has been pretty consistent for over a year now, which has prevented us from using AD for user authentication. In turn we had to switch to using a local "Student" user on the Macs, but with a local user we lose the ability to track printing with PCounter and the tracking of users' login info.

CAUSE
You should only be having this issue if you are using the following together:

• Mac OS X 10.5+
• AD (Active Directory) for Authentication
• Faronics Deep Freeze

What I found online is that there is a 14-day password renewal period that is a standard 'recommended' by Microsoft in order to keep a good level of trust between client computers and Active Directory server(s).
For everyday use this is not something to worry about, but in a lab setting that uses Faronics Deep Freeze the 14-day password renewal will cause issues. When a Mac is bound to an AD server a private unique key is created between the two. Due to the default 14-day password renewal the Mac looks to the AD server to renew this key, but if frozen this key does not get changed and, in turn, though the status of AD still shows green and functional, users will not be able to authenticate with an AD account.
If you do not run Deep Freeze you will not experience this issue.

SOLUTION
To solve this issue there are three solutions:

1. Disable or uninstall Deep Freeze.
2. With an individual client/image install, you can run the following Terminal command, which will change the password expiration time:
dsconfigad -passinterval 0
Setting the system to a password renewal period of "0" ignores the need to check the authenticated account that binds the client Mac to AD and request a new private key.
3. If you are using Deploy Studio for lab imaging you just need to set the "Password Change Interval" by using the "Active Directory binding task" found in the Deploy Studio workflow options, as seen in the following image.



MY TEST

For my test I imaged 12 Macs in our common area. Prior to this test I was unbinding & rebinding all of these Macs to AD approx. every 2 weeks so that students could continue to print from their credited account. Since I reimaged these computers with the "Password Change Interval" set to "0" I have not had one computer drop from AD and lose the ability to have users log in with AD credentials. ** In short, if you are running Mac, AD & Deep Freeze you need to set the password expiration time to "0" to prevent AD authentication from breaking.

More info on this can be found here:
TwistedMac - Fix/Solution for using Mac OS X with AD authentication
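Added check for the fix above (an example script written for this page, not something from the thread, Apple or Faronics): a POSIX shell helper that parses the "Password change interval = N" line out of `dsconfigad -show`, flags a client that is still on a non-zero interval (the Mac client default is 14 days), and wraps the `dsconfigad -passinterval 0` change so it only runs as root. The `dsconfigad -show` line format is assumed from 10.6 output (10.5 is assumed to print the same line), and the sample output embedded in the script is constructed, not captured from a real client. One caveat a practitioner should keep in mind: an interval of 0 means the computer-account password stored on the client never rotates, so a stolen lab image or a compromised Mac should be treated as a compromise of that computer account and the machine rebound (which resets the password) rather than waiting for an expiry that will never come.

```shell
#!/bin/sh
# Added example (not from the thread): audit the AD computer-account password
# change interval on a bound Mac and decide whether a Deep Freeze client will
# lose AD authentication. Parsing assumes the "Password change interval = N"
# line that `dsconfigad -show` prints (assumed from 10.6 output).

# Constructed sample of `dsconfigad -show` output with the default interval.
SAMPLE_DEFAULT='Active Directory Forest          = example.edu
Active Directory Domain          = lab.example.edu
Computer Account                 = lab-imac-01$

Advanced Options - Administrative
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Namespace mode                 = domain'

# The same client after `dsconfigad -passinterval 0` (constructed as well).
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed 's/= 14$/= 0/')

# Print the interval in days, or "unknown" when the line is absent (client not
# bound, or a dsconfigad build that prints something else).
ad_pass_interval() {
    printf '%s\n' "$1" | awk -F'=' '
        /Password change interval/ {
            v = $2; gsub(/[^0-9]/, "", v)
            if (v != "") { print v; found = 1 }
        }
        END { if (!found) print "unknown" }'
}

# Return 0 (true) when a frozen client is going to break: any non-zero
# interval means the Mac rotates its computer password after N days, Deep
# Freeze discards the new secret on reboot, and users can no longer
# authenticate although Directory Utility still shows the domain reachable.
frozen_client_at_risk() {
    n=$(ad_pass_interval "$1")
    if [ "$n" = "unknown" ] || [ "$n" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Live audit on a bound Mac: prints the interval and a verdict.
audit_live() {
    out=$(dsconfigad -show 2>/dev/null) || {
        echo "dsconfigad -show failed: not bound or command missing" >&2
        return 2
    }
    n=$(ad_pass_interval "$out")
    if frozen_client_at_risk "$out"; then
        echo "interval=$n days: a frozen client WILL lose AD auth after rotation"
        return 1
    fi
    echo "interval=$n: safe for Deep Freeze (password never rotates; rebind to reset it)"
}

# Apply the thread's fix. Run as root with the image thawed so the change is
# actually persisted before the machine is frozen again.
apply_fix() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_fix must run as root" >&2
        return 1
    fi
    dsconfigad -passinterval 0
}
```

Source the file and call `audit_live` on a thawed, bound client; call `apply_fix` (as root) only when it reports a non-zero interval, then verify with `audit_live` again before refreezing.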

Snow-i
Professional Poster
Join Date: Dec 2006
Location: Maryland
Feb 17, 2010, 09:44 PM

Thanks for posting this follow-up info. Very interesting.

jacquesd
Fresh-Faced Recruit
Join Date: Mar 2010
Mar 12, 2010, 10:55 AM

Hey guys, while this fix that has been posted seems to help some people, it does not seem to apply to me. I am seeing the exact same issues, except we have never used Deep Freeze on our network. We have computers whose bindings show up green and look like they are functioning normally, but they will not allow anyone to log in until they have been unbound and rebound. I was wondering if anyone else has been seeing this problem without the use of Deep Freeze?

carterx (op)
Mac Enthusiast
Join Date: Jan 2007
Location: Canada
Mar 12, 2010, 11:59 AM

I know there was a similar issue without Deep Freeze, but that was with a lower update of 10.5; if you are running the latest update, 10.5.8, you should not see this issue.

Do you have an idea roughly how many days the bind works before breaking? If it's around the 14-day mark then, though DF is not installed, it would appear that the password interval is causing the issue.

Try running the command
dsconfigad -passinterval 0

and see if that helps. Do you build lab images or support individual machines?

Carter

All contents of these forums © 1995-2017 MacNN. All rights reserved.