  1. #1

    AD Integrated 10.9 - Login Error Cannot Log in at the time

    Hello,

    Our AD integrated network users are having some problems. Occasionally random users on random Macs will get the message "Cannot login to %USER% at this time please try again later". Restarting the Mac fixes the issue and they can log in as normal.

    No idea what is causing this!


    Any suggestions?

    Joel.

  2. #2
    AntonioRocco

    Unlike PCs, Macs are very choosy about the environment you place them in. They're a little like Goldilocks because everything has to be 'just right'.

    With that in mind I would start with the usual suspects. In no particular order these tend to be:

    1. DNS
    2. Where possible avoiding the use of a .local domain
    3. If home folders are hosted on another server (i.e. not on the DC) or a network resource such as a NAS, make sure you specify the FQDN of that share when defining the home folder location in the Profiles tab. It's a good idea to do this anyway. Don't forget to add an A and PTR Record for that resource in case you haven't done so already.
    4. DNS
    5. Check permissions allow at least traverse/read rights from the parent folder downwards to user homes
    6. Disable IPv6 on client workstations
    7. Did I mention DNS?

    How to check DNS? On any Mac client, log in as the local admin and launch the Terminal App. You'll find it in /Applications/Utilities. Once launched, use nslookup and verify you can resolve your DC on the forward and reverse pointers. Something like:

    nslookup yourdc.yourdomain.yourtld
    172.16.16.254

    nslookup 172.16.16.254
    yourdc.yourdomain.yourtld


    By default the AD plug-in is set to re-authenticate Mac workstations every 14 days. If your AD environment has no such requirement it's a good idea to disable the setting, which you can't do using the GUI. Back to Terminal again and issue this command:

    sudo dsconfigad -show

    At the prompt key in the local admin's password. There's no echo in Terminal so you won't see this being typed. Inspect the settings. If you see an entry that lists 14 days issue this command:

    sudo dsconfigad -passinterval 0

    Issue the first command again and verify the setting has taken.

    Hopefully the above should begin to help you track the problem down or at least help us help you a little more?

    Antonio Rocco (Apple Consultants Network)
    Last edited by AntonioRocco; 29th January 2014 at 09:13 PM.
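
Added example (not part of AntonioRocco's post): a small shell helper for the DNS and dsconfigad checks described in post #2. It confirms that every A record of a host has a PTR pointing back to the same name, and pulls the password change interval out of "dsconfigad -show" output. Assumptions: dig is available on the client, the host names are the post's placeholders, and the dsconfigad sample text is constructed.

```shell
#!/bin/sh
# Added example: forward/reverse DNS check plus AD password-interval check.

# Resolver wrappers (assumption: dig is installed on the client).
lookup_a()   { dig +short "$1" A | grep -E '^[0-9.]+$'; }
lookup_ptr() { dig +short -x "$1" | sed 's/\.$//'; }

# Succeeds only if every A record of $1 has a PTR pointing back at $1.
fcrdns_ok() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    addrs=$(lookup_a "$name") || addrs=""
    if [ -z "$addrs" ]; then echo "FAIL $name: no A record"; return 1; fi
    for ip in $addrs; do
        ptr=$(lookup_ptr "$ip" | tr 'A-Z' 'a-z') || ptr=""
        match=no
        for p in $ptr; do
            if [ "$p" = "$name" ]; then match=yes; fi
        done
        if [ "$match" = no ]; then
            echo "FAIL $name: $ip -> ${ptr:-no PTR}"
            return 1
        fi
    done
    echo "OK $name"
}

# Reads `dsconfigad -show` text on stdin, prints the password change interval.
pass_interval() {
    awk -F'= *' '/Password change interval/ {
        gsub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Constructed sample of the relevant part of `sudo dsconfigad -show` output.
SAMPLE_SHOW='Active Directory Domain          = yourdomain.yourtld
Computer Account                 = mac01$
Advanced Options - Administrative
  Packet signing                 = allow
  Password change interval       = 14
  Namespace mode                 = domain'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SHOW" | pass_interval
```

On a client, run fcrdns_ok against the DC and the home-folder server, and pipe "sudo dsconfigad -show" into pass_interval. An interval of 0 means the Mac no longer rotates its computer account password, so treat that setting as a deliberate policy decision.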

  3. #3

    Do you have Mobile Accounts set up in your AD settings on the Macs? This essentially sets up a local profile for each user similar to on a PC. If they can't contact the network, at least they can log in.

  4. #4

    Thanks for your reply. We didn't set up Mobile accounts when we deployed the machines. If they had mobile accounts would their settings still get saved to the network and documents redirected?

  5. #5

    Thanks for your reply Antonio.

    I'm pretty sure our DNS is working as it should but will double check on Monday. I think the issue is not with the AD authentication, as it does not shake the password box (which it used to do when our DNS was a bit wonky). It does try to log in, but it is almost as if it cannot find the home folder, which is saved on a Mac OS X Server.

  6. #6

    seawolf

    Originally posted by jthornton1605:
    Hello,

    Our AD integrated network users are having some problems. Occasionally random users on random Macs will get the message "Cannot login to %USER% at this time please try again later". Restarting the Mac fixes the issue and they can log in as normal.

    No idea what is causing this!


    Any suggestions?

    Joel.

    I would look at the console logs on a computer suffering this issue. It's best to do this immediately after getting the error. Just log in on a local account and pull up Console. Search for the username that tried to log in. You should find a more non-descriptive error than the "cannot login...at this time" error message.

    When I recently encountered this error for our student user accounts following a migration of student home drives to a new file server, the console revealed that the error was due to the home drives failing to mount, which stopped the login. A quick inspection revealed a very small problem with permissions on the home drive that once resolved fixed all login errors.
    Last edited by seawolf; 1st February 2014 at 08:19 AM.
