  1. #1
    robertsenior's Avatar
    Join Date
    Jan 2010
    Posts
    43
    Thank Post
    3
    Thanked 1 Time in 1 Post
    Rep Power
    29

    mac will not log on

    We now have 20 Macs that are allowing students to log on through the AD.

    Sometimes the Macs will not let domain users log on even though the green light is on
    and domain users are available.

    I have seen this on some of the forums but no one has really posted a comment on how to resolve the issue.

    Does anyone know what is wrong?

  2. #2

    Join Date
    Mar 2009
    Location
    Bottom Left
    Posts
    123
    Thank Post
    2
    Thanked 15 Times in 10 Posts
    Rep Power
    14
    Quote Originally Posted by robertsenior View Post
    We now have 20 Macs that are allowing students to log on through the AD.

    Sometimes the Macs will not let domain users log on even though the green light is on
    and domain users are available.

    I have seen this on some of the forums but no one has really posted a comment on how to resolve the issue.

    Does anyone know what is wrong?

    If this appears to be happening randomly our best 'fix' at the moment is for one of their fellow students to log in and out then the first student can usually log in. Failing that a restart of the Mac in question usually does the job.

    If it is happening with every network user on a Mac, unbind from AD, remove AD object and rebind. We're still in the process of working out why this happens.

  3. #3

    Join Date
    Jan 2008
    Location
    London
    Posts
    21
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    ongoing problem here too

    It's an ongoing problem here too and I haven't found anyone that knows the real reason why this happens but I'm getting closer to the solution myself.
    Here's the tedious 'dirty fix' -
    Log onto the troublesome Mac using local admin, typically username "ladmin" if you've been on an Apple course - that's what they get everyone to set up/use. You should be able to get in as you won't be validating against AD or OD.

    OK - the steps are 1) get off AD & OD, 2) delete the pref files, 3) rejoin AD & OD, 4) log out local admin and log in to the domain user that you want.

    Step 1) Run Applications > Utilities > Directory Utility. Hopefully you should know how to use the + and - buttons to add and remove entries so I won't go into detail, you just need to remove all the entries then exit out of the Directory Utility. YOU MUST EXIT OUT OF DIRECTORY UTILITY.

    Step 2) Browse to this folder Macintosh HD > Library > Preferences > Directory Utility > .... delete all of the files within the folder but don't delete the folder itself. (Note that the files are just preference files in XML format and don't bother trying to decipher them as you will find many red herrings, the contents are quite different across various OS X updates so you really ain't going to get anywhere, are you.)

    Step 3) Go back into Directory Utility and use the + button to get back onto your Windows domain and Mac server Open Directory.

    Step 4) zzzzzzzzzz you know, log off and log on as the proper user. That's it, a dirty fix that you will have to keep doing every week or so until someone finds the real solution.


    Here are some things that I have noticed and some myths debunked:
    Reboot the machine - myth - if you reboot the machine you will probably find that you don't gain anything except having to wait about 5 minutes while it reboots and 'thinks'.

    IP address changes cause this problem - expand your IP range as it's too small - myth - so much effort expanding the IP range and the end result is still the same, your Mac is not giving you problems because its IP address has changed, your Mac's IP address can still change even if you have thousands of spare IP addresses at hand.

    On a dual boot Mac you should keep the machine name the same on both the Windows and Mac side - ABSOLUTELY NOT! - I followed this 'advice' and found that my 'computers' Active Directory entries for Windows got replaced/trashed by the fact that the machines were then listed in AD as having Mac operating systems and then nobody could log on to the domain when using Windows instead.

    DNS problems - well I think this is more likely, but why DNS is playing up is another matter. One thing that you may observe is that if you look closely at your machine name on a badly behaving Mac, you may see that it's changed to something else! It may have picked up the name of a different computer - even the name of a PC computer!! Look closely at your DNS entries, particularly following the forward lookup and reverse lookup, do you notice any stray duplicates, do you notice that reverse entries are missing? I certainly have been observing these things here and have come to the conclusion that my DNS is getting messed up. I suspect that Open Directory is messing things up but I don't have any hard proof, all I know is that dual-boot computers are causing problems.

  4. #4

    Join Date
    Jan 2008
    Location
    London
    Posts
    21
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    ...and another thing

    Sorry, I forgot.

    Also on the DNS subject, it would appear that the bad Apple Mac client uses its last-used IP address to query a reverse lookup on DNS to find out what its computer name is ??!??? Yeah it sounds crazy but follow the DNS trail, you will probably find that the only connection between the bad computer name that the bad Mac client has got can only be directly linked via DNS using the reverse lookup, why this happens I don't know.
    The problem is that once the IP address is renewed by DHCP you will have to wait for the lease to expire before the issues re-occur.
    It's a tedious problem and not one to easily track down.

    Oh and by the way another myth to solving the problem is configure DHCP so that leases never expire or expire within a day. Both bits of advice seem to be clutching at straws, I tried both configurations, didn't help either way.

  5. #5

    Join Date
    Mar 2009
    Location
    Bottom Left
    Posts
    123
    Thank Post
    2
    Thanked 15 Times in 10 Posts
    Rep Power
    14
    I'm not so sure that the problem is DNS related as all of our Macs and the Ubuntu file server described in this topic are all on static IPs and have been since installation.

  6. #6
    somabc's Avatar
    Join Date
    Oct 2007
    Location
    London
    Posts
    2,337
    Thank Post
    83
    Thanked 388 Times in 258 Posts
    Rep Power
    111
    Are you specifying the Domain Controller?

  7. #7
    TomH's Avatar
    Join Date
    Jan 2010
    Location
    Nottingham
    Posts
    47
    Thank Post
    0
    Thanked 5 Times in 5 Posts
    Rep Power
    11
    Does the window just shake, or does it say the home folder cannot be located in the usual place?

    We see these problems daily with our new customers, and generally the problems can be resolved.

    These days there is no reason why a stable binding cannot be achieved with OSX to active directory.

    The dynamic DNS mentioned below is generally only a cosmetic problem where clients are concerned, so I wouldn't focus too much of your time on it.

    Tom

  8. #8

    bladedanny's Avatar
    Join Date
    May 2009
    Location
    Sheffield
    Posts
    1,275
    Thank Post
    189
    Thanked 305 Times in 227 Posts
    Rep Power
    131
    One thing we've had in regards to Mac login problems is Time, if the times are out then they won't be able to authenticate. I'd check the time before doing anything more complex.

  9. #9

    Join Date
    Jan 2008
    Location
    London
    Posts
    21
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    apple experts

    We've had Apple experts in to fix our problem on several occasions, the result is just the same - once the Mac is bound to Active Directory they think the problem is fixed.
    The problem THE REAL PROBLEM is that for some unpredictable reason a Mac will 'forget' that it's bound and there is absolutely nothing that you can do about it until you unbind/rebind again, this typically happens a few days or weeks after the Apple experts have been and gone.

    The Apple experts that we've had tend to think that nothing can possibly be wrong 'cause Macs are 'so superior' that nothing could possibly be at fault. But I've been on the Apple Certified training courses and the off-the-cuff advice we got was don't rely on any bundled Apple service (except the web service), Apple may supply pretty-looking software but business critical software it isn't. So though I'm not saying this particular problem is all Apple's fault, I think it's probably DNS related, don't be surprised if it does turn out to be Apple.

    The time thing is again another red herring, yes if the time is out of sync then it will cause problems, but here all of our computers are synced internally to the main server and DHCP provides the correct parameters, everything looks OK on that front. There was an issue regarding daylight saving on the Windows side of things but a Boot Camp patch fixed that problem some while back.

  10. #10
    u8dmtm's Avatar
    Join Date
    Feb 2006
    Posts
    231
    Thank Post
    7
    Thanked 13 Times in 12 Posts
    Rep Power
    20
    We had this problem a few years back and it was due to the times being out between the Mac and the Domain. The root cause was that the CMOS batteries were flat and we ended up replacing every single one. After that and resetting the clocks, the problem went away.

  11. #11

    Join Date
    Jan 2008
    Location
    London
    Posts
    21
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    round and round in circles

    Until you have experienced this problem for real then you cannot even begin to guess what the cause is.
    Currently I'm looking at rebuilding DNS, over Easter when nobody is using the systems.

    It's not a trivial problem, believe me there is no easy fix relating to time-sync, or locked-out accounts.
    You can log on as a local administrator and inspect everything on the Mac client, everything looks fine, green lights on Directory Utility entries, time-synced OK.
    The only thing that I notice that is wrong is that the Mac client may have somehow, strangely, inherited a name that it was never originally given. You cannot change the name unless you unbind from the AD & OD and even then the name change will only be effected after a reboot. There are no malicious people going around in the middle of the night hacking the computers or anything that would give a simple explanation. One day you can log on fine, the next day you get the shake off.

    Do note that my computers are dual boot macs, that means that the NIC on the network card will obviously be the same if I choose to boot mac or boot windows, but the 'machine name' needs to be different for mac and for windows otherwise the AD entry for that particular computer may be right royally messed up.

    Our Domain was created many years ago and the operating system has been upgraded from Win 2k Server to Win 2003 Server. I can visit a neighbouring school which has a similar Mac setup to ours except their Win 2003 server was a fresh build in recent years. Comparing our DNS setup to that school's reveals some wild differences, and since that school isn't experiencing the problems we are experiencing then I'm inclined to think that's where the issue lies.
    Also I have to think about what services the Mac client may use, there really aren't many services that store info relating to machine name and IP address.

    Going back to the weird computer-name-change thing, this was something I stumbled across completely by chance, after all you don't expect it to happen so you don't look in that area.
    Anyone that is experiencing these Mac refusal to log on problems please do click the info text found underneath where it says "MAC OS X" on the logon box and note down what it says for the computer name, IP address, etc. You can then investigate your DNS, or AD and follow the trail DNS forward lookup to reverse lookup and note if there are any duplicate entries particularly on the reverse lookup.
    And please do report back here, I would be interested to know.

  12. #12

    Join Date
    May 2006
    Posts
    1,319
    Thank Post
    101
    Thanked 25 Times in 18 Posts
    Rep Power
    25
    Lol. At almost 3am on a Saturday morning, I have been thinking over some of the issues we have remaining (yes, I have no life) and the first thread I see is this one, which saves me having to create a new one. We've been having this issue ever since we integrated OD and AD in a triangular setup during the summer last year. I've not had that many complaints, but every now and then someone mentions not being able to log on until they have rebooted the Mac. I've had them try and log on in front of me, and then try and log on to the same Mac myself, neither set of credentials work so it's not something silly. Once the Mac has been rebooted however, all domain users can log on fine - nothing else is changed. When the Mac refuses to log any domain users in, the green light is displayed on the login window, specifying that all network accounts are available, as per normal.

    Once I get back into work in the middle of next week, I'll come back to this thread and follow any potential leads. Just glad to know I'm not the only one with issues like this.

  13. #13

    Join Date
    Mar 2010
    Posts
    4
    Thank Post
    0
    Thanked 2 Times in 1 Post
    Rep Power
    0

    OSX not authenticating, but still joined to domain

    Before everyone goes off and destroys their networks or whatever, you may want to try this first:

    1) Join OSX computer to your AD domain

    2) Test to see if joined correctly (see if it logs in)

    3) Open terminal (need to be an admin user on the local machine)

    4) Type: dsconfigad -passinterval 0

    5) Press enter and type your password if it asks

    This should set the trust password refresh interval for the computer to never expire.

    Alternatively, set up and use DeployStudio freeware, closest I've come to finding something useful for Macs.

  14. 2 Thanks to dbhbbc:

    HodgeHi (7th September 2010), _Bat_ (12th April 2010)

  15. #14

    Join Date
    Nov 2009
    Posts
    63
    Thank Post
    14
    Thanked 2 Times in 2 Posts
    Rep Power
    10
    I second what dbhbbc says about the passinterval. OS X, by default, changes its AD machine account password every 14 days. However, if the machine cannot contact the domain controller at that time, it seems that the machine still changes its password and AD just doesn't know it!

    When you bind your Macs for the first time, you may want to do so with a script so that you can set the passinterval at the beginning and avoid issues. Bombich has a script that you can take a look at (Bombich.com: Mac OS X Management Custom Shell Script Library). Just plug in your site-specific info and make sure to change the "passinterval" option to 0.
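
The three causes argued over in this thread (machine account password rotation, clock skew against the domain, and a computer name that no longer matches the AD account) can be read off one Mac in a single pass; this is an added example, not code from any poster or from Apple. The layout of the sample `dsconfigad -show` output, the `show_value` and `triage_bind` names, and the 300-second limit (the default Kerberos clock-skew tolerance in Active Directory) are assumptions.

```shell
#!/bin/sh
# Constructed sample of `dsconfigad -show` output (layout assumed).
SAMPLE_SHOW='Active Directory Forest          = school.example
Active Directory Domain          = school.example
Computer Account                 = mac-lab01$

Advanced Options - Administrative
  Preferred Domain controller    = (not set)
  Password change interval       = 14'

MAX_SKEW=300   # seconds; assumed default Kerberos tolerance

# show_value KEY: print the value of one "key = value" line read from stdin.
show_value() {
    awk -F' *= *' -v key="$1" '
        { k = $1; sub(/^ +/, "", k); sub(/ +$/, "", k) }
        k == key { print $2; exit }'
}

# triage_bind SHOW_OUTPUT LOCAL_HOSTNAME LOCAL_EPOCH DC_EPOCH
# Prints space-separated findings for one machine.
triage_bind() {
    interval=$(printf '%s\n' "$1" | show_value 'Password change interval')
    account=$(printf '%s\n' "$1" | show_value 'Computer Account')
    if [ -z "$account" ]; then echo "NOT_BOUND"; return 0; fi

    skew=$(( $3 - $4 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi

    # passinterval 0 means the machine account password is never changed.
    if [ "$interval" = "0" ]; then out="ROTATION_DISABLED"
    else out="ROTATES_EVERY_${interval}_DAYS"; fi

    # AD computer accounts carry a trailing "$"; strip it before comparing.
    if [ "${account%\$}" != "$2" ]; then out="$out NAME_MISMATCH"; fi
    if [ "$skew" -gt "$MAX_SKEW" ]; then out="$out CLOCK_SKEW_${skew}s"; fi
    echo "$out"
}

# Sample run; on a bound Mac the first three arguments would come from
# "$(dsconfigad -show)", "$(hostname -s)" and "$(date +%s)".
triage_bind "$SAMPLE_SHOW" win-lab07 1700000400 1700000000
```

Running it across a lab also gives an inventory of which machines have had rotation turned off with `-passinterval 0` and which still rotate every 14 days.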

  16. #15

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    9,785
    Thank Post
    3,291
    Thanked 1,054 Times in 975 Posts
    Rep Power
    365
    Quote Originally Posted by MarsRed View Post
    I second what dbhbbc says about the passinterval. OS X, by default, changes its AD machine account password every 14 days. However, if the machine cannot contact the domain controller at that time, it seems that the machine still changes its password and AD just doesn't know it!

    When you bind your Macs for the first time, you may want to do so with a script so that you can set the passinterval at the beginning and avoid issues. Bombich has a script that you can take a look at (Bombich.com: Mac OS X Management Custom Shell Script Library). Just plug in your site-specific info and make sure to change the "passinterval" option to 0.
    The script section does not exist anymore
