Active Directory and Lion -Network accounts are unavailable

Discussion in 'Mac OS X 10.7 Lion' started by s.p.xosder, Jul 15, 2011.

  1. macrumors newbie

    Joined:
    Jun 23, 2010
    Messages:
    9
    #1
    Any other developers connect their machines to an Active Directory domain? Since installing 10.7, I am unable to connect to my domain. At the login screen, there is a message stating that "Network accounts are unavailable".

    I can confirm that the computer is able to ping the Domain Controller and during the bind process, the machine recognizes the computer account in AD and asks if I want to join the existing account.

    I have attempted both an upgrade install and a fresh install and both had the same result. Thanks in advance for help!:D
     
  2. macrumors newbie

    Joined:
    Nov 20, 2008
    Messages:
    21
    #2
    We're having the same problem. None of our Lion machines will bind to the AD, not even the Xserves. I can sometimes get them to bind but they will randomly stop allowing network logins, even though the AD shows green in the directory utility. The same machine will work just fine if it's re-imaged to Snow Leopard but Lion just won't cooperate with the Active Directory. We're running Windows Server 2008 R2.
     
  3. macrumors newbie

    Joined:
    Jun 23, 2010
    Messages:
    9
    #3
    Update: not quite there yet

    So, I've been messing around with this for the better part of the weekend, and I found a few things.

    First, I had to turn on the mobile account creation option in the directory utility. Without that being on, I couldn't get it to work at all. If I asked it to prompt me at login and I said not to create the mobile account, it caused issues, so I am now allowing it to create the account.

    Second, I'm not sure why, and I didn't want to believe it, but I seem to have better luck if the login settings are set to "List of Users" and not "Name and Password".

    I've also turned off the wireless and removed my Open Directory settings. Not sure if those matter, but I wanted to rule them out.

    On machines that still don't connect, I use the dscl command and browse the domain manually from within terminal. Somehow this seems to help too. It still isn't close to 100% and a restart can cause the machine to not login again even if it was working before.
     
  4. macrumors member

    Joined:
    Jul 17, 2011
    Messages:
    41
    #4
    Have had it working for 2 months or so now, and ran into absolutely zero issues. Just set it up the same way I did with Snow Leopard. I use a slight variation of the "golden triangle" setup.

    Computers
    Mixture of 10.5.8, 10.6.8, and 10.7.0

    Active Directory
    Windows Server 2003 R2

    Open Directory
    Mac OS X 10.6.8 Server

    Bind information:
    Active Directory first, then Open Directory. The users log in with their Active Directory account, therefore you MUST use mobile accounts. I could be wrong, but it is my understanding you can't use standard managed accounts unless they are logging in with an Open Directory account. Lastly, I reorganize the Search policy where it searches for the Open Directory server first, and then the Active Directory. Reboot, then done.

    The result allows me to manage the Mac computers from the Open Directory server, while the users still log into their Active Directory accounts. My network is set up where I manage the Macs on a per-computer basis rather than a per-user basis. I have gotten it to work on a per-user basis before, but the permissions were patchy at best. But, since it wasn't really necessary for my network, it wasn't a huge loss.

    Several of the Mac Pros are connected to an Xsan through fiber and a private vlan. That setup requires a master Xsan controller and a backup Xsan controller, both running 10.6.8 and both are physically separate servers from the Open Directory server. Permissions on the Xsan are managed on an Active Directory user basis (since all of my servers are dual-bound to Active Directory and Open Directory, just like my other Macs). I also have a 4th Xserve machine that is running several 10.6.8 virtual machines that I use as web servers, development servers, etc.

    The only thing I haven't tested yet is 10.7.0 Server. The only reason I haven't is because I have not heard anything regarding virtual machines and 10.7.0. Obviously you have to install regular Mac OS X Lion before you can install server software, and previously it was against Apple's terms to install a regular copy of Mac OS X on a virtual machine. So I'm afraid that means I can't run 10.7.0 Server through virtual machines since it requires the installation of Mac OS X first.
    On top of this, I typically wait for the first few patches before I upgrade any servers, so as of right now the plan is to wait until December vacation before I upgrade any of my servers.

    Having said that, I'm running into all kinds of stupid issues with Lion that are non-network related that will probably force me to wait until December vacation to upgrade any of my machines. (I work at a University, so the prime time to upgrade computers is during the summer and winter break.)

    Hopefully that was well-explained enough to help. If not, let me know.
     
  5. macrumors member

    Joined:
    Jul 17, 2011
    Messages:
    41
    #5
    For kicks and giggles I installed Lion Server on a Mac Pro just to see what issues I would run into.

    Long story short, Lion Server is gonna need a lot of work if Apple hopes to have it work within an Active Directory environment. Right now the only purpose it has is to suck electricity out of the wall and dazzle me with its single blinking LED. Worthless. Completely worthless.
     
  6. macrumors newbie

    Joined:
    Dec 15, 2004
    Messages:
    5
    #6
    We had the same problem here and found the fix today. After binding to the domain, when you go back to the directory utility you will notice the Apply button is greyed out. You need to click on the lock to lock the settings. Quit directory utility, and click on the lock for Users and Groups.

    We did not check the mobile account setting
     
  7. macrumors newbie

    Joined:
    Jul 22, 2011
    Messages:
    2
    #7
    - Install Lion
    - Log into your local admin account
    - Set the machine name to "XXX" and remember this name
    - Open Directory Utility
    - Open Active Directory
    - Set the Computer ID to "XXX"
    - (Optional) Show Advanced Options, check "Create mobile account...", uncheck "Require confirmation..."
    - Click Bind
    - Enter in your admin domain credentials
    - Hit OK
    - Lock the directory utility by clicking the lock in the lower right corner
    - Log out of the local admin profile
    - Log in as any domain user
     
  8. macrumors newbie

    Joined:
    Jul 25, 2011
    Messages:
    7
    #8
    Re: Active Directory and Lion -Network accounts are unavailable

    So what's the trick to logging into Lion w/ your domain account? The local admin and user accounts I've created and bound to my AD service just prompt me for a password - no domain affiliation. Logging in as Guest gives me the option to include my Windows domain login but won't accept my Windows password. This was all working fine via Snow Leopard - seems related to my recent Lion update. Did run a permissions check/repair as advised but have no way of logging in per my AD account. Seem to recall w/ Snow Leopard a separate account related to AD in the login screen?

    Thanks!

    Scott
     
  9. macrumors newbie

    Joined:
    Jul 21, 2011
    Messages:
    13
    #9
  10. macrumors newbie

    Joined:
    Jul 27, 2011
    Messages:
    12
    #10
    I've followed both jonritters and Mack Daddy's suggestions but it doesn't work.

    Repair permissions, changing the search path's order to get the apply button activated and locking the settings doesn't work. It's flawless with SL, but Lion's driving me nuts. Any other suggestions? Still having problems here =-(
     
  11. macrumors 601

    derbothaus

    Joined:
    Jul 17, 2010
    Messages:
    4,057
    #11
    Same here. Just started widespread testing. Stopped after bind. No accounts available. Just not working with exact same and/or slightly modified AD settings.
    Is it me or is Directory utility acting a little weird? It will unlock and change settings back at differing intervals. I had to fight to bind and not have my settings changed. Win 2008 vanilla. 10.6 implementations are flawless. I tried all the above fixes to no avail.
     
  12. macrumors newbie

    Joined:
    Jul 27, 2011
    Messages:
    12
    #12
    I've set up a working SL machine to try to see what's wrong. The SL machine gets, for example, the search path /Active Directory/All Domains and the Lion machine gets /Active Directory/DOMAIN/All Domains, but the directory utility still doesn't give an error message (if I change the search path, DU gives the error cannot connect to auth database). On the SL machine I have an option "allow network users to login to this computer" but not on the Lion machine. I'll reinstall Lion since I've done too many settings to track hehe.
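
An added example (not written by any poster in this thread): a shell helper that reads the text printed by `dscl /Search -read / CSPSearchPath` and reports where the Active Directory and Open Directory nodes sit in the search policy, the ordering discussed in posts #4 and #12. The sample outputs and the host name `od.example.com` are constructed, and the two output layouts handled are an assumption about how dscl formats the list.

```shell
#!/bin/sh
# Summarise the directory search policy. Real use on a bound Mac:
#   dscl /Search -read / CSPSearchPath | policy_summary
# Assumption: nodes are either on the key line separated by spaces, or one
# per indented line when a node name contains a space (as AD nodes do).

# Print one search-policy node per line, in search order.
search_nodes() {
    awk '
        /^CSPSearchPath:/ {
            sub(/^CSPSearchPath:[ \t]*/, "")
            if ($0 != "") {
                n = split($0, a, /[ \t]+/)
                for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
            }
            next
        }
        /^[ \t]+\// { sub(/^[ \t]+/, ""); print }
    '
}

# Print "ad=<pos> od=<pos>": 1-based position of the first Active Directory
# node and the first LDAPv3 (Open Directory) node; 0 means the node is absent.
policy_summary() {
    search_nodes | awk '
        BEGIN { ad = 0; od = 0 }
        /^\/Active Directory\// && !ad { ad = NR }
        /^\/LDAPv3\//           && !od { od = NR }
        END { printf "ad=%d od=%d\n", ad, od }
    '
}

# Constructed sample: dual-bound machine with Open Directory searched first,
# using the Lion-style AD node name quoted in post #12.
SAMPLE_DUAL='CSPSearchPath:
 /Local/Default
 /BSD/local
 /LDAPv3/od.example.com
 /Active Directory/DOMAIN/All Domains'

# Constructed sample: the bind did not add an AD node to the policy.
SAMPLE_LOCAL='CSPSearchPath: /Local/Default /BSD/local'

printf '%s\n' "$SAMPLE_DUAL"  | policy_summary
printf '%s\n' "$SAMPLE_LOCAL" | policy_summary
```

A result of `ad=0` after a bind that Directory Utility reports as successful means the login window has no AD node to consult, which matches the "Network accounts are unavailable" symptom.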
     
  13. macrumors newbie

    Joined:
    Jul 26, 2011
    Messages:
    10
    Location:
    Norway
    #13
    I'm experiencing the exact same thing. In another forum post here someone suggested to me that I try running /System/Library/Coreservices/ManagedClient.app/Contents/Resources/createmobileaccount after joining the domain but it does not work.

    My users who upgraded their already domain-joined Snow Leopard to Lion cannot log in. They are asked to change their password when trying to log on.
     
  14. macrumors newbie

    Joined:
    Jul 27, 2011
    Messages:
    12
    #14
    Well I reinstalled and the windows are the same so it's probably meant to be missing that option. Still haven't found a way to login with AD accounts.
     
  15. macrumors newbie

    Joined:
    Jul 26, 2011
    Messages:
    10
    Location:
    Norway
    #15
    Here is the link to the other forum thread regarding this topic. OSX Lion and AD
     
  16. macrumors newbie

    Joined:
    Jul 27, 2011
    Messages:
    12
    #16
    That issue regards no home folder getting created and not being able to login OFFLINE; we're online and can't even login with an AD account.
     
  17. macrumors newbie

    Joined:
    Jul 26, 2011
    Messages:
    10
    Location:
    Norway
    #17
    Yeah, sorry, guess you're right.
     
  18. macrumors newbie

    Joined:
    Jul 27, 2011
    Messages:
    12
    #18
    Please keep anything coming, other stuff can point one in the right direction ;) Really stuck hehe
     
  19. macrumors newbie

    Joined:
    Jul 26, 2011
    Messages:
    10
    Location:
    Norway
    #19
    I somehow think the two issues are related.

    Have you tried doing:
    Code:
    sudo dsconfigad -add yourdomain.com -mobile enable -localhome enable -computer computername -username "domainadmin" -password "SomePassword" -ou "CN=Computers,DC=yourdomain,DC=com"
    
    You can of course remove the -mobile and -localhome attributes if you don't use them. Do
    Code:
    dsconfigad -help
    for the complete command options.
     
  20. macrumors newbie

    Joined:
    Jul 27, 2011
    Messages:
    12
    #20
    dsconfigad: The daemon encountered an error processing request. (10002), also trying without mobile and localhome, but same error =(

    Where's the logfile for dsconfigad? system.log doesn't show anything when I execute the command
     
  21. macrumors newbie

    Joined:
    Jul 26, 2011
    Messages:
    10
    Location:
    Norway
    #21
    Had you done an unbind before you ran dsconfigad?

    I have not been able to locate any logfile for dsconfigad.
     
  22. macrumors newbie

    Joined:
    Jul 27, 2011
    Messages:
    12
    #22
    Yup, unbound before, but after a restart today it worked. Ran the command both with localhome/mobile and without and restarts, waiting at the login window for about 3mins and the dot is still red, network accounts unavailable.
     
  23. PUG, Aug 1, 2011
    Last edited: Aug 1, 2011

    PUG
    macrumors newbie

    Joined:
    Aug 1, 2011
    Messages:
    3
    #23
    My Domain Admins installed some automatic updates over the weekend on the Domain Controller servers. This morning I rebound the Lion machine and it seems to be working now.
     
  24. PUG, Aug 1, 2011
    Last edited: Aug 1, 2011

    PUG
    macrumors newbie

    Joined:
    Aug 1, 2011
    Messages:
    3
    #24
    deleted
     
  25. macrumors 601

    derbothaus

    Joined:
    Jul 17, 2010
    Messages:
    4,057
    #25
    Could you possibly get any info on the patch and/or final version you are running that fixed it for you?
     
