OSX 10.11 Clients, Golden Triangle Authentication

Discussion started by cfriit, Nov 25, 2015.

  1. cfriit macrumors newbie

    Nov 1, 2012
    Hey all,

    We have a Mac OSX 10.6.8 Server system joined to our Microsoft Active Directory Domain (2008 domain level, 2008 R2 servers) in a Golden Triangle configuration (Windows AD handles auth, logon scripts served from OSX Server).

    We're able to bind Macs running 10.11 to our AD/OD and have users log in. Mobile accounts are created for these users as they log on, with an appropriate folder being created under /Users. Our problem is as follows, and only applies to systems running 10.11.
    1. After successfully authenticating, users don't see their Dock right away and can't use Spotlight.
    2. After waiting 3 minutes, Spotlight responds slowly, resulting in keypresses being registered every 10-30 seconds. Attempts at opening programs within Spotlight result in a message reading "you can't open application INSERTPROGRAMNAMEHERE because it may be damaged or incomplete".
    3. After waiting 4 minutes, their Dock appears with placeholder icons (like TextEdit document, but with a ruler, pencil and paintbrush) except for Finder. Attempts to run programs from the dock result in a message reading, "you can't open application INSERTPROGRAMNAMEHERE because it may be damaged or incomplete" except for Finder. Finder opens, but shows nothing under /Applications except an empty Utilities folder.
    4. Waiting another 10 minutes results in programs showing up under /Applications, but it sometimes takes an additional 5 minutes before their icons show properly and then all programs open properly without the aforementioned error message.
    5. The Dock icons stay as generic icons except for Finder and iCal, unless you wait a bit longer, and then the original icons are restored by opening each program on the Dock once... except for Launchpad. Recreating the Dock configuration restores the proper looking icons, except for three programs (Pages, Numbers, Keynote) which show a question mark.
  2. DJLC macrumors 6502a


    Jul 17, 2005
    Mooresville, NC
    The only thing I can think of that might cause that is using Workgroup Manager to push managed preferences or anything else on the 10.6.8 server that might mess with anything within the users' home folders. Are the home folders synced back to the server / were they initially created on the server, another client, or the 10.11 clients?

    If you are indeed using Workgroup Manager, try moving one of the 10.11 clients into an OU with no associated managed preferences. If that solves it, it's time to look at migrating to Profile Manager (or something like Filewave or Casper, depending on the size and budget of your organization).

    You mention you're using the 10.6.8 server to push login scripts. What happens if you disable those for one of the affected client machines / user accounts?

    Otherwise I'm not sure what else might cause this. FWIW, I run 10.10 w/ Server.app 4 in a Magic Triangle configuration with Profile Manager and Munki. We didn't have any issues updating from 10.10 to 10.11 on our client machines. I'm holding off on a server upgrade for now.

