OSX Lion and AD

[Sfac]

Hi all, I'm trying to make Active Directory users to be able to log offline in Lion.
In SL there weren't problems, i just join the domain, check in Directory Utility "Create mobile account at login" and the home folder was created in /Users/ folder. User login credentials were saved locally and offline login was active.
In Lion i can't make it work, "create mobile account at login" option give me no home directory (i think its looking for a remote home folder, getting info from domain PDC), "force local home..." do the trick, but I'm not able to log offline, Lion keep telling me no network login available.
Anyone else having this problem?

Thanks all and sorry for my english!

 

[nesl247]

I have the exact same issue. Odd thing is that it worked during Developer Preview 2 or 3, forgot when I did a reinstall for a clean Lion Developer setup.

 

[eritho]

I have a similar problem. I can join the domain an while connected to the domain network i can log on but i get the an error message saying it does not find the home folder where it is expected. I have set homefolder to be local but still it does not work and it will not create mobile users.

 

[nesl247]

I was able to get this fixed. Here's how I fixed it:

Try

cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/

and then use "./createmobileaccount" from that location with the verbose flag.

The initial symptoms can be due to:

* Enforcing a FileVault Master password in Open Directory MCX policy when no such password has been set on the client.

* A lack of a complete OD compatible schema in your LDAP directory (probably not the problem in this case...)

* The remnants of a local user record who matches *either* the GUID or username of the attempted Mobile Account, either as a plist sitting around in /var/db/dslocal/nodes/Default/users or the home directory in /Users/*username*

Try the verbose flag. It really should indicate what's gone wrong. Admittedly so should your syslog, but this is easier to parse.

http://arstechnica.com/civis/viewtopic.php?f=19&t=158659

Worked for me. Make sure your home directory doesn't exist when you do this. You'll need to login to another user, rm -r /Users/<username>

Log out and into the user with the issue. Go to Go -> Utilities or Finder -> Applications -> Utilities -> Terminal and then copy and paste

cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
./createmobileaccount

Worked here with no issues. No idea what we have to do this.

 

[eritho]

Almost getting there but i get an error message when running ./createmobileaccount

*** node authentication failed: 5000 (failed to connect)
How can i find out what it is actually trying to connect to?
Let me know if you need any output from any of the log files as i have no clue as to what could be helpful for you guys.

 

[nesl247]

Dumb question, but you are connected to the domain either via VPN or being on the LAN that the server is located at correct?

 

[eritho]

I am connected to the domain onsite.

 

[nesl247]

Run the command and when you do, monitor (via the console app) system.log. There should be some output there about it, please post it here.

One thing that I've learned recently with my companies new IBM i Series, is if something fails, start from scratch. Try unbinding from the domain, restart, bind, login as the desired mobile user and then run the createmobileaccount.

And just because I've learned to not assume anything, make sure that the user you are logging in as is considered a domain admin or whatever group you specified in the directory setup to be considered an admin. If you didn't do this, go to System Preferences -> Accounts -> Login Options -> Edit the Network Account Server -> Directory Utility -> Edit Active Directory -> Make sure Allow Administration By is checked under Administrative under Advanced Options.

I'm not sure if the command when run via the console is required to have be an administrator or not. But it's less of a hassle to try with an admin first than without.

 

[eritho]

Tried on a cleanly installed Lion now. Same error message. Under Users & Groups the network account server light is green. But still i get the *** node authentication failed: 5000 (failed to connect).

The console just showes an entry for the command beeing run (./createmobileaccount) but it does not return any error messages.

Just to be clear. The machine is only joined in a active directory domain so far.

 

[myfootsmells]

noticing the same issue. manually creating my home account doesn't work.

 

[nesl247]

Open a terminal window and do a tail -f /var/log/system.log and in another window run the createmobileaccount command. It should definitely be outputting something to system.log.

Sounds like it might be a DNS issue if it can't connect. Have you changed /etc/hosts at all, is your client pointed to the AD's DNS server?

 

[gurm42]

I suspect that many of the people having problems are on a .local network. It's been common (recommended, even) practice in Microsoft-land to make your internal domain <mycompany>.local for some time now, and ever since Apple introduced Bonjour they've had lackluster compatibility with AD as a result.

I can't even get Lion machines to create mobile accounts. I'm running a 2003/2008 mixed domain (2003 Native Functional Level) and Snow Leopard works ok if I turn up the mdns timeout from 2 to 5. Lion, however, takes literally 3-5 minutes to decide it will accept AD logins, and when it does I can't make the mobile account so it's UTTERLY useless for the Macbooks in our environment.

Sadly, this is pretty much par for the course with Apple. I don't expect it to be fixed any time soon, either, as I've been waiting for this integration to be fixed since Leopard. It's been a long few years.

- G

 

[WFM]

I've encountered a similar problem. Here's the weird thing..

- If my AD user has a home folder assigned, a mobile account is not created locally on my mac.

- If my AD user does not have a home folder assigned, a mobile account is created locally on my mac.

So I thought that I could remove the home folder on my AD user, log onto the mac (to create the local mobile account), and then reinstate the home folder on AD. BUT, for some reason, it doesn't appear to create the mobile account once the user has logged onto the mac!

Has anyone found a way around this please?

 

[WFM]

Just to let you know that running through the ./createmobileaccount from the earlier post from nesl247 fixed the problem for me - many thanks.