Troubleshooting Login Issues
The process for logging in with an Active Directory network user is similar to the process of logging in with a network user from other directory services. You can use the troubleshooting techniques in Chapters 2 and 3, which include scenarios in which Open Directory accesses user records from Active Directory and uses mount, computer, and group records (including attributes for Managed Preferences) from Open Directory.
This section discusses some common problems, but also covers issues that are specific to logging in with an Active Directory user record.
Before you begin, verify that you are not experiencing binding issues; for instructions, see the section “Troubleshooting Binding Issues” later in this chapter.
Try to determine if the login problem is related to identification, authentication, or authorization. Start with identification of the user record. Confirm that you can identify the user with the id or dscl command, for example:
client17:~ cadmin$ dscl localhost read /Search/Users/aduser1
It is possible that DirectoryService is having problems communicating over LDAP to Active Directory. Use a graphical LDAP browser or an ldapsearch query to ensure that you can make LDAP requests authenticating as an Active Directory user:
client17:~ cadmin$ ldapsearch -x -D "cn=dcolville,CN=Users,DC=pretendco,DC=com" -W -H ldap://windows-server.pretendco.com -b "CN=Users,DC=pretendco,DC=com" cn=dcolville homeDirectory
[authentication information deleted]
dn: CN=dcolville,CN=Users,DC=pretendco,DC=com
homeDirectory: \\windows-server\smbhomes\dcolville
Verify that your Active Directory node is listed in your authentication search path.
Check to see if you can authenticate as the Active Directory user. Log in as a local user or local administrator, and then use su to switch identity to the Active Directory user.
Verify that your Kerberos configuration is set up for the Active Directory domain; the file /Library/Preferences/edu.mit.Kerberos should reference your Active Directory Kerberos domain.
Confirm that you can use kinit or the Kerberos application (in /System/Library/CoreServices) to obtain a TGT from the Active Directory KDC.
Resolving Time Issues
If the clocks on the Active Directory domain controller and Mac OS X are more than 5 minutes apart, you cannot obtain a Kerberos ticket and you cannot log in. Make sure your Mac OS X computer is in the correct time zone, has the correct daylight saving time settings, and uses the same Network Time Protocol server as your Active Directory servers.
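The following script is an added example, not code from the book, that walks through the identification, search path, Kerberos configuration, and clock skew checks described above. The pure helper functions (clock_skew_ok, in_search_path, kerberos_realm_configured) run anywhere; the live checks call dscl, id, and kinit and only run when the environment variable AD_CHECK_LIVE is set to 1. The command syntax in the live checks and the "CSPSearchPath" output format are assumptions about the Leopard-era tools, not output copied from the book.

```shell
#!/bin/sh
# ad_login_check.sh (added example): check the identification and
# authentication prerequisites for an Active Directory user login.
# Live checks run only when AD_CHECK_LIVE=1 is set in the environment.

# Kerberos rejects tickets when clocks differ by more than 5 minutes.
MAX_SKEW=300

# clock_skew_ok LOCAL_EPOCH DC_EPOCH
# Succeeds when the two clocks differ by MAX_SKEW seconds or less.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - $diff ))
    [ "$diff" -le "$MAX_SKEW" ]
}

# in_search_path SEARCHPATH_OUTPUT NODE
# SEARCHPATH_OUTPUT is the text printed by `dscl /Search -read / CSPSearchPath`
# (assumed format: one node per line); succeeds when NODE is listed.
in_search_path() {
    printf '%s\n' "$1" | grep -F -q -- "$2"
}

# kerberos_realm_configured FILE REALM
# Succeeds when the Kerberos configuration file mentions REALM.
kerberos_realm_configured() {
    [ -r "$1" ] && grep -q -- "$2" "$1"
}

# check_identification AD_USER: the user record must resolve via /Search.
check_identification() {
    if dscl localhost read "/Search/Users/$1" >/dev/null 2>&1 \
       && id "$1" >/dev/null 2>&1; then
        echo "PASS identification: $1 resolves through /Search"
    else
        echo "FAIL identification: $1 not found via dscl or id"
    fi
}

# check_kerberos REALM AD_USER: realm in edu.mit.Kerberos, then a TGT.
check_kerberos() {
    if kerberos_realm_configured /Library/Preferences/edu.mit.Kerberos "$1"; then
        echo "PASS kerberos config: $1 is referenced in edu.mit.Kerberos"
    else
        echo "FAIL kerberos config: $1 is missing from edu.mit.Kerberos"
    fi
    if kinit "$2@$1"; then
        echo "PASS kinit: TGT obtained from the Active Directory KDC"
    else
        echo "FAIL kinit: no TGT (check clock skew and KDC reachability)"
    fi
}

# check_clock DC_EPOCH: compare the local clock with the domain
# controller's time (seconds since the epoch, obtained by the admin).
check_clock() {
    if clock_skew_ok "$(date +%s)" "$1"; then
        echo "PASS clock: skew is within $MAX_SKEW seconds"
    else
        echo "FAIL clock: skew exceeds $MAX_SKEW seconds; fix NTP/time zone"
    fi
}

if [ "${AD_CHECK_LIVE:-0}" = "1" ]; then
    usage="usage: AD_CHECK_LIVE=1 ad_login_check.sh <aduser> <REALM> [dc_epoch]"
    user=${1:?$usage}
    realm=${2:?$usage}
    check_identification "$user"
    if in_search_path "$(dscl /Search -read / CSPSearchPath 2>/dev/null)" \
                      "Active Directory"; then
        echo "PASS search path: an Active Directory node is listed"
    else
        echo "FAIL search path: add the Active Directory node to the search path"
    fi
    [ -n "${3:-}" ] && check_clock "$3"
    check_kerberos "$realm" "$user"
fi
```

Run it on the client as `AD_CHECK_LIVE=1 sh ad_login_check.sh aduser1 PRETENDCO.COM`, optionally passing the domain controller's current time in epoch seconds as a third argument; each line of output names the step that failed so you can go straight to the matching paragraph above.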
Using the Logs
Use the log file /var/log/system.log and the log files in /Library/Logs/DirectoryService/DirectoryService to gather information if you are experiencing problems logging in. Refer to Chapter 1 for information about enabling DirectoryService logging by sending the USR1 or the USR2 signal to DirectoryService.
Transitioning from a Local User to an Active Directory User
If you want to transition from using an established local user account to a network account, yet continue to use the existing home folder, you must perform these steps:
- On your Mac OS X computer, log in as a local administrator. Open System Preferences and choose the Accounts preference.
- Click the lock in the lower-left corner to authenticate as a local administrator.
- Choose the local account that conflicts with the Active Directory account.
- Click the Remove (-) button in the lower-left corner.
- When prompted, leave the default selected, “Do not change the home folder,” then click OK.
- If the short name of the local user differs from the short name of the Active Directory user, change the name of the home folder. The following command changes the name of the home folder from the local user short name “david” to the Active Directory user name “dcolville”:
client17:~ cadmin$ sudo mv "/Users/david (Deleted)" /Users/dcolville
- Change the ownership of the files in the preserved home folder so that the Active Directory user is the new owner. Open Terminal and issue the chown (change ownership) command, which takes the form of
chown [options] owner[:group] file
The option -R changes ownership recursively, so the command changes ownership for the entire home folder. The chown command below changes the owner and group associated with all the files in the home folder:
client17:~ cadmin$ sudo chown -R dcolville:"PRETENDCO\domain users" /Users/dcolville
- Log out as the local administrator account, and then log in as the Active Directory account.
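The script below is an added example, not code from the book, that automates the home folder hand-off in the steps above: after the local account has been removed with "Do not change the home folder" selected, the folder is left as "/Users/<old short name> (Deleted)"; the script renames it to the Active Directory short name and changes ownership to the Active Directory user and group, refusing to run if the preserved folder is missing or the destination already exists. The USERS_DIR and DRY_RUN variables are assumptions added for testing; with their defaults the script issues the same mv and chown commands shown above.

```shell
#!/bin/sh
# migrate_home.sh (added example): hand a preserved local home folder
# over to an Active Directory user.
# usage: sudo sh migrate_home.sh <old_short_name> <ad_short_name> <ad_group>
# e.g.:  sudo sh migrate_home.sh david dcolville "PRETENDCO\domain users"

# Assumed for testing: USERS_DIR overrides /Users, DRY_RUN=1 only prints.
USERS_DIR=${USERS_DIR:-/Users}

# deleted_home_path OLD_SHORT_NAME
# The path Mac OS X leaves behind when "Do not change the home folder"
# is chosen while removing the local account.
deleted_home_path() {
    printf '%s/%s (Deleted)\n' "$USERS_DIR" "$1"
}

# run CMD ARGS...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'would run:'
        printf ' %s' "$@"
        printf '\n'
    else
        "$@"
    fi
}

# migrate_home OLD_SHORT_NAME AD_SHORT_NAME AD_GROUP
migrate_home() {
    old=$1
    new=$2
    group=$3
    src=$(deleted_home_path "$old")
    dst="$USERS_DIR/$new"

    if [ ! -d "$src" ]; then
        echo "error: $src not found; remove the local account first" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "error: $dst already exists; refusing to overwrite it" >&2
        return 1
    fi
    # The AD user must resolve before we hand the folder to it; skipped in
    # dry-run mode so the logic can be exercised on a machine that is not bound.
    if [ "${DRY_RUN:-0}" != "1" ] && ! id "$new" >/dev/null 2>&1; then
        echo "error: $new does not resolve; check the Active Directory binding" >&2
        return 1
    fi

    # Rename the preserved folder to the AD short name, then make the AD
    # user and group the owner of everything inside it (chown -R).
    run mv "$src" "$dst" || return 1
    run chown -R "$new:$group" "$dst" || return 1
    echo "migrated $src -> $dst, owned by $new:$group"
}

if [ "$#" -eq 3 ]; then
    migrate_home "$1" "$2" "$3"
fi
```

Preview the exact commands first with `DRY_RUN=1 sh migrate_home.sh david dcolville "PRETENDCO\domain users"`, then run it with sudo; afterwards log out of the local administrator account and log in as the Active Directory user to confirm the home folder is usable.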
Understanding Mobile Accounts
A mobile account is a local copy of a network user account, with attributes and credentials synchronized at login if the network node is available. A mobile account allows you to log in even when the network directory node is not available. The mobile account concept is not specific to Active Directory, but the Active Directory plug-in provides a checkbox to enable Mac OS X to create a mobile account when users log in. This enhances the user experience because it also caches other Active Directory information, such as group membership. Mobile accounts work well when you synchronize the contents of the local home folder with a network home folder, but this synchronization is not automatic.
See “Exploring the ‘User Experience’ Advanced Options Pane,” earlier in this chapter, for instructions on configuring the Active Directory plug-in to configure Mac OS X to create mobile accounts. For more information about home folder synchronization, see the section “Managing Mobile User Accounts,” starting on page 502 of Mac OS X Server Essentials, Second Edition, or read Chapter 8, “Managing Portable Computers,” of Mac OS X Server User Management for Version 10.5 Leopard.
Updating Active Directory Indexing
As do other directories, Active Directory indexes the values of commonly requested attributes in order to increase the speed of operations. If your Active Directory implementation contains a large number of Mac OS X clients, your Mac OS X computers may request attributes that Active Directory does not index. Microsoft provides a downloadable Server Performance Advisor tool that lets you investigate whether there are any attribute queries that could be sped up by better indexing. Use this tool to determine if there are many requests for attributes that are not indexed, and then use Active Directory tools to add the unindexed attributes to the list of attributes to index.
If the computer object is created in one site but hasn’t been replicated to another, you may not be able to log in until the replication takes place. You can force replication to take place with standard Active Directory tools.