LDAP Authentication "Network Accounts Unavailable" on 10.8

Hello,
We've been successfully authenticating against our LDAP servers on our 10.6.8 machines without any problems. I've set up a test machine running 10.8 to see if we will have any issues when it comes time to upgrade our lab OSs. I set up our LDAP authentication on the machine as per our usual methods. I get the "Green Light" in the Users/Groups preferences pane that our LDAP server is found. I can search through our LDAP users in the Directory Editor and I can access LDAP user accounts through terminal.
My problem is at the login screen it tells me "Network Accounts Unavailable". This seems contradictory as when I'm logged into a local account, I can access our LDAP server. It seems to work everywhere except at the login screen.
I've tried this openLDAP fix: http://iwatts.blogspot.ca/2012/01/osx-1072-openldap-authentication.html
No luck.
Any ideas?

I see the same problem as a result of having the same UID number for both my local account and my LDAP account, although the account names are different. It appears that upon providing the correct login/password to the LDAP server, 10.8 looks at the returned UID, identifies it as the same as a local UID and then rejects the login.
A security measure I want to work around but perhaps there is a better way of accessing both my local and LDAP accounts but keeping it as easy as it would be if both accounts had the same UID.
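
A check for the condition described in the reply above (added example, not part of the original thread): the function below lists every UniqueID that appears in both the local node and an LDAP node. The listing file names, the server name ldap.example.com and the sample accounts are constructed placeholders.

```shell
#!/bin/sh
# Added example: find UniqueID values shared between the local directory node
# and an LDAP node.
#
# Input is the two-column output of `dscl <node> -list /Users UniqueID`:
#   <RecordName> <UniqueID>
# On a bound Mac the listings would be produced with (server name is a
# placeholder):
#   dscl . -list /Users UniqueID > local.txt
#   dscl /LDAPv3/ldap.example.com -list /Users UniqueID > ldap.txt

# uid_collisions LOCAL_LISTING LDAP_LISTING
# Prints one line per shared UID: "<uid> local=<name> ldap=<name>"
uid_collisions() {
    awk '
        # First file: remember which local record owns each numeric UID.
        FILENAME == ARGV[1] {
            if ($2 ~ /^-?[0-9]+$/) local_name[$2] = $1
            next
        }
        # Second file: report LDAP records whose UID is already used locally.
        ($2 in local_name) {
            printf "%s local=%s ldap=%s\n", $2, local_name[$2], $1
        }
    ' "$1" "$2" | sort -n
}

# Constructed sample listings, so the script runs without a directory server.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/local.txt" <<'EOF'
root                     0
nobody                   -2
labadmin                 501
jsmith                   502
EOF

cat > "$SAMPLE_DIR/ldap.txt" <<'EOF'
asmith                   501
bjones                   1050
jsmith                   1051
EOF

uid_collisions "$SAMPLE_DIR/local.txt" "$SAMPLE_DIR/ldap.txt"
```

Any line it prints is a UID for which the local and LDAP records resolve to the same numeric identity.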

Similar Messages

  • Network Accounts Unavailable but not on all machines

    Hi
    I have a client with a Dual processor XServe G5 running 10.4.8 server, their Macs are also on 10.4.8 and they are setup with Network Home Directories.
    In the last few weeks, I have had intermittent problems with a couple of the machines that don't seem to be able to log onto their accounts in the morning when first switching the machines on. Clicking on the status line in the login window in this instance shows "Network Accounts Unavailable".
    To solve this I have been logging in remotely as admin to the machine(s) in question, deleting the LDAP configuration in Directory Access, re-configuring, rebinding and then logging out. When doing this, the Network Accounts are then shown as available and the user can log in normally.
    Interestingly, when I get to the point of deleting the configuration, it says that it can't contact the LDAP server, and asks if I want to force a disconnection and I guess this is why the user can't get to their network account in the first place, because it can't see the LDAP server?
    However, other machines on the network, don't have this problem and can log in after a restart or shutdown with no problems. Why would it do it on just a couple of machines? Could it be the network switch?
    None of these machines are connected via a wireless connection, they are all hard wired into a small 5 port switch, which in turn is wired back to the main switch in their rack and this is a 10/100 Allied Telesyn unit.
    Any ideas as to what I can do to resolve these intermittent issues? It's becoming a pain to have to resolve this every morning for the client when they come in.
    Thanks
    Paul
    PowerBook G4 17"   Mac OS X (10.4.8)  

    Hmm, seems I solved it by tweaking the broadband router.
    (I fed it with a backup DNS, and reactivated DoS firewall)
    Does neither explain why another PC worked well alongside this one,
    nor why another OS gave other results.
    Maybe just a broadband router inconsistency, anyway, I'll consider this fixed for now.

  • Active Directory - Network Accounts Unavailable after reboot

    The issue I'm having with Snow Leopard is that I can bind accounts to AD and on the first boot it works perfectly. It shows Network Accounts Available and I can login using an AD account. After I reboot and on every boot after the first it then shows Network Accounts Unavailable. I logged in as local admin and it shows it is bound to the domain and it has a green light under the Directory Utility for the domain.
    Here are the main bits of info regarding this problem:
    1. Computer is bound to domain on first boot using Deploy Studio's firstboot script. This works brilliantly on 10.5 and only became a problem on 10.6.
    2. On first boot, it binds to the domain correctly and shows Network Accounts Available. I can log in using a network account and everything is peachy.
    3. If I reboot the machine, the status on the loginbox changes to Network Accounts Unavailable and has a red light.
    4. If I've logged in to an AD account on first boot, it will log in even with the red light present (it is a mobile account). This is working properly.
    5. If I try to log in using an account that has never logged in before, it will not log it in.
    6. If I log in as local admin and check the Directory Utility, it shows the machine as being properly bound to the domain and has a green light even though the login box shows a red one.
    These are all the facts surrounding this issue that I have at the moment. I am booting up a 10.5 image right now that is freshly imaged and will report back its behavior using the same AD binding script that is being used on the 10.6 image.

    Quick Update on the 10.5 AD Binding test I said I was doing.
    Every time I reboot on 10.5, it says Network Accounts Unavailable for a few seconds and then switches to Network Accounts Available.
    On Snow Leopard, it never switches to Network Accounts Available, it stays stuck on unavailable.
    Thanks in advance,
    Nate

  • Network Account Unavailable

    On login window it tells me network accounts are unavailable. I can log in to local accounts and the computer is connected to our network but I just can't login to the network accounts. I repaired permissions and ran Disk Warrior to no avail. Any ideas. Thanks

    What Interfaces in Network>Show:>Network Port Configurations are checked ON?
    What IP and such are shown in Network>TCP/IP tab?
    In System Profiler>Networks, what is shown as active?

  • 10.5.8 Client suddenly stops authenticating network accounts

    Hello,
    We have an Xserve running OS X Server 10.6.8, and connected to it via OD are a mix of 10.5 (PPC) and 10.6 (Intel) clients. Everything was working fine until one day the network accounts on one of the 10.5 clients stopped authenticating (anyone trying to login to their accounts on that computer got the shaking login box). On further testing, it was revealed that you could still log in, but with outdated passwords, leading me to believe that there was some communication error between the server and the client about updating Managed Client preferences, or about updating passwords if they had been changed elsewhere.
    Attached are console logs linked to any attempt to login with a network account and the current password associated with it (HAIL is the name of the computer):
    05/09/2012 14:25:56 com.apple.loginwindow[189] MCXCCacheMCXRecordAndGraph(): [localNode createRecordWithRecordType:dsRecTypeStandard:Computers name:"HAIL"] == -14131 (Unable to set value(s) for dsAttrTypeStandard:HardwareUUID in record HAIL.)
    05/09/2012 14:25:56 com.apple.loginwindow[189] MCXD.getComputerInfoFromStartup: MCXCCacheGraph() == -14131 (Unable to set value(s) for dsAttrTypeStandard:HardwareUUID in record HAIL.)
    05/09/2012 14:25:56 com.apple.loginwindow[189] MCXD.getComputerInfoFromStartup: MCXCCacheGraph() == -14131 (Unable to set value(s) for dsAttrTypeStandard:HardwareUUID in record HAIL.)
    05/09/2012 14:25:56 com.apple.loginwindow[189] MCXD.getComputerInfoFromStartup: MCXCCacheGraph() == -14131 (Unable to set value(s) for dsAttrTypeStandard:HardwareUUID in record HAIL.)
    Steps I have taken to rectify this that have failed:
    - Unbinding and rebinding the client to the server.
    - A forced Managed Client preferences refresh.
    - Resetting all computer preferences in Workgroup Manager to default for this computer.
    - Using disk utility to check and fix permissions on the local drive.
    None of it has worked, and any help would be appreciated.
    Thank you,
    Raghuvir Kasturi

    Something that I've been looking at along with this problem is that my master directory no longer has a DNS name when looking at its configuration in Server Admin.
    I can see the server, people can also log in up to 10.5.2, and I can see it with an nslookup, but I'm not sure why I cannot see a DNS name in the admin.
    Quick information about our setup: We have an OD Master and two OD Replicas. The master is where our faculty and students log in to and faculty stores their data, the replicas are where the students store their data.
    One of our techs here is trying to remember how to do it, but apparently our old apple tech had set up one of the replica servers to act as a DNS server which would then give the master server its DNS name...I guess the DNS server had one entry which was the master, and then the master pointed itself to that DNS server to get its information.
    Does anyone have any information on this or how I can get it to work?
    To see what it looks like in Server Admin, please check http://i41.tinypic.com/15nvqlt.jpg

  • Over Wireless - Network Accounts Unavailable

    I have seen a couple of posts on this site in regards to this topic, but nothing seems to have worked. Here is what I have...
    I have an OS X Server (10.4.5) that is my OD master.
    I have a wired/wireless network. Clients are authenticating just fine over the wired network. Clients cannot authenticate over the wireless network (Airport APs that are NOT distributing IP addresses, that is done via a DHCP server).
    I have several teachers with laptops, but they are using mobile accounts, so when they log in, it appears as a local account to the machine and they log in without issue. The server then synchronizes just fine.
    I have set up a couple wireless eMacs around the building recently, and have given them static IP addresses (though I would prefer to use my DHCP server which is separate from my OD server), yet they are not talking to the network or the OD server, it appears, until after a local account is logged in. At that point, I can logout and then log back in using an account set up in WorkGroup Manager.
    I have noticed on the login screen that even though there is a static IP address, it is not appearing on the login screen when I scroll through the machine attributes, which hints me to the thought that the machine is not yet on the network. I also cannot ping the machine or hit it with Remote Desktop.
    I have tried clearing out the LDAP directory settings and reinstalling them from the wireless network to no avail. I have also attempted to clear out the directory settings in the /Volumes/HD/Library/Preferences/DirectoryService settings, also to no avail.
    Any help would be appreciated.

    I unfortunately cannot help with your situation, but it seems that you work in an educational environment as I do, and you might be able to help me. I've been running mac networks for a long time, with Xserves since they came out. I currently manage a wired/wireless network with an Xserve G5 as OD master. Up until last week, at any given time, the most clients we had accessing the server at once was about 60 wired computers and maybe 10-15 wireless and things ran beautifully. We just started using 60 new laptops and everything has gone to crap. After 6 months with ZERO server crashes/downtime, I've had 2 crashes in the last week. Even before the crashes, with about 100 clients accessing the network, everything was painfully slow. Portable home directories is not an option because we're not up to 1:1 yet. This is new territory for me. Can you give me an idea of the number of wired/wireless clients you manage? Any suggestions on what upgrades come first, like RAM? I have an Xserve G4 not being used. Any ideas on the best way to use it to help? Thanks for any help you can provide.
    Xserve G5 DP   Mac OS X (10.4.4)   1 gig RAM

  • Cannot login to network accounts from client computer

    Hi. I'm setting up my first OS X Server setup for home use...I'm not creating a very complicated setup, but I've been working through the setup one step at a time.
    Right now, I'm just running the DNS, File Sharing, and Open Directory services. I setup a couple of Network User accounts, and I wanted to try using one of the accounts to log in to a Mac client (running Mountain Lion) on the network. When the machine first comes up, I get a message that says 'Network Accounts Unavailable,' and if I try to log in, I get the error message saying 'You are unable to log in to the user account "xxxxx" at this time. Logging in to the account failed because an error occurred.'
    If I stop and restart the Open Directory service, I get the following messages in the Open Directory Log:
    2013-02-15 09:11:01.017801 EST - Unregistered node with name '/LDAPv3/127.0.0.1'
    2013-02-15 09:16:19.139744 EST - Registered subnode with name '/LDAPv3/127.0.0.1'
    Not sure if this is the source of the problem, but these are the only messages that are coming up if I turn the Open Directory off and then on again.
    If anyone has any experience with this, or any suggestions, I'd greatly appreciate it!
    Thanks!
    If it helps:
    Running OS X Mountain Lion (10.8.2) with Server (v2.2.1)
    Client Machine is a VMWare Fusion VM Running Mountain Lion (10.8.2)

    On your client machine login screen, type in ">console" (without quotes) in the username field and hit enter. Try and login with your network account username and password. What error messages do you get in console?
    Taylor

  • Lion Clients 10.7.4 show network accounts are unavailable and server is not responding when binding to Snow Leopard server 10.6.8

    Hello,
    I am running Snow Leopard Server 10.6.8 and my clients are Lion 10.7.4. While testing I had no issues binding 10.7.4 to our 10.6.8 server's OD. I created a 10.7.4 image to push to all of our machines and in the beginning of last week I was able to push the image and get the machines to bind with OD and apply preferences on these machines through workgroup manager. Towards the end of the week though this stopped working. Now any time I bind a 10.7.4 client to OD it allows me to perform an authenticated bind and the machine shows up in workgroup manager but immediately after binding the client the status jelly next to the OD server in the directory list is red and says "This server is not responding". If I reboot the client I get a notification that "Network accounts are unavailable" at the login screen. My preferences from workgroup manager are also not applying, which is my main concern because without workgroup manager my mac server is somewhat pointless as we use it for very little else.
    I've since tried to bind a snow leopard machine (10.6.8) and this still is working with a green status jelly. I've also built a lion machine from scratch, updated to the 10.7.4 combined update and am still getting the same issue where it shows the server is not responding when binding to OD. I then applied the subsequent OS update after the 10.7.4 combined update but the problem still persists.
    Is anyone else having this issue?  Any help would help me keep my sanity.
    Thanks,
    Dane

    Have you had any luck finding a solution to this?  The only thing I have found was to unbind and then bind without authentication.  Any help with progress on your end would be appreciated!
    Nick.

  • WPA2 Enterprise Network Accounts are unavailable

    I'm going to admit upfront that I am a Windows admin. I have attempted Google searches, Apple support searches, and I'm coming up without answers that are working. It's possible that I'm overlooking the answers in front of my face, but any help would be appreciated.
    Our network is WPA2 Enterprise Authentication (LEAP) is with AD Username and password.
    I have bound OS X to AD.
    I can authenticate to the WPA2 network after local login.
    I have created IPCU profiles to include the WPA2 certificate and network ID.
    I have created OS X Lion "Server" profiles with the WPA2 information.
    I have set the directory utility Active Directory configuration to Create mobile account at login, do not require confirmation. Use UNC path to derive home drive location. Map UID, User GID, and Group GID to AD attributes. Allow authentication from any domain in the forest.
    I have set wireless to prefer only our WPA2 network.
    At the logon prompt, I am told "Network accounts are unavailable"
    Is it possible to setup so that at the logon prompt it can take the username and password and attempt to authenticate to our WPA 2 and process the AD account login (the parts applicable to OS X)?
    We have great success setting up the OS X machines with a local account "linked" to an AD account, but I'd rather have it function semi-close to the way our Windows machines authenticate, as network endpoints. I do realize this is sort-of against the grain of the Apple perspective, but these are not personal computers, so I'd like them to play nice with the business network.
    Anyhow, I'm probably missing something obvious, but would appreciate anyone being willing to show me the way.
    Thanks!

    I do believe it's fairly normal... one of the crazy things about a fully cooperative multitasking OS, it can try to connect before the Interfaces are up & ready.
    Found a work-around. This command adds a delay, in this case 45 seconds, before displaying the Login Window.
    defaults write /Library/Preferences/com.apple.loginwindow StartupDelay -int 45
    If the Login Window UI detects that the network servers are available when it starts, it will skip the delay, also if network servers become available before the delay expires, the Login Window UI cancels the delay and displays.
    Kent
    http://discussions.apple.com/thread.jspa?messageID=10338123#10338123

  • ApacheDS (LDAP) Network Accounts Never Can Login

    I have been fighting with LDAP via ApacheDS for days attempting to get Mavericks to actually authenticate against the LDAP server.
    Here is the path that I have taken:
    ApacheDS is setup with simple authentication (disabled everything else for the moment after attempting to login every which way).
    Here is an example of the LDAP setup:
    dc=example,dc=com
    ou=users
    uid=username
    cn=Full Name
    sn=Name
    displayName=FullName
    userPassword=hash
    uid=username
    ou=groups
    cn=Users
    cn=Administrators
    Then I went to Users and Groups, Allow network users to login is checked
    Joined a Network Account Server
    (When looking at edit, it shows a green indicator)
    I setup a custom mapping under LDAPv3 which contains:
    Search Base: ou=users,dc=example,dc=com
    Users: inetOrgPerson
    AuthenticationAuthority: uid
    NFSHomeDirectory: #/Users/$uid$
    PrimaryGroupID: #20
    RealName: cn
    RecordName: uid
    UniqueID: uid
    UserShell: #/bin/bash
    I can see the information in the Directory Editor from the LDAP server, Search Policy has the network accounts right after the local accounts.
    When attempting to login, it just shakes... Here is the only items that I can see in the opendirectoryd.log:
    2014-01-04 10:26:50.785452 CST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
    2014-01-04 10:27:06.734300 CST - 22.805 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
    2014-01-04 10:27:06.734300 CST - 22.805, Module: ldap - failed to retrieve LDAP server schema - LDAP error - 50
    2014-01-04 10:27:07.031977 CST - 22.823.826 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
    2014-01-04 10:27:07.031977 CST - 22.823.826, Node: /LDAPv3/example.com, Module: ldap - __odnode_copy_record_block_invoke: 4101 No predicates provided
    Anyone have any ideas?

    I was able to activate the debug log in the Leopard client machine, but I don't know how to look from another machine via SSH... Could you explain a bit the procedure? Is it possible to try to log in as a network user and then, after failure, log in as an admin account and check the log with Console?
    Today I found out that Snow Leopard clients are also not able to log in... Similar problem in Directory Utility:
    This is what I found in the log for this machine (tried to log in with two different accounts):
    25/04/12 20:09:17          SecurityAgent[321]          User info context values set for XXX
    25/04/12 20:09:18          authorizationhost[320]          Failed to authenticate user <XXX> (tDirStatus: -14103).
    25/04/12 20:09:25          SecurityAgent[321]          User info context values set for YYY
    25/04/12 20:09:25          authorizationhost[320]          Failed to authenticate user <YYY> (tDirStatus: -14103).
    Couldn't find much about this in Google.
    I'm starting to feel really disappointed about this!
    (sorry for the delay in answering, been abroad...)

  • Authentication - same account name on 2 LDAP servers

    We have our mac clients set up to authenticate against 2 LDAP servers, one Open Directory, one eDirectory - to keep things easy for our users I want to use the same login username for both OD and eDirectory users - we basically have users logging into both Windows and Macs, I want a specific set of users to have home directories on our Mac server (only when logging into the Macs), and to pick up their Windows home directories when logging onto Windows machines. I have the Mac server set above the eDirectory server in the Directory Utility search policy (client machines), but when I log in with a network account I am prompted to choose which account to use (eDir or OD similar screen to having managed users in different groups where you are prompted to choose your profile at login). I thought that by specifying the order in the search policy the client machine would authenticate the first account found rather than prompting for which account to use. Anyone know of a way to make this happen - ie set up identical accounts on both LDAP servers and have the macs authenticate the first account found on the server specified in the Directory search policy instead of offering a choice? I hope this makes sense. I know it would be easier to mount a network share on the mac server for certain users and have all the accounts authenticate via eDirectory, but I have to do it this way. Anyone have any advice??

    I am having exactly the same problem, also with an iMac and a MBP. My iMac is about 6 weeks old, and I migrated via Time Machine. I can read the files from the connected machine, but cannot write, regardless of which is the host. Permissions are all fine.
    I did notice one thing: the UUID number for the accounts is the same (accounts have same name as with darrylh). You can find this under System Preferences>Accounts and right click or control-click on the account name after unlocking it. I am working with Apple support on this, but no resolution yet. I suspect that the UUID (Universally Unique ID) should not be the same on two machines, but I don't know the consequences of changing it or which one to change.
    Thanks.

  • "network accounts are unavailable"

    Hi,
    I just upgraded to Lion and now I cannot log in to my mac using my network account.  I checked and the computer is still joined to our windows domain.
    Any ideas?  Nothing has changed on our network so I am assuming it's a Lion issue. Thank you for any help you can provide.

    Okay, some more information from my side - I am running a W2008 R2 PDC where:
    I am able to bind any 10.6 based machine and use the network login
    It was the same for a 10.7 machine which was upgraded from 10.6 (AD was already configured on 10.6)
    Having my first machine installed from scratch with 10.7.1, I am not anymore able to get the network login working. I read several articles describing this issue offering different solutions - without luck!
    Here is what I tried:
    Configure AD with standard Mac OS X tools:
    - Joining the domain works without any issue
    - Network Account Server in System Preferences shows green
    - Login after restart displays 'network accounts are unavailable'
    Did try to add custom Search path, static IP address, verified DNS settings and search domains, reboot after each step, un-/rebind to domain several times w/o 'create home directory' and 'allow administration'
    Also downloaded CentrifyDC Express for Mac: it also did join well to the domain but as well as the standard Mac OS X procedure it does not let me login (ADCheck verifying the global parameters if the conditions are fine to be able to find the DC in the DNS etc. reports no issues)
    From what I learned so far, it must be the configuration which is being written. Most probably I would guess it works fine if you once have created the setup under SL?
    Personally I was not able to find such issues as "sometimes it's working, sometimes not...".
    This is really annoying !
    Any more ideas on that???

  • Can't login after Mountain Lion upgrade (Network accounts are unavailable)

    I performed a Mountain Lion upgrade on a 2011 MBP running Lion this weekend. The Mac may have been set up to connect to an AD server with my user account, but I thought I had disabled that months ago... apparently not. I performed the upgrade at home not on the corporate network.
    On first bootup after the Mountain Lion upgrade I'm stuck at the login screen unable to login with my local account or the admin account. I get the "red dot" next to the username field with the "Network accounts are unavailable" pop up. I'm plugged in to the ethernet network at work now... no luck.
    I tried booting into the repair disk and repairing disk permissions. Still no luck.
    Any ideas? I'd happily do a fresh install but I need to get a handful of files off the machine first.

    No worries with the basic questions... it's important to cover all the bases. Thanks so much for the input.
    - I'm trying to log in with the same username I would use to ssh in... so yes.
    - I don't know if the account was a mobile account. The Mac was given to me configured about a year ago, configured to be on the domain. I since have used it on and off many networks without considering it was set up to be on a domain.
    - Never had a problem logging into the machine before the mountain lion install, although to be honest it was very very rarely ever rebooted.
    - I've plugged it into ethernet and let it sit for quite some time. It's still telling me Network accounts are unavailable and I'm unable to login with my personal or admin account.

  • 10.7.3 Network accounts are unavailable.

    I installed Lion on my work computer yesterday from a USB drive and I got the message that "Network accounts are unavailable".  Today I updated to 10.7.3 hoping that might do the trick and still get the same message.  Any ideas of how I should deal with this?

    Well then you will need to Log back into the networked resources. How you go about that I'm not sure.
    Look in Users & Groups, Login Options, Network Account server. you will have to unlock that section and type in your local password.

  • Network accounts are unavailable - OS X Lion 10.7.4

    My OS X Lion 10.7.4 Mac is successfully bound to my MS DC. However, every time I reboot I keep receiving "Network accounts are unavailable" with a red dot, and after a few seconds it goes away.
    Has anyone experienced this kind of behavior, and how did you resolve it? I have searched around in Google but had no luck getting rid of this annoying message.
    I hope anyone would share their knowledge.
    Thanks.

    I do believe it's fairly normal... one of the crazy things about a fully cooperative multitasking OS, it can try to connect before the Interfaces are up & ready.
    Found a work-around. This command adds a delay, in this case 45 seconds, before displaying the Login Window.
    defaults write /Library/Preferences/com.apple.loginwindow StartupDelay -int 45
    If the Login Window UI detects that the network servers are available when it starts, it will skip the delay, also if network servers become available before the delay expires, the Login Window UI cancels the delay and displays.
    Kent
    http://discussions.apple.com/thread.jspa?messageID=10338123#10338123
