Network accounts do not log in

Hi everyone,
Last month our Xserve G5 with Leopard Server, which controlled the user accounts in our computer labs, died. We replaced it with a Mac mini server (which includes Lion Server); by the way, this is the first server I have ever set up. During initial configuration the server was fully updated to Lion Server 10.7.3 and established as an OD Master. I didn't import anything from the old server, so all accounts, groups, preferences and everything else have been defined from scratch.
Everything was working well until I finished the setup and tried to connect from one of our Leopard client machines. I configured that machine in Directory Utility with the settings from the server, and the server responded just fine; the client set everything up automatically for authentication and contacts. Everything seemed normal until I logged out and tried to log in with one of the network accounts. The account will not log in; the login window just shakes and does nothing. Oddly enough, the login window says that network accounts are available (the captures are in Spanish).
When I log in again with a local admin account and check Directory Utility, in the Search & Mappings tab of the LDAP configuration I find these two red entries (UserAuthenticationData and OLCLDIFConfig). I don't know if this is related to the problem, but this is where I get stuck and don't know where else to go...
Any ideas?

I was able to activate the debug log on the Leopard client machine, but I don't know how to look at it from another machine via SSH... Could you explain the procedure a bit? Is it possible to try to log in as a network user and then, after the failure, log in as an admin account and check the log with Console?
Today I found out that Snow Leopard clients are also not able to log in... Similar problem in Directory Utility:
This is what I found in the log for this machine (tried to log in with two different accounts):
25/04/12 20:09:17          SecurityAgent[321]          User info context values set for XXX
25/04/12 20:09:18          authorizationhost[320]          Failed to authenticate user <XXX> (tDirStatus: -14103).
25/04/12 20:09:25          SecurityAgent[321]          User info context values set for YYY
25/04/12 20:09:25          authorizationhost[320]          Failed to authenticate user <YYY> (tDirStatus: -14103).
Couldn't find much about this in Google.
I'm starting to feel really disappointed about this!
(sorry for the delay in answering, been abroad...)
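The authorizationhost lines quoted above can be parsed mechanically rather than read one at a time. The following is an added example, not code from the original thread: it extracts the user and tDirStatus code from lines in the format shown and classifies a batch of failures by code. The name table maps a few codes to their DirectoryService constants as recalled from Apple's DirServicesTypes.h header (an assumption; verify against the header on a real system). The sample log is constructed from the four lines above plus one invented -14096 line for a third user, to show the contrast between a server-side code and a credential code.

```python
import re

# Subset of DirectoryService tDirStatus codes. ASSUMPTION: names recalled from
# Apple's DirServicesTypes.h; check them against the header before relying on them.
TDIRSTATUS_NAMES = {
    -14090: "eDSAuthFailed",
    -14096: "eDSAuthBadPassword",
    -14098: "eDSAuthUnknownUser",
    -14102: "eDSAuthNoAuthServerFound",
    -14103: "eDSAuthServerError",
}

# Codes that describe the directory server / binding rather than the typed password.
SERVER_SIDE_CODES = {-14102, -14103}
# Codes that describe the credential or the user record itself.
CREDENTIAL_CODES = {-14096, -14098}

# Console-style line: "<date> <time>   <process>[<pid>]   <message>"
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(
    r"Failed to authenticate user <(?P<user>[^>]+)> \(tDirStatus: (?P<code>-?\d+)\)"
)

# Constructed sample: the four lines from the post plus one invented -14096 line.
SAMPLE_LOG = [
    "25/04/12 20:09:17          SecurityAgent[321]          User info context values set for XXX",
    "25/04/12 20:09:18          authorizationhost[320]          Failed to authenticate user <XXX> (tDirStatus: -14103).",
    "25/04/12 20:09:25          SecurityAgent[321]          User info context values set for YYY",
    "25/04/12 20:09:25          authorizationhost[320]          Failed to authenticate user <YYY> (tDirStatus: -14103).",
    "25/04/12 20:10:02          authorizationhost[320]          Failed to authenticate user <ZZZ> (tDirStatus: -14096).",
]


def parse_auth_failures(lines):
    """Return one dict per authorizationhost failure: when, user, code, name.

    SecurityAgent and other processes' lines are skipped; only lines carrying a
    tDirStatus code are reported, so the result is already the failure list.
    """
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("proc") != "authorizationhost":
            continue
        f = AUTH_FAIL_RE.search(m.group("msg"))
        if not f:
            continue
        code = int(f.group("code"))
        failures.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "user": f.group("user"),
            "code": code,
            "name": TDIRSTATUS_NAMES.get(code, "unknown"),
        })
    return failures


def users_by_code(failures):
    """Group the distinct users behind each tDirStatus code."""
    grouped = {}
    for f in failures:
        grouped.setdefault(f["code"], set()).add(f["user"])
    return grouped


def diagnose(failures):
    """Classify a batch: 'server_side', 'credential', 'mixed' or 'none'.

    The same server-side code for several different users points at the
    directory server or the client's binding rather than at any one password.
    """
    if not failures:
        return "none"
    codes = {f["code"] for f in failures}
    if codes <= SERVER_SIDE_CODES:
        return "server_side"
    if codes <= CREDENTIAL_CODES:
        return "credential"
    return "mixed"


if __name__ == "__main__":
    found = parse_auth_failures(SAMPLE_LOG)
    for code, users in sorted(users_by_code(found).items()):
        print(f"{code} {TDIRSTATUS_NAMES.get(code, 'unknown')}: {sorted(users)}")
    print("verdict:", diagnose(found))
```

Run it against the output of `syslog` or Console's export for the client; the two -14103 lines for different users group together, which is the kind of pattern worth checking before resetting any passwords.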

Similar Messages

  • ApacheDS (LDAP) Network Accounts Never Can Login

    I have been fighting with LDAP via ApacheDS for days attempting to get Mavericks to actually authenticate against the LDAP server.
    Here is the path that I have taken:
    ApacheDS is setup with simple authentication (disabled everything else for the moment after attempting to login every which way).
    Here is an example of the LDAP setup:
    dc=example,dc=com
    ou=users
    uid=username
    cn=Full Name
    sn=Name
    displayName=FullName
    userPassword=hash
    uid=username
    ou=groups
    cn=Users
    cn=Administrators
    Then I went to Users and Groups, Allow network users to login is checked
    Joined a Network Account Server
    (When looking at edit, it shows a green indicator)
    I setup a custom mapping under LDAPv3 which contains:
    Search Base: ou=users,dc=example,dc=com
    Users: inetOrgPerson
    AuthenticationAuthority: uid
    NFSHomeDirectory: #/Users/$uid$
    PrimaryGroupID: #20
    RealName: cn
    RecordName: uid
    UniqueID: uid
    UserShell: #/bin/bash
    I can see the information in the Directory Editor from the LDAP server, Search Policy has the network accounts right after the local accounts.
    When attempting to login, it just shakes... Here are the only items that I can see in the opendirectoryd.log:
    2014-01-04 10:26:50.785452 CST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'
    2014-01-04 10:27:06.734300 CST - 22.805 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
    2014-01-04 10:27:06.734300 CST - 22.805, Module: ldap - failed to retrieve LDAP server schema - LDAP error - 50
    2014-01-04 10:27:07.031977 CST - 22.823.826 - Client: opendirectoryd, UID: 0, EUID: 0, GID: 0, EGID: 0
    2014-01-04 10:27:07.031977 CST - 22.823.826, Node: /LDAPv3/example.com, Module: ldap - __odnode_copy_record_block_invoke: 4101 No predicates provided
    Anyone have any ideas?

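The custom LDAPv3 mapping in the ApacheDS post uses Directory Utility's two kinds of values: a bare LDAP attribute name, and a `#` literal in which `$attr$` is replaced by that attribute's value. The following is an added example, not code from the post or from Apple: it resolves such a mapping against a constructed LDAP entry (built from the post's schema sketch, plus a uidNumber/posixAccount that the post does not have) and then checks the resulting record for what a POSIX user needs, since macOS uses UniqueID and PrimaryGroupID as the numeric uid and gid. The `FIXED_MAPPING` and the helper names are assumptions for illustration.

```python
import re

# The custom LDAPv3 attribute mapping as typed into Directory Utility in the post
# (Open Directory attribute -> LDAP attribute name, or "#literal").
POSTED_MAPPING = {
    "AuthenticationAuthority": "uid",
    "NFSHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "#20",
    "RealName": "cn",
    "RecordName": "uid",
    "UniqueID": "uid",
    "UserShell": "#/bin/bash",
}

# ASSUMPTION (illustration only): same mapping, but UniqueID taken from a numeric
# posixAccount attribute instead of the textual uid.
FIXED_MAPPING = dict(POSTED_MAPPING, UniqueID="uidNumber")

# Constructed entry following the post's schema sketch. uidNumber and the
# posixAccount objectClass are added here for the fixed mapping; they are not in the post.
SAMPLE_ENTRY = {
    "dn": ["uid=username,ou=users,dc=example,dc=com"],
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "uid": ["username"],
    "cn": ["Full Name"],
    "sn": ["Name"],
    "displayName": ["FullName"],
    "userPassword": ["{SSHA}hash"],
    "uidNumber": ["1001"],
}

VAR_RE = re.compile(r"\$([A-Za-z][\w-]*)\$")


def resolve_attribute(mapping_value, entry):
    """Resolve one mapping value the way Directory Utility treats it.

    '#text' is a literal; each $attr$ inside it is replaced by the first value
    of that LDAP attribute. Any other value names an LDAP attribute whose
    values are passed through unchanged (possibly none).
    """
    if mapping_value.startswith("#"):
        def substitute(match):
            values = entry.get(match.group(1), [])
            if not values:
                raise KeyError(f"entry has no {match.group(1)!r} to fill {mapping_value!r}")
            return values[0]
        return [VAR_RE.sub(substitute, mapping_value[1:])]
    return list(entry.get(mapping_value, []))


def resolve_record(mapping, entry):
    """Build the Open Directory record that the client would see for this entry."""
    return {od_attr: resolve_attribute(value, entry) for od_attr, value in mapping.items()}


def check_record(record):
    """Return the problems that stop this record from being a usable POSIX user."""
    problems = []
    for attr in ("UniqueID", "PrimaryGroupID"):
        values = record.get(attr, [])
        if len(values) != 1 or not values[0].isdigit():
            problems.append(f"{attr} must resolve to exactly one integer, got {values!r}")
    for attr in ("RecordName", "NFSHomeDirectory", "UserShell"):
        if not record.get(attr):
            problems.append(f"{attr} resolved to nothing")
    for attr in ("NFSHomeDirectory", "UserShell"):
        values = record.get(attr, [])
        if values and not values[0].startswith("/"):
            problems.append(f"{attr} must be an absolute path, got {values[0]!r}")
    return problems


if __name__ == "__main__":
    for label, mapping in (("posted", POSTED_MAPPING), ("fixed", FIXED_MAPPING)):
        record = resolve_record(mapping, SAMPLE_ENTRY)
        print(label, record)
        print(label, "problems:", check_record(record) or "none")
```

The resolver only models the mapping syntax; it does not talk to a directory. Feed it the entry as returned by `ldapsearch` for a test user and compare the resolved record with what `dscl /LDAPv3/example.com -read /Users/username` shows on the client.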

  • After recent upgrade one of my accounts will not login

    Sending of password for user ******at.gmail.com did not succeed. Mail server pop.gmail.com responded: Web login required: https://support.google.com/mail/bin/answer.py?answer=78754
    Since the upgrade last week I am getting this constantly for one of my accounts. I have 42 email accounts and all have lived happily in Thunderbird for some years, but despite lowering the security in Gmail and changing the password, Thunderbird still has a problem with just this one account.
    Any suggestions?

    Maybe check with the app developer and ask if their app works with iOS8? Otherwise you might want to identify the app if you would like some help with troubleshooting. Others can then tell you if it is working on their devices.

  • Mountain Lion Server network accounts are not mounting the network home directory; rather, it's creating a blank local directory

    I have set up a scratch Mountain Lion server with Open Directory. I copied over the old user account directories and added my users to match the directory IDs. Currently, if a networked user logs into a networked computer, instead of mounting the network home directory, it's creating a local home directory. Suggestions?
    thanks,
    Dave

    Additional info: it appears that certificates are not working either: setting up ical: "the certificate for this server was signed by an unknown certifying authority."...

  • Network accounts freeze at login

    I have a lab with a mix of 10.4 and 10.5 machines connected to a Leopard server. Throughout the day, when users log in, the login screen locks up and users are forced to restart the computer. After they restart the computer they are able to log in. The machines are connected to a server that is set up as an Open Directory master.

    Hi There,
    We still have that problem with 10.5 clients only. See my previous post
    http://discussions.apple.com/message.jspa?messageID=8613415#8613415
    Let me know if you find a fix, I have almost given up on this one.
    Kevin

  • Cannot login into network accounts when there is no network connectivity

    Hey guys
    quick question here if anyone can help.
    What has been done: backed up the user's home folder, bound the Mac to AD, logged in as the user's AD name, copied everything from the backup into the new user's home folder; users can work flawlessly.
    What is wrong is when they leave the office, after a few hours they cannot login anymore to their AD username. Is there something i missed?
    The network accounts do not appear in system preferences.
    Thanks

    On your client machine login screen, type in ">console" (without quotes) in the username field and hit enter. Try and login with your network account username and password. What error messages do you get in console?
    Taylor

  • Local login capability for network accounts?

    Hi all,
    I'm setting up a local network at an office servicing about 20 different client machines (mostly just MacBooks). The goal of this is to accomplish some basic administrative tasks, such as checking the status of/enforcing disk encryption, password strength policies, caching software updates, etc.
    Currently everyone is logging onto their machines locally and ideally we could have them merged into network accounts through a box that we have running OS X Server. I've got that set up and working with test accounts, but given that our users sometimes are working off-site or from home, I need a solution that could allow people access to their accounts when the server is unavailable (any time they are not on our local network). Is this possible? Are there any other workarounds that aren't too awkward?
    Thanks!

    There are three main types of user account.
    Local only - defined on the local machines with files being stored on the local machine
    Network only - defined on a server with files being stored on a server
    Mobile account aka. Portable Home Directories - defined on a server but when user first logs in to a Mac configured for this type of account their account is copied to the Mac along with their home directory, and thereafter password changes are synchronised between the server and Mac
    Most often Mobile accounts are used with laptops but this is not compulsory.
    You will need to use ProfileManager to manage the Macs and be able to configure a group of Macs to use Mobile Accounts. This is under Mac only - Mobility, and you want to then configure "Create Mobile Account when user logs in to Network Account".
    Note: With older OS versions you could set this up with Workgroup Manager and Managed Preferences but Mavericks needs you to do this via ProfileManager. ProfileManager is however backwards compatible with Lion and Mountain Lion versions.

  • Lion 10.7.3 and Kanaka 2.7 "no network accounts available"

    Server is OES2SP3 on SLES10.4. Kanaka 2.7 installed and configured,
    OS10.6 clients have no trouble authenticating via plugin and all
    expected volumes mount.
    On iMacs running OS X 10.7.3, installing the plug-in and configuring
    it results in a successful authentication test in the Directory Utility.
    However, on bootup the login screen shows a red flag next to the
    username and the message "network accounts are not available".
    If we authenticate as a local user, command-k will successfully
    connect to the server and mount volumes as desired. I have checked
    afptcpd.conf on the server and verified that AUTH_NAM is set to DHX2
    Any suggestions on where to look next?
    Thanks,
    DG

    DeVern,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Time Machine Backups Accessible to Network Accounts?

    So I've decided to scrap portable home directories in our office and switch to network accounts for all but one user (she uses both an iMac and a MacBook Air). Everyone has an iMac at their desk and I have two Mac Mini servers running Mountain Lion Server. Server A runs DNS, directory services (and holds all user accounts), filesharing, etc. Server B runs netinstall, filesharing, and Time Machine (connected to a G-RAID fw800). Server A backs up to the G-RAID through Server B. Server B also backs up to the G-RAID.
    The first thing I discovered while testing the new configuration (no local users on the iMacs) is that network accounts do not support file history in iWork documents. You can revert to a previous version of a document using pages as long as it's open but once you close it, there's no more history. I figure, that's ok. They can use Time Machine to browse previous versions of their files. Not so...
    I can enable time machine, select the network disk, and authenticate with the user's password. When it tries to perform a backup, it fails, saying it cannot find the disk. I'm skeptical that it would work even if it could connect, since it would only make a backup of the client computer's local account (right?).
    I can add the network mount for the time machine backups to the users' docks since the open directory server backs up, but they have to navigate through a forest of confusing folders to find what they're looking for. This is pretty much the exact path:
    network>server A>backup>backups.backupdb>server HD>2013-10-03-162217>server hd>users>rachel>documents>thatfileyouneed.pages
    There's got to be a better way to do this.
    I want Rachel to be able to sit down at her desk, log in, and work on her files (mainly pages and numbers files). I'd like for her to be able to revert back to a previous version of her file without having to navigate through a maze of folders. Her workstation, when logged out, has nothing of value stored on it.
    TL;DR - Can network users logged into an account held on a server, that's backed up through another server, click on the time machine icon and browse their files? Is there a way to get file history working on a network account?
    Oh, and the stupid trackpad>natural scrolling settings keep resetting every time I log the test machine into her account on the server. What's up with that?

    Time Machine icon in the dock will not do anything unless Time Machine is enabled.
    Check the box marked Show Time Machine in menu bar in the preference pane. You do not have to enable TM to do that. The menu item will be grayed, but you can still hold down the option key and select Browse Other... All valid local TM volumes will appear in the list that opens, including disk images that are hosted on a network volume but mounted locally.
    when the drive where the backups are stored is selected, clicking the icon (even an option click) throws up an error message.
    That's a separate issue. How did you set up this volume as a backup destination? How are you backing up local files on the clients now?

  • Can not login to a network account.

    I don't typically support Macs, but I have a client with an odd issue that I can not solve.
    He has a Macbook Pro with OSX 10.6.
    He logs in using his network account, authenticating against an OSX 10.5 server.
    When he tries to log in, it appears as if he has a bad password.
    His account is able to login just fine on other Macbooks in the company. (So I'm assuming his network account and password are fine)
    Other users are able to log into HIS MacBook just fine, including new accounts that have never before logged into this MacBook. (So I assume his MacBook is communicating just fine with the OS X server.)
    When I go into the accounts list in the Macbook, his account is not there. It's missing.
    If I try to create an account with his name, I'm told the account already exists.
    We ran diskutility to repair the permissions on the drive, but this did not fix the issue.
    Any ideas?
    On the Windows support side I would simply rebuild the user's profile... I'm not sure what the equivalent is on the Mac side.

    I'm having a similar problem. Could you let me know how to eliminate the mobile account using the command line?
    Thanks!

  • Cannot login to network account (leopard client and server)

    Up until now, I have used local accounts on my leopard server. I want to start experimenting with OD prior to implementing. I created a new user account in the /LDAPv3/127.0.0.1 domain, and have bound my leopard client to the server using directory utility. On the login screen, "Network Accounts Available" has a green button to the left of it. When I try and login to the server account, the login window just shakes. At first, I could enter the password and then it would prompt me for a new password. Trying to enter a new password would not allow me to login. I went back to server admin and disabled the "require new password" setting, (as well as the other good security policies)...
    I have also reset the password in WGM, and made sure to disable all the security stuff there too...
    Lastly, I have deleted the server in directory utility, rebooted, then added it back in, and rebooted again...
    I still cannot login to the server account, the login screen just shakes
    Does anyone have an idea of what settings and or logs I can check to try and narrow down what is going on?
    Thanks in advance....

    to close out the thread, I have working dns on my network, but I did not have dns enabled on my server. I enabled the dns service and entered just the info for my server, then assigned my server and client to use the server's ip addy as the primary dns server. Next, I created the home directory.
    Once both steps were done, I was able to log in from my client to my server based account...
    FYI-I found a document on afp548.com called "leopard server: advanced setup, rsync backup and automated reporting" that walks you right thru the process...Here is the link, it's a very useful doc....
    http://www.afp548.com/filemgmt_data/files/Leopard%20Server%20Quickstart%20Guide.pdf
    thanks again boomboom_uk and woVi, your suggestions were spot on....

  • One iMac cannot login to network accounts

    We have a small network with Lion (10.7.5) Server running on a Mac Pro and a variety of 8 iMacs and Mac minis that use the server for file sharing and network accounts. The client Macs are running a mix of Mountain Lion (10.8) and Mavericks (10.9). They have all 'joined' the 'Network Account Server' using the 'Login Options' section of the Users & Groups preference pane. And, except for one iMac, all the clients can log into network (or mobile) accounts from the server -- both ones that have previously been logged into on that machine and ones that haven't. However, one of the iMacs will not log into a network account. There are a few local accounts and logging into them is no problem. But every time we try to log into a network account on this iMac, the login dialogue just does the 'invalid login' shake. It seems not to check the login credentials with the server.
    As far as I can tell, this iMac is set up the same as all the others. It is certainly joined the Network Account Server and there is a green dot by the server name in the Users & Groups preference pane. I have removed and re-added the server from there a few times, and I've even reinstalled Mavericks on this iMac (it is running 10.9.2). I haven't been able to find anything that has helped to solve this problem. Does anyone know why one iMac would refuse to use the network logins from the server when the others work? Or what I can do to gain further information?
    Many thanks.

    On your client machine login screen, type in ">console" (without quotes) in the username field and hit enter. Try and login with your network account username and password. What error messages do you get in console?
    Taylor

  • Cannot login to network accounts from client computer

    Hi. I'm setting up my first OS X Server setup for home use...I'm not creating a very complicated setup, but I've been working through the setup one step at a time.
    Right now, I'm just running the DNS, File Sharing, and Open Directory services. I setup a couple of Network User accounts, and I wanted to try using one of the accounts to log in to a Mac client (running Mountain Lion) on the network. When the machine first comes up, I get a message that says 'Network Accounts Unavailable,' and if I try to log in, I get the error message saying 'You are unable to log in to the user account "xxxxx" at this time. Logging in to the account failed because an error occurred.'
    If I stop and restart the Open Directory service, I get the following messages in the Open Directory Log:
    2013-02-15 09:11:01.017801 EST - Unregistered node with name '/LDAPv3/127.0.0.1'
    2013-02-15 09:16:19.139744 EST - Registered subnode with name '/LDAPv3/127.0.0.1'
    Not sure if this is the source of the problem, but these are the only messages that are coming up if I turn the Open Directory off and then on again.
    If anyone has any experience with this, or any suggestions, I'd greatly appreciate it!
    Thanks!
    If it helps:
    Running OS X Mountain Lion (10.8.2) with Server (v2.2.1)
    Client Machine is a VMWare Fusion VM Running Mountain Lion (10.8.2)

    On your client machine login screen, type in ">console" (without quotes) in the username field and hit enter. Try and login with your network account username and password. What error messages do you get in console?
    Taylor

  • Can't Login With Network Account After Upgrade To Yosemite Server 4

    I've been putting off this troubleshooting for a while now, and after trying everything I could find, decided to post.
    - After upgrading my server to Yosemite with Server 4, and my MacBook to Yosemite, I can no longer login with any network accounts.
    - I was on clean installs of Mavericks before the upgrade.
    - I'm using SSL for the OD, with a GoDaddy cert, the same one that was working on Mavericks.
    - I've tried removing the laptop's binding using the Users and Groups preferences dialog, which does not remove the laptop's entry from Open Directory, so I manually deleted the record on the server.
    - I then choose to Join again, and it looks as though everything goes through, but I still cannot login with a network account.  Also, when rejoining, it does not create a binding on the server.
    - If I use the Directory Utility->Services->LDAPv3, and add it that way, entering the FQDN and checking Encrypt..., Use for auth and Use for contacts, it asks me for the directory admin username and password, and does in fact create the binding on the server, but I still cannot login.  What's strange about that method, is that it forces the use of the IP address of the server, rather than the FQDN, like I entered it, which would of course have problems, because the certificate's common name is the server's FQDN.  It does not allow me to change from using the IP address, graying out that field.
    - I've also tried destroying the OD and restoring from archive to no avail.
    It looks like many users have hit dead ends with this, with some having success by completely formatting and setting up a new iteration of the server, but I will not be doing that.  However, I'll be happy to try any other suggestions.
    Thanks for your time,
       -- Mike

         Okay, I've finally resolved the issue, thanks to the Apple Enterprise tech support team.  I'm thinking they wouldn't mind if I share this information, but I can't guarantee that this will work on your system or, worse yet, degrade your system further.  However, that's fairly unlikely, just make sure you have plenty of backups before you begin any troubleshooting session.
         So I was told to perform the following instructions, which I did, line for line.  The part about closing Server.app seems a given, but I'm not sure why they want you to open Server.app at the the end (maybe taken out of context from some other instructions?).  I did it anyway, but you should be able to begin testing, on a client workstation, right after rekerberizing is complete.  I did, however, need to reboot my client, login as local admin, and then binding would proceed, and network users are able to login again.  The engineer also let me know to expect an error, something like the following: "2015-03-11 21:58:38 +0000 Error synchronizing removal of attribute draft-krbPrincipalACL from record 72519e4c-7ac7-15e4-bd42-10adb1944cbc: 77013 result: 16 No such attribute" - this is apparently normal, and did in fact happen in my experience.
    So here's the fix:
    - Quit Server.app (don’t just close the window)
    - On the Open Directory Server, execute these Terminal commands:
      - sudo mkdir /var/db/openldap/migration/
      - sudo touch /var/db/openldap/migration/.rekerberize
      - sudo slapconfig -firstboot
    - Open Server.app
    And that's it.  I did nothing else on my OD server, just logged out.  Immediately tried binding on my MacBook client, it failed, I rebooted, tried again, it worked quickly, and I'm able to login with network user accounts again.

  • Cant login multiple network accounts on the same client?

    Setup:
    I have created a simple Lion Server on a new i7 Mac Mini. I have configured Open Directory in Master mode and have setup 4 user accounts. I have enabled the File Sharing service and checked the "Make available for home directories" option on the "Users" file share. I have configured each of the 4 user accounts to use this location as the home folder. I have connected my client machines (all OSX Lion) to the Network Account Server.
    Problem:
    I can log one user into the client machine, but when using "Fast User Switching" and logging on as the second user I get the following error:
    "You are unable to log in to the user account "guestaccount" at this time. Logging in to the account failed because an error occurred."
    In the console if I search for that user account the related error message is:
    11-07-31 12:30:54.993 PM authorizationhost: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=afp://inntaserver01.local/Users, homedir=/Network/Servers/inntaserver01.local/Users/guestaccount, name=guestaccount ) returned 16
    Any thoughts as to why the Home Folder "mounter" failed in this scenario?

    Historically you have never been allowed to use Fast User Switching to log in multiple network logins on the same client machine. This certainly applied with Tiger, Leopard, and Snow Leopard. I have not yet personally tried this with Lion.
    I believe that the underlying reason for this not being allowed is down to how AFP volumes are mounted. The AFP mount becomes 'owned' by the user that triggers the login. With a network login the first user becomes the owner and this means subsequent attempted network logins are denied access to that share and hence cannot access their home directories.
    With Tiger, Leopard, and Snow Leopard servers, one could configure network home directories to be shared via NFS instead of AFP. NFS gets treated a lot different in terms of mounting, and is done more at a system level than a user level. While again I have not personally tried Fast User Switching with NFS shared home directories, this approach is specifically recommended by the authors of AquaConnect (a Macintosh Terminal Server solution) in order to allow multiple logins on the same Terminal Server. This seems to be for the same underlying reason. Using NFS does certainly work for use with AquaConnect and also works for the competing iRAPP Terminal Server product as well.
    Unfortunately, Lion Server while it can be made to run an NFS server, will not let you configure using NFS for sharing home directories. I have actually reported this as a 'bug' in Lion server.
    Neither the authors of AquaConnect or iRAPP have actually tested this scenario with Lion server yet, but AquaConnect do plan to investigate it. It could make it considerably more difficult to use their products.
    So in summary, using NFS to share network home directories in theory would avoid the problem and can be done with a Tiger/Leopard/Snow Leopard server, but cannot be done with a Lion server. It is possible however to mix Lion with older server versions. This might for some people be a possible workaround.
    PS. A bonus side-effect of using NFS shared home directories was that this allowed badly written software like Adobe's applications, which are otherwise notorious for having major issues with network logins and home directories, to work without errors. As an example, Adobe Acrobat Pro introduced a bug in version 7.0 which prevented it being able to print-to-PDF (one of the major reasons to buy Acrobat Pro). It took two years for them to eventually fix this in Acrobat Pro 8.1 (I know because I spent that two years nagging them to fix it and was a beta tester). Unfortunately they then reintroduced the bug in Acrobat Pro 9.0. Fortunately I discovered this side-effect got round the issue, although a clunkier workaround was also possible for Snow Leopard clients by redirecting certain folder paths.
