Re: [Fed-Talk] "Bad" Active Directory records as far as Mac OS X is concerned..?
- Subject: Re: [Fed-Talk] "Bad" Active Directory records as far as Mac OS X is concerned..?
- From: "Simon, Gary" <email@hidden>
- Date: Thu, 4 Sep 2008 16:15:14 -0600
Here is what I have tried so far:
- I have upgraded a computer to the latest 10.5.5 Apple seed. I still get the dscl error when trying to read the “broken” accounts. I am waiting to get one of the “broken” users to try to actually log in with the new seed.
- I unbound from Active Directory. Unchecked the box to map the User UID. Rebound to AD. Still got the dscl error on those particular accounts.
Gary
On 9/4/08 12:58 PM, "Gary Simon" <email@hidden> wrote:
I have submitted this as a bug to Apple, but I am curious to see if anyone else has seen this problem:
-------------------------------------------------------------------------------------------------------------------------------------
We are seeing an increasing number of our Active Directory users who are being locked out from logging into Mac OS X after their initial login. They are able to log in once, but after that they are no longer able to log in with their Active Directory credentials. If you look at their account after a failed login attempt in the Accounts preference panel (advanced options) you see that the User UID is now set to -2 (nobody user).
We are using mobile accounts on all of our Mac OS X computers.
These same users are able to log into a Windows XP computer in the same Active Directory domain with their same credentials, but cannot log into any Mac OS X system in the domain.
If you try to read the record using the dscl read command you get the following error message:
<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
You can see that the record exists by doing a dscl ls command on the users directory, but cannot read the actual record.
The user cannot log in even if the computer has been disconnected from the network as the cached record seems to be broken.
Comparing a "broken" user record to a "working" user record did not seem to shed any light on the problem.
-------------------------------------------------------------------------------------------------------------------------------------
Gary
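The two symptoms described in the thread (a record that `dscl` lists but cannot read, and a cached account whose UID has become -2) can be checked across a whole client with a short script. This is an added example, not part of the original messages; the node path passed as the first argument and the assumption that cached mobile accounts live in the local node `.` are mine.

```shell
#!/bin/sh
# Added example: report user records that `dscl -list` shows but `dscl -read`
# cannot open, and local accounts whose UID has become -2.
# Assumption: the caller supplies the directory node, for example
# "/Active Directory/All Domains" on a bound client.

# unreadable_users NODE
# Print each record name that is listed under /Users but whose read attempt
# returns eDSRecordNotFound (the error quoted in the message above).
unreadable_users() {
    node=$1
    dscl "$node" -list /Users | while IFS= read -r user; do
        [ -n "$user" ] || continue
        # Match on the error text rather than the exit status, and capture
        # both stdout and stderr because the stream is not stated in the thread.
        case $(dscl "$node" -read "/Users/$user" RecordName 2>&1 </dev/null) in
            *eDSRecordNotFound*) printf '%s\n' "$user" ;;
        esac
    done
}

# nobody_uid_users
# Print local-node accounts whose UniqueID is -2.
# Assumption: cached mobile accounts are stored in the local node ".".
# The built-in "nobody" account legitimately has UID -2 and is skipped.
nobody_uid_users() {
    dscl . -list /Users UniqueID |
        awk '$NF == "-2" && $1 != "nobody" { print $1 }'
}

# Run the audit only when a node path is given on the command line.
if [ $# -ge 1 ]; then
    echo "Listed but unreadable in $1:"
    unreadable_users "$1"
    echo "Local accounts with UID -2:"
    nobody_uid_users
fi
```

Run it with the node path as the only argument; names that appear in both lists match the pattern reported in this thread.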