Yes, that's a static map. Normally, the AD plugin auto-generates the UID based on some of the AD attributes. For your users who are finding a -2 value, is there any chance they are getting bad data from the directory? Is the value correctly mapped? If you look at their user record using ADSI Edit or even Workgroup Manager, can you tell if that field is being correctly populated? My guess is something is wrong with the attribute, or the mapping, and you could uncheck the box to map the UID, and your users could log in fine (assuming their cached credentials are cleared).
--DH

On Sep 4, 2008, at 4:19 PM, Simon, Gary wrote:

I’m mapping the UID to a field that was added to our Active Directory schema, which is our unix user id field. I guess you could call that static?

On 9/4/08 5:10 PM, "Daniel Hoit" <email@hidden> wrote:

Are you mapping the UID to a static attribute in Directory Access/Directory Utility?

--DH

On Sep 4, 2008, at 11:59 AM, email@hidden wrote:

I have submitted this as a bug to Apple, but I am curious to see if anyone else has seen this problem:

-------------------------------------------------------------------------------------------------------------------------------------

We are seeing an increasing number of our Active Directory users being locked out of logging into Mac OS X after their initial login. They are able to log in once, but after that they are no longer able to log in with their Active Directory credentials. If you look at their account after a failed login attempt in the Accounts preference panel (advanced options), you see that the User UID is now set to -2 (the nobody user).

We are using mobile accounts on all of our Mac OS X computers. These same users are able to log into a Windows XP computer in the same Active Directory domain with the same credentials, but cannot log into any Mac OS X system in the domain.

If you try to read the record using the dscl read command you get the following error message:

<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)

You can see that the record exists by doing a dscl ls command on the users directory, but you cannot read the actual record. The user cannot log in even if the computer has been disconnected from the network, as the cached record seems to be broken. Comparing a "broken" user record to a "working" user record did not seem to shed any light on the problem.
-------------------------------------------------------------------------------------------------------------------------------------

Gary

Daniel Hoit
System Management Solutions Group
Lawrence Livermore National Laboratory
Email: email@hidden <mailto:email@hidden>
Phone: 925.424.5256
Pager: 877.402.6321
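As an added example (not code from anyone in this thread), a small POSIX shell helper that triages cached mobile-account records for the symptom discussed above: it classifies each user's dscl output as unreadable (eDSRecordNotFound), mapped to the -2 "nobody" UID, missing a UID entirely, or OK. The record reader uses constructed sample output so it runs offline; the dscl node shown in its comment is an assumption about where cached records live on a given box.

```shell
#!/bin/sh
# Added example (not from the thread): triage cached AD mobile-account records
# for the symptom described above. Each record's dscl output is classified as:
#   NOT_FOUND   - record listed but unreadable (DS Error -14136 eDSRecordNotFound)
#   NOBODY_UID  - UniqueID resolved to -2 (the "nobody" user)
#   MISSING_UID - no UniqueID at all (the mapped AD attribute came back empty)
#   OK          - some other UniqueID was cached
classify_record() {
    rec=$(cat)
    if printf '%s\n' "$rec" | grep -q 'eDSRecordNotFound'; then
        echo NOT_FOUND
        return 0
    fi
    rec_uid=$(printf '%s\n' "$rec" | awk '/^UniqueID:/ { print $2; exit }')
    if [ -z "$rec_uid" ]; then
        echo MISSING_UID
    elif [ "$rec_uid" = "-2" ]; then
        echo NOBODY_UID
    else
        echo OK
    fi
}
# read_record NAME: on a real Mac this would be something like
#   dscl /Local/Default -read "/Users/$1" UniqueID 2>&1
# (assumed node for cached mobile accounts). Here it returns constructed
# sample output so the script runs offline.
read_record() {
    case "$1" in
        alice) printf 'UniqueID: 1234\n' ;;
        bob)   printf 'UniqueID: -2\n' ;;
        carol) printf '<dscl_cmd> DS Error: -14136 (eDSRecordNotFound)\n' ;;
        *)     printf 'RecordName: %s\n' "$1" ;;
    esac
}
# audit_users: reads user names from stdin (what a dscl ls of /Users lists),
# prints "name status" per user, and returns 1 if any record is not OK.
audit_users() {
    bad=0
    while read -r name; do
        [ -n "$name" ] || continue
        status=$(read_record "$name" | classify_record)
        echo "$name $status"
        [ "$status" = "OK" ] || bad=1
    done
    return $bad
}
# Usage: printf 'alice\nbob\ncarol\ndave\n' | audit_users
```

On a real system, replace read_record's body with the dscl call in its comment and feed audit_users the names from a dscl ls of the cached users node; a non-zero exit flags at least one record worth comparing against a working one.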