Active Directory users are unable to log on to Apple computers running OS X 10.6 when the ‘Create mobile account at login’ box is ticked. The computer is bound to the domain and in the correct OU, and you can get user information from directory services with commands like id and su.
Common log messages you see around this issue:
com.apple.DirectoryServices[15] Enter machine password:
com.apple.DirectoryServices[15] DNS update failed!
SecurityAgent[735] Could not get user record for 'username' from Directory Services
SecurityAgent[735] User infor context values set for username
SecurityAgent[735] unknown-user (username) login attempt PASSED for auditing
SecurityAgent[735] Could not get the user record for 'username' from Directory Services
Work around:
To keep mobile accounts enabled (for users who are not always connected to the network for authentication), a mobile account needs to be created manually for each user of the computer.
The following should be run in a terminal window to do this:
cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources
sudo ./createmobileaccount -n username
sudo createhomedir -c -u username
http://discussions.apple.com/thread.jspa?threadID=2131654
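An added example, not part of the original post: a shell script that extracts the affected short names from log lines in the format quoted above and prints the workaround commands for each user without running them. The sample log lines and the function names (`sample_log`, `failed_users`, `workaround_plan`) are constructed for illustration.

```shell
#!/bin/sh
# Path and command names are taken from the post; everything else is illustrative.
CMA=/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount

# Constructed sample input in the message format quoted in the post.
sample_log() {
    cat <<'EOF'
com.apple.DirectoryServices[15] DNS update failed!
SecurityAgent[735] Could not get user record for 'jdoe' from Directory Services
SecurityAgent[735] unknown-user (jdoe) login attempt PASSED for auditing
SecurityAgent[735] Could not get the user record for 'jdoe' from Directory Services
SecurityAgent[801] Could not get user record for 'asmith' from Directory Services
SecurityAgent[802] Could not get user record for 'bad;name' from Directory Services
EOF
}

# Read log lines on stdin and print each distinct short name that
# SecurityAgent failed to look up (both wordings of the message).
# Names must start with an alphanumeric and contain only [A-Za-z0-9._-],
# so text taken from a log can never become an option or shell syntax.
failed_users() {
    sed -n "s/.*SecurityAgent\[[0-9]*] Could not get \(the \)\{0,1\}user record for '\([^']*\)' from Directory Services.*/\2/p" |
        grep -E '^[A-Za-z0-9][A-Za-z0-9._-]*$' |
        sort -u
}

# Read log lines on stdin and print (not execute) the two workaround
# commands for every affected user, for review before running them.
workaround_plan() {
    failed_users | while IFS= read -r user; do
        printf 'sudo %s -n %s\n' "$CMA" "$user"
        printf 'sudo createhomedir -c -u %s\n' "$user"
    done
}

# Stand-alone run against the constructed sample.
sample_log | workaround_plan
```

On a real machine, pipe the relevant system log into `workaround_plan` in place of `sample_log`.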
I'm having the same/similar issue with one user, only on this one machine. His account works on a 10.5 machine, a 10.6 that was upgraded from 10.5, and a 10.6 factory installed.
su130:Resources localmin$ sudo ./createmobileaccount -v -n jdoe -p SecretPassWord
createmobileaccount built Oct 16 2009 06:41:53
verbose output on.
user name = "jdoe"
home path = "(null)"
user password = "SecretPassWord"
prompt for password = FALSE
encrypt new home = FALSE
create as external account = TRUE
home sync new account = FALSE
effective home path = /Users/jdoe
*** authentication failed!
Using the same commands for a different user works...