Problems Logging on with Network Accounts

Problems Logging on with Network Accounts

Ian B-4
Dear All,

I am experiencing issues with network users trying to log on to iMac machines running Mavericks on a wired network connecting to network home directories on a Windows 2008 server and managed by a Mac Server running 10.8.

The set up is:

Authenticate using network accounts hosted on a Windows 2008 AD server (wad.westminster.org.uk) with network homes located on another Win2008 server (fileserver.westminster.org.uk). There is also an XServe running 10.8.4 (wusod3.westminster.org.uk) which is being used to manage the Mac machines, e.g. log in window, etc. All other network services are performed by Windows servers, e.g. DHCP, DNS.

The user gets the message:

You are unable to log in to the user account "sam.jones" at this time.

Logging in to the account failed because an error occurred.

Logging in as a local admin user I managed to grab the following (abbreviated) from Console:


06/01/2014 07:11:53.745 SecurityAgent[17498] User info context values set for sam.jones
06/01/2014 07:11:53.745 SecurityAgent[17498] Unknown user "sam.jones" login attempt PASSED for auditing
06/01/2014 07:13:02.518 SecurityAgent[17649] User info context values set for sam.jones
06/01/2014 07:13:03.123 NetAuthSysAgent[17669] NAHSelectionAcquireCredential The operation couldn’t be completed. (com.apple.NetworkAuthenticationHelper error -1765328378 - acquire_kerberos failed [hidden email]: -1765328378 - Client ([hidden email]) unknown)
06/01/2014 07:13:03.263 authorizationhost[17656] ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://fileserver.westminster.org.uk/pupils/sam.jones, homedir=/home/sam.jones, name=sam.jones ) returned 13
06/01/2014 07:13:03.350 automountd[17658] mount of /home/sam.jones failed: Permission denied
06/01/2014 07:13:05.805 lsregister[17673] FolderManager: Failed looking up user domain root; url='file:///home/sam.jones/' path=- err=-1 uid=758929900 euid=758929900
06/01/2014 07:13:05.920 lsregister[17673] FolderManager: Failed looking up user domain root; url='file:///home/sam.jones/' path=- err=-1 uid=758929900 euid=758929900


Performing an nslookup on any of the servers returns the correct hostname and IP address.

The system previously worked fine when running Mountain Lion 10.8.2 through to 10.8.5 on the host machines without issue. These machines have just been upgraded to Mavericks and I have even tried the latest update to no avail. In a worst case scenario I could reimage them as Mountain Lion machines, but it would be nice to get it working with Mavericks as users would then have access to apps like iPhoto again.

Any pointers or help will be appreciated.

Regards,


Ian B

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      ([hidden email])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macos-x-server/lists%2Bs10970n2h62%40n7.nabble.com

This email sent to [hidden email]
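
An added example, not part of the original post or thread: a short Python triage of Console lines in the format quoted above. It decodes the Kerberos status as an offset into the krb5 error table (-1765328378 is offset 6, the "client principal unknown" KDC error, which agrees with the log's own "Client ... unknown" text), maps `returned 13` to its errno name, and pairs each home-mount failure with a Kerberos failure logged just before it. The sample lines, the placeholder principal and host, and the 5-second window are assumptions.

```python
import errno
import re
from datetime import datetime, timedelta

# Base of the krb5 com_err table; offsets 0..127 mirror the RFC 4120 error codes.
KRB5_BASE = -1765328384
KRB5_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

# Constructed sample in the Console format from the post (principal is a placeholder).
SAMPLE = """\
06/01/2014 07:13:02.518 SecurityAgent[17649] User info context values set for sam.jones
06/01/2014 07:13:03.123 NetAuthSysAgent[17669] NAHSelectionAcquireCredential The operation couldn't be completed. (com.apple.NetworkAuthenticationHelper error -1765328378 - acquire_kerberos failed user@REALM.EXAMPLE: -1765328378 - Client (user@REALM.EXAMPLE) unknown)
06/01/2014 07:13:03.263 authorizationhost[17656] ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://fileserver.example/pupils/sam.jones, homedir=/home/sam.jones, name=sam.jones ) returned 13
06/01/2014 07:13:03.350 automountd[17658] mount of /home/sam.jones failed: Permission denied
"""

LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3})\s+(\w+)\[\d+\]\s+(.*)$")
KRB = re.compile(r"acquire_kerberos failed .*?: (-\d+)")
MOUNT = re.compile(
    r"PremountHomeDirectoryWithAuthentication\(.*\bname=(\S+) \) returned (\d+)")


def decode_krb5(code):
    """Name a krb5 status code, or return None if it is outside the protocol range."""
    offset = code - KRB5_BASE
    if not 0 <= offset < 128:
        return None
    return KRB5_NAMES.get(offset, f"krb5 protocol error {offset}")


def parse(text):
    """Return (timestamp, process, message) tuples; tolerates '>' quote prefixes."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.lstrip("> ").strip())
        if m:
            ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events


def triage(text, window=timedelta(seconds=5)):
    """Pair each failed network-home premount with a Kerberos error just before it."""
    events = parse(text)
    findings = []
    for ts, _proc, msg in events:
        mount = MOUNT.search(msg)
        if not mount:
            continue
        kerberos = None
        for kts, _kproc, kmsg in events:
            k = KRB.search(kmsg)
            if k and timedelta(0) <= ts - kts <= window:
                kerberos = decode_krb5(int(k.group(1)))
        rc = int(mount.group(2))
        findings.append({
            "time": ts,
            "user": mount.group(1),
            "mount_errno": errno.errorcode.get(rc, str(rc)),
            "kerberos": kerberos,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['time']} user={f['user']} mount={f['mount_errno']} kerberos={f['kerberos']}")
```

A mount failure with `kerberos=None` means the SMB mount was refused without a logged ticket failure in the window, which is a different case from the one in the post.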
RE: Problems Logging on with Network Accounts

RICE, THOMAS
Do any initial login attempts on a machine work or none at all?

Can you double check permissions on the home directory share point just to make sure they are what they should be?

Have you tried mounting the home directory share logged in as local account from the Finder? If so does that work? My first thought would be that it is Mavericks' new implementation of SMB that is causing complications. If you cannot mount the home directory share from the Finder try changing the smb in the path to CIFS and see if that works.

tom


Re: Problems Logging on with Network Accounts

Ian B-4
Hi Tom,

Thanks for your reply.

Please see below...

On 6 Jan 2014, at 17:04, "RICE, THOMAS" <[hidden email]>
 wrote:

> Do any initial login attempts on a machine work or none at all?

I have managed to log in once or twice with my user account, but I am not sure why it worked on these occasions. I think I logged in as a local user first, but it is inconsistent as I tried that again and it failed.

>
> Can you double check permissions on the home directory share point just to make sure they are what they should be?

Permissions are fine I believe on the home directories and I can still log in on the ML machines which I haven't upgraded without issue. I did notice an inconsistency on a couple of accounts though, so I'm reassigning permissions on them just to be sure.

>
> Have you tried mounting the home directory share logged in as local account from the Finder? If so does that work?

I have tried this with my account and it appears to mount fine.

I have a note in the back of my mind that this occurred before and someone pointed out to me that it is because the home directory is in a different location than the previous user. I work in a school and have the pupil home directories hosted on one share and staff on another - does this ring any bells? I think the machines were caching details to speed up mounting the home folders on a server. I can't remember exactly, just a vague memory from the past. Either way, it still works fine in its current state when logging in using a ML machine.

> My first thought would be that it is Mavericks' new implementation of SMB that is causing complications. If you cannot mount the home directory share from the Finder try changing the smb in the path to CIFS and see if that works.

I thought this also, but I did manage to log on once or twice which is when I tested iPhoto and found that it works.

Regards,


Ian
>
> tom



RE: Problems Logging on with Network Accounts

RICE, THOMAS
I can tell you from our setup that one of the things that has consistently caused issues is the various SMB daemons in play: the one running on the client, the one on the Windows server, and the one on the SAN where our user home directories are stored. To put it simply, each one fights for control with no clear winner. This essentially causes the client to get confused and only remember the credentials of the last successful login attempt, which is usually the first user to log in on a client after a restart. The client in turn tries to use the permissions for that user on subsequent logins, thus causing them to fail. There's no way, that I know of, to specify which are the right set of credentials to use unless you use a third party piece of software (typically ADmitMac) to take control over all the conflicting SMB requests.

What we did is to force user home directories to be local (configurable in the AD plugin). This causes a local home directory to get created each time a user logs in on a client machine, in turn taking the SMB permissions out of the immediate equation. Using a login script we created redirects to the folders that we want to travel with the user (Desktop, Documents, etc). This process is transparent to the user and, with the exception of a few preferences here and there, all the information goes with the user and provides the same functionality as pure network home directories.

Why this would suddenly change for you after an upgrade to Mavericks, that I don't know. But it's something to consider.

tom

Re: Problems Logging on with Network Accounts

Ian B-4
Hi Olivier,

Thanks for your reply. Please see below:

On 6 Jan 2014, at 19:26, Olivier DUCROT <[hidden email]> wrote:

> Hi,
> did you try to authenticate directly on the server using DSCL before trying to authenticate to the AB Service?
>
> dscl localhost
> cd to the users directory (ex: cd /Active Directory/../Users ) you can use ls to navigate through directories
> authonly sam.jones

I can authenticate using dscl as above


> Your logs let me think that you are using Kerberos as authentication method, do you?
> Did you try to get a kerberos ticket for that user directly on the server using kinit?
>
> kinit sam.jones
> klist
>
> ex for me:
>
> olivier:~ ducrot$ kinit
> Password for [hidden email]:
> olivier:~ ducrot$ klist
> Ticket cache: FILE:/tmp/krb5cc_1025
> Default principal: [hidden email]
>
> Valid starting       Expires              Service principal
> 06.01.2014 20:24:34  07.01.2014 06:24:34  krbtgt/[hidden email]
> renew until 07.01.2014 20:24:28
>
> tell us ..

Authenticated with Kerberos as below:

Last login: Tue Jan  7 07:19:22 on ttys000
hostmachine:~ localadminuser$ kinit sam.jones
[hidden email]'s Password:
hostmachine:~ localadminuser $ klist
Credentials cache: API:67FD92E2-7ECC-497B-9AFC-37D9630DC79B
        Principal: [hidden email]

  Issued                Expires               Principal
Jan  7 07:23:08 2014  Jan  7 17:23:04 2014  krbtgt/[hidden email]


Cheers,


Ian


