# cannot login using domain credentials



## gandalf01 (May 31, 2007)

O.K., so I now have my MacBook Pro bound to the domain. It has a computer account viewable in the Active Directory. Great!
However, after this I then expected to be able to enter my domain credentials at the OS LoginWindow instead of logging on using a local account, but it won't work... anyone know what may be the problem here?

MacBook Pro running OSX 10.4.9 bound to MS Active Directory on Windows 2003 server.

Thanks in advance


----------



## Giaguara (May 31, 2007)

Applications > Utilities > Directory Access

Is Active Directory ticked in that application? Click on the lock to be able to check and edit settings if needed. When the lock is open, double-click on Active Directory to open its settings. What is the Active Directory Domain? Does that look correct there?
There is also Show Advanced Options below, so: create mobile account (do you want that on or off?), mappings, and administrative settings. Something in the settings for Active Directory could be incorrect.

If you change any settings, restart the Mac after and try again. Does it work then or will it still occur?


----------



## gandalf01 (Jun 5, 2007)

Giaguara said:


> Applications > Utilities > Directory Access
> 
> Is Active Directory ticked in that application? Click on the lock to be able to check and edit settings if needed. When the lock is open, double-click on Active Directory to open its settings. What is the Active Directory Domain? Does that look correct there?
> There is also Show Advanced Options below, so: create mobile account (do you want that on or off?), mappings, and administrative settings. Something in the settings for Active Directory could be incorrect.
> ...


Have checked the Directory Access settings and there are entries in the Active Directory Forest and the Active Directory Domain fields.
Under the Authentication tab it is set to Custom path; under Directory Domains there is /Netinfo/DefaultLocalNode, which is greyed out, and below that it says /Active Directory/All Domains.
When I attempt to login at the OSX LoginWindow, the window just 'shakes'. I do not get an error at all. I'm not sure it's communicating with the AD to authenticate; it seems too quick to refuse the credentials.
The computer does still remain bound to the domain and has a computer account in the Workstations OU on the AD.
Does anybody have any ideas why I can't log into OSX using AD login details?


----------



## gandalf01 (Jun 11, 2007)

Just to let you know, I can now log into my 'bound' Mac using my domain credentials by unchecking the option: 'Allow authentication from any domain in the forest' which can be found in the Active Directory plug-in in Directory Access.


----------



## tomikat2001 (Jun 19, 2008)

None of the above has worked for me. I have even tried to unbind from the Active Directory Domain and bind back to the domain. This did not work either. Can someone assist me with this problem?


----------



## Giaguara (Jun 19, 2008)

Tomikat, are you using Mac OS X *10.5*?
In this case this will be done differently:

Open Directory Utility and click Services.

If the lock icon is locked, unlock it by clicking it and entering the name and password of an administrator.
In the list of services, select Active Directory and click the Edit (/) button.
Enter the DNS name of the Active Directory domain you want to bind to the computer you're configuring.
The administrator of the Active Directory domain can tell you the DNS name to enter.

If necessary, edit the Computer ID.
The Computer ID is the name by which the computer is known in the Active Directory domain, and it's preset to the name of the computer. You might change this to conform to your organization's established scheme for naming computers in the Active Directory domain. If you're not sure, ask the Active Directory domain administrator.

(Optional) Set advanced options.
If the advanced options are hidden, click Show Advanced Options and set options in the User Experience, Mappings, and Administrative panes. You can also change the advanced option settings later.

Click Bind, authenticate as a user who has rights to bind a computer to the Active Directory domain, select the search policies you want Active Directory added to (see below), and click OK:
- Username and Password: You may be able to authenticate by entering the name and password of your Active Directory user account, or the Active Directory domain administrator might need to provide a name and password.
- Computer OU: Enter the organizational unit (OU) for the computer you're configuring.
- Use for authentication: Use to determine whether Active Directory is added to the computer's authentication search policy.
- Use for contacts: Use to determine whether Active Directory is added to the computer's contacts search policy.
When you click OK, Directory Utility sets up trusted binding between the computer you're configuring and the Active Directory server. The computer's search policies are set according to the options you selected when you authenticated, and Active Directory is enabled in Directory Utility's Services pane.

With the default settings for Active Directory advanced options, the Active Directory forest is added to the computer's authentication search policy and contacts search policy if you selected "Use for authentication" or "Use for contacts."

However, if you deselect "Allow authentication from any domain in the forest" in the Administrative advanced options pane before clicking Bind, the nearest Active Directory domain is added instead of the forest.

You can change search policies later by adding or removing the Active Directory forest or individual domains.

(Optional) Join the server to the Active Directory Kerberos realm.
On the server or an administrator computer that can connect to the server, open Server Admin and select Open Directory for the server. Click Settings, then click General. Click Join Kerberos, then choose the Active Directory Kerberos realm from the pop-up menu and enter credentials for a local administrator on this server.

WARNING: Advanced options of the Active Directory plug-in can map the Mac OS X unique user ID (UID), primary group ID (GID), and group GID attribute to the correct attributes that have been added to the Active Directory schema. If you change the setting of these mapping options later, users might lose access to previously created files.
IMPORTANT: If your computer name contains a hyphen you may not be able to join or bind to a Directory Domain such as LDAP or Active Directory. To establish binding, use a computer name that does not contain a hyphen.


----------



## xexen (Aug 26, 2009)

On our network we have had users that used to be able to login to their computers stop being able to login. (Login window shakes like they entered the wrong password or username)

This is how I have fixed these issues:

If your machine is bound to Active Directory and your managed mobile user cannot login but other users can try these fixes:

Tiger (10.4):

Run /Applications/Utilities/NetInfo Manager.app, browse to Users and look for duplicate entries. Remove one of the duplicates. Whatever users are having problems logging in, remove that username from NetInfo Manager. Save and exit NetInfo Manager. Now try to login as the problem user. You should be able to login now. Sometimes account lockouts are caused by the "Property" of "authentication_authority" having the "Value" of ";DisabledUser;", which would keep that user from showing up in System Preferences - Accounts.

Leopard:

Run as administrator the command:

```sh
rm -rf /private/var/db/dslocal/nodes/Default/config/Kerberos:*.plist
```

If after the previous command you find that you still can't login, run the command:

*** Substitute $username for the problem username

```sh
dscl localhost -delete /Local/Default/Users/$username
```

Hope these instructions help someone.

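As an added example that is not part of the thread, the following POSIX sh script checks the three things the posts above turn on: whether "Allow authentication from any domain in the forest" is enabled in the AD plug-in, which Active Directory node is actually on the authentication search path (the whole forest versus the nearest domain, as Giaguara's post explains), and whether a local user record carries the `;DisabledUser;` marker xexen mentions. The output formats of `dsconfigad -show` and `dscl` are assumed to match the 10.5-era tools, and every sample below is constructed.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Parses copies of the output of
# `dsconfigad -show`, `dscl /Search -read / CSPSearchPath` and `dscl . -read
# /Users/NAME AuthenticationAuthority`; formats assumed 10.5-era, samples constructed.

# Constructed `dsconfigad -show` excerpt: forest-wide authentication is on.
DSCONFIGAD_SAMPLE='You are bound to Active Directory:
  Active Directory Forest          = corp.example
  Active Directory Domain          = corp.example
Advanced Options - Administrative
  Authentication from any domain   = Enabled'

# Constructed authentication search path: the whole forest, as in the thread.
SEARCHPATH_SAMPLE='CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains'

# Constructed local user record carrying the lockout marker xexen describes.
AUTHAUTH_SAMPLE='AuthenticationAuthority: ;DisabledUser; ;Kerberosv5;;user@CORP.EXAMPLE;CORP.EXAMPLE;'

# Value of "Authentication from any domain" (Enabled/Disabled), empty if absent.
forest_auth_state() {
    printf '%s\n' "$1" | sed -n 's/^ *Authentication from any domain *= *//p' | head -n 1
}

# Active Directory nodes on the authentication search path, one per line.
ad_search_nodes() {
    printf '%s\n' "$1" | grep '^ */Active Directory/' | sed 's/^ *//'
}

# DISABLED if the record carries ;DisabledUser;, otherwise OK.
local_user_state() {
    case "$1" in *';DisabledUser;'*) echo DISABLED ;; *) echo OK ;; esac
}

# One-token verdict naming which of the thread's situations the settings match.
diagnose() {
    nodes=$(ad_search_nodes "$2")
    case "$nodes" in
        '') echo AD_NOT_ON_AUTH_PATH ;;          # domain users can never match
        *'All Domains'*)                         # forest on the path
            [ "$(forest_auth_state "$1")" = Enabled ] && echo FOREST_AUTH_ENABLED || echo FOREST_AUTH_OFF_PATH_STALE ;;
        *) echo "DOMAIN_AUTH:$nodes" ;;          # nearest domain only, as after the fix
    esac
}

# On a bound Mac: diagnose "$(dsconfigad -show)" "$(dscl /Search -read / CSPSearchPath)"
diagnose "$DSCONFIGAD_SAMPLE" "$SEARCHPATH_SAMPLE"
local_user_state "$AUTHAUTH_SAMPLE"
```

FOREST_AUTH_ENABLED is the state gandalf01 started in; DOMAIN_AUTH with the nearest domain is what the thread's fix produces.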

----------

