Problem with AD accounts not caching
I have a Win2K3-native AD, everything works as it should except for one thing:
I cannot cache a user account for offline operations (e.g. when we cannot contact a DC). F&P sharing, DHCP, DNS, etc. work just fine. In fact, account caching works on another laptop (also known as a "mobile account" in OS X terms). On my PB with 10.4.2 (started with 10.4, worked fine previously in 10.3.9), when attempting to create a mobile account, it simply states that it cannot be created. Anyways, I'm not sure where to go from here. It really makes my PB useless when away from my home network -- I can't even launch Terminal because it states I don't have permission (while I'm actually an Ent/Domain Admin which has Administrative privs on the laptop). I'm not using home directories, I'm just looking for cached credentials. One thing I've noted, this account is *not* recorded in NetInfo while other accounts are.
Did you add your AD server in the Authentication tab of Directory Access?
Which options did you enable when you did the bind? You can always post back the result of the following terminal command: dsconfigad -show
Obviously, do take out any specific info such as the server address and other sensitive info.
I had the same problem on one Mac. I searched, searched, and searched, posted, posted, and posted. Others have had the same problems and there was never any fix. I ended up having to do an archive and install (NOT preserving users and networking) to get it to function normally again.
Hum... this is very odd then. I never ran into this issue myself. A note though... I always did the bind with a fresh install for which I did not keep settings so I may accidentally have gone around the issue without knowing.
You are bound to Active Directory:
Active Directory Forest = domain.net
Active Directory Domain = domain.net
Computer Account = pb
Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Use Windows UNC path for home = Disabled
Network protocol to be used = smb:
Default user Shell = /bin/bash
Advanced Options - Mappings
Mapping UID to attribute = not set
Mapping user GID to attribute = not set
Mapping group GID to attribute = not set
Advanced Options - Administrative
Preferred Domain controller = dc.domain.net
Allowed admin groups = DOMAIN\domain admins,DOMAIN\enterprise admins
Authentication from any domain = Enabled
Advanced Options - Static maps
None
--------------------------
Here is what I'm getting in the system log:
Sep 6 21:36:43 pb loginwindow[2151]: Login Window Started Security Agent
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher: DSCacheRecord(): dsAddAttributeValue() == -14131
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher: CreateMobileAccount(): DSCacheRecord(user, kDSStdRecordTypeUsers) == -14131
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher: CopyUser(0, NULL) == -14131
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/MacOS/mcxd: MCXD.createMobileUserAccount() "/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U user -h /Users/user" == 205
Sep 6 21:36:56 pb loginwindow[2151]: Login of user "user" NOT recorded in /var/log/lastlog because UID (2025376732) is greater than 100000
Sep 6 21:36:56 pb loginwindow[2151]: lwMountWithArrayOfPaths: Skipping mount, final urlString was NULL
Sep 6 21:37:02 pb login: User login user (2025376732) not logged in lastlog. UID too large.
------------
The domain Administrator account can log in and cache, so can another user account on the domain.
I can't find any information about MCXCacher errors on Google. You'd think Apple would have a decent KB with these potential error messages ;)
Also, try in the terminal, while logged in with an AD account, the following: lookupd -d
This will bring up a prompt (as this first line gets you in the lookupd program). Then type in the following including caps: userWithName (then hit enter and once the : is added after what you just typed in, type in the username for which you are having an issue and see if it will bring up results). What's the UID indicated for it there?
1684179073 Greater than 100,000 there, too! Here is what is recorded in the console while logging on:
Regarding userWithName, for my user it shows approximately a dozen lines worth of information, for users that cache, it shows perhaps 2 pages worth of information.
My user, for example, doesn't show any of the following info: smb_acctFlags smb_group_rid smb_logon_time smb_primary_group smb_pwd_last_set smb_sid
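To make the two checks in this thread repeatable, here is an added diagnostic script (not from any poster): it parses the MCXCacher/mcxd lines quoted earlier for the -14131 / exit 205 failure and the over-100000 UID, and compares userWithName output against the smb_* attributes listed just above. The sample log and lookupd text are constructed from the thread, and the `key: value` layout assumed for lookupd output is an assumption.

```python
import re

# Constructed sample input: the MCXCacher/loginwindow lines quoted in the thread.
SAMPLE_LOG = """\
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher: DSCacheRecord(): dsAddAttributeValue() == -14131
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher: CreateMobileAccount(): DSCacheRecord(user, kDSStdRecordTypeUsers) == -14131
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher: CopyUser(0, NULL) == -14131
Sep 6 21:36:51 pb /System/Library/CoreServices/mcxd.app/Contents/MacOS/mcxd: MCXD.createMobileUserAccount() "/System/Library/CoreServices/mcxd.app/Contents/Resources/MCXCacher -U user -h /Users/user" == 205
Sep 6 21:36:56 pb loginwindow[2151]: Login of user "user" NOT recorded in /var/log/lastlog because UID (2025376732) is greater than 100000
"""

# Constructed sample of `lookupd -d` / userWithName output for the failing user.
# Assumption: one "key: value" attribute per line (the real output is longer).
SAMPLE_LOOKUPD = """\
name: user
uid: 2025376732
home: /Users/user
shell: /bin/bash
"""

# The smb_* attributes the thread reports present for users that cache and
# absent for the one that does not.
EXPECTED_SMB_ATTRS = ("smb_acctFlags", "smb_group_rid", "smb_logon_time",
                      "smb_primary_group", "smb_pwd_last_set", "smb_sid")

CACHER_RE = re.compile(r"MCXCacher: (?P<call>\w+\([^)]*\))(?:: .+?)? == (?P<code>-?\d+)$")
MCXD_RE = re.compile(r'mcxd: MCXD\.createMobileUserAccount\(\) ".*" == (?P<exit>\d+)$')
UID_RE = re.compile(r"NOT recorded in /var/log/lastlog because UID \((?P<uid>\d+)\)")

def parse_mobile_account_log(text):
    """Pull the mobile-account creation outcome out of system.log lines."""
    report = {"cacher_errors": [], "mcxd_exit": None, "large_uid": None}
    for line in text.splitlines():
        if m := CACHER_RE.search(line):          # MCXCacher step that failed + its code
            report["cacher_errors"].append((m["call"], int(m["code"])))
        elif m := MCXD_RE.search(line):          # exit status mcxd got from MCXCacher
            report["mcxd_exit"] = int(m["exit"])
        elif m := UID_RE.search(line):           # the lastlog "UID too large" notice
            report["large_uid"] = int(m["uid"])
    return report

def caching_failed(report):
    """True when MCXCacher logged an error or mcxd returned non-zero."""
    return bool(report["cacher_errors"]) or bool(report["mcxd_exit"])

def missing_smb_attributes(lookupd_text):
    """Return the expected smb_* keys absent from userWithName output, in order."""
    present = {l.split(":", 1)[0].strip() for l in lookupd_text.splitlines() if ":" in l}
    return [a for a in EXPECTED_SMB_ATTRS if a not in present]

if __name__ == "__main__":
    r = parse_mobile_account_log(SAMPLE_LOG)
    print(r, caching_failed(r), missing_smb_attributes(SAMPLE_LOOKUPD))
```

The lastlog notice alone is not a failure: it only fires because AD-mapped UIDs exceed 100000, which is why the script reports it separately from the MCXCacher errors.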
Then the problem may be with your account in AD... Make sure it's got the same settings the other ones do... Also, is it possible that your account is on a different domain server than the other ones?
Well, the account is an Ent/Domain Admin and adsiedit shows it having similar properties to other accounts (not identical of course when it comes to user type, for instance). And this did work when I was on 10.3, so something changed with 10.4. In fact, it worked the same day I did a scratch and install when I got my 10.4 disk.
There is only one DC.
Hum... this is really getting to be a weird one... Have to look into it some more tomorrow at work before giving you an answer.
No dice up to now... I haven't been able at all to reproduce the same issue. One thing though: can you try enabling the Windows UNC path option to see if this fixes it?
Enabling that option didn't do it.
By the way, I'm not the only one with this problem but I certainly can't do the workaround as the last poster suggested: http://discussions.info.apple.com/we...ce.0@.68aed893
Okay, this is now fixed. The only difference (overlooked this one) was that I had two certificates attached to my domain account for EFS. That was it... I now have a cached user account.
Could I ask exactly what you did? Did you simply un-link the certificates from the user account? Also, what kind of certs were they (just trying to get as much info as I can to post on the AD thread as another AD fix and also so I can try to figure out exactly what can trigger this)?
I removed them from my user account and they were "Basic EFS" certs. There were two identical certs but for overlapping periods of time.
Thanks for the information.
Do you think the issue was mostly with having certificates or having two overlapping ones?
Upgrade to 10.4.3
Apple fixed this problem. Please install 10.4.3.... :)
Where did you see that? I looked at the 10.4.3 documentation on the Apple site and didn't see any AD stuff mentioned... Did I read an incomplete report or is it just that you installed the update and now you have no problems with certificates?
I didn't see anything in regards to 10.4.3 doing anything with AD either. My accounts were working fine after removing the two certs under 10.4.2 and then adding back a single cert.
Well, they don't always include all the minute details of the bug fixes (unfortunately), but they do mention AD specifically:
I would have preferred... "We actually finally updated Samba so you can access DFS!"
How do you remove certificates attached to a domain account for EFS?
What is EFS? I am getting a similar logon error in my logs:
Nov 7 15:29:50 imac-g5-2 loginwindow[439]: lwMountWithArrayOfPaths: Skipping mount, final urlString was NULL
Thanks, Lance
Go to the user account properties using the Active Directory Users & Computers MMC. Click on Published Certificates to see the CA-issued certs.
EFS is Encrypting File System. It provides (on XP by default) AES-256 encryption of files and/or folders on the NTFS file system. http://www.microsoft.com/resources/d..._overview.mspx
Anyone else still receiving this error? I have a PowerBook running 10.4.5 and have been seeing this error in my console. My UID is 1 billion and some change... but under the 2 billion limit. I'm not sure if this error is just a red herring, or an actual problem.