Login Issues on macOS Clients bound to Active Directory (AD)

Originator: Balz.aschwanden
Number: rdar://34972510    Date Originated: 10/13/2017
Status: Open    Resolved:
Product: macOS    Product Version: 10.13 (17A405)
Classification: Bug    Reproducible: Always

Summary:
Users cannot log on to a macOS client that is bound to AD if the AD home folder path contains a dollar sign ‘$’.

Steps to reproduce:
- Bind the machine to AD. See the attached note ‘ad_config_fail.txt’ for the exact configuration.
- Log in with an AD user that has never logged in to this machine before.
- That user has a dollar sign ‘$’ in its AD home folder path.
- Example of such a path as shown in AD: \\mycorp.com\home$\myuser

Actual results:
- The user cannot log on and sees the prompt: “You are unable to log in to the user account ‘myuser’ at this time. Logging in to the account failed because an error occurred.”

Expected results:
- The dollar sign should be escaped correctly.
- The user should be able to sign in.

Log entries show the following message. Note that the mount URL contains ‘%%24’ where ‘%24’, the percent-encoding of ‘$’, would be expected, so the dollar sign appears to be escaped twice:
authorizationhost: (HomeDirMechanism) ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://mycorp.com/home%%24/myuser, homedir=/home/myuser, name=myuser ) returned 2


Workaround:
If the AD home folder is not mounted at login, the user can log on. This can be achieved by setting
“Use Windows UNC path for home = Disabled”
(the same setting that is shown as Enabled in ‘ad_config_fail.txt’ below).


ad_config_fail.txt
Active Directory Forest          = myforest.com
Active Directory Domain          = myforest.com
Computer Account                 = my-host$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Enabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = uidNumber
  Mapping user GID to attribute  = gidNumber
  Mapping group GID to attribute = gidNumber
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = myadmins
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 0
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain
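
The following shell script is an added example for this radar, not part of the original report or of any Apple tool. It shows, on constructed copies of the configuration and log line above, what a correctly escaped mount URL for a UNC home path with a ‘$’ looks like (the dollar sign percent-encoded once, as %24), how to spot the doubled ‘%%24’ in the authorizationhost log line, and how to detect whether UNC home mounting is enabled in `dsconfigad -show` output. The `apply_workaround` function uses the real `dsconfigad -useuncpath disable` option to apply the workaround above to a live binding; it needs root and an existing AD bind, and only runs when the script is started with `--apply`. The sample strings are constructed from the text of this radar.

```shell
#!/bin/sh
# Added example (not from the radar): reproduce the URL the AD plugin should build
# for an AD home path, detect the double-escaped "%%24" seen in the log, and check
# the dsconfigad setting behind the workaround. Only apply_workaround() touches the
# system; everything else runs on constructed strings.

# Constructed sample: the relevant lines from the radar's ad_config_fail.txt,
# in the format that `dsconfigad -show` prints.
SAMPLE_CONFIG='Advanced Options - User Experience
  Create mobile account at login = Enabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Enabled
     Network protocol to be used = smb'

# Constructed sample: the authorizationhost log line quoted in the radar.
SAMPLE_LOG='authorizationhost: (HomeDirMechanism) ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://mycorp.com/home%%24/myuser, homedir=/home/myuser, name=myuser ) returned 2'

# Convert a UNC path (\\server\share$\user) to the smb:// URL form, percent-encoding
# the dollar sign exactly once ($ -> %24, per RFC 3986). This is what a correctly
# escaped mount URL looks like, not what the AD plugin actually produced.
smb_url_from_unc() {
  path=$(printf '%s' "$1" | sed -e 's#^\\\\##' -e 's#\\#/#g' -e 's/\$/%24/g')
  printf 'smb://%s\n' "$path"
}

# Exit 0 if the UNC path contains a dollar sign, i.e. the account is affected
# by this bug whenever "Use Windows UNC path for home" is enabled.
unc_has_dollar() {
  case $1 in *\$*) return 0 ;; *) return 1 ;; esac
}

# Exit 0 if a mount URL carries a doubled percent sign ("%%24"): the symptom in the log.
url_double_escaped() {
  case $1 in *%%*) return 0 ;; *) return 1 ;; esac
}

# Pull the url=... field out of an authorizationhost HomeDirMechanism log line.
log_mount_url() {
  printf '%s\n' "$1" | sed -n 's/.*url=\([^,]*\),.*/\1/p'
}

# Exit 0 if `dsconfigad -show`-style text says "Use Windows UNC path for home = Enabled".
unc_home_enabled() {
  printf '%s\n' "$1" | grep -q '^ *Use Windows UNC path for home *= *Enabled *$'
}

# The workaround from the radar, applied to the live binding. Needs root and an
# existing AD bind; run as `sh this.sh --apply`.
apply_workaround() {
  dsconfigad -useuncpath disable
  dsconfigad -show | grep 'Use Windows UNC path for home'
}

if [ "${1:-}" = "--apply" ]; then
  apply_workaround
elif [ "${1:-}" = "--check" ]; then
  # Dry run against the constructed samples only.
  logged=$(log_mount_url "$SAMPLE_LOG")
  echo "expected: $(smb_url_from_unc '\\mycorp.com\home$\myuser')"
  echo "logged:   $logged"
  url_double_escaped "$logged" && echo "double-escaped dollar sign in mount URL"
  unc_home_enabled "$SAMPLE_CONFIG" && echo "UNC home mounting enabled: workaround applies"
fi
```

Run with `--check` to compare the expected single-encoded URL against the one from the log; run with `--apply` as root on an affected, bound machine to switch off UNC home mounting and print the resulting setting. To confirm an account is affected before it first logs in, compare its AD home path against `unc_has_dollar`.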
