Login Issues on macOS Clients bound to Active Directory (AD)
Originator: Balz.aschwanden
Number: rdar://34972510
Date Originated: 10/13/2017
Status: Open
Resolved:
Product: macOS
Product Version: 10.13 (17A405)
Classification: Bug
Reproducible: Always
Users cannot log on to a macOS client that is bound to AD if the AD home folder path contains a dollar sign ‘$’.

Steps to reproduce:
- Bind your machine to AD. See the attached note ‘ad_config_fail.txt’ for the exact configuration.
- Log in with an AD user that has never logged in to this machine before.
- That user has a dollar sign ‘$’ in its AD home folder path.
- Example of such a path as shown in AD: \\mycorp.com\home$\myuser
- The user will not be able to log on but will see a prompt: “You are unable to log in to the user account “myuser” at this time. Logging in to the account failed because an error occurred.”

Expected results:
- The dollar sign should be escaped correctly.
- The user should be able to sign in.

Log entries show the following message:

authorizationhost: (HomeDirMechanism) ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://mycorp.com/home%%24/myuser, homedir=/home/myuser, name=myuser ) returned 2

Workaround: If the AD home folder is not mounted, the user can log on. This can be achieved by setting “Use Windows UNC path for home = Disabled”.

ad_config_fail.txt

Active Directory Forest = myforest.com
Active Directory Domain = myforest.com
Computer Account = my-host$

Advanced Options - User Experience
Create mobile account at login = Enabled
Require confirmation = Disabled
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
Default user Shell = /bin/bash

Advanced Options - Mappings
Mapping UID to attribute = uidNumber
Mapping user GID to attribute = gidNumber
Mapping group GID to attribute = gidNumber
Generate Kerberos authority = Enabled

Advanced Options - Administrative
Preferred Domain controller = not set
Allowed admin groups = myadmins
Authentication from any domain = Enabled
Packet signing = allow
Packet encryption = allow
Password change interval = 0
Restrict Dynamic DNS updates = not set
Namespace mode = domain
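An added triage helper for an admin who wants to find which AD users will hit this login failure before they do (example code written for this page, not part of the report or of macOS). It parses the “Key = Value” layout of ad_config_fail.txt, and, when UNC home mounting is enabled, lists users whose homeDirectory contains a ‘$’ together with the smb:// URL in which the dollar sign is percent-encoded exactly once; the sample config excerpt and home paths are constructed, and the single-encoding form `home%24` is assumed to be the correctly escaped one the report asks for.

```python
import re
from urllib.parse import quote

# Constructed excerpt in the format of the attached ad_config_fail.txt.
AD_CONFIG = """\
Active Directory Domain = myforest.com
Force home to startup disk = Enabled
Mount home as sharepoint = Enabled
Use Windows UNC path for home = Enabled
Network protocol to be used = smb
"""

# Constructed homeDirectory values; only the hidden share (home$) is affected.
HOME_PATHS = {
    "myuser": r"\\mycorp.com\home$\myuser",
    "alice": r"\\mycorp.com\homes\alice",
    "bob": "",  # no AD home folder set
}


def parse_ad_config(text: str) -> dict:
    """Parse 'Key = Value' lines into a dict; section headings have no '=' and are skipped."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def unc_to_smb_url(unc_path: str) -> str:
    """Turn \\\\server\\share\\path into smb://server/share/path, percent-encoding
    '$' (and any other reserved character) once per path component."""
    m = re.fullmatch(r"\\\\([^\\]+)\\(.+)", unc_path)
    if not m:
        raise ValueError(f"not a UNC path: {unc_path!r}")
    host, rest = m.groups()
    return "smb://" + host + "/" + "/".join(quote(c, safe="") for c in rest.split("\\"))


def affected_users(config_text: str, home_paths: dict) -> dict:
    """Return {user: smb_url} for users whose first login would fail: the UNC home is
    mounted at login and its path contains '$'. Empty once the workaround
    ('Use Windows UNC path for home = Disabled') is applied."""
    cfg = parse_ad_config(config_text)
    if cfg.get("Use Windows UNC path for home") != "Enabled":
        return {}
    return {u: unc_to_smb_url(p) for u, p in home_paths.items() if p and "$" in p}


if __name__ == "__main__":
    for user, url in affected_users(AD_CONFIG, HOME_PATHS).items():
        print(f"{user}: would mount {url}")
```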