boomtowncio
Mobile users unable to log in using Open Directory (OD) credentials when not on company LAN

Recently did a clean installation of Mac OS X Server 10.6.7 and configured Open Directory to manage user accounts/access and permissions. Also created several Computer accounts using Workgroup Manager and added their Hardware UUIDs.

Also set up a Group in Workgroup Manager called 'mobile' and established preferences in Workgroup Manager -> Preferences -> Mobility to create the user's Home folder on the server but to keep a sync copy on the local machine.

Also set up DNS on the same server correctly as from what I read before creating this post, improper DNS settings can wreak havoc with OD.

The problem is that when a user that is a member of the 'mobile' group takes their MacBook Pro home, they are unable to log in using their OD credentials.

Coming from a Windows world, it is clear that the user's login credentials are not stored locally in the event that the OD server is not accessible.

Therefore my question is:

How do I allow mobile users to log in when they are away from the office but then sync when they reconnect to the office network?
roylong

You should be prompted at first log on to create a mobile account.  Did you get that prompt?
There is a setting, I believe it's when you bind to the directory, to prompt for mobile account creation.  This is separate from synced home folders.

I use this setting with our AD users on the macs and it works great.

If you already have a local user folder with the name of the OD user then this may cause you problems and you may have to save the current user folder, create a new one, copy items back from old one.
boomtowncio (ASKER)

I have set the preference in Workgroup Manager -> Preferences -> Mobility -> Account Creation -> Creation to always create the mobile account for Users that are a member of the 'mobile' group. I have set the "Manage" option to "Always" perform this action and not to prompt the user (therefore a mobile account is created in all instances).

I have also verified that there is no local account on the MacBook Pro in question with the same user name as the OD account.
lloydforth1

Before troubleshooting the server I'd open System Preferences on the client machine, click Accounts and check the user account has the word "Mobile" beneath it.

lloydforth1 - Yes indeed, I have validated that when logged in the user account is listed as type "Mobile" in the manner that you specify.

Where does OS X store the cached OD credentials in the event that the OD server is unavailable? In the User's Home folder?
Comment: In other OD deployments I have observed both "Mobile" and "Managed" appear under a user account.

In the current deployment that I am describing the word "Managed" does not appear. Could that be part of the problem?
Indeed I have seen the same.

Can you log in as an admin and check the logs? You would need to check /var/log - secure.log.
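The two client-side checks suggested above (is the account really a cached mobile account, and what does secure.log say about the failed login), as an added example that is not part of the thread. On the Mac the inputs would come from `dscl . -read /Users/<user>` and /var/log/secure.log; here both are constructed samples so the script runs offline, and the user name jdoe and server od.example.com are assumptions.

```shell
#!/bin/sh
# Added example: classify a user record as a cached mobile account and pull
# failed logins out of secure.log. On the Mac the inputs would be:
#   dscl . -read /Users/jdoe AuthenticationAuthority OriginalNodeName
#   cat /var/log/secure.log
# Both inputs below are constructed samples (jdoe, od.example.com are assumed).

# Read a dscl record on stdin; print "mobile" when it carries the
# ;LocalCachedUser; authority that a mobile account's local copy has,
# "network-only" when the record exists without it, "missing" when empty.
classify_account() {
  rec=$(cat)
  [ -z "$rec" ] && { echo missing; return 0; }
  case "$rec" in
    *LocalCachedUser*) echo mobile ;;
    *) echo network-only ;;
  esac
}

# Print secure.log lines on stdin that are failed authentications for user $1.
auth_failures() {
  grep -i "$1" | grep -Ei 'failed|denied'
}

# Constructed dscl output for a working mobile account.
SAMPLE_DSCL='AuthenticationAuthority: ;LocalCachedUser;/LDAPv3/od.example.com:jdoe:00000000-0000-0000-0000-000000000000 ;ShadowHash;
OriginalNodeName: /LDAPv3/od.example.com'

# Constructed secure.log excerpt: one failure for jdoe, two unrelated lines.
SAMPLE_LOG='Mar 30 16:24:01 mbp loginwindow[45]: Login Window Application Started
Mar 30 16:24:05 mbp authorizationhost[52]: Failed to authenticate user <jdoe> (tDirStatus: -14090).
Mar 30 16:24:40 mbp loginwindow[45]: Login Window Started Security Agent'

printf '%s\n' "$SAMPLE_DSCL" | classify_account      # mobile
printf '%s\n' "$SAMPLE_LOG" | auth_failures jdoe     # the one failure line
```

If the record prints "network-only" the client never created the local cached copy, which matches the shaking login window off the LAN; if it prints "mobile", the secure.log failures are the next thing to read.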
Yes however I will have to do that tomorrow as the laptop in question is no longer accessible.

How do I make a User profile both 'mobile' and 'managed'?
Hi,

If the User is not prompted, is the user Home folder created under /Users?
If not, there is your problem!

Remove the limitation not to prompt for local user creation - make sure you create a Mobile User when logging in, and that the user account is under /Users (or wherever you allow it to store it)!

Otherwise the user is booted over the network and nothing is local on the Mac.

When you are logged in as the user, you can also Cmd-click on the folder name in the window and see the path to the folder - should be local. See screenshot.
[screenshot: path-to-folder.PNG]
Yes, I have validated that the user's Home folder is on the local machine.
[screenshot: Screen-shot-2011-03-30-at-4.24.0.png]
Hmm, strange then.

And - just to make sure:
Does the login screen shake, or does it just take like 2 min. to authenticate?
You can test by simply disconnecting the network(s).
It shakes as though the password is incorrect
ASKER CERTIFIED SOLUTION
marook
Thanks marook!

I have looked at the logs via console but to tell you the truth my expertise in reviewing system events is much better in Windows.

Can you tell me what type of event I should be looking for to help me sift through the data (there is a lot!)?
Still a huge delay on login when off network.