rcctech asked:

Macs on Active Directory Gone Haywire - No connection and unable to login


We have a mixed Apple/Microsoft environment running on Windows Server 2008.  About a month ago, I transitioned all of our Mac users to Active Directory instead of using a local user account on their machine.  That transition went relatively smoothly.  The only hoop I had to go through was to manually add the IP address of the domain controller as the DNS in each Mac's Network Preferences.  All users have been transitioned to using Active Directory and set up with Mobile accounts so they can function when they're at home and not connected to the domain controller.  Everything was working well - for a few weeks.

Earlier this week, I began getting reports from Mac users being (1) unable to log in and (2) unable to access the shared drives on the server.  
     - Lion users have been able to continue logging in and using their computers, as you would expect with the mobile account setup.  Lion users can also still access the shared drives.
     -  Snow Leopard users are now sometimes unable to log into their computer at all.  Occasionally, they are able to log into their machines after a full reboot.  But, once logged in, they still cannot administrate their machines.  It says the username/password is bad.  The admin account I've been using is also not accepted, so I have no way of getting admin privileges on these SL machines.  SL users are also unable to connect to the Shared Drives on the server.  They get past authenticating fine, and get as far as the Shared List, but once they make a selection from the list, Finder freezes trying to open it.

So, there are a couple of problems going on, but it seems to me the source of the problem is the server.  I'm hoping to resolve the connection issue, and hoping that will get my Snow Leopard users back up and running without needing Admin privileges for their machines.

Using a Lion machine to troubleshoot, I have found...
     -  The login screen shows the red dot and says "Network Accounts Unavailable"
     -  But, after logging in (to an existing mobile account), the "Network Account Server" option in Account Prefs under "Login Options" is green.  
     -  Trying to authenticate for admin privileges with a server admin account fails.  I can only authenticate with an existing mobile account.
     -   I unbound from the domain, and when attempting to rebind, I receive the error:
Unable to add to server.   Node name wasn't found.

I expected this based off of the problems I'm having, but didn't realize it would be so hard to rectify.

In order to rebind, I have tried:
     - Deleting computer account from the AD and restarting client machine
     - Restarting server
     - Binding from GUI in prefs, and dsconfigad command in terminal. Same results
     - Deleting all entries with my computers name from Forward DNS Lookup on the server
     - Connecting via a different WiFi network, and by wired
     - Deleting and re-adding the IP address of the server as DNS in the Mac network prefs.

I'm out of ideas now, but this is causing some pretty major issues for us.  I could greatly use some help.  I'm a production guy, not really an IT guy.

Topics: Active Directory, Windows Server 2008, Mac OS X

Last comment: 8/22/2022 - Mon

I forgot to mention that the error I receive in Console, is:

5/23/12 5:28:27.017 PM opendirectoryd: GSSAPI Error:  Miscellaneous failure (see text (Clock skew too great (negative cache))


5/23/12 5:30:43.818 PM System Preferences: -[ODCAddServerSheetController handleOtherActionError: gotError: Error Domain=com.apple.OpenDirectory Code=2000 "Unable to connect to server" UserInfo=0x4001770c0 {NSLocalizedDescription=Unable to connect to server, NSLocalizedFailureReason=Node name wasn't found.}, Node name wasn't found.


Thanks for the article.

Based on my multiple computers having the issue simultaneously, I think it's a server issue.  It looks like there are some updates I need to look at that the folks mentioned in that thread, so I'm going to look at the log and see what updates have been installed in the past week.  And, hopefully something is available to fix whatever has happened.

I'm not sure about your second error, but the first means that the clock on the client does not match that of the server. For Kerberos, and therefore login, to work correctly, the client computer and server clocks must be within a few seconds of each other. You need to point your clients to the same time server as the AD server at the least. It is even better to use the AD server as the time server and point the clients to it. When the time difference (skew) is too great, you will get the errors you are describing.
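To confirm the skew this answer describes before touching any bind settings, the following added script (not from the thread or from any Apple or Microsoft tool) sends a plain SNTP request (RFC 4330) to the domain controller, compares the DC's transmit timestamp with the local clock, and flags whether the difference exceeds the Kerberos tolerance. The hostname dc.example.local is a placeholder; the 300-second threshold is Active Directory's default Kerberos skew tolerance, far looser than the few seconds of sync you should actually aim for.

```python
import socket
import struct
import sys
import time

# NTP timestamps count seconds from 1900-01-01; Unix time from 1970-01-01.
NTP_UNIX_OFFSET = 2208988800
# Active Directory's default Kerberos clock-skew tolerance in seconds.
KERBEROS_MAX_SKEW = 300


def build_sntp_request():
    """48-byte SNTP client packet: LI=0, VN=3, Mode=3 (client), rest zero."""
    return b"\x1b" + b"\x00" * 47


def parse_transmit_time(packet):
    """Return the server's Transmit Timestamp (bytes 40-47) as Unix time."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet: %d bytes" % len(packet))
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_OFFSET + frac / 2 ** 32


def skew_seconds(client_time, server_time):
    """Positive means the client clock is ahead of the server."""
    return client_time - server_time


def within_kerberos_tolerance(skew, tolerance=KERBEROS_MAX_SKEW):
    return abs(skew) <= tolerance


def query_dc_time(host, port=123, timeout=3.0):
    """Ask the DC for its time over UDP/123 and return it as Unix time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_sntp_request(), (host, port))
        data, _ = sock.recvfrom(48)
    return parse_transmit_time(data)


def check_dc_skew(host):
    """Return (skew_seconds, ok) for the DC at host."""
    server_time = query_dc_time(host)
    skew = skew_seconds(time.time(), server_time)
    return skew, within_kerberos_tolerance(skew)


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc.example.local"  # placeholder
    skew, ok = check_dc_skew(dc)
    print("skew vs %s: %+.3f s -> %s" % (dc, skew, "OK" if ok else "TOO GREAT"))
```

A skew that is within tolerance but still several seconds wide is worth fixing anyway, by pointing the Mac's network time server at the DC as the answer recommends.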

My comment adds the specific solution to my problem, which was found in a very lengthy thread provided by amenezes.