Two readers responded to Bob Nine's report of Snow Leopard Macs not being able to log in to Active Directory after going into sleep mode. Both offered advice for how to deal with the issue. The first report was from Bob, updating his previous report with some advice he received from Apple:
We had a breakthrough after I sent the previous email: I called Apple Support. It was a good experience. I signed up on the website and the phone system called me. Talked to the first guy for a few minutes, then he sent me to his manager. His manager did not know, but researched it on their knowledge system. We fixed this very easily. Here is the process:
AD CACHE PROCESS
- System Preferences
- Unlock for Changes
- Login Options
- Network Account Server: Edit (already joined to AD Domain)
- Open Directory Utility
- Unlock for Changes
- Select Active Directory
- Click the Pencil to edit
- Show Advanced Options
- Put a Check in the box for "Create mobile account at login"
Hit OK all the way out, and then log in again. It will ask you if you want to create a local copy. Say yes, and you are done. Now I can log in OFFLINE. WOO HOO!
Aaron Hall suggested a different approach, and may have some different circumstances:
We've encountered the situation Bob Nine reports. We found the problem was a combination of things. For us, the problem only occurs when the laptop has network access, can resolve the AD domain controllers in DNS, but can't actually talk to them. In those circumstances, the laptop seems to be ignoring the cached account because it *thinks* it should be talking directly to the DCs, but it can't, and authentication fails. When the laptop has no network access at all (e.g. wireless turned off, or someplace without any wifi), it uses the cached account and works fine.
The laptop thinks it can talk to the domain controllers because it can resolve them in DNS. In our case, we were accidentally allowing our public DNS servers to resolve our internal AD to a private IP address (10.x.x.x range for us, see RFC 1918 for more). This is a misconfiguration. So although the Mac thought it knew the DC's IP address even when it was off the network, it could never talk to the DC and got confused.
Bob's circumstances may be different, but I'd encourage checking how his AD is exposed to the outside world in DNS. The Mac seems to prefer either full connectivity to the AD, or being unable to resolve it at all. Also, variations on this have been addressed on the MacEnterprise listserv several times; he might check the archives or ask there.
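One way to check for the DNS condition Aaron Hall describes, as an added example that is not part of either reader's report: it flags names that a public resolver answers with RFC 1918 addresses and classifies a client into the three states he lists. The hostnames and addresses are constructed samples, the function names are hypothetical, and probing LDAP on TCP port 389 as the reachability test is an assumption.

```python
import ipaddress
import socket

# The three private IPv4 ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def leaked_records(public_answers):
    """public_answers: {hostname: [ip, ...]} as answered by a PUBLIC resolver.
    Returns only the names that publicly resolve to private addresses."""
    leaks = {}
    for host, ips in public_answers.items():
        private = [ip for ip in ips if is_rfc1918(ip)]
        if private:
            leaks[host] = private
    return leaks

def tcp_probe(ip, port=389, timeout=3):
    """Assumed reachability test: can we open LDAP (TCP 389) on the DC?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def dc_state(resolved_ips, can_connect=tcp_probe):
    """Classify the client's view of the domain controllers."""
    if not resolved_ips:
        return "unresolvable"                # cached account is used
    if any(can_connect(ip) for ip in resolved_ips):
        return "reachable"                   # normal on-network login
    return "resolvable-but-unreachable"      # the failing case in the report

# Constructed sample: answers collected from a public resolver, off-network.
SAMPLE_PUBLIC_ANSWERS = {
    "dc1.ad.example.com": ["10.20.30.40"],   # internal DC leaked publicly
    "www.example.com": ["203.0.113.10"],     # ordinary public record
}

if __name__ == "__main__":
    for host, ips in leaked_records(SAMPLE_PUBLIC_ANSWERS).items():
        print(f"{host} resolves publicly to private address(es): {ips}")
        print("  client state off-network:", dc_state(ips, lambda ip: False))
```

Run against real data, feed `leaked_records` the answers obtained from outside the corporate network; any hit means the internal AD zone is visible in public DNS.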
Another suggestion for AD clients that can't log in after sleep
Jimmy de la Rosa has seen the problem of Macs not being able to log in to Active Directory after going into sleep mode. We've previously reported suggestions to fix this, but de la Rosa offered another approach:
I just came across this post from a year ago. Yes, I've seen this issue and it appears to be related to duplicate entries in the AD domains listed under Search Policy for both Authentication and Contacts. Once the duplicates were removed, the systems were able to authenticate without issue.