Parallels Desktop for Mac
Parallels Desktop 5.0 for Mac Run all the applications you need without switching between Windows and Mac OS X! Better integration of Mac and Windows. Supports Windows 7 Aero, with graphics peformance up to 7 times greater than before. Supports Apple trackpad gestures, new Crystal mode, speech recognition, good notebook battery life, and more.

Active Directory and Leopard Tips and Reports

Working with Leopard and Microsoft Active Directory networks

Buy New! Toast 9 Titanium

Updated October 21, 2009

On This Page:

- Intro
- Active Directory Fixes in Leopard Updates
- Reader Tips and Reports:

Comment on this page below.

AirPort and PCs

Cross-platform software deals from Amazon

Check out Amazon for a copy of Running Windows on Macs or " + contact + " for Boot Camp

Parallels Desktop for Mac
VPN Client for 300+ VPN gateways

Windows XPWindows VistaAccess your Mac OS X partition from
Boot Camp

VPN Tracker
Run Windows on a Mac

MacDrive 7

VMware Fusion

Office 2008 for

Mac OS X

Mac OS X 10.5 Leopard for $109

Compresses and decompresses in Mac, Windows, and Unix archive formats, and more types of files than any other solution. Also encodes/decodes Windows email encoding formats.

Image, audio compression: StuffIt's advanced compression technology can compress cross-platform file formats that are already compressed, including MP3, PDF, Photoshop, TIFF, PNG, GIF, BMP. It increases compression of JPG files to 30 percent. StuffIt uses a different compression algorithm for each type of file to get optimized reduction in size. The compression is lossless, without degrading the image or sound quality. It can also re-compress zip archives.

Buy New! Toast 9 Titanium

For your Mac: Blu-ray burning, HD, Tivo,
iPhone Streaming, and more

Many users were surpised to discover that Active Directory no longer worked when they upgraded their Macs from Tiger to Leopard. Mac OS X 10.5 broke Active Directory binding and login, and other aspects of Mac integration with Active Directory. Apple has released update that have improved the situation for some users, though issues remain. This page contains descriptions of the problems, as well as workarounds and fixes.

StuffIt Deluxe 12 for MacActive Directory fixes in Apple Leopard updates

Click for more info about StuffIT DeluxeLeopard 10.5.3 update fixes several AD issues

Released May 28, 2008

Here are the Apple-listed fixes in the that are related to Active Directory and Open Directory. These may address problems we have reported, which are linked to here.

  • Improves .
  • Eliminates a .
  • Clients can now change their password at the login window when bound to a Mac OS X 10.4 Open Directory server. (We have not had this specific problem report, but have reported other instances of being unable to change a password Leopard Mac OS X 10.5.3 update and Active Directory binding and login.)

delay when logging in as an Active Directory user in a .local domain

hereLeopard 10.5.2 addresses AD bug

Released February 11, 2008

For the here and the Click here for a full description of cross-platform fixes in Leopard 10.5.3. Apple said that the update fixes problems with binding to Active Directory Domains, which was widely reported with 10.5.0 and 10.5.1.

Mac OS X 10.5.2 updateLeopard Server’s wiki server can affect AD binding | Mac OS X Server 10.5.2 update, |

Monday, October 29, 2007

Click here for a full description of cross-platform fixes in Leopard 10.5.2. warns that when running Mac OS X Server 10.5 bound to Active Directory, using the Wiki Server can cause problems with users authenticating to Active Directory. Apple's solution is to set authentication for Wiki Server that comes with Leopard Server (wikid) to clear text. The article explains how to use Terminal to set Wiki Server authentication in clear text.

Apple explains why this is needed:

This is required because, by default, the wiki server uses CRAM-MD5 authentication, which is not supported by the Active Directory plugin.

Because sending clear text passwords is not secure, Apple recommends configuring the wiki server to use SSL.

Reader TIPS and Reports

Top of PageUpgrading to Leopard from Tiger breaks binding to Active Directory | Apple tech article 306750 |

Users can no longer bind to Active Directory after Leopard update

Monday, October 29, 2007

Dave McCristall's lost the ability to bind to Active Directory after a Leopard update:

I updated one of our Macs to 10.5 from 10.4 (as a test). Users were authenticating through Active Directory, but on this Mac, we've got nothing. I can't seem to get Leopard to bind to the Active Directory server.

Many more reports of Leopard Active Directory binding problems

Wednesday, October 31, 2007

Many readers are reporting the that we first reported on Monday. Some are seeing dialogs that report an "unknown error." Others report an error message that says "Invalid user name and password combination." One reader said that his Macs freeze when they attempt binding.

Ryan Gilbert described his experience:

I am having issues with Leopard and Active Directory as well. After upgrading a system that uses AD auth I am no longer able to login with AD user accounts. Logging in with a local account and removing/re-adding to AD does not solve the problem.

I have also tried an erase and install of Leopard. In my case the computers 'seem' to bind to AD, but will not let any users log on using AD user credentials.

Bob DeSilets was able to get a Kereberos ticket:

I'm having the same problems authenticating to the AD domain after upgrading. Here are all the details I can think of:

    • I did an Upgrade rather than an Archive and install from a fully patched Tiger installation
    • When I first attempted to log in with my mobile account, I got an error message that said that there was a problem creating the mobile account (even though the local directory already existed)
    • I logged in to a local admin account, unbound the machine from the AD domain in Directory Utility, and re-bound the machine to the domain. No luck accessing the mobile account.
    • I am able to get Kerberos tickets from both the AD domain and our central campus Ticket Granting server
Top of PageRob Groome is getting the "unexpected error" messages on multiple Macs:
I have the same issue with binding AD to Leopard. I have an Intel Mac and when I try to bind to the domain, which worked flawlessly on Tiger, I get an error message.

From the Directory Servers Tab under Directory Utility, it says:

Unable to add the domain. An unexpected error of type -14090 (eDSAuthFailed) occurred.

Or, from the Services tab and clicking on Active Directory, I get the following:

Unable to access domain controller. This computer is unable to access the domain controller for an unknown reason.

I love the unknown reason - it's really helpful in troubleshooting! This also happened on two other systems with fresh installs and one with an upgraded install. Same error on all 3 systems.

David Marcus's Macs freeze when they try to bind, and found a workaround, of sorts:

I can relate to your post "Reader can no long bind to AD after Leopard update." As far as we're concerned the bind on the AD literally froze the MacBook Pros concerned (2 different machines) to the point where we had to make a hard reboot. Removing the domain in the Directory Utility removed the issue immediately. The downside is that the users cannot benefit from full AD integration.

We noticed the origin of the problem as the Macs didn't freeze if connected outside the AD's LAN.

Stephane Rossan gets the user name error message:

I upgraded my Mac Pro to Mac OS X 10.5 this morning, and I can not bind to AD. I unbinded it and try to bind it again, but I cannot anymore. I have an error message: Invalid user name and password combination. You provided a user name and password combination that is invalid. You should check the user name and password and try again.

Obviously, I tried multiple times with no success. This morning, the error message was about a time difference between the client and the server.

Jay Rozgonyi found that he could not unbind after the update:

I'm clearly seeing problems with AD binding here at my University. We have our Macs bound to AD for authentication (laptops use mobile accounts), as well as to an Open Directory server for preferences. I left on Friday with my Tiger bound machine, booted into my mobile account at home, and did an Archive and Install of Leopard. I brought over the Network and User Account info, and I was running quite well over the weekend.

When I plugged in back at the office this morning, however, everything went wrong. Authentication was not being passed to AD correctly, and when our Windows guys recommended that I unbind the computer and then bind it again, I found that I was not allowed to unbind! Even a forced unbind (i.e., one not based on my authentication to AD) did not work. I'm now in the process of doing a fresh install of Leopard, bringing nothing over from the previous build or from Tiger, but I'm very reluctant to even attempt to bind to AD. The machine, by the way, is a two week old MacBook.

Fred Steputis:

I've tested 2 clean installs and 1 upgrade so far. Leopard seems to not allow network login when bound to AD. I spent several hours yesterday trying to figure this out. The binding works fine as in 10.4, all settings are the same except the listing of BSD/local as an authentication path on 10.5. I cannot get rid of the BSD listing under Directory Services.

I don't think we will be upgrading anytime soon.

Kenny Red:

I am have a massive amount of difficulty getting my new Leopard upgrade to bind to Active Directory. Every time I try it goes past validating my credentials and then give error "An unknown error occurred".

if you have these issues with Leopard.

Current news on the inability to bind to Active Directory after upgrading to Leopard.

Some Leopard users can connect to AD, but not without issues | " + contact + " |

Wednesday, October 31, 2007

A few readers did report being able to connect to Active Directory with Leopard.

Alan Auman said that his logins are "horrendously slow:"

While I've been able to bind my Leopard upgrades to AD, the login for an AD user account takes up to 3 minutes to complete. Disengaging screensavers when using an the AD account credentials also suffers from this delay.

Derrick Rashidi was able to bind after multiple attempts:

I'm having the same issue with some differences. I did manage to get the laptop to bind, however I didn't do anything different. It just decided to bind. I can see the pc in AD when I do a seach, but when I logon to the PC locally (because I cannot logon to the domain) and check the Directory Utility, My AD Domain show the "server is not responding" message. At times this will show Green and the server is responding but still unable to logon to the domain.

Ben Zvan was able to bind as well:

I thought I'd let you know that I'm experiencing a similar problem to that listed on your site. Under 10.4, I was able to grab a Kerberos ticket from our AD server and then connect to AD SMB shares on our network using that ticket. Now, I'm prompted for a password when I try to mount the shares. One of our other tech areas is working on it, but they don't have 10.5 yet.

MacWindows home pageSuggestion for Leopard AD issue, and more reports of binding problems | |

Friday, November 2, 2007

Readers continue to report Top of Page networks. One reader got it to work after multiple binding/unbindings. Another reports seeing it with Micrsoft's Services for Unix. One reader saw the same problem with the Leopard betas.

But first, Erik Ableson has a suggestion:

I've had no problems joining an AD domain after the Leopard update. I did have to delete the original AD Directory Services entry after upgrading and rejoin later since it really didn't like not being able to resolve the domain since I did the upgrade from home. General recommendation would be to leave the domain before upgrading and rejoin after the update.

if this worked for you.

Rick Shields had it working until he moved it to a mobile user account. Then he got it to work after multiple binds and unbinds:

Everything at first was perfect. I did a clean install and within minutes had the machine logged into AD 2 days. (I hadn't set it up to be a mobile user yet either.) Today, I decided that it looked good enough and moveed it to a mobile user account. I went to the directory utility and unbind. No issue. Made the change to allow the mobile account when connecting. Rebind. All lookd well, but I couldn't log in.

The window showed that the AD server was responding correctly and everything looked normal. But it didn't work. I could unbind/rebind with no issues, but no user could log in, not even my domain admin account.

Now, after multiple bind/unbinds and restarts it has started working again. I get my AD users to log in. Suggests to me that there is something holding onto something or something on the Mac when you unbind/bind.

Josh Warren blames the new Active Directory plugin:

I am just writing to confirm that I, too, have run into the problem of trying to get a 10.5 OSX (Leopard) iMac and Mac Book Pro to bind to AD. I don't think it matters whether it is a clean install or an upgrade. I want to say it is just an issue with the new AD plug-in Apple has issued with the new OS.

Carl sees the problem with the Macs accessing Services for Unix on the Windows server:

I'm also experiencing this. I however, am using MS Services for Unix and so have Directory Access in Mac OS X treating AD as regular LDAPv3 server. It worked great with Tiger, but after the upgrade to Leopard I can no longer find any AD users. It has something to do with its search path (I think) since the Directory Access program says the server is responding fine.

An anonymous reader saw this problem with the Leopard Beta. He also describes the symptoms:

I submitted a bug report on Leopard beta regarding AD binding and account creation months ago. This was for Leopard 9A559 and before, and it looks like it still exists in 9A581, the Golden Master shipping version. Apple knew knew full well that AD binding is not working.

Go back to Tiger 10.4.10. This is the very reason we are not on Leopard and won't be until Apple fixes this.

Here's the bug: you can indeed bind to AD via the Directory Utility. It reports as "AD Server Responding Normally." Log out or restart, it does not matter. You get the "Red Ball" at the OS X Login Window (meaning you have no connected directory servers, AD or OD, it should be a green ball).

You go to login with your AD user name / password and the Window just shakes, no dice, no login, never creates your AD network account (which is really local).

Top of PageReader says Leopard AD binding fails during step 5

Wednesday, January 9, 2008

Mark Staben is another reader whose problems with Leopard binding to Active Directory. He sees the same error message as another reader did:

I can't believe this isn't fixed yet. With regard to " + contact + " "Unable to access domain controller. This computer is unable to access the domain controller for an unknown reason."

This is exactly what I get when I attempt to bind. It happens at Step 5 during the binding process. It worked perfectly in Tiger.

I have about 100 machines waiting for Leopard and I bought the licenses the day it was released. Unfortunately, those machines will be sticking with Tiger until this is fixed.

More bugs with Leopard on Active Directory and a workaround for slow login (turn off Bonjour) | Leopard Macs can't bind to Active Directory |

Wednesday, November 7, 2007

Readers are reporting more buggy behavior with Mac OS X 10.5.0 Leopard on Active Directory networks. Many readers have previously reported Rob Groome's "unexpected error,". Today, we have readers reporting some other strange behavior surrounding AD binding.

Leslie Wong verified a Top of Page, but offered an odd workaround. She also reports a problem waking from sleep:

I have two Macs in a Windows Server 2003 environment (a ".local" domain) and was able to bind to the AD after a clean install of Leopard. But logins, like Alan Auman's, were "horrendously slow." Also, any operation that required administrator authentication were similarly slow.

I found, in the Apple discussions, that turning off Bonjour immediately stopped the problem. Logins were as fast as they were in Tiger. But turning off Bonjour caused other problems, such as not being able to start Aperture.

I also noticed a problem that when the Leopard machine wakes from Sleep, it was not always able to communicate with the domain. The Directory Utility would indicate that the ADD was not responding normally and a reboot was required for it to be "responding normally" again.

Justin Rummel found a way to log in using a mobile account:

My AD experience with Leopard has been interesting. After a clean install on my MacBook Pro, I was able to bind to AD but forgot to select "mobile account" check box, thus not being able to use the MBP at home. I returned to the office the following day, checked the box and was working fine until I restarted. My username and password (both as entry fields) never authenticated. It wasn't until I used my local admin user (that was established on install) and used "Switch Users" that I was able to login successfully. The difference, the username was preselected for me. I switched the login form to be a list of users so I only have to type in a password. Everything is working as expected.

Eric Lukens said that Leopard does not authenticate accounts that are in sub-domains, which he suspects is a bug:

We've identified that Leopard does not authenticate accounts that are in sub-domains. We have a main domain forest with several sub-domains. The computer can be bound to any of the sub-domains or the main forest, but only accounts in the main forest will successfully log in. We've looked at the Directory Service debug logs, and the Leopard machine seems to find the account in the sub-domain, but doesn't not complete authentication. Also, will only show names from the main forest, not the sub-domains.

So far we've been successful with accounts that are part of the top-level forest. Since the option exists in Directory Utility to "Allow authentication from any domain in the forest," I'd say this is a bug that should/will be fixed.

David Troup's discovered an odd bug:

I've just installed Mac OS 10.5 for the second time on the same machine, I can't get it to log onto the AD, even though it creates the computer account.

I've have found a nice little bug though, if you have the Mac connected to the AD and logged into the Mac as a local admin you can't create user accounts, it creates the home directory but not the user; as soon as you disable the AD then you can create as many accounts as you like.

Corwin Ip can't log in with his Windows account info:

On one machine, I did a Leopard upgrade, and could not login with my Windows account info. I logged in as a local admin and had to force unbind. There were no problems binding it back to AD, but still cannot login with my Windows account even though I had to use it to add the machine to the Windows domain.

The second machine was a clean install, same thing as first, except without the unbinding problem because it was never on the domain to begin with.

MGM, a Leopard beta tester, said that Active Directory was broken in the pre-release versions of Leopard:

In Leopard build 9A559, binding to Active Directory 2003 was not totally working. You could bind to AD, in Directory Utility, but it was then useless. Upon logout and when attempting to login/authenticate to AD for the first time and thus create your local profile, no go, the OS X login window just shakes, no login. The bug was filed, let's hope it is fixed in a shipping Leopard.

Jason Sheridan:

I am having this same issue with upgrading and with a clean install.

Current news on the problems with binding to Leopard to Active Directory.

previous report of very slow AD connections

MacDrive 7 lets you access your Mac OS X partition, and all other Mac disks, from within Windows. Mac disks look and act like standard Windows disks. Windows apps can open and save files directly on Mac disks. Copy files between HFS/HFS+ Mac disks and NTFS or FAT32 disks.

MacWindows home pageThe Leopard 10.5.1 update's effect on Active Directory | |

Apple did not list any fixes for Active Directory bugs for the 10.5.1 release, and readers didn't see any improvement.

Reader says 10.5.1 doesn't help AD problems, nor does turning off Bonjour

Monday, November 19, 2007

Brad Ong reported that the Mac OS X 10.5.1 updated did not fix Got Boot Camp? You need MacDrive 7. , also did not help. In his report, Ong describes the procedure he used:

I did update the MBP to 10.5.1. It doesn't help. Brand new MacBook Pro, 2 weeks old. I've been administering Windows since NT4.

When I didn't bind the MacBook Pro to the directory, I was able to use Keychain to see my Windows server shares. Was able to get the MacBook Pro to use my Windows 2003 print server, and I was able to get Entourage to use Exchange to download my mail.

Started binding to AD and set it up according to the common procedures in the forums: Set up Directory Utility services with Create mobile account at login, Require confirmation. Use UNC path, all checked under "User Experience", set the preferred server to my main domain controller under "Administration". Clicked on Bind and the MacBook Pro was added to the domain.

The MacBook Pro showed up in the Active Directory Users and Computers. Showed up in DNS. I had to create a reverse pointer record.

So, the Active Directory plugin is enabled, "domain.local" shows up in the Directory Servers tab, all my computers show up in Finder "Shared." Printers still work well. Windows shares still work. Directory now shows all the users in my Active Directory listings. When using Accounts in System Preferences, the "Allow remote users to login" is checked and the Active Directory user names show up for "Allow these users to login".

Then I log off, click on login and the "Other." The login name shows up as expected.

Here's the problem: I enter all variations of domain\username, username@domain.local, etc. but all I get is the login screen shaking at me.

I tried the Top of Page, but that didn't help.

I tried restarting the laptop but that only makes the "Other" login name listing disappear. Then when I try to logon with my local admin account it takes forever. Sometimes I have to hold the power button down to shut off the MBP then power back up. This may allow me to login with the local admin account in a reasonable amount of time.

If I unbind the MBP from the domain, everything gets back to being really quick and snappy.

Leopard's Active Directory binding problemsTIP: a suggestion for 10.5.1 -- avoid binding in 10.5.0

Monday, November 19, 2007

Toni Weurlander of Finland avoided problems with Leopard 10.5.1 by NOT connecting in 10.5.0:

I just installed a new MacBook Pro freshly with Leopard, updated it to 10.5.1 and bind it to our AD. Everything just worked like it did on Tiger. Never tried to bind it with 10.5.0. All SMB shares seem to work as expected.

Turning off Bonjour, as another reader recommendedReader verifies Leopard 10.5.1 binding to AD: avoid binding in 10.5.0

Thursday, November 29, 2007

Benn Kovco verified a suggestion from another reader for getting Leopard 10.5.1 to bind to Active Directory:

I've managed to get solid, functional AD connectivity after experiencing all of the issues describe in various forums. I finally got it to work by following disabling of Bonjour as recommended at MacWindows at MacWindows.

This worked for me, taking care NOT to even attempt to bind AD while still on 10.5.0. I posted more at the .

Leopard Active Directory problems continue with 10.5.1 update

Wednesday, December 12, 2007

Stephanie Renken reported that Toni Weurlander's suggestion were not fixed with Apple's 10.5.1 update:

I upgraded my AD bound Tiger laptop to Leopard, and could not log in after the upgrade unless I unplugged my network cable. I unbound the machine to get past this issue, and have never been able to rebind it using my credentials. I get the "Invalid user name and password combination” error. However, another admin user can bind my computer with no error. I'm now running 10.5.1 and still cannot bind this computer using my credentials.

Apple Discussion forumsApple rep recommends lobbying Apple to fix AD-Leopard incompatibilities

Monday, December 17, 2007

Jem Dowse in London was given some advice about getting Apple to fix :

I asked someone I know at Apple today about the various Active Directory issues that persist with Leopard. His advice is to escalate the problems with AppleCare, especially if you have one of their premium accounts. Chances are everything you say will be a known issue, but escalating it will be another prompt for Apple to prioritize some fixes. I actually got an apology of sorts from him. He said that this is completely new code and problems should be fixed in the next dot-release or two, but couldn't comment on time scale.

Me, I'm waiting for the day when I can bind just one machine to our domain even once. Till then we have 350 machines here that are definitely sticking with Tiger!

The Mac OS X 10.5.1 update did not fix these problems.

Leopard's Active Directory problemsReader says clean Leopard install resulted in performance hit for AD access

Tuesday, February 5, 2008

Frank Ong tried a clean install of Leopard. He didn't have the that a lot of reades have reported but did see another problem:

Just thought I'd let you know that a clean install of Leopard up to 10.5.1 before doing any binding did allow me to bind to my Active Directory and get my logon account to work (my user home directory even showed up). But any process accessing my directory (from using file shares to routing a print job to logging on itself) was sooooooo ssslllooowww that I just gave up and took my Mac off of AD.

If you've seen this

Current news on the .

Active Directory binding problems
Give your Mac ActiveX in Internet Explorer, launced directly from the Finder.
Starts at only $40 (Windows not required!) Free trial from CodeWeavers
" + contact + ".

MacWindows home pageMore suggestions for Leopard 10.5.1 (and maybe later) and Active Directory

TIP: Suggestion for Leopard binding to AD points to LDAP, Kerberos issues, in hosts file

Wednesday, December 12, 2007

Hugh Burt did some troubleshooting of New CrossOver 7 Runs Outlook, Office 2007 on a Mac--without Windows that many readers have been reporting. He found that Leopard was selecting different servers for LDAP and Kerberos. He discovered a way to get around it:

With Leopard, the Mac seems to ignore the priority settings for LDAP and Kerberos Services in the DNS, hence it kept selecting the DC that was behind the firewall, rather than a local server. The firewall allows LDAP access, but no RPC, Kerberos, etc. so the process would fall over with the unknown error.

As a work around, we added the name of the firewalled server to the machine's hosts file but with an invalid IP number. This then forced the machine to go off and try another server BUT then the binding would fall over right at the end with an "invalid username" message. A console message also said a password could not be changed.

Using wireshark again, we found out that the machine was selecting different servers for LDAP and Kerberos. It was using LDAP to create the account with one server and then using another server and Kerberos to set the machine's password. This second DC would then fail the process because it was not aware of the account that had been created milliseconds previously on the other server. (AD servers take about 15 minutes to replicate) so hence the slightly ambiguous but correct console message.

As a work around, we added all the local DCs to the host file but all with the IP of a single server. This made the machine use the same server for both LDAP and Kerberos and at last we got the machine to bind. Another workaround would be to manually create the account, wait 15 mins for the DCs to replicate so they are all aware of it, and then bind the Mac.

The sys admin also commented that the binding process "really hammers the DNSs" and that PCs do it much more simply. Also 10.5 does not seem to do reverse lookups which 10.3 and 10.4 did.

Hope this might help some people struggling with AD binding and perhaps someone from Apple may read it as well because the AD plug-in really does need some re-writing.

If you've tried this

Another report on editing hosts file for Leopard/AD issues

Monday, December 17, 2007

Jason Bennett sent us report on his progress with Leopard's problems binding to Active Directory in Leopard:

I saw your post on regarding the 10.5 binding and editing the hosts file. I edited /etc/hosts to force all nine of our domain controllers to a single IP. Then I tried to bind and got the invalid username/password deal. Then I pinged the different domain controllers and they were pointing back to their real IPs.

I restarted the computer and pinged again and everything went to the IP I had in hosts. I thought maybe I was in the clear so I tried binding again and I got the same error. I pinged the servers again and they were back to the real IPs.

So I restarted again and pinged the DCs and they were all going off my hosts file again. Opened a terminal and pinged a server as I was trying to bind and it stayed with the hosts file but the computer didn't bind. Stopping and restarting the ping changed it back to the real IP after the bind failure. I then tried this with all of the domain controllers pinging at once as I tried binding and still no luck.

So that's where I'm at now, trying to figure out why binding to AD breaks free from the shackles of /etc/hosts.

Current news on the " + contact + ".

TIP: Use full domain name for Leopard AD bug; A reader hears from Apple | editing host files to get around the Active Directory problems |

Wednesday, January 2, 2008

Michael Anderson provide another suggestion for working around MacWindows home page:

I've seen this in several iterations and with several different symptoms. But it's been easy to fix. The problem is that the Leopard implementation is picky.

  1. Make sure your time zone is set correctly.
  2. Make sure your Date/Time are auto set by the system. Or that it is VERY close to what the AD server is set to (if it's off by just a little it won't work).
  3. Make sure your using your full domain, as in "" Not just the short name for it.
  4. Make sure the checkbox to allow domain administrators to administer the box is checked.

That's it. I have had a few different error messages. And if I double-check all four of these things, it has works every time: 18 and counting.

If you've tried Anderson's suggestion if it worked for you.

Keith Cox reports that Apple told him that the problem is with large networks:

We have the same issues with computers not being able to join the domain. I have talked to Apple and we have been told the issue is related to large domain of more than 64 DC's.

Top of PageReaders verify " full domain name" tip for Leopard AD bug

Friday, January 4, 2008

Two readers report success with a problems with Mac OS X 10.5 Leopard binding to Active Directory (directly above) on enabling Leopard to bind with Active Directory.

Tom Stovall:

Yes, AD sign-in does work for me if I use a fully-qualified active directory name eg...

Adrian Stancescu focused on Step 4 of Wednesday's tip

With regards to the Michael Anderson's tip, it seems to have worked for me. The only thing I did differently when trying to bind my Mac was Anderson's Step 4, to check the box that allows domain admins to administer the computer.

Everything works now, including accessing the GAL through AdressBook or through the Directory application. I am amazed. I have even managed to log in with my AD account and it worked fine.

Current news on the " + contact + ".

TIP: Date, time, DNS setting for Leopard AD binding

Friday, February 15, 2008

We've previously reported several suggestions for overcoming Leopard problems binding to Active Directory, including tip from Wednesday entry, MacWindows home page, and .

Rob Fawcett offers another suggestion that is similar to deleting the original AD Directory Services:

We resolved our binding issues. Try the following:

Ensure DNS is setup correctly, Date and Time is configured to get time from internal AD server. (Change Kerberos Time Sync in Default Group Policy to 180Min)

if this works for you.

Current news on the editing LDAP and kerberos settings in the hosts file.

another previously reported suggestionTips for Active Directory binding with Leopard: remove user, uncheck mobile user | " + contact + " |

Wednesday, January 23, 2008

Fabien Hory shared a couple of tips for binding Leopard to Active Directory:

Here are a few tips I discovered for Mac OS X 10.5 AD integration.

First of all, if your computer already exists in AD, ask your admin to remove it before trying to reintegrate it and wait until the replication is complete (ask it to your admin).

Another tip that worked for me : after binding the Mac to AD, I wasn't able to login with an AD user. To solve it, I had to uncheck the "create a mobile account" in the AD configuration DialogBox.

If you've tried these suggestions

Current news on the .

Top of PageLeopard AD binding: success with a type of login after security update | " + contact + " |

Friday, January 25, 2008

MacWindows home page that a recent Leopard security update was the cause of . Today, James Perih says that the recent security update helped Leopard's Active Directory binding issues with a certain type of login:

Now I'm *REALLY* confused.

I unbound from the Active Directory, and bound again to the directory: Used my Administrator@domain.local account to login (the whole fully-qualified account sign in) Everything worked peachy.

I logged out.

Logged in as a domain user@domain.local : DID NOT WORK.

BUT, then I logged in just as domain user (without the @domain.local) -- and much to my surprise, IT WORKED. I tried all my users, and it worked.

And I swear, this is what I've done in the past, which did not work. 10.5.1 installed. All updates and security updates installed. Did something in a security update fix this?

I should also specify that:

1) I used the Microsoft Document on how to connect Mac OS X 10.x clients to Small Business Server 2003 SP1, back when our macs were 10.4.x

2) That worked perfect.

3) I always used the option, "Allow Domain Admins to Administer this computer," even back at 10.4.x

4) I did in-place upgrades of the Mac clients to 10.5. Directory lookups worked, Binding and Unbinding worked, but authentication did not work.

5) I followed the instructions I sent you the first time around... unbound, rebinded, etc.

6) Still didn't work.

7) Upgraded to 10.5.1 around Dec15 or so. Did the unbind/bind again -- same pickle.

8) Since then, our Mac clients have received various Software Updates, including the security updates as of late. And, NOW it works fine, as I had previously specified. I cannot pinpoint the updates as the factor that allowed AD Authentication to work, but what I can say, is that a) using fully-qualified account login DID NOT WORK (although during the bind process, I did use a fully-qualified account login for the domain admin), and b) I did the same steps as before Software Updates, and it did not work. But now, suddenly, it does.

If you've seen this

Current news on the Earlier this week, we had a report.

problem with ISA proxiesSuggestion for Leopard on Active Directory login problems | " + contact + " |

Tuesday, February 5, 2008

A reader called Marbil has a suggestion for using Mac OS X Leopard in Active Directory networks:

I am able to bind and login consistently now on 10.5.1. Binding doesn't seem to be the major issue, but logging into the network accounts seems to be the principal issue. Here is my solution:

Before you begin select "Show advanced settings" in the Directory utility. In the Directory utility under Search Policy I clicked the plus sign and added the specific domain I am currently in. By default, the search path is set to All Domains. Selecting the domain I am in resolved the issue for me. After multiple reboots and different test accounts logging in was still possible.

As a test I also unchecked "prefer this domain server" located in the Services tab > Show advanced options > then select the Administrative tab. After a reboot the settings from the search policy tab still held up.

If you’ve tried this suggestion

Current news on the .

Top of Page
Give your Mac ActiveX in Internet Explorer, launced directly from the Finder.
Starts at only $40 (Windows not required!) Free trial from CodeWeavers
" + contact + ".

MacWindows home pageThe Leopard 10.5.2 update's effect on Active Directory | New CrossOver 7 Runs Outlook, Office 2007 on a Mac--without Windows |

With the Mac OS X 10.5.2 update, Click here for more. Some readers reported that the update did fix there problems, while others still had issues.

Leopard 10.5.2 will fix AD bugs

Wednesday, January 23, 2008

Before the update was released, a reader name Jay reported that the unreleased beta of Apple's planned Mac OS X 10.5.2 update addressed :

I can confirm that on any Mac running Leopard Client version 10.5.1, I have had a high failure rate in binding to AD. The common error message is "You have provided an incorrect username and/or password."

AD bind works flawlessly on Tiger. However, I have downloaded the Delta release of Leopard Client 10.5.2 from Apple Developer site and the sucess rate is virtually 100 percent. I have reported this AD feedback to Apple. So clearly, Apple is aware of the AD issues and has updated DirectoryService as part of the 10.5.2 update. I have not had to make any changes to AD, permissions or user authentication.

As to when 10.5.2 GM [golden master] will be publicly released is still unclear.

Top of PageLeopard 10.5.2 update fixes some users' AD problems, others not | Apple promised that it fixed problems binding to domains |

Friday, February 15, 2008

While some readers are reporting that the Mac OS X 10.5.2 update helps Leopard's Active Directory bugs, other readers are still having problems.

For Brian Jackson, the update did the trick:

Just wanted to let you know that the 10.5.2 update did indeed fix the AD binding problems introduced in Leopard. We were never able to successfully bind to AD on our large network (although I never had any problems binding on smaller networks) so we are finally good to go with Leopard.

Jem Dowse still can't bind:

I was anticipating 10.5.2. as the fix that would take me back to the simple Tiger days of binding to Active Directory. Unfortunately the only thing that has changed is the message that's displayed when I try and bind - it freezes at step 4 for "an unknown reason." Investigation reveals that it's still error -14006 that's tripping it up (this used to be displayed in the error message; now I have to dig in the logs for this information!)

So 10.5.2 fixes nothing as far as my Active Directory binding problems are concerned.

Top of PageLogin Items probles: blank screen, then can't login after logging out | Leopard's problems binding to Active Directory |

Friday, February 15, 2008

The 10.5.2 update fixed Andrew Plant's binding problem, but he still has other issues, including joining a wireless network:

I updated my AL PowerBook G4 to 10.5.2 and was able to finally bind to my company's AD. I also was able to actually login with my user account and create a mobile account.

I tried accessing a network drive as well. It mounted; however, it prompted for credentials which points to a problem with single sign on authentication.

There is another issue when trying to access the Login Items for the user under Accounts in System Preferences. When you click on that tab, it hangs for a while and finally a blank screen comes up. Finally, the biggest problem, after you log out, you can't log back in. It seems to try for a while but then it shakes no. I tried changing things in Directory Access with no resolve.

I also still can't get connected to our WPA2 Enterprise wireless network. It tries to authenticate but just assigns itself it's own IP. I'm willing to bet that there is a serious issue with the OS recognizing the user and their permissions because our wireless LAN uses AD authentication. This would explain why I'm seeing issues logging into a network server as well.

whether Leopard 10.5.2 fixed any of these issues for you.

TIP: Workaround for Leopard AD login issue: use last name, first name as the username

Monday, February 25, 2008

Andrew Plant sent an update to his Top of Page, offering a workaround:

For kicks, I tried using my last name, first name as the username when logging in and wouldn't you know it, it worked consistently! Also, in our AD accounts, we have drives that are automatically set to mount and they do. However, I still have to enter credentials when mounting other network drives. The other issues I mentioned before are still present though. I guess Apple still has some work to do.

If you’ve tried this suggestion

Reader can't login to AD as admin with Leopard 10.5.2

Wednesday, February 20, 2008

Dave Macrae found a new Active Directory problem after upgrading Mac OS X Leopard to 10.5.2:

I applied 10.5.2 the other night and am able to bind to my Windows 2003 server domain. I cannot login however with an administrator account. The screen just shakes when I try to log in. I've reset the password on the domain. It's the most frustrating thing. I'm at a loss as what to do now except restage my Mac Book Pro and hope for the best.

If you've seen this or have a suggestion

Current news on the " + contact + ".

TIP: Edit hosts file to add domanin controller IP address | " + contact + " |

Over a period of several months, several readers independently suggested (with some variations) that adding the IP address of the domain controller to the hosts would get AD binding back up.

Advice for AD binding with Leopard 10.5.2: resolve to the IP address of domain Controller

Thursday, February 28, 2008

A reader named Nik describes how he enabled Active Directory binding in Leopard 10.5.2:

After a clean install of 10.5 I upgraded to 10.5.2. I then got the error message "The computer is unable to access the domain controller for unknown reason." I found out that domain must resolve to IP, as described in this MacWindows home page. After applying the suggestion, I was able to bind to Active Directory.

The blog starts like this:

Your domain must resolve to the IP address of a domain controller. This was not a requirement in previous versions, but Apple is apparently making it a requirement.

TIP: Add IP address of the domain controller to hosts file

Friday, March 7, 2008

Although Apple said that the Top of Page, Lisa Madden said she still has problems. She fixed it by editing the hosts file:

I upgraded a cleanly installed 10.5.1 Mac with 10.5.2 and still could not bind to AD. Got stuck on the final step, not able to find the DC. There was no way to specify the domain in Directory Service either.

What finally did fix the problem was adding the IP of the DC and the domain into the /etc/hosts file, rebooting Mac, and trying to bind again. Bind went flawlessly then.

Not sure if this is a problem with how our DCs are configured, or with Leopard, but as long as it's working, that is all I care.

If you've tried this

TIP: Fix disjointed Namespace and AD binding with Leopard Server; add IP of DC to hosts file

Friday, May 16, 2008

Pete Langlois told us how he fixed his Leopard Server/Active Directory binding problem:

We were having a hard time with binding AD to 10.5.2 Server recently. We have a disjointed namespsace in Active Directory, which Apple is aware of having issues. After lots of testing this is how we fixed the issue:

  1. ADD to /etc/hosts file all FQDN and IP of 2NDDOMAIN domain controllers making sure you cp the file first | I got my list by typing the following in a terminal window "dig any"
  2. Under Directory Utility/Show Advanced Settings/Services/Active Directory/Advanced Options/Administrative/ UNCHECK "allow authentication from any domain in the forest"
  3. Under Directory Utility/Show Advanced Settings/Services/Active Directory/Advanced Options/Administrative/ ADD Prefer this domain server (Local DC's IP address)
  4. ADD TOPLEVELDOMAIN to Search Domains under System Preferences/Network (2NDDOMAIN should already be there if not add it as well)
  5. Under Directory Utility/Show Advanced Settings/Search Policy/Authentication ADD Active Directory/2NDDOMAIN and REMOVE Active Directory/All Domains (Correct order should be Local, BSD, 2NDDOMAIN)

TOPLEVELDOMAIN has our schema. 2NDDOMAIN has all of our objects. We have numerous 2NDDOMAIN domains but I figured this might help out other users with large enterprise AD in a disjointed namespace.

If this helps you (or not)

" + contact + "Binding problems almost fixed by adding IP of DC to hosts file, but with odd symptoms

Friday, May 16, 2008

Lisa Madden thinks there's a configuration problem with one of her Active Directory domains with Leopard:

I was able to bind a Mac running 10.5.2 to AD if I put the DC IP and fully qualified domain name in the Hosts file. I should not have to do this. Did not have to do this in Tiger. I got same errors, though, as posted below.

Then I wiped Mac and reloaded Mac OS X. This fixed having to put the DC IP etc. in the Hosts file, so one thing solved. However, while I am able to bind to AD and log in with domain credentials, I can ONLY do this one time. If I just log off and log back in, everything is peachy. If, on other hand, I shut down, reboot, what happens is it lets me log in with domain credentials but immediately brings up the Parental Controls screen and says I have one hour. Huh? I never enabled this. Even if you choose rest of day and authenticate with admin account to get past this screen, your user folder is totally locked. You will never log back in with domain account again.

I have tried this on our regular domain used for Tiger binding, and also in a test OU with no policies going to it, with same result. Next test is a different domain entirely to see if this very odd problem persists.

I think it is our ad config as there is no problem if I bind to different domain.

If you have a suggestion

Current news on the " + contact + ".

Parallels Desktop 3.0 for Mac Run Mac, Windows programs without switching between Windows and Mac OS X! Launch a Windows app by clicking on a Mac file. Hide the Windows desktop. 3D Graphics hardware acceleration. The best of both worlds.

More tips and fixes for 10.5.2 AD problems | " + contact + " |

This section describes suggestions for fixing several different Active Directory issues with Leopard 10.5.2. They may also work for other Leopard builds.

DNS solutions to 10.5.2 AD problems

Monday, February 18, 2008

Although Apple says the Leopard 10.5.2 update is supposed to fix Active Directory binding issues, MacWindows home page. A couple of readers found fixes in DNS. Steven Bandyk offerred this suggestion:

Like in your post at, the 10.5.2 did not fix my AD authentication. I have the exact same problems he described.

I have found the problem however. With the assistance of the macadministrators list and the UIC United Mac Users list I realized that I had a DNS problem. It appears our DNS (non-Microsoft) lacks DNS RR SVR records which would point the AD domain to a Domain Controller. If you lookup your domain it should resolve somewhere. e.g., say your DC is "". You should be able to resolve "".

I'm waiting on the campus AD group to understand what I'm talking about. They don't run DNS. In the mean time, I can bind by adding entries for our domains in /etc/hosts.

If you set DirectoryService into debug mode: > killall -USR1 DirectoryService ... you can find the failed lookup for your domain in the /Library/Logs/ DirectoryService/DirectoryService.debug.log

Noah Willamsson got Leopard 10.5.2 Active Directory binding working by keeping the computers time synced and keeping DNS working:

I got this message while trying to bind to AD: "Unable to access domain controller. This computer is unable to access the domain controller for an unknown reason."

I get this both in the Directory Utility GUI and from the command line (dsconfigad). I got things working with my MacBook Pro upgraded to 10.5.2. The AD servers are running Windows 2003. I was connected to my employer's network with Cisco VPN.

First, when working in a Kerberos environment, it's important to keep time in sync on all involved computers. Secondly, DNS must be working properly as well.

I'm trying to Bind to the domain "" which have the Domain Controller servers and

1. I turned on debugging on the DirectoryService process by killing it with the SIGUSR1 signal and watched /Library/Logs/DirectoryService/DirectoryService.debug.log while trying to bind. The error message popped up shortly after "Step 4/5".

In the debuglog, I found that it complained that " does not resolve - disabled" and then subsequently faild.

2. I tried to force the thing to use a specific DC hostname by checking "Prefer this domain server" and trying to bind with or Both failed.

3. I noticed didn't have an A record in DNS, i.e, it wouldn't map to an IP-address.

I don't know if this is a problem as it was still able to find out about dc1.galax.hds.e and according to stuff in the debuglog (not shown).

What I did to get things working now was to add the following line to /etc/hosts

<ip of>

4. Now I tried to bind again and it worked!

So to summarize what worked for me:

  • Time must be in sync on all involved computers
  • DNS must be working
  • The Active Directory Domain you're trying to bind to should have an address record (A-record) pointing to one of the DC servers.

If you these approaches worked for you

Current news on the readers are still reporting problems.

Jem Dowse, who you quotedTIP: AD binding and login fix for 10.5.2 | " + contact + " |

Monday, March 31, 2008

Peter Kloss offers a fix for MacWindows home page:

After my which you kindly posted for me, we have spent a while trying to get the 'native' AD plug-in working in Leopard against our enterprise AD of 10 child domains and around 50 domain controllers. Therefore we have been following with interest the experiences and suggestions of your readers.

Having thought we might have to do most of the painful stuff with debugging Kerberos as described in your reports, we then discovered Top of Page. We had already accidentally discovered that putting the DOMAIN we were trying to bind to into /etc/hosts, eg: an entry like allowed us to bind and login with a domain admin account. But normal user logons did not work for two out of three attempts to do this.

We followed suggestion (2) in the blog about turning off 'allow authentication from any domain' AND added the target AD domain to the search path - (click on the search path tab in the directory utility and the '+' at the bottom left - it then pops up a list of available domains) - I clicked on 'my' domain in the list, and then put it above 'All Domains' in the search order. Then applied and quit the Directory Utility. We can log in with ordinary user accounts, and quite speedily in most cases without having to Leopard Active Directory binding problems.

If you've tried this fix

a blog that held the answersLosing privileges? Turn off IPv6 | turn off bonjour (as others have suggested) |

Thursday, February 28, 2008

Matt Short reports that turning off IPv6, which has been reported to help with a number of Leopard problems, also helped him with another Active Directory problem:

Have you had any responses of folks being able to bind to the Active Directory network, mounting a volume, but then losing all privileges as soon as a file is being opened? Let me explain:

  • Brand new MacBook Pro, fresh out of the box
  • Using Directory Utility I can bind to windows domain terminal can read computer profile in AD
  • Server 2003 can "see" computer in AD users & computers
  • Connect to a server (listed under "shared" in the panel to the left of a Finder window) with windows network admin privileges
  • View a file server, open and mount a shared folder (mounts as a volume on the mac)
  • Open a file (so far any Excel spreadsheet)
  • Get an error: 'file_name.xls' cannot be accessed....
  • Mounted volume disappears
  • Windows 2003 server no longer has computer "macbook" listed in AD "computers"

I'm running 10.5.2. I was on the phone with Apple Tech Support for about an hour and half Thursday night. They sent the problem to the Apple Engineers. What seemed to help some is turing off IPv6. At least then, I could open some files, although not all. The biggest problem was Excel documents in Excel 2004 11.3.7. Interestingly enough, some of the smaller spreadsheets would open fine in Numbers '08, but have permission problems in Excel. Word documents, text files, etc were all okay after IPv6 was turned off.

If you've seen this problem

Problem and fix for Leopard AD: First user okay, subsequent users can't login

Friday, June 20, 2008

Stuart Sims reports a problem with Mac OS X 10.5.2 and 10.5.3 logging onto Active Directory. The first user has no problem, but users after that get a "login failed" error message. He also found a fix:

I am seeing an issue when authenticating from an OS X 10.5 client using a Windows 2003 AD for authentication and home directory storage. I've tried this on a few networks now with various configurations including Windows 2000. When logging in with an OS X 10.5 client bound to the AD and to an Apple Server Open Directory the first AD user that logs in follow a reboot is authenticated without a problem and the user logs in as expected. Any subsequent AD users that try to log on receive the error 'Logging into the account failed because an error occurred' and the following error is logged:

05/06/2008 14:35:00 authorizationhost[283] ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://testserver.test.internal/testuser$,
homedir=/Network/Servers/testserver.test.internal/testuser$, name=testuser ) returned

I get the same result with 10.5.2 and 10.5.3.

The Kerberos authentication goes through OK when analyzing packets but for some reason the home directory won't mount for subsequent users unless you reboot, also if the first user that logged in tries to login again they are able to do so, but only them.

With a bit of digging I found that the first users home area is being held open/mounted. Logged on as a local administrator I tried to 'umount -A -f' i.e. umount all volumes, the first user connection was listed but would not unmount.

The Fix:

I resolved the issue by editing the following files as described:


[[Note: another readers says the above file should be /etc/hostconfig -Ed.]]



Hash out the following lines:

#/net -hosts -nobrowse,nosuid
#/home auto_home -nobrowse
#/Network/Servers -fstab

Basically, as far as I can see this disables all automount features which is fine for AD Integrated setups which don't use any automount features and that have home directories stored on the Windows Servers.

If you've tried this fix for this problem

" + contact + "Reader verifies hostconfig fix for Leopard AD login problem

Tuesday, July 22, 2008

Tim P verified a for a Leopard problem logging into Active Directory after one user has logged in. The fix involved editing the hostconfig file:

I tried the fix posted by Stuart Sims regarding "Problem and fix for Leopard AD: First user okay, subsequent users can't login" posted on My setup is very similar to what he described: clients are bound to AD, home folders on Win2003 Servers, accessed via SMB, no local homes/mobile accounts created on login. Clients also log in to an OS X Open Directory for Managed Preferences. I had the exact same problem - the first user to log in on bootup was fine, but no other user could log in.

I had used the /etc/hostconfig edit on 10.4 clients to fix a similar problem and had tried it with 10.5, but the key was editing the /etc/auto_master file as well. This solved my problem, thank you very much Stuart! I had been puzzling about this all year.

P.S. On the webpage, the instructions are to edit /etc/automount in order to change the line AUTOMOUNT=-YES- to AUTOMOUNT=-NO-. I believe this is an error: there is no file /etc/automount, but there is a file /etc/hostconfig with the line AUTOMOUNT=-YES- in it.

I'm very thankful for this solution!

" + contact + "
Give your Mac ActiveX in Internet Explorer, launced directly from the Finder.
Starts at only $40 (Windows not required!) Free trial from CodeWeavers

previously reported fixSlow Active Directory logins with Leopard, and workarounds | New CrossOver 7 Runs Outlook, Office 2007 on a Mac--without Windows |

Apple said that the 10.5.3 update address login delays when logging in to a .local domain. This problem may only apply to 10.5.2 and earlier. If you've seen this in 10.5.3 or later

Logins are "horrendously slow"

Wednesday, October 31, 2007

Alan Auman said that his logins are "horrendously slow:"

While I've been able to bind my Leopard upgrades to AD, the login for an AD user account takes up to 3 minutes to complete. Disengaging screensavers when using an the AD account credentials also suffers from this delay.

TIP: Workaround for slow AD login: Disable Bonjour

Wednesday, November 7, 2007

Leslie Wong verified a Top of Page, but offered an odd workaround. She also reports a problem waking from sleep:

I have two Macs in a Windows Server 2003 environment (a ".local" domain) and was able to bind to the AD after a clean install of Leopard. But logins, like Alan Auman's, were "horrendously slow." Also, any operation that required administrator authentication were similarly slow.

I found, in the Apple discussions, that turning off Bonjour immediately stopped the problem. Logins were as fast as they were in Tiger. But turning off Bonjour caused other problems, such as not being able to start Aperture.

I also noticed a problem that when the Leopard machine wakes from Sleep, it was not always able to communicate with the domain. The Directory Utility would indicate that the ADD was not responding normally and a reboot was required for it to be "responding normally" again.

" + contact + "Another workaround for slow AD login with Leopard 10.5.2

Monday, February 18, 2008

Tim Adams says that Active Directory binding works in Leopard 10.5.2 works, but Tiger was better:

Binding to AD seems to work fine now on 10.5.2 however I still have about a 60 second delay at the login and unlock screens when using an AD account. I have followed others' advice and use the FQDN (username@my.domain) for my username and that seems to make things snappier. So far Leopard is no Tiger in the AD integration space.

If you've seen this issue

Current news on the previous report of very slow AD connections.

More readers report slow AD logon in 10.5.2

Wednesday, February 20, 2008

Several readers responded to Monday's report about " + contact + " update. John Malpas in the United Kingdom said:

We are rebuilding (erasing the drives before installing the OS) all the Macs in the business to 10.5.2 using AD (mobile accounts) where the home directories are on an XServe (running 10.4.11). We are seeing the same as most people - it takes ages to log on, if at all. Sometimes you can log in sometimes can't. We're finding it all very frustrating.

Reader named Aj also complained about performance:

I have seen this issue after getting some new iMacs with Leopard 10.5.1 and finding an article about binding them to Active Directory. I followed the article, and it worked, but it was just way too sluggish…

I finally abandoned the idea because it just did not seem worth the benefit. While AD integration might be convenient, I thankfully am not in a situation where it is required.

Apple has listed Active Directory binding problems as a MacWindows home page. Leopard has had AD binding issues since 10.5.0.

Verification: Disable Bonjour to fix Leopard's slow AD login

Monday, February 25, 2008

Mark Walsh verified that slow logons to Active Directory in the Leopard 10.5.2 problems with Leopard.

I had a similar problem, was taking about 2mins to authenticate. Disabling bonjour fixed the problem straight away. Check out problem that the Leopard 10.5.2 update fixed.

If you've tried this

H. Barnes describes having the problem with the 10.5.2 update:

AD integration seems to work very well, except that authentication has like a 1-2 minute delay still (was more like 3-5min before). Tiger is instantaneous, seems silly that Leopard is still having this awful delay after AD supposedly being "fixed."

Jeff Geerling:

I have had this problem as well; all the Macs I've been able to bind to the directory (a few of them with fresh installs of Leopard, and a couple with upgrades from Tiger) take at least two minutes to authenticate a user. This is completely impractical for our situation (a school setting), where students often come to the computer lab to just check their email or print a document.

The PCs in the lab have always logged in in less than 10 seconds, while the Macs always used to take about 20. Now, the Macs take so long that students give up on them and go over to a PC. We'll probably end up reinstalling Tiger on them unless we can find a fix soon.

disabling Bonjour fixes the slow Active Directory loginTheory on Bonjour and slow AD login in Leopard

Thursday, February 28, 2008

We've received more mixed reports about this link in Leopard.

It worked for H. Barnes, who sent us a suggestion and a theory:

I tried disabling bonjour and it works like a charm. There is a small app called iServeBox (v1.04) for the terminal faint of heart that allows disabling Leopard services.

I did some more research on this and it appears it is actually an issue with OS X use of .local and Bonjour. This conflict only appears in domains that do internal authentication ending in .local (for example, example.domain.local). This has been standard move for many single-site businesses since server 2003 and it seems ridiculous that Apple got blind-sighted by this.

Colin Leyden in the United Kingdom confirmed the workaround:

I can confirm that disabling Bonjour does indeed fix the slow Active Directory login problem. As noted by others, login previously took 2 minutes. This was cut to 5-10 seconds after disabling Bonjour. (Windows Sever 2003, Mac OS X 10.5.2 client)

Turning off Bonjour did not help Jeff Geerling:

When I disabled Bonjour using the instructions linked to in your February 25 posting, I could no longer login using any AD names at all; it would give me the 'no' shake, and I can now only login with the local administrator password. I'll have to re-enable Bonjour and suffer through the long login time.

" + contact + "More on Leopard slow AD binding, Bonjour, and .local

Monday, March 3, 2008

A pair of readers commented on our reports of . Jeff Geerling, who has previously reported that turning of Bonjour fixed the problem, also notes the same potential cause in the .local suffix:

It's my hope that someone figures out a solution for everyone. I don't know if this has anything to do with the problem, but our AD server ends in ".local," which is the suffix that is also used by Bonjour.

Daniel Costello also confirmed the workaround:

I can also verify that turning off Bonjour solved the slow login problem. We are faced with figuring this out since some laptops being shipped today are quirky when Tiger is installed (they ship with Leopard). After disabling Bonjour, the 3-minute log ins went to 5 seconds. Also, the 5-minute binding duration dropped to less than 10 seconds.

Current news on the turning off Bonjour as workaround to slow Active Directory login.

Parallels Desktop 3.0 for Mac Run native Windows programs without switching between Windows and Mac OS X! Launch a Windows app by clicking on a Mac file. Hide the Windows desktop. 3D Graphics hardware acceleration. The best of both worlds.

Active Directory in Leopard 10.5.3 | slow Active Directory logon with Leopard 10.5.2 |

MacWindows home page

10.5.3 fixes AD problem, adds a minor glitch

Tuesday, June 3, 2008

Peter Kloss said that the Leopard 10.5.3 update fixed his Leopard Active Directory problem. It also added a small glitch, which Kloss was able to fix:

I wrote to you a little while back about getting 10.5.2 to bind to our multi-child domain AD forest, that we had to modify the hosts file with an entry for our domain ( for example) and to uncheck the 'allow authentication by any domain controller in the forest' option. Well it looks like 10.5.3 fixed both those problems on the one test system I've tried so far (took my 10.5.2 out of AD, commented out domain entry in hosts, rebooted, added back in to AD).

However, the add back in to AD was not entirely trouble free. I had put the computer account into another OU than 'Computers.' This caused a problem at the end of the bind process: a box came up and claimed that the OU, entered in the correct case and syntax, did not exist. This was even though it used the path to find an existing computer account and asked to overwrite it earlier in the process! I put the computer account back in to 'computers' and all worked! This could be a one-off, I haven't had a chance to repeat the test.

how the 10.5.3 update affected your cross-platform Leopard-specific Active Directory issues.

Top of PageTIP: Leopard Server 10.5.3 Open Directory problem and fix | Apple listed several Active Directory fixes with the 10.5.3 update. Readers are still reporting various problems. |

Monday, June 9, 2008

Khaled Yassin reported a new problem when he updated Leopard Server to 10.5.3. He also found a fix:

The following happened the day I upgraded the Open Directory Server from 10.5.2 to 10.5.3. When any Windows user tried to connect to a Mac OS X file server it didn't authenticate. At first I thought they'd forgotten their password. But when I asked users to change password (that met the password policy). It gave the same result: authentication refused. To solve it, I put in a simple password, such as "abc" or "123," and then asked user to recreate the old password. The surprise that it now works.

If you’ve seen this issue or tried this approach

Reader can't see files with 10.5.3 and ADmitMac

Monday, June 16, 2008

Kent Barnes is having problems seeing files with Leopard 10.5.3 and Thursby's ADmitMac:

I finally got my shared directories from our Windows 2003 server to mount/auto mount in 10.5.3 (using ADmitMac for the auto mounting and joining to the domain).

Yesterday, everything was great. I saw all the files in the Publishing shared directory (probably 125 to 175 individual files and sub directories).

Today, I booted the Mac, signed on to the domain. The Publishing directory mounted, but I can only see one sub directory and three files. I've tried rebooting several times--same thing each time.

I've worked my posterior off finally getting some Macs in this organization (being a Mac user since the mid-80's). But the number of things that are breaking integration/network wise with 10.5.3 is just about to push me into pulling them all off the network and going back to a 100 percent Windows setup.

If you've seen this issue

" + contact + "Readers says 10.5.3 did not fix his AD problem

Monday, June 16, 2008

Although there are reports of the, Kurt Tappe reports that the update had no effect:

Leopard 10.5.3 did not solve our AD issues. We've been having trouble since 10.5.0 with binding Leopard to our AD. So far, 10.5.3 has made no difference whatsoever. Here are our findings:

1) Unlike Tiger, Leopard will not bind if the AD record pre-exists. Tiger actually required that it exist or it would result in an authentication error while trying to bind. Leopard is the exact opposite--if the record exists, binding results in an "insufficient privileges" error.

This is a problem, because it's difficult in a large AD implementation to be sure a record is completely deleted before trying to bind. Our AD consists of 36 controllers around the globe, and because a "delete" command is given low priority by Microsoft, replication can take many hours. "Delete" should not even be necessary--there are AD commands to reset the password and change any necessary attributes of an existing AD record that Leopard could use instead of having to create the record from scratch each time.

2) Once Leopard is bound, AD authentication does not seem to "stick". If left overnight, AD authentications fail--the workstation cannot be unbound nor can it be logged into using AD credentials. This in spite of it claiming it's bound and it giving a green "Network accounts available" indicator on the login screen.

All of this has been communicated to Apple Enterprise support. We await resolution.

If you've seen these problems

Another reader says 10.5.3 doesn't fix Leopard AD binding problems

Friday, June 20, 2008

Devin Comiskey echos a Mac OS X 10.5.3 update fixing some of Leopard's Active Directory problems that the Leopard 10.5.3 updated did not fix Active Directory binding issues:

I'll echo the complaints about 10.5 and AD. There is NO improvement with 10.5.3. This is proving very troublesome for some of our remote users when I'm not around. Luckily each machine has a local admin account I can remotely log in to and re-bind. But often I have to unbind and rebind a few times plus a restart or two before the problems are fixed. I wish I had just installed 10.4.11 on these machines instead.

If you've seen this problem

Reader reports Leopard 10.5-to-10.5.3 update caused AD login problem | previous report |

Friday, June 20, 2008

Although Peter Kloss previously reported that the update to " + contact + ", he found a new problem with an upgrade straight from 10.5.0:

I've had two of my sites report that a system that is freshly built and updated to 10.5.3 by the Combo updater straight from 10.5.0 (rather than via 10.5.2) has problems with logging in AD users. This is where the portable account option is selected and it is meant to mount the AD specified home share as a network share on logon. One gets the message "you cannot be logged on at this time." If you uncheck the option to mount a share at login then the login proceeds as normal.

On one site I got the login to work by changing the server name part of the AD-specified share to mount. They had recently changed the name and the one referred to in AD was now a secondary name, aliased but not the primary DNS or NetBIOS name of the file server. There is something strange (or unfathomable by normal logic) about the way the AD-specified home share is converted into the name that is used to mount at logon time. On my account AD specifies the NetBIOS short name, but the mount actually displays the fqdn. Changing the AD-specified share server name to use the fqdn causes it to not mount!

If you've seen this

Top of PageLeopard 10.5.3 SMB mounting fails with Open Directory

Tuesday, June 24, 2008

Jeremy Bautista can't connect to SMB file shares when logged into an Open Directory domain:

In Leopard 10.5.3, a clean install with no Directory servers configured, SMB connections can be made without problem. After binding the Mac to an AD domain, I can still connect to SMB shares. It's when I connect to my OD domain where I run into trouble. I fail in mounting SMB shares and sometimes get the error code -6602.

If you've seen this problem

Current news on the " + contact + ".

Give your Mac ActiveX in Internet Explorer, launced directly from the Finder.
Starts at only $40 (Windows not required!) Free trial from CodeWeavers
" + contact + ".

MacWindows home pageReader's Leopard on AD reports "incorrect password" at login | New CrossOver 7 Runs Outlook, Office 2007 on a Mac--without Windows |

Thursday, December 4, 2008

Matt Klusza is having problems logging into Active Directory from Leopard. He keeps getting an error message saying that the username and password are incorrect. He said he checked our Click here for more page and could not find any information. Klusza's report:

I am struggling to fix a small error here related to Leopard 10.5 Directory Utility.

We have a department room with 10 Mac Pros on Ethernet. Each Mac Pro is bound to Active Directory by Directory Utility. No local accounts because students have their Active Directory username/passwords. No LDAP configuration.

A student told me that he couldn't log in. I tried with my username and it won't let me log in, either. I then logged in as a local admin since I am an Apple Technician and clicked on System Preference's Date/Time Pref pane and set up correct time zone and locked it. Next, I opened Directory Utility application and clicked "Services" icon and clicked on "Active Directory". I unbinded this computer ID and re-binded with correct "Network Administrator Required" username and password provided by our ITS Department. The box appeared saying that I entered an incorrect username/password.

I had to ask my ITS Department Network Administrator to remove this specific computer ID off from the server for me to re-bind this. After the removal of this specific computer ID, I attempted to re-bind and it wont let me to due of incorrect username/password. I am completely puzzled.

I also am trying to find a specific folder to clean up Directory Utility's caches. I know we can delete caches from Tiger 10.4's /Library/Managed Preferences folder. But I can't do the same thing with Leopard since Leopard killed "Netinfo". Is there a way for me to clean up the cache on Leopard or any advices would be appreciated.

If you have a suggestion

Current news on the Top of Page.

Leopard/Active Directory Tips and ReportsReader loses AD login after OS X 10.5.6 update | " + contact + " |

Thursday, January 22, 2009

Nick Elniff started having problems with all of his Macs and Active Directory after installing the Leopard 10.5.6

We have about 22 machines running Leopard in an Active Directory environment. They have all been working great for the Fall semester. But ever since the 10.5.6 update we have had problems.

  1. No network login worked. Every machine had to be unbound from AD and then bound back - adding the proper AD user group with administrator privileges.
  2. Tablet drivers are no longer loading for some users
  3. Some users are not able to view their local home folders and can't even make a new folder on the desktop.
  4. Sometimes it takes a couple logon tries to even get a network login to work

I am Enterprise and Domain admin and have these privilege issues and the tablet drivers do not load. There was one iMac that was skipped and it works flawlessly for everyone. I really do not want to go and re-image every machine if I don't absolutely have to. No settings have changed that previously worked flawlessly.

If you've seen this problem

More readers lose AD login after OS X 10.5.6 update

Monday, January 26, 2009

Several readers responded to last week's report about Top of Page update.

Vladimir Paniouchkine also has the problem, and described how he tried to get around it:

I have seen this issue. We have had a problem the similar problem with about 50 Macs in our labs, It started with the update to leopard. Our problem is the following. We deployed the images 10.5.6 to 50 computers using system image utility, and bound the to the AD. They bind just fine and work for a few days maybe even a week. Then they as group stop accepting AD users, the green ball still shows up as everything being connected when I log in with a local admin. To get to work again we need to unbind and re bind them. Tried the following.

  1. Creating the computers in AD before we bind them.
  2. Resetting the local KDCs, which I have read somewhere that it should have helped. Along with removing the AD Preference file after deployment.
  3. Binding them just normally with out creating the accounts before hand.
  4. Created a brand new image to see if that was the fault didn't help.
  5. Used dsconfig to bind them.

Nothing has helped.

Walter Huber:

Have this same/similar problem, installed Leopard 10.5.6 on an external disk, a clone of my Tiger boot drive, after which my network login was no longer accepted on the boot drive but is accepted on the external. It does seem to be an issue with 10.5.6 and Active Directory. Since the inception of Leopard there's been one problem after another with AD. I'll have to get the network admin in tomorrow to reset AD, as it seems there's no way for and end-user to solve this snafu.

Santos Ortega reports a variation:

I am having similar authentication issues except that only when I am not connected to the proper network. When the MacBook Pro (10.5.6) is either connected to the wireless or Ethernet authentication works. When it is off campus for some reason it does not realize that a home directory was created and that user exists. In the directory utility application I have Force local home directory on startup disk enabled. Usually this allows my users of Laptops to go home and use the laptops with out problems. Unfortunately not with the current update, for some reason it seems like it does not realize that the local profile was created. Is there something that I might need to try or that I am doing wrong?

If you've seen this or have a suggestion

Leopard losing AD login may be related to forced unbind; problem unbinding

Wednesday, February 11, 2009

Mike Burdett sees the Mac OS X losing the ability to log into Active Directory after installing the Leopard 10.5.6. His Macs are also having problems unbinding. He suspects that forced unbinds may be related to the issue of losing connections to AD. He also asks if it could be related to a corrupted UID. Burdett has these problem with multiple builds of Mac OS X 10.5, not just 10.5.6:

We are having almost every OS 10.5 Mac (so far 10) loses its connection with Active Directory, DC 2003, server. Even Macs with new OS 10.5.6 that are deployed and added to Active Directory are having this problem.

The problem may start after computer has a problem shutting down and is forced. On restart domain account are not authenticated. These AD accounts can login with cached credentials.

I can discover information from the domain but I cannot unbind the computer from the domain without forcing an unbind. If we remove the domain account(s) and try to bind the computer to the domain the computer can't authenticate to the domain to bind to the domain. The only to repair this problem is to re-image the computer or to reinstall the system. However with in weeks or months the problems will return.

Could the problem be the computers UID used to authenticate to active directory is getting corrupted or is changed? Any way to fix this without reinstalling the OS?

If you've seen this problem or can commet on the cause

Current news on the .

problem of Leopard losing Active Directory loginUnbinding/rebinding a workaround to Leopard Active Directory login problems

Wednesday, February 11, 2009

Two readers independently reported that unbinding and quickly rebinding temporarily fixed problems with Active Directory. One reader used the technique for the previously reported problem of " + contact + ". Another found that it helped with a problem logging into Active Directory: the first login doesn't, but binding/rebinding enables login.

Matt Fecteau found the unbinding/binding temporarily worked for the problem of MacWindows home page, but that the technique no longer works, and the problem is getting more widespread:

I have experienced this same problem and for a while I was able to unbind and rebind all of the machines as a quick fix. However, lately that problem has not fixed the issue. Sometimes when I unbind a machine it will work but when I attempt to rebind it, it tells me my credentials are incorrect or that I do not have sufficient privileges. I am a domain admin and it used to work just fine.

We are seeing more and more issues across the University where students and teachers alike cannot log in to certain Macs but they can on others. I have not found a fix or any work around as of yet.

If you've seen this

Paul Wynder found that unbinding/rebinding is a workaround to problems logging in with OS X 10.5.6. But the first login still doesn't work:

I've been trying to get a new PowerMac with Leopard 10.5.6 to log in with an AD account. The machine has never been bound to AD before.

Binding took about 30 minutes to work. I was a bit miffed about that, but at least it worked. Stayed on step 1 for most of that. I'm running this Mac on a massive corporate global network, so maybe understandable if the binding process has to go for a long walk around the network. Was much quicker on all out Tiger Macs though.

Not so much fun when I couldn't then get a login with any AD account though!

I tried lots of stuff, including disabling Bonjour. Couldn't get an AD login to work. Once the Mac had been bound, even logging in as root took several minutes each time, though worked eventually (phew!). Only unbinding from AD enabled me to log in quickly (with a local account) again. Oh joy! Another Mac with the same spec has exactly the same problems.

Then I stumbled on a breakthrough. If I logged in after merely logging out, rather than doing the full Restart, hey presto! I could then log in either with a local or AD account, and quickly. I kicked myself as thus far, every time I tried yet another "solution" I'd restarted the Mac (well, that is what they tell us good practice usually!).

Overjoyed as I was about this breakthrough, the problem remains that the first login after a Restart or power-on simply won't work. It shakes within about 10 seconds. Using any local account does let me in, but only after about 15 minutes. Giving them to the users in this state is not an option, so I have to disable AD for now. That's a total pain, to put it mildly! Most grateful (and desperate) for any further light anyone can throw on this.

If you've seen these issues

Mac OS X 10.5.6 losing Active Directory loginTIP: Two kerberos-related workarounds for Macs losing AD binding

Thursday, February 19, 2009

Two readers sent in workarounds to the problems of Mac OS X 10.5 " + contact + ", having problems logging in. Both have to do with kerberos, but are different approaches. (We'd like to if you've tried these.) The first reader uses the Kerberos Utility to do a slight reconfiguration. The second reader uses Terminal to delete a corrupt kerberos file.

Eugene Brodsky in Ontario, Canada, uses the Kerberos Utility. The from last week didn't work, but this does... Leopard Macs losing Active Directory binding

" + contact + "Readers verify, modify Kerberos fixes for Macs losing AD binding

Tuesday, February 24, 2009

A number of readers responded to our February 19 unbinding/ binding suggestion. Several readers verified one or the other of the two February 19 tips, some with variations. One reader added some steps to one of the tips. Another reader received an explanation from Apple, as well as a suggestion that was different than the February 19 suggestions. Two additional readers also offered different fixes than those already presented. To summarize, the two fixes previously report are... Read entire story here

Current news on the TIP: Two kerberos-related workarounds for Macs losing Active Directory binding.

Read entire story hereReader question: move Mac AD profile to mobile? | |

Monday, March 9, 2009

Chris Cavanaugh asks how to migrate Macs on Active Directory to mobile profiles:

We are in the process of migrating machines into our new Active Directory Environment. The PC migration has gone fairly well, however, management would like us to start binding our Macintosh's to AD so users would use their campus ID and password and adhere to our password change policy. We are successful in binding Macintosh to the domain however, we have not figured out how to move profile settings from a local profile to a network/mobile profile. In the Windows environment, we have been using a 3rd party tool that has worked very well.

If you've seen this issue or have a suggestion

TIP: workaround for Macs dropping off AD every 15 days | Top of Page |

Thursday, April 9, 2009

Kurt Fattic passed along a workaround he found for Macs that drop off of Active Directory every 15 days. It's a Terminal command that will get the Mac back on. Fattic reports:

I can't take credit for this, but it was on a listserve. This may help some folks out:

...The issue that we found was that every 15 days the Macs would drop off the AD, this is because it would request a new QUID from our AD server. We have had lots of success with the following:

Dsconfigad -passinterval 0

This is a Terminal command to have the Mac never request a new QUID. Don't know how your systems are setup but this has worked very well in our environment. The only issue here is that when reimage or unbind and rebind you need to remember to type in this command or in 15 days it will again fall right off the wagon.

Another issue we have with our Macs on the AD is the computer account information. When you unbind and rebind to the domain is should ask to rejoin the existing account. If it does not that means that it has created a new account with the same name. Most of the time these duplicate accounts cause problems down the road and is best to start fresh.

-- Steve Rodman

If you've tried this

TIP: Using Deep Freeze and Macs dropping off AD every 15 days | Top of Page |

Tuesday, June 23, 2009

Chris Hansen responded to a previous report about " + contact + ". Hansen believes it is due to the use of , software that takes a snapshot of the state of a Mac and returns the Mac to that state every time it boots. He also offered a solution:

In our case, the only Macs that dropped off the AD after 15 days were those in our school labs. On those, we use Deep Freeze for Mac, and the machines would request and receive a new machine password after 15 days. After rebooting, all changes are lost to the Mac (great for keeping a lab pristine) but not to the AD. So the Macs would use the previous password, and the Network Accounts would stay unavailable, seen in the login window as a Red Light.

If this is your situation, in Terminal:

Dsconfigad -passinterval n

Where n = number of days before the machine password expires. O will set it to never, 365 will set it to a year, etc. The default from Apple is 15 days, and it is not a problem for us with unfrozen machines.

I first saw reference to this at Top of Page.

If you've seen this issue with or without Deep Freeze, or tried this approach,

Faronics' Deep FreezeCurrent news on the this blog.

Parallels Desktop 4.0 for Mac Run Windows and Mac apps without rebooting! Now faster, improved Mac OS integration, speech recognition, more notbook battery life, and more.

"In the majority of overall averages of our tests, Parallels Desktop is the clear winner" --MacTech Magazine

" + contact + "Reader seeks script to check Mac AD connection | |

Monday, June 15, 2009

Alex Oumantsev is looking for a script that can check for a Mac connection to Active Directory, similar in function to one for Windows:

I am trying to come up with a script that would check to see if the Mac is connected to AD (i.e. users can authenticate off AD), and if the Mac is not connected, to connect it to AD using the hostname (with some formatting).

So far I found the dsconfigad command, that allows:

dsconfigad -show

However this seems to only show the local setup of the machine, not the real AD connectivity status. My test machine is an example. It was cloned from another machine that is connected to AD, and now it still thinks it is connected to AD, but it will not allow me to log in and authenticate off AD, rather it will only login from a local account.

Is there an equivalent of a Windows command netdom.exe verify "hostname" /d:"domain" which actually checks the connection validity?

If you know the answer

Current news on the .

Top of PageReader success with article on AD setup for Mac OS X Server | " + contact + " |

Monday, June 15, 2009

Charlie Galliher had success setting up Mac OS X Server using the article MacWindows home page:

It was pretty intuitive - I bound it to AD and then set up the server as an OD master, and I can populate my permissions with my AD account users & groups. I also wiped out the config and then rebuilt it - just to see how much trouble we'd be in if an update cracked the binding - seems pretty manageable.

Thanks for the FAQS - they are appreciated!

Current news on the .

Top of PageLeopard 10.5.7 startup problem with AD and Open Directory | How to Use Active Directory and Macintosh Clients without Schema Changes |

Tuesday, June 23, 2009

Andrew Ariotti reports having a problem we reported two years ago about MacWindows home page. Ariotti is using Mac OS X 10.5.7, and found that our two-year-old solution worked.

Like Brad and Justin I am having this issue as well. I'm running the latest 10.5.7 version of Leopard. I've been tinkering with the AD and OpenDirectory authentication integration in OSX for the past few days and things have been working great until this morning. I came in and was greeted with my Mac Pro not wanting to boot. I did some investigation and found a Crash Report that was looping and never stopping no matter how long I waited. The crash report was for the Directory Services process and it was trying to run but then would crash. With the help of a co-worker we were able to find your site and use Brad's solution above and it worked like a charm. It'd be nice to know what causes this to happen.

If you've seen tried this approach

Current news on the Top of Page.

Macs that won't start up when clients are configured to connect to both Microsoft Active Directory and Apple Open DirectoryProblem with Active Directory and NFS

Tuesday, June 23, 2009

Surendra Perera of Sydney, Australia, reports that binding to Active Directory prevents NFS file sharing from working. She said that Thursby Software ADmitMac fixes the problem:

One of the problems I am facing with the Macs is that while using mobile accounts and bound to the Active Directory (Windows Server 2003 R2), via Apple's AD Plug-in, I am unable to browse/write to NFS mounts (Netapp Filer) with permissions 750 or 770 through Finder. In the terminal I am able to with no issue. I have tested this on 10.5.5, 10.5.6 and 10.5.7.

I have found that disabling mobile accounts allows me to access these directories with Finder without issue. We have quite a few Laptop users so Mobile accounts are very useful. I have tested Centrify and AdmitMac. AdmitMac seems to integrate nicely with our environment and fix the issue. I believe the issue to be that the AD plugin is not caching secondary/nested AD groups in a form that the Finder can see correctly. I know that Apple are rewriting the Finder for Snow Leopard, and will hopefully fix these issues, but for now I am looking for a solution that does not involve spending money if Snow Leopard is around the corner.

It is a fairly serious issue for us, and if its something that I am doing wrong then I am open to any suggestions.

Client configuration:

  • Active Directory bind - Apple Active directory Plugin - Map LDAP attributes in AD plugin (uidNumber,gidNumber,gidNumber)
  • Mobile accounts forced
  • NFS mounts via fstab (soft mounts)

When I type in 'id' at the Terminal I seem to get the correct mappings for uid and all group memberships. AD is run off Windows 2003 server with Unix identity management tools installed.

If you've seen this issue

Current news on the MacWindows home page.

Dual-boot Mac and time drift, logon timing issues with Active Directory

Wednesday, October 21, 2009

Scott McKay's university runs Windows XP in Boot Camp 2.1 and has some problems with time drift in Active Directory and log on problems. He writes:

On our campus, we have a problem with Mac logins on Boot Camp dual-boot Macs running Windows XP in one partition and OS X 10.5.8 (Leopard) in another and authenticating to an Active Directory server from either. On the Mac side, from time to time, users cannot log in the first time, but can generally log in after three tries. Until recently, we could not predict on which computer the problem would manifest itself. The Active Directory server and the clients, Mac-side and Windows-side, are set to the same time-server to prevent any time drift.

Our current assumption is that when one uses Windows XP, the timekeeping method for that computer changes somehow. When one then logs into the Mac side, significant time drift has happened (despite our precautions), which prevents authentication to the Active Directory server. Logins are usually okay after three tries on such a computer. Our observations, while not rigorous, seem to support this assumption: Using a local login on a computer that has just run Windows, we can open OS X's Date & Time System Preference and (if we're watching for it) see the time jump from about when it was logged into Windows to the current time. Then other Mac logins on that computer work just fine.

What we can't figure out is what to do about it. Obviously, a failed login is a serious disincentive to using the computer, so we need to come up with a way to fix it. I have not found a way to force updating the clock when the login window loads, which would be the obvious fix.

If you've seen this problem

Current news on the MacWindows home page.

Parallels Desktop 4.0 for Mac Run all the applications you need without switching between Windows and Mac OS X! New features include: More 3D Graphics Support, 50% faster, improved Mac OS integration, speech recognition, more battery life on notebooks, and more. Enjoy the best of both worlds.

"In the majority of overall averages of our tests, Parallels Desktop is the clear winner"
--MacTech Magazine


Other MacWindows Departments

| | " + contact + " | MacWindows home page | Tips and Problem Reports |
Product Solutions |

| News Archives |

Serving the cross-platform community since November 15, 1997.

This site created and maintained by
Copyright 2007-2009 John Rizzo. All rights reserved.