OS X and Active Directory Authentication



  • Our Macs are joined to our AD domain. You get to use your normal Windows credentials to login, you get easy access to domain resources, and it's not yet-another-username-and-password to remember.

    Until yesterday. After months of AD authentication working just fine, now we can't log in using our Windows accounts. The login screen just constantly says "Network accounts are not available" and the error never goes away. Some Googling reveals that the best way to "fix" this issue is to not use AD authentication and/or roll back to previous versions of OS X which we can't do because our Mac shipped with the newest version, and evidently we're the only company in the universe where it ever worked anyway. The worst part is it happened simultaneously to our three Macs.

    So now we're using local accounts. Which works except that I never got my working copy with a day or two's work on it committed to subversion (XCode's SVN support is yet another megaton of steaming WTF) and since it's owned by my AD account it seems even a local administrator on the Mac can't access it. The worst part is I don't even remember what I was working on to re-implement it.

    There's always something. You'll have a few days of smooth sailing followed by something crazy and new. It happens every time, and I have about four months of experience with the system that proves it. And it's always something new. Hey, I'm not going to let you login anymore! Once you find a workaround, I'll play nice for a couple days, and then I'm going to lie through my teeth and claim that the SVN repository isn't available even though every non-Mac in the office has no problem with it! After six hours of bashing your face into a brick wall, I'll let it inexplicably start working again, give you a week, and then we're going to have a massive memory leak that eats up 20 GB RAM and doesn't seem to get freed up even when you reboot! Oh, and then I'll fail to compile because a third-party class named ABCMyClass got renamed to ABCMyBetterClass when you updated the library two weeks ago but I'm just now figuring it out, and no I'm not going to tell you why everything worked fine with an invalid class name for two weeks. Then I'll duplicate every single file in your project twice when committing to SVN and cause a crapstorm for all the developers on that repository! Once that's done, I'll refuse to compile for a full eight-hour day because AppDelegate.h doesn't exist even though it really does, but when you come back tomorrow morning everything will be fine! Oh, and it looks like you've gone seventeen hours without an XCode crash, so let's make it crash on startup for the rest of the day and let's also make it so rebooting the Mac won't fix it. Halfway through tomorrow I'll let up and it'll start working again, but this time typing comments isn't allowed and anytime you type that double-slash I'm going to freeze and make you use Force-Quit because it takes Jedi Force powers to properly use a Mac.



  • @mott555 said:

    Our Macs are joined to our AD domain. You get to use your normal Windows credentials to login, you get easy access to domain resources, and it's not yet-another-username-and-password to remember.

    Until yesterday. After months of AD authentication working just fine, now we can't log in using our Windows accounts. The login screen just constantly says "Network accounts are not available" and the error never goes away. Some Googling reveals that the best way to "fix" this issue is to not use AD authentication and/or roll back to previous versions of OS X which we can't do because our Mac shipped with the newest version, and evidently we're the only company in the universe where it ever worked anyway. The worst part is it happened simultaneously to our three Macs.

    So now we're using local accounts. Which works except that I never got my working copy with a day or two's work on it committed to subversion (XCode's SVN support is yet another megaton of steaming WTF) and since it's owned by my AD account it seems even a local administrator on the Mac can't access it. The worst part is I don't even remember what I was working on to re-implement it.

    There's always something. You'll have a few days of smooth sailing followed by something crazy and new. It happens every time, and I have about four months of experience with the system that proves it. And it's always something new. Hey, I'm not going to let you login anymore! Once you find a workaround, I'll play nice for a couple days, and then I'm going to lie through my teeth and claim that the SVN repository isn't available even though every non-Mac in the office has no problem with it! After six hours of bashing your face into a brick wall, I'll let it inexplicably start working again, give you a week, and then we're going to have a massive memory leak that eats up 20 GB RAM and doesn't seem to get freed up even when you reboot! Oh, and then I'll fail to compile because a third-party class named ABCMyClass got renamed to ABCMyBetterClass when you updated the library two weeks ago but I'm just now figuring it out, and no I'm not going to tell you why everything worked fine with an invalid class name for two weeks. Then I'll duplicate every single file in your project twice when committing to SVN and cause a crapstorm for all the developers on that repository! Once that's done, I'll refuse to compile for a full eight-hour day because AppDelegate.h doesn't exist even though it really does, but when you come back tomorrow morning everything will be fine! Oh, and it looks like you've gone seventeen hours without an XCode crash, so let's make it crash on startup for the rest of the day and let's also make it so rebooting the Mac won't fix it. Halfway through tomorrow I'll let up and it'll start working again, but this time typing comments isn't allowed and anytime you type that double-slash I'm going to freeze and make you use Force-Quit because it takes Jedi Force powers to properly use a Mac.

    This is why Macs should only be used by old people and brainwashed hipsters. The second you try to do anything more than surf the web or listen to some music a Mac just gets in your way.



  • @mott555 said:

    Until yesterday. After months of AD authentication working just fine, now we can't log in using our Windows accounts. The login screen just constantly says "Network accounts are not available" and the error never goes away. Some Googling reveals that the best way to "fix" this issue is to not use AD authentication and/or roll back to previous versions of OS X which we can't do because our Mac shipped with the newest version, and evidently we're the only company in the universe where it ever worked anyway. The worst part is it happened simultaneously to our three Macs.
    Download Wireshark.  Run a capture on your Mac.  Look through the communication dialog.  Find out what the error code is that AD is returning.  (Or if your system is trying to authenticate against a defunct system.  Or DNS isn't working right.  Or you're getting a TCP reset [RST].)  Get your system admin to fix it.  Problem solved.

    It frustrates me that, so often, if the dialog box had just >< that much more information, you'd know exactly where the problem occurred and figure out how to fix it.  I've had people work on problems for days with error messages that are thoroughly vague, like "Couldn't connect to server!", then finally they come to me, I do a capture for them and 10 minutes later the problem is fixed.  Take this as an official plea to all the software developers out there . . . give the end user some kind of clue about the exact nature of the problem.  If you want to put it under a Details button, fine.  But if the admin knows he/she can't connect to the server because "Connection was reset by server", now you've got a lead -- a reset on initial connect likely means the server isn't running the service properly and isn't binding to the correct port.  Whereas "Can't connect to server" by itself doesn't mean shit.



  • @mott555 said:

    Oh, and then I'll fail to compile because a third-party class named ABCMyClass got renamed to ABCMyBetterClass when you updated the library two weeks ago but I'm just now figuring it out, and no I'm not going to tell you why everything worked fine with an invalid class name for two weeks.

    Precompiled headers, or some other form of caching, perhaps?



  • Sadly, this is reminding me of my experiences using Eclipse with the m2e plugin on Windows.

    Project works fine, then suddenly one day Update Project Configuration starts throwing NullPointerExceptions and even updating to the latest version of Eclipse and m2e, reinstalling all Eclipse plugins, or even re-fetching the source from SVN fixes it.



  • @mott555 said:

    There's always something. You'll have a few days of smooth sailing followed by something crazy and new. It happens every time, and I have about four months of experience with the system that proves it. And it's always something new. Hey, I'm not going to let you login anymore! Once you find a workaround, I'll play nice for a couple days, and then I'm going to lie through my teeth and claim that the SVN repository isn't available even though every non-Mac in the office has no problem with it! After six hours of bashing your face into a brick wall, I'll let it inexplicably start working again, give you a week, and then we're going to have a massive memory leak that eats up 20 GB RAM and doesn't seem to get freed up even when you reboot! Oh, and then I'll fail to compile because a third-party class named ABCMyClass got renamed to ABCMyBetterClass when you updated the library two weeks ago but I'm just now figuring it out, and no I'm not going to tell you why everything worked fine with an invalid class name for two weeks. Then I'll duplicate every single file in your project twice when committing to SVN and cause a crapstorm for all the developers on that repository! Once that's done, I'll refuse to compile for a full eight-hour day because AppDelegate.h doesn't exist even though it really does, but when you come back tomorrow morning everything will be fine! Oh, and it looks like you've gone seventeen hours without an XCode crash, so let's make it crash on startup for the rest of the day and let's also make it so rebooting the Mac won't fix it. Halfway through tomorrow I'll let up and it'll start working again, but this time typing comments isn't allowed and anytime you type that double-slash I'm going to freeze and make you use Force-Quit because it takes Jedi Force powers to properly use a Mac.

    You are ready, my apprentice. You may leave the monastery.



  •  I warned you about Macs bro!!! I told you dog!



  • Again:

    It's like you assume Apple is a competent software company and not a clever scam to separate worthless hipster douchebags from their parents' money.



  • Again:

    It's like you assume Microsoft can create a useful OS and is not a steaming POS designed to kill productivity.



  • @gu3st said:

    Again:

    It's like you assume Microsoft can create a useful OS and is not a steaming POS designed to kill productivity.

    Dammit, boys, he got us again! How can we spread FUD about OSX with vigilantes like gu3st fighting for truth and justice!?

    Shut 'er down, boys, we're headed back to Redmond.

    Back to Redmond to sleep and to dream..

    ..to dream of the horrors we will unleash on the world.


  • ♿ (Parody)

    @gu3st said:

    It's like you assume Microsoft can create a useful OS and is not a steaming POS designed to kill productivity.

    Yeah, but why bring up XBox?



  • @morbiuswilters said:

    @gu3st said:
    Again:

    It's like you assume Microsoft can create a useful OS and is not a steaming POS designed to kill productivity.

    Dammit, boys, he got us again! How can we spread FUD about OSX with vigilantes like gu3st fighting for truth and justice!?

    Shut 'er down, boys, we're headed back to Redmond.

    Back to Redmond to sleep and to dream..

    ..to dream of the horrors we will unleash on the world.

     

    ... but I run Linux, OSX, BSD, IOS, and Windows. Where do I fit in in this crazy new world? For whom shall I fight?  Who will I fight against?!  My world is crumbling.  Crumbling!



  • @Gazzonyx said:

    ... but I run Linux, OSX, BSD, IOS, and Windows. Where do I fit in in this crazy new world?

    Every world needs a crazy hoarder or two.



  • @morbiuswilters said:

    @Gazzonyx said:
    ... but I run Linux, OSX, BSD, IOS, and Windows. Where do I fit in in this crazy new world?

    Every world needs a crazy hoarder or two.

     

    What does this have to do with SpectateSwamp (or Swampie for the informed)?  I miss him.


  • Discourse touched me in a no-no place

    @Gazzonyx said:

    What does this have to do with SpectateSwamp (or Swampie for the
    informed)?  I miss him.
    Has he buggered off again? I have the mails telling me he's posted sent to Coventry (along with one other person on here.)



    His last hiatus was for quite a while but he did come back. Seems this is the only forum that hasn't permanently banned him for spouting crap.



  • That thread is only 2 posts away from 50 pages long. FYI.



  • @PJH said:

    I have the mails telling me he's posted sent to Coventry..

    Coventry? Do you make them eat soggy, oily fish 'n chips as well? Jesus, isn't that against the Geneva Conventions?

    @PJH said:

    Seems this is the only forum that hasn't permanently banned him for spouting crap.

    God bless us.



  • @blakeyrat said:

    That thread is only 2 posts away from 50 pages long. FYI.
     

    The first time I read that thread I nearly fell out of my chair laughing and nearly had a spit-take.  I think someone said something about the "5 stages of accepting Swampie" as compared to the 5 stages of grief.  I hadn't laughed that hard in a long time.

    P.S. - who is going to put that thread over the 50 page mark?  There should be a celebration or something.


  • Discourse touched me in a no-no place

    @morbiuswilters said:

    @PJH said:
    I have the mails telling me he's posted sent to
    Coventry..
    Coventry? Do you make them eat soggy, oily fish 'n chips as
    well? Jesus, isn't that against the Geneva Conventions?

    No. That's available throughout the UK. And, helpfully, so far, not mandated by either Europe or the HRC. I'm assuming your google search found the idiom - I'll helpfully provide a direct link if it didn't....



  • @PJH said:

    @morbiuswilters said:
    @PJH said:
    I have the mails telling me he's posted sent to
    Coventry..
    Coventry? Do you make them eat soggy, oily fish 'n chips as
    well? Jesus, isn't that against the Geneva Conventions?

    No. That's available throughout the UK. And, helpfully, so far, not mandated by either Europe or the HRC. I'm assuming your google search found the idiom - I'll helpfully provide a direct link if it didn't....

    Yeah, it was just my lame attempt at a joke. I was going to make a reference to firebombing but, you know, "Too Soon"..



  • @nonpartisan said:

    It frustrates me that, so often, if the dialog box had just >< that much more information, you'd know exactly where the problem occurred and figure out how to fix it.
    If you try and logon to a Mac, and it can't log you on, it just shakes the login dialog box.

    Because this is, of course, an incredibly useful way of communicating exactly what has gone wrong with the login and we can then take useful steps to try and rectify the problem.



  • @Gazzonyx said:

    P.S. - who is going to put that thread over the 50 page mark?  There should be a celebration or something.
    That person should be punched in the face.

     

     

     

     

     

    Seriously.



  • @nonpartisan said:

    It frustrates me that, so often, if the dialog box had just >< that much more information, you'd know exactly where the problem occurred and figure out how to fix it.
     

    All my clients get source code. Sometimes I give error messages like "Program error 27553". Grep the source code and you know EXACTLY what went wrong (but not why).

     



  • @El_Heffe said:

    @Gazzonyx said:

    P.S. - who is going to put that thread over the 50 page mark?  There should be a celebration or something.
    That person should be punched in the face.

    Whoops....

    @AndyCanfield said:

    All my clients get source code. Sometimes I
    give error messages like "Program error 27553". Grep the source code
    and you know EXACTLY what went wrong (but not why).

    That's only marginally more useful. 

    Actually presenting a meaningful error message back to the user - with details they can report to the service desk - is much more informative and speeds up problem diagnosis/incident resolution. Recognisable error messages permit end users to spot trends; they may determine common behaviour that leads to this particular known issue and can confidently repeat the issue during technical observations or at least begin actively taking steps to sidestep the issue.

    Although the source is provided, I don't expect someone on the service desk to have to:

    • trawl through source to match this error against a block of code
    • try to deduce what particular situations cause this error
    • attempt to relate it to user actions.
    Far better would be for you to have performed this upfront, i.e.: provide a lookup table deciphering the error code and recommended actions to rectify the fault. If you are the coder, you have detailed knowledge about these errors and they should form part of system documentation with the lookup tables as a "cut out and keep" operational documentation. However, this all sidesteps the issue that these should really be in the application itself.

    Cryptic error messages are worse than no error messages. Although they indicate a failure, presented information can actually hamper diagnosis.



  • @DOA said:

     I warned you about Macs bro!!! I told you dog!

     

    The big man hass the mack

     



  • @morbiuswilters said:

    Every world needs a crazy hoarder or two.
    Have you considered becoming a hoarder collector? Just sayin'



  • It seems that TRWTF here is your SVN client.

     

    Oh, and also whatever abstraction layer Macs have over their BSD OS that won't permit that a local administrator access local resources. I always thought that WTF was Windows only.



  • @morbiuswilters said:

    Again:

    It's like you assume Apple is a competent software company and not a clever scam to separate worthless hipster douchebags from their parents' money.



    How can that be true? You really think a company could stay in business based on clever marketing and a gullible sub-populace even if they lack a competitive product?

    What's next? Will you be accusing SAP and Oracle of lacking a good piece of software instead marketing overpriced consultants as a product? Will you be accusing Adobe of cornering the market with their shitty software by forcing standardization via the government?

    You sir, are a silly billy!  



  • @this_code_sucks said:

    How can that be true? You really think a company could stay in business based on clever marketing and a gullible sub-populace even if they lack a competitive product?
    Well, considering after every time I've used an Apple product, I've come away thinking "What kind of masochistic idiot would want to use this crap?", I would say it's fair to assume that I at the very least think this. OS X rarely behaves in a sane and logical manner, the iPhone is a fragile piece of crap, the iPad is a giant iPhone, iOS is limited and also rarely makes sense (random example: the weather app icon always implies that it's 73°C and sunny, yet the Calendar icon always shows today's date), and so on.



  • @Douglasac said:

    @this_code_sucks said:
    How can that be true? You really think a company could stay in business based on clever marketing and a gullible sub-populace even if they lack a competitive product?
    Well, considering after every time I've used an Apple product, I've come away thinking "What kind of masochistic idiot would want to use this crap?", I would say it's fair to assume that I at the very least think this. OS X rarely behaves in a sane and logical manner, the iPhone is a fragile piece of crap, the iPad is a giant iPhone, iOS is limited and also rarely makes sense (random example: the weather app icon always implies that it's 73°C and sunny, yet the Calendar icon always shows today's date), and so on.

    I think he was being sarcastic.

    I do applaud Apple for pushing high-resolution displays. Supposedly they have a "Retina" Macbook Pro coming out soon. I am so very tempted to buy one and install Linux on it, but what I'm really hoping is that it will compel PC manufacturers to up their game. My current monitor is 121 PPI and I consider that a joke.

    I'm also tempted to buy an iPhone. Not because I think they're all that good, but because I'm sick-and-fucking tired of Android. Can iOS be any worse? Well, probably, but still..



  • @morbiuswilters said:

    I think he was being sarcastic.
    In hindsight, yes, probably. I don't do mornings.
    @morbiuswilters said:
    I do applaud Apple for pushing high-resolution displays.
    Yes, this is a good thing, however I don't see the point of insanely high resolution small displays (ie. 2048x1536 on the iPad - why?). 480x800 fine on my phone, the only thing that the iPhone display has that I would so dearly love on my phone is the display being closer to the glass. I'd like a full HD screen at the very least on my next laptop, however laptops that have 13-14" screens and have a full HD screen that can work with a dock apparently don't exist or aren't commercially available in Australia... the best I can find is 1600x900 which isn't bad (it's usable), it just could be better.
    @morbiuswilters said:
    I'm also tempted to buy an iPhone. Not because I think they're all that good, but because I'm sick-and-fucking tired of Android. Can iOS be any worse? Well, probably, but still..
    For me, it's the little things I've found with iOS, like no smart dialling (ie. if I wanted to call you I'd bring up dialer on my phone and hit 6672 and you'd come up instead of going through the contacts list), the aforementioned weather icon being stupid, the keyboard always has capital letters on it as opposed to having lower case letters on it when shift or capslock is off, and no back button. I'm looking at a Windows Phone come contract renewal time because I too am getting sick of Android (it was good up until HTC did the yes the Desire is getting Gingerbread\no it isn't getting Gingerbread dance, and I had to install it myself and even then it's half-assed and has stupid quirks): every time I've used it I've been reasonably impressed with it. That, and the keyboard on it is so good that it can take my random mashings and turn it into what I actually want to say first time.



  • @PJH said:

    @morbiuswilters said:
    Coventry? Do you make them eat soggy, oily fish 'n chips as well? Jesus, isn't that against the Geneva Conventions?
    No. That's available throughout the UK. And, helpfully, so far, not mandated by either Europe or the HRC.
    I very much doubt that the European Union would mandate fish and chips, because that would make it Europe-wide. There would be riots in the streets of countries that have higher culinary standards than the UK, which is all other EU-countries.

    What could possibly happen, and would actually be a good thing, if it gets a "culturally significant" label or something similar, just like champagne and feta cheese, and is only allowed to be produced within the UK. Preferably in the Outer Hebrides.



  • @Douglasac said:

    @this_code_sucks said:
    How can that be true? You really think a company could stay in business based on clever marketing and a gullible sub-populace even if they lack a competitive product?
    Well, considering after every time I've used an Apple product, I've come away thinking "What kind of masochistic idiot would want to use this crap?", I would say it's fair to assume that I at the very least think this. OS X rarely behaves in a sane and logical manner, the iPhone is a fragile piece of crap, the iPad is a giant iPhone, iOS is limited and also rarely makes sense (random example: the weather app icon always implies that it's 73°C and sunny, yet the Calendar icon always shows today's date), and so on.
    But what do I say to those Mac enthusiasts that I have to work with who got a Windows laptop like everybody else, but who then proceeded to complain to their boss until he orders them a Mac and now the Windows laptop just lies in a corner and they keep lamenting to us others about how much Windows sucks and how they would never touch that other laptop with a ten foot pole. Windows is so unintuitive and their Mac is so much better. I'd really like to shove them their Mac up where it's dark.



  • @Mcoder said:

    Oh, and also whatever abstraction layer Macs have over their BSD OS that won't permit that a local administrator access local resources. I always thought that WTF was Windows only.
     

    Terminal and sudo should give access? Unless encrypted?



  • @Douglasac said:

    (ie. 2048x1536 on the iPad - why?
     

    Text. ebook reading.



  • @TheRider said:

    But what do I say to those Mac enthusiasts that I have to work with who got a Windows laptop like everybody else, but who then proceeded to complain to their boss until he orders them a Mac and now the Windows laptop just lies in a corner and they keep lamenting to us others about how much Windows sucks and how they would never touch that other laptop with a ten foot pole. Windows is so unintuitive and their Mac is so much better. I'd really like to shove them their Mac up where it's dark.



    Tell them the truth. Tell them that they are a brainwashed hipster douchebag who should not be allowed within 10 feet of any thing containing an integrated circuit. Tell them that Macs are for people too stupid to use a real computer; Macs are not computers, they are fucking fashion statements. If they ask you, "So are you calling me stupid?" Retort, "I don't have to call you stupid; you already admitted to being a Mac user."



  • Update: AD authentication works again this morning. We changed absolutely nothing on either the Macs or the domain controller.



  • IIRC, OSX shipped with Samba up until the last release.  You should be able to check your domain membership using the net(8) command.  net testjoin etc.  Just for future reference.



  • @mott555 said:

    Update: AD authentication works again this morning. We changed absolutely nothing on either the Macs or the domain controller.

    Something caused it.  Next time it happens, I'd still encourage doing a Wireshark capture of the traffic.

    How many DCs do you have?  Is DNS set up correctly?  Was one of them having a problem and the Macs had an affinity toward the ailing DC?  Duplicate IP address -- did someone set up a new server and accidentally assign it the same IP as one of the DCs?  Presumably you're also running Windows machines -- did any of them show any hinkiness in trying to log in?  Check their event logs . . . perhaps there's an error about a DC not responding?

    If it showed up once, it will show up again.  Doesn't sound like this was a Mac problem.


  • Discourse touched me in a no-no place

    @nonpartisan said:

    @mott555 said:

    Update: AD authentication works again this morning. We changed absolutely nothing on either the Macs or the domain controller.

    Something caused it.  Next time it happens, I'd still encourage doing a Wireshark capture of the traffic.

    I'd get a packet capture of it now - when it's working - so there's something to compare the failure to....



  • @nonpartisan said:

    @mott555 said:

    Update: AD authentication works again this morning. We changed absolutely nothing on either the Macs or the domain controller.

    Something caused it.  Next time it happens, I'd still encourage doing a Wireshark capture of the traffic.

    How many DCs do you have?  Is DNS set up correctly?  Was one of them having a problem and the Macs had an affinity toward the ailing DC?  Duplicate IP address -- did someone set up a new server and accidentally assign it the same IP as one of the DCs?  Presumably you're also running Windows machines -- did any of them show any hinkiness in trying to log in?  Check their event logs . . . perhaps there's an error about a DC not responding?

    If it showed up once, it will show up again.  Doesn't sound like this was a Mac problem.

     

    We're a small company with about 20 Windows workstations and 3 Macs. Everything that wasn't made by Apple--the Windows workstations, the servers, SQL Server logins, and custom applications that use AD for account validation--had no difficulties whatsoever logging in. How could it not be a Mac problem when the only systems displaying the problem were Macs?

    I don't know enough about Wireshark or AD to do what you suggest, and it certainly goes against the OS X mantra of being easy-to-use. From what I saw while googling, very few people running the current version of OS X (10.7) can do AD logins while older versions have no problem at all.

     



  • @mott555 said:

    How could it not be a Mac problem when the only systems displaying the problem were Macs?

    You can't blame the Macs.

    It's society's fault.

    The System is biased against Macs.

    We should have lower standards for Macs so that they can improve themselves.



  • @mott555 said:

    We're a small company with about 20 Windows workstations and 3 Macs. Everything that wasn't made by Apple--the Windows workstations, the servers, SQL Server logins, and custom applications that use AD for account validation--had no difficulties whatsoever logging in. How could it not be a Mac problem when the only systems displaying the problem were Macs?
    I've never configured AD login on a Mac, but a quick look indicated that you specify the DC by IP address?  Is that correct?  If that server were having problems and the Mac didn't know another controller to use, I would consider that a failure outside of the Mac; the server was indicating an error that prevented the Mac from being able to log in.  I consider that a controller problem, not a Mac problem.

    @mott555 said:

    I don't know enough about Wireshark or AD to do what you suggest, and it certainly goes against the OS X mantra of being easy-to-use.
    Nothing is easy to use.  Not Windows, not Linux, not OS X, not BeOS, not iOS, not Android, not <insert your favorite interface here>.  Until you can just speak into your computer "Create a 6 month budget based on income and expenditures for the same 6 month period last year" and have it say "Hi Scott, I have your budget right here.  You had $x in income and can spend $y on widgets and $z on TheDailyWTF donations and . . .", it's not easy to use.

     



  • @nonpartisan said:

    @mott555 said:

    We're a small company with about 20 Windows workstations and 3 Macs. Everything that wasn't made by Apple--the Windows workstations, the servers, SQL Server logins, and custom applications that use AD for account validation--had no difficulties whatsoever logging in. How could it not be a Mac problem when the only systems displaying the problem were Macs?
    I've never configured AD login on a Mac, but a quick look indicated that you specify the DC by IP address?  Is that correct?  If that server were having problems and the Mac didn't know another controller to use, I would consider that a failure outside of the Mac; the server was indicating an error that prevented the Mac from being able to log in.  I consider that a controller problem, not a Mac problem.

    Since Windows 2000 the list of controllers is found in SRV records in the DNS, and most organizations use DHCP to tell clients what DNS servers to use. If the Mac requires a specific IP instead of being able to look up the information from DNS, then the problem is that the Mac is an inferior AD client.



  • @nonpartisan said:

    @mott555 said:

    We're a small company with about 20 Windows workstations and 3 Macs. Everything that wasn't made by Apple--the Windows workstations, the servers, SQL Server logins, and custom applications that use AD for account validation--had no difficulties whatsoever logging in. How could it not be a Mac problem when the only systems displaying the problem were Macs?
    I've never configured AD login on a Mac, but a quick look indicated that you specify the DC by IP address?  Is that correct?  If that server were having problems and the Mac didn't know another controller to use, I would consider that a failure outside of the Mac; the server was indicating an error that prevented the Mac from being able to log in.  I consider that a controller problem, not a Mac problem.
     

    Our DC wears many hats. If it was having problems, then we'd have a lot more symptoms than being unable to log in on a Mac.

    To answer your question, yes, you have to specify the DC by IP address. It just fails silently if you use a hostname instead.



  • @mott555 said:

    Our DC wears many hats. If it was having problems, then we'd have a lot more symptoms than being unable to log in on a Mac.

    To answer your question, yes, you have to specify the DC by IP address. It just fails silently if you use a hostname instead.

    Looks like I forgot to ask . . . I presume you have only the one DC?  If you've got multiple DCs, I could see the Windows clients successfully falling back to another server while the Mac just dies with the one IP.  If you've only got the one DC, then . . . not sure right off.  Are DC(s) and clients all on the same subnet?
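
Added example, not part of any post in this thread: the SRV-based controller lookup Speakerphone Dude describes and the fallback nonpartisan suggests, contrasted with a client pinned to a single DC address. The domain, hostnames and SRV answers are constructed, and the reachability probe is a stand-in so the sketch runs offline.

```python
import random

# Constructed sample of SRV answers for _ldap._tcp.dc._msdcs.corp.example,
# one per line as "priority weight port target". Domain and hosts are made up.
SAMPLE_SRV = """\
0 100 389 dc1.corp.example.
0 100 389 dc2.corp.example.
10 100 389 dc-backup.corp.example.
"""

def parse_srv(text):
    """Parse 'priority weight port target' lines into tuples, skipping junk."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            prio, weight, port = map(int, parts[:3])
            records.append((prio, weight, port, parts[3].rstrip(".").lower()))
    return records

def order_candidates(records, rng=random):
    """RFC 2782 ordering: lowest priority first, weighted random within it."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = sorted((r for r in records if r[0] == prio), key=lambda r: r[1])
        while group:
            pick = rng.randint(0, sum(r[1] for r in group))
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered

def first_reachable(hosts, is_up):
    """Try hosts in order; return the first that answers, or None."""
    return next((h for h in hosts if is_up(h)), None)

def compare(down, pinned="dc1.corp.example", srv_text=SAMPLE_SRV, rng=random):
    """Which DC each client style ends up with when the hosts in `down` are dead."""
    is_up = lambda host: host not in down  # stand-in for a real LDAP/TCP 389 probe
    srv_hosts = [r[3] for r in order_candidates(parse_srv(srv_text), rng)]
    return {"pinned": first_reachable([pinned], is_up),
            "srv": first_reachable(srv_hosts, is_up)}

if __name__ == "__main__":
    print(compare(down={"dc1.corp.example"}))
```

With the pinned controller down, the pinned client gets nothing while the SRV client moves on to the next record; when checking a real domain, the same record set is what a DNS query for the `_ldap._tcp.dc._msdcs` name under the AD domain returns.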

     



  • @nonpartisan said:

    Looks like I forgot to ask . . . I presume you have only the one DC?  If you've got multiple DCs, I could see the Windows clients successfully falling back to another server while the Mac just dies with the one IP.  If you've only got the one DC, then . . . not sure right off.  Are DC(s) and clients all on the same subnet?
     

    We have a primary DC and also a backup DC which I was told doesn't really work... not sure what that means. I'm a developer, not a sysadmin. Yes, everything is on the same subnet.

     



  • @Speakerphone Dude said:

    Since Windows 2000 the list of controllers is found in SRV records in the DNS, and most organizations use DHCP to tell clients what DNS servers to use. If the Mac requires a specific IP instead of being able to look up the information from DNS, then the problem is that the Mac is an inferior AD client.
    Yes, we're agreed on that, and I would agree that the client is inferior.  However, my theory is that the proximate cause of mott555's problem was that the DC was returning an error code.  The Mac's client perhaps should be rewritten to handle it more gracefully, but if the DC is returning an error . . . then ultimately the problem exists on the DC side and it's the DC side that needs to be fixed.

    Did the DC get patched recently?  Did the Macs get patched recently?  Did the DC or the Macs get rebooted over the weekend?  Maybe a time sync issue that was fixed with a reboot?  This is why I like Wireshark captures in these cases.



  • @nonpartisan said:

    @Speakerphone Dude said:

    Since Windows 2000 the list of controllers is found in SRV records in the DNS, and most organizations use DHCP to tell clients what DNS servers to use. If the Mac requires a specific IP instead of being able to look up the information from DNS, then the problem is that the Mac is an inferior AD client.
    Yes, we're agreed on that, and I would agree that the client is inferior.  However, my theory is that the proximate cause of mott555's problem was that the DC was returning an error code.  The Mac's client perhaps should be rewritten to handle it more gracefully, but if the DC is returning an error . . . then ultimately the problem exists on the DC side and it's the DC side that needs to be fixed.

    Did the DC get patched recently?  Did the Macs get patched recently?  Did the DC or the Macs get rebooted over the weekend?  Maybe a time sync issue that was fixed with a reboot?  This is why I like Wireshark captures in these cases.

    I believe you just used Occam's Razor to slit your own wrists.



  • @morbiuswilters said:

    I believe you just used Occam's Razor to slit your own wrists.
    Occam's Razor says that the DC is returning an error code.  Fix the error and the problems go away.  The fact that we don't know the error code complicates things.  But fixing whatever the DC is bitching about causes the problem to go away, regardless of how inferior the Mac client is.  How'd I slit my wrist?

