Mac OS X 10.4.x Tiger and Active Directory: Problems and solutions
Over the past few days we've been covering a series of issues with Active Directory in conjunction with Mac OS X 10.4.4.
There now appear to be a number of issues with Macs bound to Active Directory services under Mac OS X 10.4.x (Tiger).
Most of the issues center on login and passwords: either correct login credentials are rejected, or users are unexpectedly logged out of the Active Directory service, whether it is hosted on Windows or on Mac OS X Server.
MacFixIt reader Jason Westlake describes an issue in which pre-existing Macintosh-based Active Directory accounts fail to log in once the Windows Active Directory server begins enforcing password restrictions, such as a maximum password age (requiring the password to be changed within a certain number of days).
Jason writes:
"Our company's password policy says that passwords must change every 90 days and that an account will become locked out after three incorrect login attempts. I have approximately 45 Macs currently on a Windows 2000 Active Directory. At random times for no reason whatsoever, every user's AD account becomes locked out (not all at the same time). We know it happens when Entourage 2004 (with Exchange accounts) suddenly becomes unable to receive email. It gives the user a message saying the username or password is incorrect. All the Mac accounts have been created for a long time, but with no password policy enforced because Macs were not on AD and had no way to change passwords. Now that we're moving to AD, we're turning on the password policy for all the Macs (all PC users have it turned on from day
"They have all exhibited this problem. We created a new test account with password policy, which I logged into an Active Directory-bound Mac and left running for days with no such lock-outs. There's something with our Active Directory and the Macs that's causing this lock-out for all the previously created Mac accounts. It's not feasible to recreate all our Mac accounts in the Active Directory. All Active Directory-bound Macs are running Mac OS X Tiger 10.4.3 and Entourage 11.2.1. I've tried Mac OS X 10.4.4 on a couple machines, but it did not change anything."
Another user notes a strange issue with file transfers to an AFP share when logged in with an Active Directory account:
"The user logs into his Tiger machine with an Active Directory username and password, and an AFP server volume hosted on a Panther-based Xserve which is linked to an Active Directory server for usernames and passwords is auto-mounted via a login item and the same Active Directory password info. Any attempt to upload nested folders will fail with an error stating something to the effect of the user does not have sufficient access privileges to complete the operation.
"They can upload any number of files within the first level of the main folder being uploaded, but loading any folder that contains anything else halts the upload with the error message (not sure if this includes folders that are empty). The balked nested folder does get uploaded but nothing is in it. Funny enough, the user can then proceed to upload the contents of the balked folder directly into it on the server, so it's not like they don't actually have permissions to write to it, they just can't write multiple levels at one time. I have heard this same issue discussed on MacWindows regarding SMB volumes on Windows servers, but again this is an AFP share hosted by a Panther-based Xserve.
"If I create a local user on the Tiger machine the problem goes away, even though they are logging into the same server using the same Active Directory authenticated username and password. The only difference is the login process to the local machine is to a local account instead of an Active Directory authenticated account."
Another reader, Bruce Penno, reports issues printing to authenticated print queues hosted on Windows servers.
He writes:
"I get the 'Connection failed with error NT_STATUS_NO_MEMORY' error when trying to print to a printer queue requiring authentication hosted on a Windows server, where the printer has been set up on the Mac by choosing it from the Printer Browser and is listed as an Open Directory connection.
"It seems that the Printer Browser mechanism does not allow for authentication.
"If the printer is chosen using the Windows Printing option found when you click 'More Printers...' you are given the opportunity to authenticate to the server. You can also set up an lpr printer with authentication."
In some cases, these issues can be resolved by unbinding the Mac OS X system from the Active Directory server in Directory Access (in /Applications/Utilities; an administrator account is required), restarting the affected Mac, and then binding it again.
As noted in our separate Mac OS X 10.4.4 coverage, the fix consists of removing the Active Directory domain in Directory Access and then adding it back.
MacFixIt reader Allan Marcus writes:
"When I upgraded my Mac OS X Server to 10.4.4 (from 10.4.3) my Active Directory bound users could not authenticate either. I opened Directory Access, clicked on the Authentication tab, removed the Active Directory Domain, hit Apply, then added back the Active Directory Domain, hit Apply, and now it all works."
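The remove-and-re-add procedure above can also be scripted, which matters when it has to be repeated across dozens of machines like Jason's 45 Macs. The following is an added example, not code from the article, from Apple or from any reader: it assumes the dsconfigad command-line tool is installed (it ships with Mac OS X Server 10.4 and with 10.5 and later clients; check with `which dsconfigad` on a 10.4 client) and that its -show, -r, -a, -domain, -u and -p options behave as documented for 10.5. The domain, computer name, user names and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the MacFixIt article): unbind a Mac OS X client from
# Active Directory, bind it again, and check that a domain user resolves.
# Assumes dsconfigad is present and accepts -show, -r, -a, -domain, -u, -p as
# on Mac OS X 10.5; on a 10.4 client verify with `which dsconfigad` first.
#
# set -e aborts at the first failing command, so a wrong binding password is
# tried once, not repeatedly against a lockout threshold such as the
# three-attempt policy described above.
set -e

# DRY_RUN=1 prints the privileged commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Extract the bound domain from `dsconfigad -show` output read on stdin.
# The "Active Directory Domain = ..." line format is an assumption taken from
# 10.5; prints nothing when the machine is not bound.
bound_domain() {
    sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p'
}

# Unbind, then bind again. The AD credentials belong to an account permitted
# to delete and create computer objects; -p puts the password on the command
# line, where `ps` can see it, so run this from a root-only script rather
# than an interactive shell that keeps history.
ad_rebind() {
    domain=$1; computer=$2; aduser=$3; adpass=$4
    run dsconfigad -r -u "$aduser" -p "$adpass"
    run dsconfigad -a "$computer" -domain "$domain" -u "$aduser" -p "$adpass"
}

# Confirm a domain user record is reachable through the search path after
# rebinding. Returns 0 if dscl finds the record, non-zero otherwise.
ad_user_resolves() {
    run dscl /Search -read "/Users/$1" RecordName >/dev/null 2>&1
}

# Usage (placeholders; preview with DRY_RUN=1, then run for real as root):
#   DRY_RUN=1 sh rebind-ad.sh corp.example.com mac01 adadmin 'secret'
if [ $# -eq 4 ]; then
    ad_rebind "$1" "$2" "$3" "$4"
    echo "bound to: $(run dsconfigad -show | bound_domain)"
    ad_user_resolves "${AD_TEST_USER:-jdoe}" && echo "domain user resolved"
fi
```

Preview the commands with DRY_RUN=1 before letting the script touch a production domain, and give the binding account only the rights to create and delete computer objects in the target OU, since its password is exposed on the command line while dsconfigad runs.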
If you are having similar issues with Active Directory, please let us know.