Identifying the Different Types of Login Issues on Mac Systems

So now that we know about the different types of accounts in OS X, it’s time to learn about what to do if those accounts ever decide to play hide-and-seek.
There may come a time, either during the initial setup or after some mysterious environment change, when an account fails to let the user in. After all, AD environments are like ice cream – they come in all kinds of flavors… some even have sprinkles on top.
99% of the time, login failures occur because of configuration error.
Here is a list of the most common types of login issues, in order of easiest to identify and diagnose:
The first and most important step is to determine EXACTLY what the user sees when the login fails:
  1. == Unreachable Network Home Folder ==
    If an error prompt is shown, then it is very likely that a network home folder is being used and the Mac system is unable to connect to it.
    When this happens:
    • Check that the network home path is correct and entered with a fully qualified domain name.
    • An easy-to-miss error is extra whitespace entered into the path – scroll to the end of the line and make sure there are no extra spaces inserted at the end.
    • Use the following command to check what path has been configured for the user:
      adquery user -h ad_username
    • A properly formatted network home path will look something like this:
      /SMB/ad_username/server.domain.com/Share/Path/ad_username
    • Check that the user and machine have read and write permissions to access the share.
      (Make sure they have been set according to the Centrify Admin Guide for Mac – pg32)
    • A good test for verifying network home accessibility:
      – a. Login to the Mac with a local account
      – b. Use the Finder > Go > Connect to Server option to mount the share as a regular network folder.
      – c. Enter the AD account’s credentials when prompted
      – d. Check that the user can both read and write to the share from the Mac.
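The path checks above (fully qualified server name, trailing whitespace, the username in the expected positions) can be scripted so they are not missed when eyeballing the adquery output. The following is an added example and not part of the original post or of Centrify's tooling; the sample paths in the usage are constructed, and in practice the argument would be the output of `adquery user -h ad_username`.

```shell
#!/bin/sh
# Added example: validate a Centrify network home path of the form
#   /SMB/<user>/<server.fqdn>/<Share>/<Path>/<user>
# Usage: check_network_home "<path>" <ad_username>
# Prints "ok" and returns 0 when the path looks well formed; otherwise prints
# the first problem found and returns 1.
check_network_home() {
    path=$1
    user=$2

    # The easy-to-miss error: whitespace at the end of the line.
    trimmed=$(printf '%s' "$path" | sed 's/[[:space:]]*$//')
    if [ "$trimmed" != "$path" ]; then
        echo "trailing whitespace at end of path"
        return 1
    fi

    # Split on '/': field 2 = protocol, 3 = user, 4 = server, last = user.
    proto=$(printf '%s' "$path" | cut -d/ -f2)
    pathuser=$(printf '%s' "$path" | cut -d/ -f3)
    server=$(printf '%s' "$path" | cut -d/ -f4)
    last=$(printf '%s' "$path" | awk -F/ '{print $NF}')

    if [ "$proto" != "SMB" ]; then
        echo "path does not start with /SMB/"
        return 1
    fi
    if [ "$pathuser" != "$user" ] || [ "$last" != "$user" ]; then
        echo "username in path does not match $user"
        return 1
    fi
    # A fully qualified domain name has at least one dot in it.
    case $server in
        *.*) ;;
        *) echo "server '$server' is not a fully qualified domain name"; return 1 ;;
    esac
    echo ok
    return 0
}

# Constructed sample paths (jdoe is a made-up account name).
check_network_home '/SMB/jdoe/server.domain.com/Share/Path/jdoe' jdoe
check_network_home '/SMB/jdoe/server.domain.com/Share/Path/jdoe ' jdoe
check_network_home '/SMB/jdoe/server/Share/Path/jdoe' jdoe
```

On a real Mac the path argument would be captured with `"$(adquery user -h ad_username)"`; the quotes matter, because they are what keeps a trailing space in the value for the check to catch.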
  2. == Unreachable Local Home Folder ==
    If the login hangs with a spinning icon in the login box, then it is likely that a local home folder is being used, and there is a UID mismatch or the local path has been configured incorrectly.
    When this happens:
    • Check that the home path has been set up correctly. The same adquery command for checking home paths from Step 1 should return the following format for local home folders:
      /Users/ad_username
    • If the path is correct, check that the UID of the home folder matches up with the UID of the AD account. First run:
      adquery user -u ad_username
      This will return the UID of the AD account as seen by the Mac.
      Then run:
      ls -ln /Users/
      This will return a list of home folders under the /Users/ folder along with the UIDs of the users which own those folders. The target home folder UID must match the UID of its corresponding AD account.
    • If they don’t match, then you’ll need to check out my previous posts on Account Migration to see what needs to be done there:
      – Understanding Account Migration on Centrify for Mac OS X
      – A bit more on knowing when Account Migration is needed, and when it is NOT needed
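The UID comparison in Step 2 is easy to get wrong by reading the wrong column of a long `ls -ln` listing, so here is the same check as a small script. This is an added example, not code from the original post or from Centrify; the listing and the AD UID below are constructed samples standing in for the real output of `ls -ln /Users/` and `adquery user -u ad_username`.

```shell
#!/bin/sh
# Added example: compare the UID that adclient reports for an AD user with the
# numeric owner of that user's local home folder.

# Constructed sample of `ls -ln /Users/` output (owner UID is the 3rd column,
# folder name the last column). jdoe and asmith are made-up accounts.
SAMPLE_LS='total 0
drwxr-xr-x   5 0           80   160 Jan 10 09:00 Shared
drwxr-xr-x  12 501         20   408 Jan 10 09:00 localadmin
drwxr-xr-x  14 1234567890  20   448 Jan 10 09:00 jdoe
drwxr-xr-x  14 1100        20   448 Jan 10 09:00 asmith'

# home_owner_uid LISTING USER : print the numeric owner of USER's home folder
home_owner_uid() {
    printf '%s\n' "$1" | awk -v u="$2" '$NF == u { print $3 }'
}

# check_home_uid AD_UID LISTING USER : prints "match", a mismatch description,
# or a note that no folder exists; returns 0 only on a match.
check_home_uid() {
    ad_uid=$1
    folder_uid=$(home_owner_uid "$2" "$3")
    if [ -z "$folder_uid" ]; then
        echo "no home folder for $3"
        return 1
    fi
    if [ "$ad_uid" = "$folder_uid" ]; then
        echo match
        return 0
    fi
    echo "mismatch (folder owned by $folder_uid, AD account is $ad_uid)"
    return 1
}

# Usage with the constructed data; 1234567890 stands for the value that
# `adquery user -u` would return for the account.
check_home_uid 1234567890 "$SAMPLE_LS" jdoe      # match
check_home_uid 1234567890 "$SAMPLE_LS" asmith    # mismatch: folder owned by 1100
```

On a real system the two inputs would be `"$(adquery user -u ad_username)"` and `"$(ls -ln /Users/)"`; a mismatch is the cue to go to the Account Migration posts linked above.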
  3. === Shakey Shakey ===
    This is the most common type of error that people see (the login window shakes) – it usually indicates an authentication error…
    When this happens:
    • Check that the user’s password is correct and valid.
    • Check that the username is correct.
    • Check that the account is not locked in AD.
    • Go to System Preferences > Users & Groups > Login Options
      • Make sure the Mac is not still bound using the built-in Apple AD plugin
        (“Network Account Server” should only show the “Join…” button)
      • Make sure “Allow network users to log in at login window” is enabled and “All network users” is selected.
    • Check the length of the computer name. If the computer hostname is greater than 15 characters long, then there could be a pre-Windows 2000 (pre-win2k) name conflict in AD. If so:
      • Unbind the Mac from the domain
      • Rename the Mac to a name with 15 characters or less
      • Rebind the Mac under the new hostname.
    • Open /etc/centrifydc/centrifydc.conf and make sure the user is not being blocked by one of the PAM filtering configurations:
      pam.allow.users
      pam.allow.groups
      pam.deny.users
      pam.deny.groups
    • Try flushing and rebuilding the AD cache for that user using the following steps:
      – a. Login to the Mac as Local Admin and open the Terminal
      – b. Run the command:
        adinfo
      – c. Make sure that the CentrifyDC mode is: Connected
      – d. Flush the AD cache and then do a Terminal login with the affected AD user:
        sudo adflush
        login ad_username
      – e. If the Terminal login works, then the user should now also be able to login via the regular login screen.
    • (For offline login failures)
      • Check if the account is configured with a network home directory – an off-network Mac will not be able to connect to a home folder that’s outside of the Mac… and thus a user with a network home folder will not be able to login when offline.
      • Check that the cache is not being encrypted:
        Open /etc/centrifydc/centrifydc.conf and check that the following parameter is set to false:
        adclient.cache.encrypt: false
        As noted in the parameter description: “If you enable this feature the cache will be flushed each time adclient starts up.” So if the cache is being flushed at every restart, there is no way for the machine to get the user credentials back from AD if the machine is offline.
    • (For licensed users only) If the Mac is joined in Zone Mode, check that the AD account has been provisioned into the Zone and is authorised for login. To verify whether the user has been provisioned correctly, either check back to the Centrify documentation, or login to the Customer Support Portal KB archive and search for the article:
      • KB-3038: How to add an AD user into a Centrify Zone.
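Three of the checks in Step 3 read plain settings (the PAM allow/deny lists and adclient.cache.encrypt in centrifydc.conf, and the hostname length) and can be run as one script before anyone starts flushing caches. The following is an added example, not Centrify's code and not from the original post. The conf excerpt is constructed, and the order in which the lists are evaluated (deny lists first, then allow lists only when one of them is non-empty) is an assumption made for illustration; the parameter descriptions in the real centrifydc.conf are the authority on the exact semantics.

```shell
#!/bin/sh
# Added example: offline sanity checks for the Step 3 settings.

# Constructed excerpt of /etc/centrifydc/centrifydc.conf; account and group
# names are made up. On a real Mac read the file instead:
#   SAMPLE_CONF=$(cat /etc/centrifydc/centrifydc.conf)
SAMPLE_CONF='# constructed excerpt
pam.allow.users: jdoe asmith
pam.deny.users: contractor1
pam.allow.groups:
pam.deny.groups: disabled-users
adclient.cache.encrypt: true'

# conf_value CONF KEY : value of a "key: value" line (empty if unset or blank)
conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F': *' '$1 == k { print $2 }'
}

# in_list LIST WORD : 0 if WORD is one of the space separated words in LIST
in_list() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# pam_filter_verdict CONF USER "GROUP ..." : prints "allowed" or which
# parameter blocks the user. Evaluation order here is an assumption:
# deny lists are checked first, then allow lists if either is populated.
pam_filter_verdict() {
    conf=$1; user=$2; groups=$3
    in_list "$(conf_value "$conf" pam.deny.users)" "$user" && { echo "blocked by pam.deny.users"; return 1; }
    for g in $groups; do
        in_list "$(conf_value "$conf" pam.deny.groups)" "$g" && { echo "blocked by pam.deny.groups"; return 1; }
    done
    allow_users=$(conf_value "$conf" pam.allow.users)
    allow_groups=$(conf_value "$conf" pam.allow.groups)
    if [ -n "$allow_users$allow_groups" ]; then
        in_list "$allow_users" "$user" && { echo allowed; return 0; }
        for g in $groups; do
            in_list "$allow_groups" "$g" && { echo allowed; return 0; }
        done
        echo "blocked by pam.allow.users/pam.allow.groups"
        return 1
    fi
    echo allowed
    return 0
}

# cache_encrypt_ok CONF : 0 unless adclient.cache.encrypt is true (which would
# flush the cache on every adclient start and break offline login)
cache_encrypt_ok() {
    [ "$(conf_value "$1" adclient.cache.encrypt)" != "true" ]
}

# hostname_ok NAME : 0 if the name fits the 15 character pre-win2k limit
hostname_ok() {
    [ ${#1} -le 15 ]
}

# Usage with the constructed data.
pam_filter_verdict "$SAMPLE_CONF" jdoe "staff"                 # allowed
pam_filter_verdict "$SAMPLE_CONF" contractor1 "staff"          # blocked by pam.deny.users
cache_encrypt_ok "$SAMPLE_CONF" || echo "cache encryption is on: offline login will fail"
hostname_ok MACBOOK-PRO-ENG-01 || echo "hostname longer than 15 characters"
```

On a real Mac the groups argument can be filled from `id -Gn ad_username` once the user resolves, and the hostname from `scutil --get ComputerName` or `hostname`; the point is to rule out the static configuration causes before touching the AD cache.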
  4. === End of the line ===
    If you’ve reached here then all hope is lost.
    Just kidding – download the Mac Diagnostic Tool and use the [ Save Basic Info… ] button to generate a Basic_Log_Pack.zip. Keep this pack handy and, depending on the version of Centrify you have, get in touch with us and we’ll see where we can go from there:
    • If you are using Centrify Express: Make a post to our Community Forums and make sure to describe precisely what the users are seeing and what you have done so far.
      Centrify Community Forums: http://community.centrify.com
    • If you are using Centrify Standard / Enterprise: Login to the Support Portal to create a new support ticket – same as above; describe precisely what the users are seeing and also submit the Basic_Log_Pack.zip from the Diagnostic Tool so that we can hit the ground running as soon as we receive the ticket.
      Centrify Support Portal: https://www.centrify.com/support/portal.asp

Hope that helps some of you and happy troubleshooting!