Applies to: Centrify Identity Service
What troubleshooting steps can be performed if an AD account cannot log into a Mac?
The first step is always to determine EXACTLY what the user sees when the login fails:
Scenario 1: A message prompt is shown
If an error prompt is shown, then it is likely that a network home folder is being used - and the Mac system is unable to connect to it:
Note: On OS X 10.9 and above, this behaviour changed: if the Mac is unable to mount the user's network home at login, it provides a temporary local home instead. The user will still be able to log in to the system, but they will not see their own Desktop or home folder files.
To troubleshoot network home folders:
- Make sure the user's network home path is configured correctly according to one of the following KBs (Depending on the environment):
- An easy-to-miss error is extra whitespace entered into the path: scroll to the end of the line and make sure there are no extra spaces at the end.
- Use either the Mac Diagnostic Tool, or open the Terminal and enter the following command to check what path has been configured for the user:
adquery user -h ad_username
- A properly formatted network home path will appear in the following format:
- Check that the user and machine have read and write permissions on the share.
- A good test for verifying network home accessibility:
- Log in to the Mac with a local account
- Use the Finder > Go > Connect to Server option to mount the share as a regular network folder.
- Enter the AD account's credentials when prompted
- Check that the user can both read and write to the share from the Mac.
Scenario 2: The login icon spins for a long time
If the login hangs with a spinning icon in the login box, then it is likely that a local home folder is being used, and there is a UID mismatch or that the local path has been configured incorrectly:
To troubleshoot local home folders:
- Check that the home path has been set up correctly; the same adquery command used for checking home paths in Scenario 1 should return the following format for local home folders:
- If the path is correct but a UID conflict is suspected, please see the following KB articles for how to resolve this:
Scenario 3: The login box shakes
If the login box shakes, then this indicates an error in the authentication itself:
- Check that the username and password are correct and valid.
- Check if the issue may be with OS X itself by reproducing with the native Apple AD plugin.
- If the Mac is joined in Zone Mode, check that the AD account has been provisioned into the Zone and is authorised for login.
- Check that the cache is not being encrypted:
- Open /etc/centrifydc/centrifydc.conf and make sure the user is not being blocked by one of the PAM filtering configurations:
- Check the length of the computer name. If the hostname is longer than 15 characters, there could be a pre-Windows 2000 name conflict in AD.
- Go to System Preferences > Users & Groups > Login Options
- Try flushing and rebuilding the AD cache for that user using the following steps:
- Log in to the Mac as Local Admin and open the Terminal
- Run the command:
- Make sure that the CentrifyDC mode is: Connected
- Flush the AD cache and then do a Terminal login with the affected AD user:
- If the Terminal login works, then the user should now also be able to log in via the regular login screen.
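The two easy-to-miss causes above (stray whitespace in the home path from Scenario 1, and a hostname over 15 characters from Scenario 3) can be pre-checked offline with a small script. This is an added example, not part of the Centrify KB; the sample values are constructed, and the smb://, afp:// and // prefixes used to guess "network" versus "local" are an assumption, not the format the KB shows for adquery output.

```shell
#!/bin/sh
# Added example (not Centrify's code): offline pre-checks for a failed Mac AD login.
# In practice, pass the path reported by "adquery user -h <user>" and "hostname -s".

# Exit 0 if the path has no leading/trailing whitespace, 1 if it does.
home_path_clean() {
  trimmed=$(printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
  [ "$1" = "$trimmed" ]
}

# Print "network", "local" or "unknown" from the path prefix (assumed heuristic).
home_path_kind() {
  case "$1" in
    smb://*|afp://*|//*) echo network ;;
    /*) echo local ;;
    *) echo unknown ;;
  esac
}

# Exit 0 if the short hostname fits the 15-character pre-Windows 2000 name limit.
hostname_length_ok() {
  [ ${#1} -le 15 ]
}

# Run both checks for one user: print findings, exit 1 if anything failed.
precheck_login() {
  path="$1"; host="$2"; rc=0
  if home_path_clean "$path"; then
    echo "home path ok ($(home_path_kind "$path") home)"
  else
    echo "home path has leading/trailing whitespace: '$path'"; rc=1
  fi
  if hostname_length_ok "$host"; then
    echo "hostname length ok ($host)"
  else
    echo "hostname '$host' exceeds 15 chars; check for a pre-Windows 2000 name conflict in AD"
    rc=1
  fi
  return $rc
}

# Constructed sample run: a network home with a trailing space and a long hostname.
precheck_login "smb://fileserver.example.com/homes/jdoe " "mac-engineering-lab-01" \
  || echo "pre-checks failed; see findings above"
```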
Scenario X: Capturing debug logs of a failed login
If none of the above scenarios apply, then please refer to the following KB for gathering debug logs recording the login failure and contact Centrify Support with the debug pack attached.
For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help
or visit the Centrify Customer Portal at support.centrify.com