
Welcome to Amsys Training Technical Forum


 Cannot logon to magic triangle mobile account when off network
Aidan
Wednesday, February 17 2010 @ 09:58 am GMT
I'm implementing a magic triangle configuration to allow AD users to log onto the Macs in our department and use OD groups to manage permissions on a file server and apply managed preferences as needed. The users' Mac home folders need to be on the OS X file server, and I don't have enough access to the AD side of things to change what AD specifies as the home folder, so I have used augmented records to specify those attributes in the OD. That works fine and users can log on as network users.
The next issue was creating mobile home folders locally for machines that have predominantly one user, or laptops that might be used off site, and having those sync back to the file server over AFP when connected. Initially this didn't work: the mobile account would create, but all the folders still referred back to the network share and there was no syncing. To get round this I created a group in OD that had managed preferences specifying that creation of mobile home folders is allowed and, importantly, the syncURL back to the AFP share that the created mobile accounts should use.

Success, or so I thought. The accounts create and sync correctly (I managed to get Kerberos working with SSO, but if not it asked for credentials when syncing), so when on the network everything is fine. However, if the machine is taken off the network (such as a laptop that is also used off site), attempting to log on to a mobile account created like this gives a shaking logon box. Any ideas how I make it store the credentials for the mobile account locally? Any other managed preferences I need to set? This all works fine for normal OD user accounts and I can't see why it should work any differently.
Richard Mallion
 Thursday, February 18 2010 @ 11:48 am GMT  
Hi Aidan

This is strange. When you get the login window shake, this normally indicates either an authentication problem or that it can't find the user's home folder.

You can check if the mobile account has been created successfully by logging into the Mac with the local admin account and going to the Accounts preference pane. The AD user should be listed there.

The first thing I would do is log in with the AD user while on the network, as this works, and see what it's using for the live home folder. To do this, just click Home in the sidebar and then Command-click the title of the Finder window. It will show you the path to the home folder. This should be pointing to /Users. If not, something is wrong with the home folder URLs.

If you are running 10, have you seen this tech note? http://support.apple.com/kb/TS3019

Cheers

Richard
Aidan
 Friday, February 19 2010 @ 03:08 pm GMT  
Yeah, the mobile account exists in the Accounts preference pane. It also has the correct path for the home folder when logged in using the network. I am running 10.6 on both server and client and have noticed that tech note, but don't believe it applies since I can log into AD accounts when the create mobile accounts option is set in the AD connector.

I've been doing further testing and it seems that this affects any mobile account created for an AD user. I've tried it with an account augmented and put in a group that applies managed preferences to prompt for creation of the mobile home, an augmented account that used the AD plugin preferences to prompt, and an account not in the augments on the OD, and in all three cases the account cannot log in off the network. A user that is purely in OD is able to log into a mobile account offline without any problems.

I don't think it should affect anything, but the search order is set up to search the OD first, then AD, which I believe is required for the augments to be used. I also have the AD connector set up to use any server in the domain rather than prefer a specific one.

Aidan
 Monday, February 22 2010 @ 10:52 am GMT  
I believe I've solved the issue. To get single sign-on working, I followed a guide advising to change "builtin:authenticate,privileged" to "builtin:krb5authnoverify,privileged" under system.login.console in /etc/authorization. This works great as long as the computer is connected to the network, as this change REQUIRES contact with the KDC to authenticate, a fact not pointed out by the people suggesting this as a solution. For those wanting mobile accounts that may be used offline, adding "builtin:krb5login" under system.login.done instead in /etc/authorization seems to have the desired effect of grabbing the TGT after authentication if the KDC is available but otherwise allowing login to proceed.

I figured it couldn't be the AD plugin after I tried using a pure AD account without any augments and still had no luck.

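As an added example (mine, not code from the thread or from Apple), here is a Python script that audits a copy of the 10.6-style /etc/authorization plist for the two mechanisms named in the post above and rewrites it the way that post describes: putting "builtin:authenticate,privileged" back in place of "builtin:krb5authnoverify,privileged" under system.login.console, and appending "builtin:krb5login" to system.login.done. The plist embedded in the script is a constructed, abbreviated stand-in with only those two rights; a real file has many more rights and mechanisms. Run it against a backup copy first, and write the result back as root. Later OS X releases moved these rights out of /etc/authorization into the authorization database that `security authorizationdb read <right>` exposes, so the file-based approach here is specific to 10.6-era systems.

```python
import plistlib
import sys

# Mechanism names quoted in the post above.
KDC_ONLY = "builtin:krb5authnoverify,privileged"   # needs a reachable KDC
LOCAL_AUTH = "builtin:authenticate,privileged"     # the stock mechanism
KRB_LOGIN = "builtin:krb5login"                    # fetch a TGT after login

# Constructed, abbreviated stand-in for /etc/authorization on 10.6: only the
# two rights discussed are present, and the console right already carries the
# SSO edit that breaks offline login. Real files contain many more rights and
# mechanisms, and the exact neighbouring mechanism names here are illustrative.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>loginwindow:login</string>
        <string>builtin:krb5authnoverify,privileged</string>
        <string>loginwindow:success</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
    <key>system.login.done</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>builtin:login-done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""


def load_mechanisms(plist_bytes, right):
    """Return the mechanism list for one right, or [] if the right is absent."""
    db = plistlib.loads(plist_bytes)
    return list(db.get("rights", {}).get(right, {}).get("mechanisms", []))


def audit(plist_bytes):
    """Return findings that would stop an offline mobile-account login.

    An empty list means the file matches the configuration the post settled on.
    """
    findings = []
    console = load_mechanisms(plist_bytes, "system.login.console")
    if KDC_ONLY in console:
        findings.append("system.login.console uses %s: login requires a reachable KDC" % KDC_ONLY)
    if LOCAL_AUTH not in console:
        findings.append("system.login.console lacks %s: stock password mechanism missing" % LOCAL_AUTH)
    if KRB_LOGIN not in load_mechanisms(plist_bytes, "system.login.done"):
        findings.append("system.login.done lacks %s: no TGT fetched after login" % KRB_LOGIN)
    return findings


def patch(plist_bytes):
    """Return plist bytes with the post's fix applied; idempotent."""
    db = plistlib.loads(plist_bytes)
    rights = db["rights"]
    console = rights["system.login.console"]["mechanisms"]
    # Swap the KDC-only mechanism back for the stock one, keeping its position
    # in the evaluation order so the surrounding loginwindow steps are untouched.
    console[:] = [LOCAL_AUTH if m == KDC_ONLY else m for m in console]
    if LOCAL_AUTH not in console:
        raise ValueError("system.login.console has no password mechanism to keep")
    done = rights["system.login.done"]["mechanisms"]
    if KRB_LOGIN not in done:
        done.append(KRB_LOGIN)   # runs after login; tolerates an unreachable KDC
    return plistlib.dumps(db)


if __name__ == "__main__":
    # Usage: python authz_check.py [/path/to/authorization [/path/to/output]]
    # With no arguments the constructed sample is used, so this runs offline.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZATION
    for line in audit(data) or ["no findings"]:
        print(line)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patch(data))   # write the patched copy
```

The audit only checks for the presence and absence of the three mechanism strings the post names; it does not validate anything else in the file. Writing the output to a separate path and diffing it against the original before copying it into place is the safe way to apply this on a live machine.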
PaulL
 Friday, July 30 2010 @ 04:04 pm BST  
Hi, I don't know if anyone is still looking for an answer to this problem, but FWIW:

We have a golden triangle setup and often get this problem.
In our case it's caused by the fact that the Mac's time drifts more than five minutes away from the AD server time, and login is therefore denied.
We then log in as local admin and change the time to resolve this.

Hope it helps!