If you have tried to log on to a MacBook Pro (OS X) with an Active Directory account, you may have seen the following error in system.log:
createmobileaccount[4146]: MCXCCacheMCXRecordAndGraph(): [localNode createRecordWithRecordType:dsRecTypeStandard:Users name:"paradisj"] == 4100 (Unable to set value or values for dsAttrTypeStandard:Password in the record.)
First of all, many thanks to Travis J. Garrison, who pointed me in the right direction.
The problem was that I had two accounts in our Active Directory with the same value for the email attribute. Logging on with the first account worked fine, but I wasn't able to log on with the second one (on the same Mac).
The DirectoryServices.Error.log gave me the identity of the first account:
T[0x0000000102281000] - CDSLocalPluginNode::AttributeValueMatchesUserAlias(), alias exists in file /var/db/dslocal/nodes/Default/users/paradisjtest.plist
I had to change the email attribute of the first account in AD and refresh that account's cache (MCX_cache):
mcxrefresh -n paradisjtest -a
After that I was able to log on with both accounts.
Question:
Why does Apple use the email and displayName attributes as aliases of an account when those two attributes are not unique in Active Directory?
(It's not a bug, it's a documented feature)
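To find such collisions before they break a logon, the check below scans an LDIF export of AD user objects for mail and displayName values held by more than one account. It is an added example, not part of the original post; the sample data is constructed, and case-insensitive matching is an assumption.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not real directory data); account names are from the post.
SAMPLE_LDIF = """\
dn: CN=Test Paradis,OU=Users,DC=example,DC=org
sAMAccountName: paradisjtest
mail: J.Paradis@example.org
displayName: Paradis J

dn: CN=J Paradis,OU=Users,DC=example,DC=org
sAMAccountName: paradisj
mail: j.paradis@example.org
displayName:: UGFyYWRpcyBK

dn: CN=Other User,OU=Users,DC=example,DC=org
sAMAccountName: otheruser
mail: other.user@exam
 ple.org
"""

def parse_ldif(text):
    """Yield one dict per LDIF entry: lower-cased attribute name -> list of values."""
    # A line starting with a single space continues the previous line (LDIF folding).
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" means the value is base64
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry[name.lower()].append(value)
        if entry:
            yield dict(entry)

def find_alias_collisions(text, attrs=("mail", "displayname")):
    """Return {(attr, value): [accounts]} for values shared by several accounts."""
    owners = defaultdict(set)
    for entry in parse_ldif(text):
        ids = entry.get("samaccountname") or entry.get("dn")
        for attr in attrs if ids else ():
            for value in entry.get(attr, []):
                # Assumption: values that differ only in case still collide.
                owners[(attr, value.casefold())].add(ids[0])
    return {key: sorted(accts) for key, accts in owners.items() if len(accts) > 1}

if __name__ == "__main__":
    print(find_alias_collisions(SAMPLE_LDIF))
```

Any account pair it reports is a candidate for the createmobileaccount failure shown above when both users log on to the same Mac.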