Macs frequently need to be restarted for Network logins to succeed
09-13-2013 02:16 PM
Thank you for your quick response. When you refer to the "computer account password" do you mean the account that was used to join the machine to the domain or the local administrator password? Neither of those passwords were changed in my environment... Any idea what else could have prompted that message?
09-13-2013 02:23 PM
Actually neither - I mean literally the computer's own account password that it uses to log into AD - it's automatically generated upon joining the domain and invisible to us mere humans. Sometimes it can fall out of sync as shown in your diagnostic logs.
If you go to the computer object in ADUC and right-click, you'll see the "Reset Account" option there:
Click that and then restart the Mac, wait a few moments for the handshaking to complete and then check to see if it can come back online again.
09-13-2013 02:54 PM
Resetting the machine account restored the connection. Now I have to figure out why it happens sporadically to various machines with no particular rhyme or reason...
09-13-2013 04:09 PM
Good to see that you're connected and running again.
It sounds like a good thorough check of your general network health might be in order.
From the Mac side - the AD Check tool in System Preferences > Centrify > AD Check might help highlight any potential issues.
11-15-2013 06:22 AM
This problem has cropped up again, except this time several computers are affected in several different locations across campus. Affected machines show a CentrifyDC mode of "<unavailable>". Resetting the machine account has no effect in this case, and neither does restarting the computer. I ran an AD check on a couple of the affected machines and everything passed. Any idea what could be going on?
11-15-2013 07:00 AM
I received and took a look through your latest diagnostic pack - and the same "Computer account password has been changed" notification is shown there.
Did you try the adkeytab commands from my previous posting here?:
Additionally - the Mac is using an older version of the Centrify agent (version 5.1.0) which contained a known bug which did affect connectivity in certain environments.
I highly recommend you update to the latest version of the Centrify agent (version 5.1.1-920) which has quashed pretty much all the performance bugs and I've seen a much greater reliability rate with this new version:
With this new version though - you will need to bring the Mac back into a Connected state before it will allow an updated install.
If the adkeytab commands from the previous post fails to bring your Mac back online - try uninstalling the previous 5.1.0 version (which will also unjoin the Mac from the domain) then install the newer 5.1.1 and rejoin the domain.
You should see a much greater increase in performance with this new version.
12-02-2013 01:15 PM
Thank you for that. We have deployed the updated client and are waiting to see if the connection is stable. According to our infrastructure follks the machine account password is not enforced centrally, therefore it would be happening at the client level. Do you know what the default timeout is for Centrify AD connections?
12-02-2013 02:54 PM
By default, all computers participating in AD change their passwords every 30 days, or by the parameter set on your
Domain member: Maximum machine account password age GPO under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
If because of a connectivity issue the computer can't talk to AD over Kerberos to perform a password change, it will go offline.
Run the adcheck command against your domain and show us the output.
03-27-2014 01:19 PM
In Windows we can disable the machine password we don't get this issue. Is there a way to disable the machine password on a Mac.