Troubleshooting the “Network accounts are unavailable” error in Mac OS X Lion

In this article you will learn some strategies for troubleshooting the “Network accounts are unavailable” error in Mac OS X Lion computers that are bound to Active Directory Domain Services.

By Timothy Warner - Wed, November 9, 2011

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

4sysops readers have spoken: there are serious integration problems between Apple Mac OS X 10.7 Lion and Active Directory Domain Services (AD DS). Specifically, we are seeing (a) sluggish binding between the Macs and AD; (b) super-slow domain logons; and (c) completely blocked domain logons.

The biggest indicator of this problem is the red dot icon and “Network accounts are unavailable” message in the Mac OS X Lion logon screen; this is shown in Figure 1.

The dreaded “Network accounts are unavailable” error in Mac OS X Lion

For what one IT professional’s opinion is worth, here is my two-fold take on why this problem exists:

  1. Due to GPL license restrictions (among other reasons, I’m sure), Apple scrapped Samba and re-wrote their Server Message Block (SMB) and network directory services protocol stack. Check out this Apple Insider reference for more details.
  2. Apple released “half-baked” SMB/directory services components in Lion that will eventually be fixed in a software update.

A couple of weeks ago I attended a lecture given by Mark Russinovich, one of the world’s leading authorities on Windows internals. He made the offhanded but simultaneously serious statement that “Apple doesn’t know how to make Windows software.” In my opinion, Mark hit the nail squarely on the head.

Hey, all this jibber-jabbering doesn’t solve the problem, does it? Let’s get to some troubleshooting strategies.

Update all software

As I mentioned previously, I strongly believe that this issue represents a code problem on Apple’s side. Therefore, please keep a rigorous eye on Apple software updates over the coming days and weeks.

Some users have seen the “Network accounts are unavailable” error disappear after updating their Windows Server 2008 domain controllers, so keep these machines up-to-date as well.

Repair permissions

This tip is a possible quick fix that I include in this article for completeness’ sake. Boot your Lion computer into Lion Recovery by restarting the Mac and holding down Command + R.

Once you arrive in Lion Recovery mode, open Disk Utility, run a permissions repair, and reboot the system in normal mode.

Rebind Macs to Active Directory

You can try unbinding the Lion computer from Active Directory and then redoing the bind. The path to the Directory Utility in Lion has changed (again):

  1. Open Users & Groups from System Preferences.
  2. Select the appropriate user and click Login Options.
  3. By Network Account Server, click Edit.
  4. From the drop-down pane, select the Active Directory Domain entry and remove the binding. Next, click Open Directory Utility.

In the Directory Utility pane, please consider the following points:

  • Computer ID: This is the system’s DNS host name. We will need to synchronize this name with the computer name listed in the computer’s Sharing preference pane.
  • Create mobile account at login: Users have had success with enabling this option, even if the Mac system is not a laptop.

Binding Mac OS X Lion to AD

In the Advanced Options, navigate to the Administrative pane and consider testing the following option:

Prefer this domain server: You might want to “point” the Lion workstation to a nearby domain controller, preferably a domain controller that doubles as a DNS server.

Adjust authentication search policy

In Directory Utility, navigate to the Search Policy tab and move the /ActiveDirectory/DomainName entry to the top of the search list.

Reordering the search policy

Synchronize Mac host name

From System Preferences, open the Sharing pane and set the Computer Name field to the DNS host name of the Mac system. We want to ensure that this name matches the system name in the Directory Utility exactly.

Setting the Mac Hostname

Verify DNS and system time

You already understand that the Kerberos authentication protocol is highly time sensitive. On your Lion workstation, I recommend that you open the Date & Time system preference pane, navigate to the Date & Time tab, select Set date and time automatically, and fill in the DNS host name of your Windows Server 2008 Network Time Protocol (NTP) time server.

Synchronizing the Mac’s clock with AD
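
To measure how far the Mac's clock actually is from the domain controller's before blaming the bind, the following Python sketch sends one SNTP request and compares the offset with the Kerberos tolerance. It is an added example, not part of the original article; the 300-second limit assumes the Active Directory default of 5 minutes is unchanged, and `build_sample_reply` produces a constructed packet for offline testing only.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300       # assumption: AD default tolerance of 5 minutes


def _ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (two 32-bit words) to Unix time."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2.0 ** 32


def clock_offset(reply, t_sent, t_received):
    """Server-minus-client offset in seconds from a 48-byte SNTP reply.

    t_sent / t_received are the client's Unix times when the request
    left and when the reply arrived.
    """
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    mode, stratum = reply[0] & 0x07, reply[1]
    if mode != 4 or stratum == 0:
        raise ValueError("not a usable server reply")
    words = struct.unpack("!12I", reply[:48])
    t_rx = _ntp_to_unix(words[8], words[9])    # server receive timestamp
    t_tx = _ntp_to_unix(words[10], words[11])  # server transmit timestamp
    return ((t_rx - t_sent) + (t_tx - t_received)) / 2.0


def query_offset(server, timeout=3.0):
    """Send one SNTP client request to `server` (UDP 123), return the offset."""
    request = b"\x1b" + 47 * b"\0"  # LI=0, VN=3, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t_received = time.time()
    return clock_offset(reply, t_sent, t_received)


def kerberos_skew_ok(offset, limit=KERBEROS_MAX_SKEW):
    """True if the clock difference is inside the Kerberos tolerance."""
    return abs(offset) <= limit


def build_sample_reply(server_time):
    """Constructed reply for offline use: LI=0, VN=4, Mode=4, stratum 2."""
    words = [0] * 12
    words[0] = (0x24 << 24) | (2 << 16)
    words[8] = words[10] = int(server_time) + NTP_EPOCH_DELTA
    return struct.pack("!12I", *words)
```

Against a live server, call `kerberos_skew_ok(query_offset("dc01.example.com"))`, where `dc01.example.com` is a placeholder for your own domain controller's DNS name.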

Use domain name with user name

This particular troubleshooting tip is a bit of a long shot, but desperate times call for desperate measures, right?

Try logging on to the Lion workstation by using the “old school” domain\username syntax instead of supplying either just the username or the username@domain syntax.

Reinstall Mac OS X Lion

Obviously, OS reinstallation is a worst-case scenario. However, some users have found that performing a clean reinstallation of Mac OS X Lion cleared up the problem.

Conclusion

I hope that you were able to find success with your Mac OS X Lion/Active Directory integration issues by applying one or more of these troubleshooting techniques. Please leave feedback in the comments portion of this post so that the 4Sysops community can benefit from your experience.

5 Comments

  1. Babun says:

    I wonder why anyone bothers trying to integrate anything other than Windows into an AD environment; it just spells trouble.

    I used to troubleshoot these issues with earlier versions of OS X and it seems it hasn’t gotten any better. I’m unaware of the collaboration between Apple and Microsoft in this, but it seems pretty obvious Apple’s compatibility issues will always be minorly important to Microsoft as they implement new features.

  2. Michael says:

    I built a new domain recently. When I first set up Lion I had no issues logging into the domain, but not 24 hours later the computer wouldn’t log into the domain. Initially I used a 3rd party app to bypass the issue, but then it started happening to the 10.6 computers as well. 10.5 continued to be solid. I discovered having a .local domain name was causing the conflict, as well as general slow performance. I had a choice between renaming the domain and disabling Bonjour on every Mac. I chose renaming the domain, just seemed like less of a headache. 10.6 and 10.7 now log in quickly and the general network latency has also disappeared.

  3. Martijn says:

    I fixed this problem by checking all users’ “altsecurityidentities” in the diradmin. For some reason there were 2 with: KERBEROS :untitled_1@xxx.yyy.zzz

    Two with the same name are causing an integrity error.
    I had to create a new connection as in the post above to my server.local and completely removed 127.0.0.1 LDAP. After that, authenticating to server.local with diradmin worked; the Open Directory log told me the usernames with the same altsecurityidentities.

    This is configured but I do not use Kerberos.

  4. Gary Hoffman says:

    Removing the spurious search path seemed to fix things for me, after I had done all the other things above it, then removed it from the AD.

    Thanks for the suggestions.

  5. benoit segonnes says:

    We recently had this case with a MacBook Air.
    The solution was very simple.
    I checked the local hostname and modified it to match my AD hostname. The problem was coming from the ‘.local’ at the end.
    To change it, you must add the line ‘search ‘ in your resolv.conf file.
    You still get the notification that you can’t log in with a network user without a network connection, but the authentication is performed successfully.

    Best regards and sorry for my poor English, I’m just a little French student ^^’
