You Are Unable to Log in to the User Account at This Time

This one is just a quickie, but I thought I’d post it because I know that I’ve gotten this message before and that there is very little useful information turned up in a relevant Google search.

At my work we use an OS X server to host the home directories of all of our users who log in to our lab computers. We currently only support OS X clients, so we’re only doing this over AFP. Last semester we used a Tiger server and clients, but this summer we are upgrading everything to Leopard.

After setting up a test client computer in Directory Utility (used to be Directory Access in Tiger) to connect to our server, I figured we were good to log in with one of the migrated user accounts. We don’t do binding or Active Directory or really anything complicated, so usually the process is pretty straightforward.

After setting up the client and restarting, I attempted to log on using one of our network users, and was met with this big fat error message:

You are unable to log in to the user account [username] at this time

Not only did logging in not work, but the entire description of the error read “Logging in to the account failed because an error occurred”. Gee, thanks Apple. Very useful.

This error wasn’t entirely foreign to me. I remembered seeing it occasionally in Tiger, but couldn’t remember if we had ever established a cause, let alone a solution. Just for kicks I tried logging on with the same account on one of our older Tiger clients (that was known to work with the old Tiger server). The message is slightly more verbose, but generally still the same:

You are unable to log in to the user account [username] at this time (Tiger Message)

I knew that AFP was working because we had some share points up and running. So, AFP and at least some level of authentication were working. After inspecting the server firewall and Open Directory logs, as well as the client logs, it seemed clear that the user was authenticating properly. It was something that was happening after the actual successful authentication that was causing the error message.

After some research and thought, it occurred to me that it was very likely that there was some sort of configuration gone awry with the actual home directories. Then I realized that I had completely neglected to actually configure the old home directories on our server to be shared at all!

So basically the user was logging in and authenticating successfully. Then when the client asked for the home directory the server was like, what home directory? And the client was like aww shit. I’m gonna log you out right now ’cause I need your home to work. And the server was like, all right, fine. Something like that.

After some simple home directory sharing configurations, everything was running without another episode. Sigh.
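A quick way to check for this mismatch from a terminal, as an added example that is not part of the original post: it pulls the share point name out of a user's `HomeDirectory` attribute and tests it against the list of share points the server actually exports. The user `jdoe`, the host `server.example.com`, the sample record and the function names are all made up for illustration.

```shell
#!/bin/sh
# Added example: does the home directory URL in a user record point at a
# share point that is really being shared?

# Constructed sample of what
#   dscl /LDAPv3/127.0.0.1 -read /Users/jdoe HomeDirectory
# prints for a network user with an AFP home (hypothetical user and host).
SAMPLE_RECORD='HomeDirectory: <home_dir><url>afp://server.example.com/Users</url><path>jdoe</path></home_dir>'

# Print the text between <url> and </url>, or nothing if there is no URL.
home_url() {
    printf '%s\n' "$1" | sed -n 's/.*<url>\(.*\)<\/url>.*/\1/p'
}

# Print the share point name: the last path component of the home URL.
home_share() {
    url=$(home_url "$1")
    url=${url%/}                      # tolerate a trailing slash
    [ -n "$url" ] || return 1         # record has no home URL at all
    printf '%s\n' "${url##*/}"
}

# check_home RECORD SHARE...
# Prints ok:<share>, not-shared:<share> or no-home-url and returns 0, 1 or 2.
check_home() {
    record=$1
    shift
    share=$(home_share "$record") || { echo "no-home-url"; return 2; }
    for s in "$@"; do
        if [ "$s" = "$share" ]; then
            echo "ok:$share"
            return 0
        fi
    done
    echo "not-shared:$share"
    return 1
}
```

On a real setup, pass the output of the `dscl` command above as the first argument and the share point names reported by `sharing -l` on the server as the rest. A `not-shared` result is the situation described here: authentication succeeds, but the home the client asks for is not being served.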


Comments

1. Brian

What kind of modifications did you make to your home directory configurations? I’m getting the exact same errors when I have home directories set up on an external RAID array.

Thanks for any help!

2. Alissa

@ Brian

I am pretty much using the same exact setup that Corey Carson describes in his Leopard Server Quickstart Guide:

http://www.afp548.com/article.php?story=2008030421090192

My user account share points are on two separate hard drives from my server system. Both of these drives are set to mirror each other using RAID. Also, I’m only using Open Directory, because there are no Windows clients in my labs.

For me, when I was getting this error message, the first thing I did was check the logs to make sure that the firewall wasn’t blocking anything and to see if the client was communicating with the server at all.

It quickly became apparent from the server and client logs that the client was actually authenticating without a problem. The error was happening at some point between the actual authentication and login. This is what originally led me to question whether the home directories were set up appropriately.

3. Brewster

I am having the same problem…

4. Steffen

Here is what solved the problem for me.

After starting the Server Admin application I went to SERVER > Settings > Access > Services. Here the AFP service had only been enabled for the server admin. After setting this to Allow all users and groups the login worked.

5. Shawn D. K.

I fixed this by doing this:

confirming above

back in the Server Admin application I went to SERVER > File Sharing

Select Share Points.

Choose your Users share point.

Make sure Enable Automount is selected

Select Edit next to “Enable Automount”

Choose your Share Point Protocol.

Make sure you selected “User home folders”

Click “OK” button

should then show your domain.

now enter the domain’s admin user name in the name box and the password for the account in the Password box.

Select “OK”

now click the “Save” button on the bottom right corner of the Server Admin Window.

Test account(s) should work now.

I found you may need to point accounts to NFS path to home folder if switching from AFP and vice versa.

Shawn

6. Antish

Can anyone explain how this problem can be solved for a stand-alone installation of Leopard? I start to get the error message after changing the home directory location. I tried to turn off FileVault from the startup disk but can’t…any help anyone… PS

7. ecinex

“Here the AFP service had only been enabled for the server admin. After setting this to Allow all users and groups the login worked.5. Shawn D. K.” How much is it true?

8. Martin

I have set up new users on my Apple Server, using Open Directory. If I use the server as a machine, I can log in with the new user details, but I cannot do it from another machine on the network. On the user’s machine, I have set Login Options to allow network users to log in, and even specified the user, instead of allowing all network users. Any help would be greatly appreciated.

9. Alissa Miller

It sounds like you are not creating your users in the right directory. If your users are able to log in to the server, then you are probably setting them up as local users on the server. On the server, you should be setting your users up in a shared directory, like LDAPv3. It shows up as LDAPv3/127.0.0.1 in Workgroup Manager.

Once the users are created in the correct directory, you also must tell the clients to look at the server’s directory when users log in. You do this using Directory Utility on the client computers. You must add your server to the search path.

Try reviewing the Apple Open Directory user manual. Also, wasmacdotcom has some really great guides for doing this kind of thing.

10. Martin

All my clients point there OK. I have one client that is working fine, new users can log onto from machine no problem, it’s just the other machines on the network so it must be a local thing. I have checked the login items, allowing network users, and even specifying the new users. That lets you input the name and password, and obviously works, but then stumbles. If you put the wrong password then it shakes, so that part is working. Now I’m lost, as I looked at both machines and all settings seem to be the same! Any further ideas of something I may not have set? Lost!

11. Sven

Thanks a lot Shawn!! Your instructions are very clear! Thanks to you I’ve fixed this problem. Now all network accounts can log in from all machines! 🙂

12. Michael Chin

Hi. This was my exact problem. The comments all provided hints on how to solve the problem described. Especially the one about putting Network Users where Local Users go. Cheers, Michael

13. Matt Strange

Thanks for the simple solution!


