Active Directory issues after upgrading to Catalina from Mojave

Having a terrible time with Catalina and our AD integrated Macs so I have opted to ask the internet for help. I have included sample raw log data (screen dumped the whole lot/attached images) and other information below. I am out of my depth with this, spent loads of time trying to get it to work but I feel I am just doing the same stuff over again. I am guessing it's an issue with Catalina's SIP which is different to Mojave's. Hoping some clever clogs will figure it out or at least point me in a direction. NoMAD is available of course but we do not want mobile accounts etc, those are the rules that must be adhered to. Thank you in advance for your time.

The requirements for Macs on our domain

1.    Users must authenticate using their domain credentials

2.    Home drive and Shared area must mount on the desktop

3.    Papercut agent to be used to allow users to print

4.    Accounts must be locked down to prevent certain apps being used and most preferences from being modified

5.    Enrol stations onto our on-prem MDM (Apple Profile Manager running on an iPad mini)

6.    No mobile accounts, the user profile must be read over network. Nothing to be saved on the local drive.

7.    Use our existing Macs which are 21.5" late 2013 iMacs, 2.9 GHz i5's, model A1418

Our Setup with Mojave with the 2021-005 update (in a nutshell)

1.    Computer object is pre-created in AD

2.    Mac is named the same as pre-created computer object

3.    Mac is bound to our domain using specific system account

4.    Mac is enrolled in profile manager and once in correct device groups and all tasks are complete, it is restarted

5.    User then logs on with their domain credentials, and after about 20 seconds the desktop is on screen and the home drive/shared area map script runs (mounts 2 volumes on desktop).

6.    If we remove the library folder from the user's home drive, it gets recreated when they log on again. Takes a bit longer to sign in initially but that is to be expected. They can set light/dark mode etc and settings are retained in the library folder.

What happens after Catalina upgrade 10.16.7 without the 2021-004 (also tried with fresh install)

1.    Once upgrade has completed the user logs in with domain credentials

2.    Login window clears from screen and they are left with spinning pinwheel. Nothing else happens on the client end.

3.    Looking at the library folder that has been generated, there are fewer folders created (10 as opposed to Mojave's 30+).

4.    Checking /library/logs/DiagnosticsReports/ from a Windows 10 station I can see recurring CRASH files relating to accountsd happening between 6-7 times a minute (please see a copy of one of them below). As of typing this up, the client computer is still at the pinwheel stage after 22 minutes and the logs are still reporting the same thing.

Process: accountsd [1987]

Path: /System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

Identifier: accountsd

Version: 113 (113)

Code Type: X86-64 (Native)

Parent Process: ??? [1]

Responsible: accountsd [1987]

User ID: 795780844

Date/Time: 2021-08-11 11:41:19.844 +0100

OS Version: Mac OS X 10.15.7 (19H2)

Report Version: 12

Anonymous UUID: 583D20DD-74CB-BC5A-3E74-F233D85D3950

Time Awake Since Boot: 1200 seconds

System Integrity Protection: enabled

Crashed Thread: 0 Dispatch queue: NSManagedObjectContext 0x7fef6d41c5b0

Exception Type: EXC_CRASH (SIGABRT)

Exception Codes: 0x0000000000000000, 0x0000000000000000

Exception Note: EXC_CORPSE_NOTIFY

Application Specific Information:

Event history:

(

"Error Domain=NSCocoaErrorDomain Code=512 "The file couldn\U2019t be saved." UserInfo={reason=Failed to create file; code = 2}"

)

*** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Unexpected number of persistent stores (0), expected 1'

abort() called

terminating with uncaught exception of type NSException

During my testing and digging around, I found that one of the major differences between Mojave and Catalina is the fact that while both use APFS, Catalina splits into 2 volumes, one user writable (DATA) and a secured one (SYSTEM). I turned off SIP in the recovery terminal and tried logging in as our test user (works just fine with Mojave) and I WAS able to sign in, with the following results. Prior to logging in I removed the previous library folder from the user's home folder.

1.    After less than a minute from entering credentials the desktop appears and volumes mount. Looking at the library folder there are at least 28 folders, which does increase when opening applications.

2.    Checking /library/logs/DiagnosticsReports/ from a Windows 10 station I can see that the recurring accountsd CRASH log files are no longer appearing, but instead it is "ContactsAccountsService" which again happens 6-7 times every minute. I have dumped one of the logs below.

Process: ContactsAccountsService [3507]

Path: /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

Identifier: ContactsAccountsService

Version: 11.0 (2421.27)

Code Type: X86-64 (Native)

Parent Process: ??? [1]

Responsible: ContactsAccountsService [3507]

User ID: 795780844

Date/Time: 2021-08-11 12:12:31.743 +0100

OS Version: Mac OS X 10.15.7 (19H2)

Report Version: 12

Anonymous UUID: 583D20DD-74CB-BC5A-3E74-F233D85D3950

Time Awake Since Boot: 650 seconds

System Integrity Protection: disabled

Crashed Thread: 2 Dispatch queue: com.apple.contacts.database-preparation

Exception Type: EXC_CRASH (SIGABRT)

Exception Codes: 0x0000000000000000, 0x0000000000000000

Exception Note: EXC_CORPSE_NOTIFY

Application Specific Information:

dyld3 mode

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSPlaceholderDictionary initWithObjects:forKeys:count:]: attempt to insert nil object from objects[0]' terminating with uncaught exception of type NSException

abort() called

Without SIP, the account appears to be working normally; however, when the user logs off and back in, the pinwheel appears and nothing is logged in /library/logs/DiagnosticsReports. Shutdown and restart do not respond so I have to button the Mac. When it comes back up the user is able to log back in again but the allowed preferences that they can modify are reverted back to defaults (so they are not being saved in the library folder). Nothing is being logged either. Same problem when they want to log back in (just pinwheels). If everything worked normally without SIP, I would not be able to keep SIP off for the production image for security reasons.
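A way to triage the crash-report loop described in the post, as an added example that is not part of the original post: it pulls the header fields the two reports share (Process, Date/Time, System Integrity Protection, the exception reason) out of each .crash file and counts crashes per process per minute, which is the "6-7 times a minute" signal the post is reading by eye. The three reports embedded below are constructed from the layout shown in the post (the second accountsd timestamp is invented); on a client they would come from the .crash files in the DiagnosticReports folder.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample reports trimmed to the header lines used; the 2nd accountsd timestamp is made up.
SAMPLE_REPORTS = [
    "Process: accountsd [1987]\n"
    "Date/Time: 2021-08-11 11:41:19.844 +0100\n"
    "System Integrity Protection: enabled\n"
    "*** Terminating app due to uncaught exception 'NSInternalInconsistencyException', "
    "reason: 'Unexpected number of persistent stores (0), expected 1'\n",
    "Process: accountsd [2003]\n"
    "Date/Time: 2021-08-11 11:41:29.120 +0100\n"
    "System Integrity Protection: enabled\n"
    "reason: 'Unexpected number of persistent stores (0), expected 1'\n",
    "Process: ContactsAccountsService [3507]\n"
    "Date/Time: 2021-08-11 12:12:31.743 +0100\n"
    "System Integrity Protection: disabled\n"
    "reason: '*** -[__NSPlaceholderDictionary initWithObjects:forKeys:count:]: "
    "attempt to insert nil object from objects[0]'\n",
]

# One regex per header field, anchored to a line start except the exception reason.
FIELDS = {
    "process": r"^Process:\s+(\S+)",
    "date": r"^Date/Time:\s+(\S+ \S+)",
    "sip": r"^System Integrity Protection:\s+(\w+)",
    "reason": r"reason: '([^']*)'",
}

def parse_report(text):
    """Extract the fields above from one crash report; absent fields come back None."""
    out = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        out[key] = m.group(1) if m else None
    if out["date"]:
        out["date"] = datetime.strptime(out["date"], "%Y-%m-%d %H:%M:%S.%f")
    return out

def crashes_per_minute(reports):
    """Count reports per (process, minute); a crash loop fills one bucket repeatedly."""
    counts = Counter()
    for r in map(parse_report, reports):
        counts[(r["process"], r["date"].strftime("%Y-%m-%d %H:%M"))] += 1
    return counts

def crash_loops(reports, threshold=2):
    """Processes that crashed at least `threshold` times within a single minute."""
    return sorted({p for (p, _), n in crashes_per_minute(reports).items() if n >= threshold})
```

The accountsd reason goes together with the "Failed to create file; code = 2" event history above: if that code is a POSIX errno, 2 is ENOENT, so a sensible first check on a network home is whether the user's Library folder can actually be created and written at login with SIP enabled.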
