Aug 23, 2012 1:00 PM (in response to justinhamlin)
Just updated to 10.8.1 and it didn't solve the Active Directory mobile account issue. Just tested with our IT team and the AD account still locks after the first login attempt. So we continue to wait.
Aug 24, 2012 12:02 PM (in response to iamtheadman)
Didn't solve it for me either. My machine isn't tied into the AD, instead it resides on the same network, and has only local accounts. Though I (used to) connect to SMB directories using AD login credentials every day.
I'm also getting locked out after the first attempt.
Aug 24, 2012 12:20 PM (in response to blayn)
I just found a workaround, well, sort of.
- If I use the limited, non-admin account on the Mac (local, non-AD), I'm able to connect to SMB shares. No lockout, same exact credentials, just different local account.
Sep 12, 2012 7:48 AM (in response to justinhamlin)
Same problem here. After one password error, the account is locked.
Mountain Lion: 10.8.1
Server: AD on Windows Server 2008 R2
Sep 17, 2012 8:20 PM (in response to justinhamlin)
You guys can add me to the list. Trying to configure 10.8.1 Mountain Lion Server to connect with our Active Directory server running Windows Server 2008 R2. I can add a user, but cannot log in after logoff. Any ideas greatly appreciated.
Sep 19, 2012 12:06 PM (in response to justinhamlin)
I am happy to report that I installed 10.8.2 and I am able to create a mobile account and not have it lock my Active Directory account. I have rebooted several times, with network connection and without, and it continues to work. I've also tested logging out, logging in to the Administrator account and then logging back into the AD account and it still works.
I think Apple may have fixed the problem. Strangely, there was no mention of Active Directory in the release notes.
Please post other successes/failures here.
Sep 19, 2012 12:57 PM (in response to iamtheadman)
Actually, Apple does list it in the release notes. http://support.apple.com/kb/HT5460
Sep 20, 2012 7:16 AM (in response to iamtheadman)
Sadly, 10.8.2 does not seem to fix the issue with AD primarygroupid mappings for us. We still cannot log in with users whose primarygroupid value is interpreted (incorrectly) as "-2", unless we manually map GID to primaryGroupID via Directory Utility.
I suppose that we can continue with the policy of manually mapping this attribute, but I really wish that Apple would get this fixed!
Oct 9, 2012 7:19 AM (in response to justinhamlin)
Hi, hoping there's still some people around to help me on this issue.
I recently began experiencing issues with my MS Outlook 2011 for Mac last week, after I upgraded to Mountain Lion. However, I didn't immediately notice an issue because the problem was specifically with my gmail. Gmail occasionally throws a tantrum and needs the Captcha to be unlocked anyway, as I often access email from a number of devices and gmail is paranoid about this being a potential threat.
I have four email addresses collected by Outlook. These are a gmail, and two private domain emails (all these three are IMAP) and also a POP hotmail.
So last Monday my two private emails stopped working as well, with the error message 'failed to authenticate, username or password incorrect etc etc' which keeps popping up no matter how many times I enter the password. Even when this happened I still didn't immediately blame ML as our domain was being upgraded at the time and I thought it might be that.
So, after unlocking the google captcha and confirming that the domain wasn't the problem, I've narrowed it down to either Outlook or ML. Then today, the POP hotmail failed in Outlook as well, which totally threw me as POP is almost indestructible.
Also, the really confusing part is that the gmail and two domain emails stopped working at the same time on my iPhone, so that's clearly not an ML issue, and I've had iOS6 since day one and that was working fine until last week. On my iPhone I use the Mail app to collect all the same email except the POP account.
So I have tried:
Unlocking the Captchas
Deleting and redoing keychain passwords
Confirming that all details are correct
Gmail now works on the iPhone, but not on my Macbook.
Domain emails don't work at all, and neither does the hotmail.
Just to reiterate Outlook worked fine with all these accounts until last week.
If anyone can offer any ideas that would be much appreciated - I've been without email for a week and it's killing me!
Nov 8, 2012 5:22 AM (in response to justinhamlin)
I have a similar issue where the wifi keeps dropping with Authentication Failure. The client has everything linked to AD but my Mac just has a local machine account. I do connect to a printer using an ip address.
Very annoying and I hope Apple will fix this soon.
Nov 9, 2012 12:04 AM (in response to dMatthewSb)
Thanks for the tip but this did nothing for me. Still drops the wifi with Authentication Failure. I have to switch the wifi off and on to continue.
Dec 17, 2012 11:08 AM (in response to SSSnet Tech)
This method (from SSSnet Tech) does not work for me. When I try the "Check Map user GID to attribute primaryGroupID", the login screen just bounces twice after I enter my AD username & password and hit Enter. I had another post created for my issue. Basically the same thing happens: cannot log into AD with a Mountain Lion machine. I had also captured the log. Please help me find out a solution for this.
I appreciate all your help and time!
Dec 18, 2012 8:28 AM (in response to ttle)
Anyone know how to find the primaryGroupID value in AD? I tried 513, which is the default one, but it doesn't work. Please help!
Jan 3, 2013 6:58 AM (in response to justinhamlin)
Has anyone looked into the Sync function once you create the Mobile account? Just by browsing around I noticed that this is syncing very frequently. Just wonder if it attributes to the locking out of accounts in AD. I will be doing some tests on a brand new MacBook Pro with my AD account. I have created the mobile account in the Users & Groups window rather than it making one automatically when a user logs in. Will write up more notes as they come.
Jan 11, 2013 5:57 PM (in response to justinhamlin)
We ran into this issue today with a Mac user. I stumbled across this post and just thought I'd share what fixed it for us.
Issue: When logging into a Mac (10.7.5 or 10.8.2) with User1, login would not prompt to create mobile account, or would just act like the password was wrong. With User2, it always worked as expected.
After reading through this entire thread and trying a few extra steps, here's what we found.
When running this command (run on a domain-joined Mac) we could get all the info on User1 and User2.
Substitute YOURDOMAIN for whatever domain you are joined to and having issues with.
dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user1
dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user2
Looking at the returned properties we noticed that User1 also had a sub-domain account in the forest appearing in output:
and User2 (works) did not:
What fixed it for us was to do one of the following solutions.
Solution 1: Rename the Sub-domain user. Apparently Unix uses this username forest-wide, so when we joined the domain the default search policy would try "All Domains".
This would result in the Sub.Domain user registering a "badPwdCount" property and eventually locking out the Sub.Domain\User1 account when logging into the mac as Domain\User1.
The account would log in, but to a half-created home folder, and never prompt to create a mobile account.
Once the Sub.Domain account was gone, the user immediately worked. You may need to wait for replication in a large Active Directory environment.
Solution 2: Change the Search Policy in OSX to use one domain (instead of default All Domains).
You have to un-check the "Allow authentication from any domain in the forest", apply, then go to Search Policy and specify the desired domain, and then remove "All domains".
Either of these solutions resolved our "some users always work and other users always don't work" issue.
Until today we hadn't figured out why it was happening to only a small number of users. It was isolated to users with the same User1 account in multiple domains in the forest.
Hopefully this saves someone time :).