This discussion is archived

Binding to Active Directory Fails - Authentication Errors

49655 Views 63 Replies Latest reply: Feb 10, 2009 9:18 AM by Erik Black
themonkman
Oct 31, 2007 5:39 PM
I've done two clean installs of 10.5 on two separate 1st gen Macbooks, and Active Directory binding to a 2000 or 2003 Server fails with "Invalid Username/Password" when it asks you for the network administrator's credentials. I am the network administrator, so I know that the username and password are correct. My system is seeing the correct DNS server and my system time is exactly the same as my domain controllers'. Has anyone had this problem? AD binding worked fine with the AD 1.5.6 plugin that came with 10.4. The AD 1.6 plugin in Directory Services seems broken to me.
Macbook 2Ghz Core Duo, Mac OS X (10.5), 2GB RAM, 100GB HDD
  • Andbrowny Level 4 (1,610 points)
    Hi themonkman, have you tried administrator@ADDOMAIN.DOMAIN?
    I got similar errors but it seemed to like this format better. BTW, what is your domain suffix?
    Cheers
    iBookG4 ; MacBook Pro ; Mac Pro ;, Mac OS X (10.4.10), OSX Server ; .local AD ; WINXP via Parallels
  • p_halcomb
    Your domain doesn't end in .local does it?
    MacBook, Mac OS X (10.5)
  • Bo Boivie Level 1 (65 points)
    I have the same problem. Our domain does not end in ".local". I do not personally have network admin rights, but when my network administrator tries to bind my machine I get an "invalid user name and password combination" message.

    If I try using my own user name I get a message that I don't have the authority to perform the binding, which is fair of course. What is strange is that if I enter a non-existing user name I get the "invalid user name..." error, i.e. the same message as for the network admin.

    I don't understand this at all. It worked beautifully in Tiger.

    Edit: Haven't tried the user@domain format when binding. Will do but not until next week I'm afraid.

    -Bo

    Message was edited by: Bo Boivie
    MacBook Pro 2,4Ghz, Mac OS X (10.5)
  • p_halcomb Level 1 (35 points)
    One more thing to try might be to make sure your net admin deletes your computer account before binding. I've had similar error messages when the computer account was still in the directory.
    MacBook, Mac OS X (10.5)
  • Bo Boivie Level 1 (65 points)
    Is the computer recognized only by its name in the AD? If I name my computer differently, will it then be a completely new entity when I bind it again?

    -Bo
    MacBook Pro 2,4Ghz, Mac OS X (10.5)
  • p_halcomb Level 1 (35 points)
    Hi Bo,

    If you rename your computer and bind again it should create a new object in Active Directory. You might try that too.
    MacBook, Mac OS X (10.5)
  • William Lloyd Level 6 (19,220 points)
    Might want to check with AppleCare on this. There have been a couple other long threads here and I'm not sure they were resolved.
    8-Core Mac Pro, Mac OS X (10.5)
  • OLAUser
    I've been having the same issue. I've tried dozens of different things to fix, but without luck so far. I did try one thing which might help shed some light on the issue. I took a packet sniff of traffic to my domain controllers while attempting to add a server under Directory Utility-Directory Servers. The process fails with error code 14120, eDSPermissionError. There wasn't a single packet sent on the wire to my domain controllers when this error occurred. This suggests a problem with permissions on the system, but I was logged in as root at the time. I've also done a permission repair. So far I haven't gotten any farther.
    Mac Pro, Mac OS X (10.5)
  • JLic
    I’ve recently purchased 7 new machines (iMac & Power MAC) with 10.5. For the last week I’ve been trying to bind 2 of them to a Windows 2003 R2 Domain. I have 18 10.3 G4’s and do not remember having this issue...

    Anyway, the “fix” for me (at least one machine) was to make the Computer Name and Local Hostname fields the exact same in System Preferences – Sharing. Don’t worry about the .local suffix in the local hostname field…

    I hope this wasn’t a fluke and plan to try other machines next week.
    Mac OS X (10.5.1)
  • Nicholas Shaff
    I'm having what seems to be the same issue. It's funny, because the machine I'm on was set up the day 10.5 came in, bound just fine, and really hasn't had any issues.

    I was creating a fresh image of 10.5 to test deploy before we eventually deploy 10.5 and I ran into the AD binding problem. The actual error it's giving me is a -14090 (eDSAuthFailed) error.

    What is REALLY odd to me about the whole thing is if you click on the Services tab in Directory Utility to use the familiar 10.4-like interface for binding, you can watch it go through the 5 steps, and the error message failure does not even come up until step 5 finishes ("Binding computer to Domain..."). The Authentication step (step 3) seems to go just fine.

    I've also tested it in API logging and debug mode. In API it produces the same result error code when calling dsDoPlugInCustomCall(), but in the debug log I was unable to find the same error. I DID notice the plugin erring on a dsDoAttributeValueSearchWithData() with a -14138 error which doesn't appear in the man pages listing of error messages.

    As of yet, no idea what is causing all this for us, though on random occasions it will actually bind. But it appears to just be sporadic and doesn't correlate to any configuration changes.
    Xserve Intel dual 3ghz, Managing Macbooks, Macbook Pros and iMacs, Mac OS X (10.5.1)
  • EPtesting
    I can produce both errors mentioned here, the -14090 (eDSAuthFailed) error when trying to add my AD domain under Directory Servers and the 'Invalid user name and password' when trying to bind under Services. I have had the same experience on 2 brand new MBPs; one was upgraded from Tiger to 10.5.0, the other was a clean install.

    I have now managed to get the machines to bind to AD, but the problem is not resolved. I'd like to highlight what I did to get an AD bind, as others might like to try this.

    After experiencing all the issues spoken of in the thread, I tried creating the computer account in AD manually. In the Directory Access utility, I then tried to add my AD domain under Directory Servers, using the computer name I had just created. I got a message warning me that the computer account already exists and asking me to confirm that I wanted to use the existing account; I said OK and the domain was added. However, I was still unable to log in to the machine using my AD credentials, but I can access SMB shares by manually entering my AD details.

    From reading the (many) forums on this issue, it strikes me that the Directory Access v1.6 in Leopard does not seem to ever create the computer account in AD, i.e. machines that were already talking to AD prior to a Leopard upgrade do not seem to be affected in the same way. Some users are still having AD issues (such as can't log in) but the machines that were in AD before seem to bind OK, that is, they maintain the AD status they had under Tiger.

    Also, I was unable to perform the bind as described above while using the root administrator account for AD, though it worked fine with my account (also Domain Admin). The only glaring difference I can think of is that my administrator account has a space in the password. Anybody else come across this issue?

    I am in the process of trying this:

    Toni Weurlander of Finland isn't having any problems with Leopard 10.5.1:

    "I just installed a new MBP freshly with Leopard, updated it to 10.5.1 and bind it to our AD. Everything just worked like it did on Tiger. Never tried to bind it with 10.5.0. All SMB shares seem to work as expected."

    The above is from - http://www.macwindows.com/leopard.html#102907i

    Will let you know how it goes.
    MacBook Pro, Mac OS X (10.5.1)
  • EPtesting Level 1 (0 points)
    It works!!

    The process:

    1. Performed clean install of Leopard
    2. Downloaded update to 10.5.1 while logged in as the local administrator (DO NOT ATTEMPT TO BIND TO ACTIVE DIRECTORY!)
    3. Restart after updates are finished, login as local administrator
    4. Open Directory Utility, wait for the utility to finish looking for Mac Servers
    5. Click the '+' button
    6. Enter your domain details and computer name
    7. Click OK, enter user domain admin details.

    Note this time I was able to allow the Directory Utility to create the computer account on the domain and it worked fine. I can now log in using AD credentials and all SMB shares authenticate fine.

    I realise this is not a solution for people who upgraded from Tiger with heaps of software already installed and don't want to do a clean build, but hopefully people with new machines can go through this process. Obviously the 10.5.1 upgrade fixes the issues, but not if you have previously attempted to authenticate to AD. Those with more low-level networking experience may be able to debug this further.

    FYI - I raised this issue with Apple support and the best they could do was have a 'senior technician' say that it was an Active Directory problem and that I need to go talk to Microsoft... (what the?)

    Cheers,
    Benn.
    MacBook Pro, Mac OS X (10.5.1)
  • Nicholas Shaff Level 1 (10 points)
    Have you tried unbinding the machine and rebinding it? In my testing of it I was occasionally able to get the machine to bind, but subsequent unbinding/rebinding to verify if the issue was resolved resulted in failure.
    Xserve Intel dual 3ghz, Managing Macbooks, Macbook Pros and iMacs, Mac OS X (10.5.1)
  • Chris Grande Level 2 (200 points)
    10.5 / 10.5.1 Clean/Upgrade or otherwise doesn't work with AD. The bind works with no problem, other than any hyphens becoming underscores in the name which is annoying. Either the login will freeze, fail or you get this message:
    http://www.imagehosting.com/show.php/1412561_login.png.html

    Apple needs this fixed. I made this clear to our Sales Rep, as we will not buy any Leopard-based Macs until this AD issue is fixed, as it makes Leopard completely useless in our environment.

    Message was edited by: Chris Grande
    MacBook Pro 2.16GHz, Mac OS X (10.4.9)