
Binding to Active Directory Fails - Authentication Errors

I've done two clean installs of 10.5 on two separate 1st gen MacBooks, and Active Directory binding to a 2000 or 2003 Server fails with "Invalid Username/Password" when it asks you for the network administrator's credentials. I am the network administrator, so I know that the username and password are correct. My system is seeing the correct DNS server and my system time is exactly the same as my domain controllers'. Has anyone had this problem? AD binding worked fine with the AD 1.5.6 plugin that came with 10.4. The AD 1.6 plugin in Directory Services seems broken to me.

MacBook 2GHz Core Duo, Mac OS X (10.5), 2GB RAM, 100GB HDD

Posted on Oct 31, 2007 5:39 PM

63 replies

Nov 1, 2007 12:44 AM in response to themonkman

I have the same problem. Our domain does not end in ".local". I do not personally have network admin rights, but when my network administrator tries to bind my machine I get an "invalid user name and password combination" message.

If I try using my own user name I get a message that I don't have the authority to perform the binding, which is fair of course. What is strange is that if I enter a non-existing user name I get the "invalid user name..." error, i.e. the same message as for the network admin.

I don't understand this at all. It worked beautifully in Tiger.

Edit: Haven't tried the user@domain format when binding. Will do but not until next week I'm afraid.

-Bo

Message was edited by: Bo Boivie

Nov 22, 2007 10:22 AM in response to William Lloyd

I've been having the same issue. I've tried dozens of different things to fix, but without luck so far. I did try one thing which might help shed some light on the issue. I took a packet sniff of traffic to my domain controllers while attempting to add a server under Directory Utility-Directory Servers. The process fails with error code 14120, eDSPermissionError. There wasn't a single packet sent on the wire to my domain controllers when this error occurred. This suggests a problem with permissions on the system, but I was logged in as root at the time. I've also done a permission repair. So far I haven't gotten any farther.

Nov 23, 2007 7:54 AM in response to OLAUser

I’ve recently purchased 7 new machines (iMac & Power Mac) with 10.5. For the last week I’ve been trying to bind 2 of them to a Windows 2003 R2 Domain. I have 18 10.3 G4’s and do not remember having this issue...

Anyway, the “fix” for me (at least one machine) was to make the Computer Name and Local Hostname fields the exact same in System Preferences – Sharing. Don’t worry about the .local suffix in the local hostname field…

I hope this wasn’t a fluke and plan to try other machines next week.

Nov 26, 2007 7:48 AM in response to themonkman

I'm having what seems to be the same issue. It's funny, because the machine I'm on was set up the day 10.5 came in, bound just fine, and really hasn't had any issues.

I was creating a fresh image of 10.5 to test deploy before we eventually deploy 10.5 and I ran into the AD binding problem. The actual error it's giving me is a -14090 (eDSAuthFailed) error.

What is REALLY odd to me about the whole thing is if you click on the Services tab in Directory Utility to use the familiar 10.4-like interface for binding, you can watch it go through the 5 steps, and the error message failure does not even come up until step 5 finishes ("Binding computer to Domain..."). The Authentication step (step 3) seems to go just fine.

I've also tested it in API logging and debug mode. In API it produces the same result error code when calling dsDoPlugInCustomCall(), but in the debug log I was unable to find the same error. I DID notice the plugin erring on a dsDoAttributeValueSearchWithData() with a -14138 error which doesn't appear in the man pages listing of error messages.

As of yet, no idea what is causing all this for us, though on random occasions it will actually bind. But it appears to just be sporadic and doesn't correlate to any configuration changes.

Nov 26, 2007 9:20 PM in response to Nicholas Shaff

I can produce both errors mentioned here, the -14090 (eDSAuthFailed) error when trying to add my AD domain under Directory Servers and the 'Invalid user name and password' when trying to bind under Services. I have had the same experience on 2 brand new MBP's, one was upgraded from Tiger to 10.5.0, the other was a clean install.

I have now managed to get the machines to bind to AD, but the problem is not resolved. I'd like to highlight what I did to get an AD bind, as others might like to try this.

After experiencing all the issues spoken of in the thread, I tried creating the computer account in AD manually. In the Directory Access utility, I then tried to add my AD domain under Directory Servers, using the computer name I had just created. I got a message warning me that the computer account already exists and asking me to confirm that I wanted to use the existing account; I said OK and the domain was added. However, I was still unable to log in to the machine using my AD credentials, but I can access SMB shares by manually entering my AD details.

From reading the (many) forums on this issue, it strikes me that the Directory Access v1.6 in Leopard does not seem to ever create the computer account in AD, i.e. machines that were already talking to AD prior to a Leopard upgrade do not seem to be affected in the same way. Some users are still having AD issues (such as can't login) but the machines that were in AD before seem to bind OK, that is, they maintain the AD status they had under Tiger.

Also, I was unable to perform the bind as described above while using the root administrator account for AD, though it worked fine with my account (also Domain Admin). The only glaring difference I can think of is that my administrator account has a space in the password. Anybody else come across this issue?

I am in the process of trying this:

Toni Weurlander of Finland isn't having any problems with Leopard 10.5.1:

"I just installed a new MBP freshly with Leopard, updated it to 10.5.1 and bind it to our AD. Everything just worked like it did on Tiger. Never tried to bind it with 10.5.0. All SMB shares seem to work as expected."

The above is from - http://www.macwindows.com/leopard.html#102907i

Will let you know how it goes.

Nov 26, 2007 10:07 PM in response to EPtesting

It works!!

The process:

1. Performed clean install of Leopard
2. Downloaded update to 10.5.1 while logged in as the local administrator (DO NOT ATTEMPT TO BIND TO ACTIVE DIRECTORY!)
3. Restart after updates are finished, login as local administrator
4. Open Directory Utility, wait for the utility to finish looking for Mac Servers
5. Click the '+' button
6. Enter your domain details and computer name
7. Click OK, enter user domain admin details.

Note this time I was able to allow the Directory Utility to create the computer account on the domain and it worked fine. I can now login using AD credentials and all SMB shares authenticate fine.

I realise this is not a solution for people who upgraded from Tiger with heaps of software already installed and don't want to do a clean build, but hopefully people with new machines can go through this process. Obviously the 10.5.1 upgrade fixes the issues - but not if you have previously attempted to authenticate to AD. Those with more low level networking experience may be able to debug this further.

FYI - I raised this issue with Apple support and the best they could do was have a 'senior technician' say that it was an Active Directory problem and that I need to go talk to Microsoft... (what the?)

Cheers,
Benn.

Nov 27, 2007 6:09 PM in response to Nicholas Shaff

10.5 / 10.5.1 Clean/Upgrade or otherwise doesn't work with AD. The bind works with no problem, other than any hyphens becoming underscores in the name which is annoying. Either the login will freeze, fail or you get this message:
http://www.imagehosting.com/show.php/1412561_login.png.html

Apple needs this fixed. I made this clear to our Sales Rep, as we will not buy any Leopard-based Macs until this AD issue is fixed, as it makes Leopard completely useless in our environment.

Message was edited by: Chris Grande

Nov 28, 2007 10:19 AM in response to Chris Grande

I reinstalled my system from scratch using the 10.5 disks. I then migrated over my applications from backup, but not the users. After binding to the directory, I was able to logon using a network account. I then copied over the user's old folders from the backup.

So in other words, a clean install worked for me. One thing I've tried in the past was to specify the preferred domain controller, and use the IP, not the name.
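
A pre-bind check of the conditions posters in this thread mention (Computer Name matching Local Hostname, clock agreement with the domain controller, hyphens in the computer name), as an added example that is not part of any post above. The function names, the sample values and the 300-second skew limit (the usual Kerberos default) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-bind checks for the conditions reported in this thread.
# All function names are hypothetical; the sample values below are constructed.

MAX_SKEW=300   # assumed limit: the usual Kerberos default of 5 minutes

# abs_skew LOCAL_EPOCH DC_EPOCH -> prints the absolute difference in seconds
abs_skew() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# ad_account_name NAME -> prints NAME with hyphens turned into underscores,
# which is what one poster saw happen to the bound computer's name
ad_account_name() {
    printf '%s\n' "$1" | sed 's/-/_/g'
}

# prebind_report COMPUTER_NAME LOCAL_HOSTNAME LOCAL_EPOCH DC_EPOCH
# Prints one line per finding and returns the number of findings.
prebind_report() {
    issues=0
    if [ "$1" != "$2" ]; then
        echo "NAME: Computer Name '$1' differs from Local Hostname '$2'"
        issues=$(( issues + 1 ))
    fi
    skew=$(abs_skew "$3" "$4")
    if [ "$skew" -gt "$MAX_SKEW" ]; then
        echo "TIME: clock differs from domain controller by ${skew}s (limit ${MAX_SKEW}s)"
        issues=$(( issues + 1 ))
    fi
    renamed=$(ad_account_name "$1")
    if [ "$renamed" != "$1" ]; then
        echo "HYPHEN: expect the computer name to appear as '$renamed'"
        issues=$(( issues + 1 ))
    fi
    return "$issues"
}

# Constructed sample run. On the Mac itself the first two values come from
# `scutil --get ComputerName` and `scutil --get LocalHostName`, the third from
# `date +%s`; the domain controller's time has to be read from the DC.
prebind_report "Lab Mac-07" "lab-mac-07" 1196100000 1196100420 || true
```

A return value of 0 means none of the three conditions was flagged; it does not mean the bind will succeed.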
