

Active Directory Authentication Failing w/new ML Install

Upgraded to Mountain Lion today, everything works flawlessly, except anything that requires Active Directory authentication:


  • Outlook 2011 connection to Exchange will not connect
  • Mail.app will not connect to Exchange
  • Contacts.app will not connect to Exchange
  • Calendar.app will not connect to Exchange
  • Microsoft Remote Desktop Connection will not authenticate against any server
  • Cannot add computer to the Domain after specifying Directory Server (authentication failure)
  • Cannot connect/authenticate to any Windows Server file share


I am an admin of my network, and I have a 2nd Windows computer sitting here and can do all of these things just fine, so my credentials are correct. Mountain Lion is the culprit, just need to figure out the solution.


Why will Mountain Lion not pass authentication credentials correctly? This is a MAJOR issue to anyone looking to use Mountain Lion in the enterprise.

MacBook Air, OS X Mountain Lion

Posted on Jul 25, 2012 1:22 PM

50 replies

Jul 30, 2012 11:25 AM in response to Andrew Cunningham

Summary: My departments have been using AD authentication for years with only some minor hiccups. Testing indicates some AD accounts can login to bound 10.8 Macs, while some cannot. This is reproducible across different machines. Accounts that work with 10.8 always work; accounts that do not work, do not work on any 10.8 machine.


All AD accounts have no problem logging in on machines with 10.7, 10.6, 10.5. The account we use to put our machines in the domain cannot be used to login to the 10.8 machine after it is bound!


A user who cannot perform the initial login, if logged in under a working account, can successfully open SMB shares to file shares that use AD authentication by inputting their account and password, so it appears Kerberos is working.

Steps to Reproduce: Bind 10.8 Mac to Domain, test login. In Terminal, id "account" will return values for accounts that work; accounts that return "user not found" do not work.

Expected Results: Ability to authenticate using AD username and password.

Actual Results: AD accounts listed in the Apple Directory Editor with the attribute PrimaryGroupID=1015084726 can login, accounts listed in the Apple Directory Editor with that attribute missing entirely cannot login.

When using any AD tool from a Windows machine, the primaryGroupID is 513, we can find no attribute with a value of 1015084726 (see note below). In the Apple Directory Editor value 513 is associated with SMBGroupRID.


Regression: Works as expected with 10.7, 10.6, 10.5 and earlier.

Notes: Users with working 10.7 machines who upgrade to 10.8 cannot login to their machines if their account is one that is affected.


Note, using the id command on a bound Mac with a working account returns a group membership which starts with


gid=1015084726(VANDERBILT\Domain Users)

Obviously all accounts in our domain are domain users. The question is why do some accounts work with 10.8 and some do not.


AppleCare was contacted, I was told Active Directory was not supported.
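The triage SSSnet Tech describes above (run `id` against each account, then look at the account's PrimaryGroupID in the directory node) can be scripted so a whole list of accounts is checked the same way. The script below is an added example, not something posted in this thread: the domain node path and the account names are placeholders you replace with your own, and the `id`-output parser is kept separate from the live commands so it can be checked on constructed output.

```shell
#!/bin/sh
# Added example (not from the thread): triage which AD accounts a bound 10.8 Mac
# resolves, mirroring the thread's `id <account>` and PrimaryGroupID checks.
# Placeholder assumptions: AD_NODE is your bound domain node; accounts come from argv.

AD_NODE="/Active Directory/EXAMPLE/All Domains"   # placeholder: replace EXAMPLE with your domain

# classify_id_output TEXT: given what `id <account>` printed, echo
# "resolved:<gid>" or "unresolved". Pure string handling, no commands run.
classify_id_output() {
    out="$1"
    case "$out" in
        *"no such user"*|*"user not found"*) echo "unresolved"; return 0 ;;
    esac
    # pick the gid=NNNN( field; "groups=" never matches "gid=", so the last hit is the real one
    gid=$(printf '%s\n' "$out" | sed -n 's/.*gid=\([0-9][0-9]*\)(.*/\1/p' | head -n 1)
    if [ -n "$gid" ]; then
        echo "resolved:$gid"
    else
        echo "unresolved"
    fi
}

# check_account ACCOUNT: run id and dscl on a live, domain-bound Mac and print one
# tab-separated line. PrimaryGroupID is read from the AD node, which is the attribute
# the thread found missing on accounts that cannot log in.
check_account() {
    acct="$1"
    idout=$(id "$acct" 2>&1) || true
    verdict=$(classify_id_output "$idout")
    case "$verdict" in
        resolved:*)
            gid=${verdict#resolved:}
            pgid=$(dscl "$AD_NODE" -read "/Users/$acct" PrimaryGroupID 2>/dev/null \
                   | awk '/PrimaryGroupID/ {print $2}')
            printf '%s\tRESOLVED\tgid=%s\tPrimaryGroupID=%s\n' "$acct" "$gid" "${pgid:-<missing>}"
            ;;
        *)
            printf '%s\tNOT RESOLVED\t(%s)\n' "$acct" "$idout"
            ;;
    esac
}

# Usage: sh ad-triage.sh jdoe jsmith ...   (no arguments: nothing is probed)
for acct in "$@"; do
    check_account "$acct"
done
```

Accounts that print RESOLVED with a PrimaryGroupID value are the ones the thread expects to log in; a line that prints RESOLVED but `PrimaryGroupID=<missing>`, or NOT RESOLVED, matches the failing pattern described above and is worth comparing against the same account's primaryGroupID as seen from a Windows AD tool.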

Aug 1, 2012 5:44 AM in response to justinhamlin

Not sure if anyone has dismissed Justin's post because it didn't work for someone else, but in our environment this has resolved my issue. I did end up setting the MTU to 1280 instead of 1350. I believe it worked at 1350 but was having issues connecting to remote computers. I believe it just needed a reboot after the configuration change, but I changed it to 1280 then rebooted and all has been well ever since. For waverider, just something to think of, when you tried making the changes, does your company have wireless? I made the Hardware setting changes to both my wireless & Ethernet adapters. 3 days running and no issues since I set the MTU to manual.


Some additional info, yes I am using mobile account. And as an additional test, I configured the Mobile Sync as well. Everything is enabled that came out of the box from the fresh install.


justinhamlin wrote:


Might have just had a little breakthrough -


I would like to see if someone else can confirm this resolves their issue -


try going into NETWORK PREFERENCES > (your connection, wifi or ethernet) > ADVANCED > HARDWARE >


Set your Configuration to "MANUALLY"

Speed - "AUTOSELECT"

MTU = "CUSTOM" - set to 1350 (for example)


Basically, there is an issue on the local network that prevents packet sizes over a certain size (at least for me) which was causing all these random issues.


(also, you don't want to know what all I had to go through to figure this out)

Thanks Justin!
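Justin's MTU workaround above amounts to guessing a packet size that survives the path to the domain controller. Rather than guess, you can measure it: send Don't-Fragment pings of increasing payload size and binary-search for the largest one that still gets a reply. The script below is an added example, not from this thread; it assumes a reachable host (the placeholder `dc.example.internal`) and a `ping` that honours the Don't-Fragment flag (`-D` on macOS/BSD, `-M do` on Linux). The search is separated from the probe so it can be exercised with a stand-in probe.

```shell
#!/bin/sh
# Added example (not from the thread): measure the largest unfragmented ICMP payload
# to a host, i.e. the path-MTU problem the manual MTU setting works around.
# Placeholder assumption: TARGET is a domain controller or file server you can ping.

TARGET="${1:-dc.example.internal}"   # placeholder host; pass your own as the first argument

# send_probe SIZE: exit 0 if one Don't-Fragment ping with SIZE payload bytes got a reply.
send_probe() {
    case "$(uname -s)" in
        Darwin|*BSD) ping -D -c 1 -W 1000 -s "$1" "$TARGET" >/dev/null 2>&1 ;;   # -W in ms
        *)           ping -M do -c 1 -W 1 -s "$1" "$TARGET" >/dev/null 2>&1 ;;  # -W in s
    esac
}

# find_max_payload LOW HIGH [PROBE]: binary search for the largest payload in [LOW, HIGH]
# for which PROBE succeeds, assuming success is monotone (bigger packets fail).
# Echoes 0 when even LOW fails. PROBE defaults to send_probe.
find_max_payload() {
    lo=$1; hi=$2; probe=${3:-send_probe}; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD: the IPv4 header (20 bytes) and ICMP header (8 bytes) sit on top
# of the ping payload, so the usable interface MTU is payload + 28.
payload_to_mtu() { echo $(( $1 + 28 )); }

# Usage: sh pmtu.sh dc01.corp.example   (no argument: only the functions are defined)
if [ "$#" -gt 0 ]; then
    best=$(find_max_payload 0 1472)     # 1472 + 28 = 1500, a standard Ethernet MTU
    printf 'largest unfragmented payload to %s: %s bytes (MTU %s)\n' \
        "$TARGET" "$best" "$(payload_to_mtu "$best")"
fi
```

If the reported MTU is below 1500 on a wired link, something on the path (a VPN, tunnel or misconfigured switch) is clipping large frames, and the value the script prints is the one to enter as the custom MTU instead of trying 1350 or 1280 by hand. A firewall that drops ICMP entirely makes every probe fail and the script prints 0, which is a limitation of the measurement, not a 0-byte MTU.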

Aug 2, 2012 2:23 PM in response to justinhamlin

Well, please let me toss in my experience for what it's worth...


I'm in charge of making the user-builds for a large marketing agency - so when a new OS drops it's my ball to catch...we have mostly Macs on the employee desks and a windows server network.


I performed a clean install of Mountain Lion 10.8 on a 2.53 GHz i5 MBP with 4 GB RAM


I was able to create the local admin account just fine - I was able to bind the machine to the local domain just fine with my own AD account - I was able to create my own mobile AD account on the machine just fine (the first time).


Problems started occurring when I logged out (of the mobile AD account) and needed to log back in - the login screen shook it off as if I had mistyped my password - I had the same results after more careful attempts - I could log back into the local (non-AD) administrator's account.


• Checking under the "FAST USER SWITCHING" menu, I wasn't able to see my account

• Checking in Active Directory, my account was locked out.

• Checking in the Directory Utility, I was able to see the AD details - I was even able to use my credentials to authenticate there


• Initially unlocking my account allowed me back in - only to be locked out again next time I logged out and wanted back in. (sometimes AD will show my account is actually "locked", sometimes it doesn't)


• I had read that it could be connected to the Group ID - changing that didn't fix anything for me.


• I had read that once an account was working it would continue working - not in my experience - I've been continuously testing with my AD account - sometimes it works, sometimes it doesn't


• Regardless of what error messages I've gotten, I've come to realize that resetting my AD password does nothing - only unlocking in AD or waiting for it to unlock itself over time (supposed to auto-unlock after 15 minutes, but I've noticed it does it sooner - like within 5 minutes)


• I've tried to delete the mobile user account and re-create it - even going as far as unbinding and rebinding the machine and the issue still persists.


• Currently, I'm in my mobile account and it's behaving - I can authenticate to install software and unlock the screensaver without issue - but I know if I were to log out and attempt to log back in, it would shake it off and I'd have to wait for about 10 minutes before I could get in, but usually that would work.


So I'm now cautiously installing some software and building a user account that I *may* eventually be permanently locked out of...only time will tell...


• Please ask me any questions, offer up suggestions and I'll do what I can to help puzzle this one out...


Thanks,


Vann

Aug 5, 2012 6:00 PM in response to SSSnet Tech

I'd like to just throw my voice into this conversation and say we're having the exact same issue as SSStech, and have also determined that it seems to be a failure to correctly map the Active Directory default group to the OSX gid. I've also noticed that the accounts that do not work appear to have corrupted SIDs when viewed through the Apple Directory Editor (although their SIDs are in fact fine in AD), while accounts that do work show their proper SID. I'm completely lost at this point as to how to proceed, although I will likely throw Wireshark on a machine tomorrow and see if I can get a peek at the conversation between our test MacBook Pro and AD, provided it's not encrypted or obfuscated.

Aug 6, 2012 7:15 AM in response to sdickenson

Try this - it works here.


Using Apple Directory Utility, Advanced Options, Mappings


Check Map user GID to attribute primaryGroupID


It does not make sense to me to map user GID to primaryGroupID but it seems to work for ALL users, not just some as before.



It does appear as if dsAttrTypeNative:objectSid comes up Binary 28 bytes on working users (without using the mappings tab) with a 7 group value. Non-working users come up with a truncated value something like tb0^e{/L'87.

Aug 6, 2012 10:20 AM in response to SSSnet Tech

Sadly, it did not work for me. Active Directory is working great until I create a mobile account and then it locks up. I tried the GID mapping as SSSnet Tech suggested with multiple restarts and logouts but it continued to lock my account at the login screen. After it was unlocked by IT, I was able to go in and authenticate as much as I wanted but the second I logged out and tried to log back in, it locked after one correct attempt. Bummer.

Aug 6, 2012 10:47 AM in response to iamtheadman

iamtheadman, I think we have two different issues here.


1. Accounts becoming locked in AD and 2. Some AD accounts always work and some never do under 10.8. The fix our group here came up with is related only to number 2.


We have not had any issues with accounts being locked (if they were, the users would not have been able to login to windows machines either).


I initially replied to Andrew about the some can, some can't issue. Sorry if we went off on a tangent.

Aug 7, 2012 6:47 AM in response to SSSnet Tech

Quick question, what are the implications of checking Map user GID to Attribute primaryGroupID? I know that these mappings are used when you've extended your AD schema (which we never have), but without setting it in ML we have the same issue where certain users can't login. Will there be any issues if we start rolling out machines and have that mapping checked and later on uncheck it once Apple fixes this?


Thanks

Allen

Aug 22, 2012 8:40 AM in response to justinhamlin

Just adding my experience here.

I've been setting up the first of our Mountain Lion Mac Mini machines at work and any AD account I logged in to kept getting locked out (4 bad password attempts). Based on previous posts I disabled mobile account creation and removed the existing mobile accounts to start fresh, then unbound and rebound the mini (not sure if that was necessary, but just for good measure). Restarted the mini and no more lockouts! Thanks for the info guys, it helped a ton.
