Active Directory Authentication Failing w/new ML Install

I'm having a huge problem with Active Directory too. Our AD server is set to lock an account after three failed login attempts.

It appears that for some reason when logging in to the network from the login page, you get two tries before being locked out instead of three. Also, when logged in, then logging out and then trying to log back in again, you get one try.

There also appears to be a random, system-wide, issue when authenticating using Active Directory credentials, particularly with modal boxes asking for authentication. Sometimes it will work, other times it will lock the account on the first try EVEN WITH THE CORRECT INFORMAITON.

I've been calling IT all day having them reset my password. They'll never let Mountain Lion in the building if this continues.

Thank Justin.

It's terrible. I logged a bug report with them too but just uder feedback.

It seems to now be randomly locking my account even when I haven't done anything. I've been on the phone with my IT buddy and he'll watch it be unlocked, I'll logout of my account, and it will lock.

Active Directory has been a nightmare since they launched Lion. With every "fix" came another problem. It seems this lack of caring or testing or whatever it is, has persisted into Mountain Lion.

Thanks again.

Adam

Sorry Justin,

I have to say this makes no difference to me!

Thanks for the efforts Justin but no dice here either.

Here's what it's come down to for me. I've been working from the local admin account all morning. I logged out of Administrator and went to login to my Active Directory account. I absolutely made sure I typed everything perfectly, hit enter and it instantly locked my AD account.

Seriously, does Apple test this stuff AT ALL?

Hey Justin, when you created your user account, did you also have it create a mobile account?

Hey Justin.

Well, I figured out what is causing my problem. It's Mobile accounts. I started fresh with a new install and a standard Active Directory account (not Mobile). I authenticated 20+ times. Rebooted at least 10 times. Everything worked great. Then I decided to create the Mobile account. That's when everything broke again. My Active Directory account was getting locked after one accurate attempt to authenticate. When IT unlocked it I could go one step further but then would lock me out the next time I tried to authenticate.

So for me, it's clearly a Mobile account problem. Which is bad because half of the Macs under my care are notebooks.

Please let me know what you find out on your end.

Thanks,

Adam

We are also seeing an issue in ML where some AD users cannot log in. The common factor is that they all have a PrimaryGroupID value of '-2'. Here are the relevant logs:

2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'

2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods

2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID

As you can see, the PrimaryGroupID cannot be handled by opendirectory, and the user is denied access.

What we cannot determine is why some users are interpreted as having a GID of -2, despite the fact that their primary group in AD is the same (Domain Users).

Any ideas??

Andrew, are they not able to log in period but their A/D account is showing unlocked or is their A/D account showing locked?

We are having exactly the same issue. All accounts work fine using machines bound to AD using 10.6 or 10.7. Some accounts using 10.8 will work, others not. Fresh install or upgrade, same result.

Filed Bug Track last week.

Quick test = at the terminal window type "id account" on bound 10.8 machine, if AD groups come back, that account will work. If "no such user" is returned, it won't work.

Also Andrew and Justin, did you create mobile accounts for the accounts that are having problems?

Just checked both my test machines--both with mobile accounts, both having the A/D problem--and both returned "no such user" in terminal. Reformatting/reinstalling on one of them and will try A/D account without mobile account and see what terminal returns. Stay tuned.

To answer the various questions:

1. The accounts are not locked
2. This occurs whether the accounts are mobile or not
3. 'ID username' in the terminal returns "No such user"
4. PrimaryGroupID for both the affected and unaffected accounts is the same, '513'

Glad to see that a bug report has been filed!