Active Directory Authentication Failing w/new ML Install

33044 Views 50 Replies Latest reply: Jan 15, 2014 6:03 PM by methodologist RSS
  • Andrew Cunningham

    To answer the various questions:

    1. The accounts are not locked
    2. This occurs whether the accounts are mobile or not
    3. 'ID username' in the terminal returns "No such user"
    4. PrimaryGroupID for both the affected and unaffected accounts is the same, '513'

    Glad to see that a bug report has been filed!

  • Andrew Cunningham Level 2 (155 points)

    SSSnet Tech, would you mind adding the bug report details to Open Radar:

    http://openradar.appspot.com/page/1

  • iamtheadman

    On fresh install and AD account without mobile account created, I still get "no such user" returned in terminal. However, I just checked my 10.7 accounts and I'm getting the same thing so that's not the issue for me.

  • SSSnet Tech

    Summary: My departments have been using AD authentication for years with only some minor hiccups. Testing indicates some AD accounts can login to bound 10.8 Macs, while some cannot. This is reproducible across different machines. Accounts that work with 10.8 always work; accounts that do not work do not work on any 10.8 machine.

    All AD accounts have no problem logging in on machines with 10.7, 10.6, 10.5. The account we use to put our machines in the domain cannot be used to login to the 10.8 machine after it is bound!

    A user who cannot perform the initial login, if logged in under a working account, can successfully open SMB shares to file shares that use AD authentication by inputting their account and password, so it appears kerberos is working.

    Steps to Reproduce: Bind 10.8 Mac to Domain, test login. In terminal, id "account" will return values for accounts that work; accounts that return "user not found" do not work.

    Expected Results: Ability to authenticate using AD username and password.

    Actual Results: AD accounts listed in the Apple Directory Editor with the attribute PrimaryGroupID=1015084726 can login; accounts listed in the Apple Directory Editor with that attribute missing entirely cannot login.

    When using any AD tool from a Windows machine, the primaryGroupID is 513; we can find no attribute with a value of 1015084726 (see note below). In the Apple Directory Editor value 513 is associated with SMBGroupRID.

    Regression: Works as expected with 10.7, 10.6, 10.5 and earlier.

    Notes: Users with working 10.7 machines who upgrade to 10.8 cannot login to their machines if their account is one that is affected.

    Note, using the ID command on a bound Mac with a working account returns a group membership which starts with

    gid=1015084726(VANDERBILT\Domain Users)

    Obviously all accounts in our domain are domain users. The question is why do some accounts work with 10.8 and some do not.

    AppleCare was contacted; I was told Active Directory was not supported.

  • dMatthewSb

    Not sure if anyone has dismissed Justin's post because it didn't work for someone else, but in our environment this has resolved my issue. I did end up setting the MTU to 1280 instead of 1350. I believe it worked at 1350 but was having issues connecting to remote computers. I believe it just needed a reboot after the configuration change, but I changed it to 1280 then rebooted and all has been well ever since. For waverider, just something to think of: when you tried making the changes, does your company have wireless? I made the Hardware setting changes to both my wireless & ethernet adapters. 3 days running and no issues since I set the MTU to manual.

    Some additional info: yes, I am using a mobile account. And as an additional test, I configured the Mobile Sync as well. Everything is enabled that came out of the box from the fresh install.

    justinhamlin wrote:

        Might have just had a little breakthrough -

        I would like to see if someone else can confirm this resolves their issue -

        try going into NETWORK PREFERENCES > (your connection, wifi or ethernet) > ADVANCED > HARDWARE >

        Set your Configuration to "MANUALLY"
        Speed - "AUTOSELECT"
        MTU = "CUSTOM" - set to 1350 (for example)

        Basically, there is an issue on the local network that prevents packet sizes over a certain size (at least for me) which was causing all these random issues.

        (also, you don't want to know what all I had to go through to figure this out)

    Thanks Justin!

  • TracyLocke IT

    Well, please let me toss in my experience for what it's worth...

    I'm in charge of making the user-builds for a large marketing agency - so when a new OS drops it's my ball to catch... we have mostly Macs on the employee desks and a Windows server network.

    I performed a clean install of Mountain Lion 10.8 on a 2.53GHz i5 MBP with 4GB RAM.

    I was able to create the local admin account just fine - I was able to bind the machine to the local domain just fine with my own AD account - I was able to create my own mobile AD account on the machine just fine (the first time).

    Problems started occurring when I logged out (of the mobile AD account) and needed to log back in - the login screen shook it off as if I had mistyped my password - I had the same results after more careful attempts - I could log back into the local (non-AD) administrator's account.

    • Checking under the "FAST USER SWITCHING" menu, I wasn't able to see my account
    • Checking in Active Directory, my account was locked out.
    • Checking in the Directory Utility, I was able to see the AD details - I was even able to use my credentials to authenticate there

    • Initially unlocking my account allowed me back in - only to be locked out again next time I logged out and wanted back in. (Sometimes AD will show my account is actually "locked", sometimes it doesn't.)

    • I had read that it could be connected to the Group ID - changing that didn't fix anything for me.

    • I had read that once an account was working it would continue working - not in my experience - I've been continuously testing with my AD account - sometimes it works, sometimes it doesn't

    • Regardless of what error messages I've gotten, I've come to realize that resetting my AD password does nothing - only unlocking in AD or waiting for it to unlock itself over time (supposed to auto-unlock after 15 minutes, but I've noticed it does it sooner - like within 5 minutes)

    • I've tried to delete the mobile user account and re-create it - even going as far as unbinding and rebinding the machine, and the issue still persists.

    • Currently, I'm in my mobile account and it's behaving - I can authenticate to install software and unlock the screensaver without issue - but I know if I were to log out and attempt to log back in, it would shake it off and I'd have to wait for about 10 minutes before I could get in, but usually that would work.

    So I'm now cautiously installing some software and building a user account that I *may* eventually be permanently locked out of... only time will tell...

    • Please ask me any questions, offer up suggestions and I'll do what I can to help puzzle this one out...

    Thanks,

    Vann

  • sdickenson

    I'd like to just throw my voice into this conversation and say we're having the exact same issue as SSStech, and have also determined that it seems to be a failure to correctly map the Active Directory default group to the OSX gid. I've also noticed that the accounts that do not work appear to have corrupted SIDs when viewed through the Apple Directory Editor (although their SIDs are in fact fine in AD), while accounts that do work show their proper SID. I'm completely lost at this point as to how to proceed, although I will likely throw Wireshark on a machine tomorrow and see if I can get a peek at the conversation between our test MacBook Pro and AD, provided it's not encrypted or obfuscated.

  • SSSnet Tech Level 1 (0 points)

    Try this - it works here.

    Using Apple Directory Utility, Advanced Options, Mappings

    Check Map user GID to attribute primaryGroupID

    It does not make sense to me to map user GID to primaryGroupID but it seems to work for ALL users, not just some as before.

    It does appear as if dsAttrTypeNative:objectSid comes up Binary 28 bytes on working users (without using the mappings tab) with a 7 group value. Non-working users come up with a truncated value something like tb0^e{/L'87.
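    As an added illustration (not code from this thread, from Apple's Directory Utility, or from any poster), the block below decodes a binary objectSid of the kind the post describes and derives the primary-group SID from primaryGroupID, so the two symptoms reported here (a well-formed 28-byte SID on working accounts, a short garbage blob on failing ones) can be checked mechanically for a record pulled from a directory editor. The SID strings, the record dictionaries and the well-known RID table are constructed sample values; the truncated blob reuses the text shown in the post as an 11-byte example. It does not attempt to reproduce how OS X 10.8 turns a group SID into the numeric gid seen in the id output.

```python
import struct

# Constructed lookup of a few well-known domain-relative RIDs (sample table,
# not taken from the thread). 513 is the default primaryGroupID, Domain Users.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}


def decode_sid(blob):
    """Parse a binary SID into its S-R-A-... string form.

    Layout: 1 byte revision, 1 byte sub-authority count, 6-byte big-endian
    identifier authority, then N little-endian 32-bit sub-authorities.
    Raises ValueError on truncated or otherwise malformed input instead of
    silently producing a wrong SID.
    """
    if len(blob) < 8:
        raise ValueError("SID shorter than the 8-byte header (%d bytes)" % len(blob))
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if sub_count > 15:
        raise ValueError("sub-authority count %d exceeds 15" % sub_count)
    expected = 8 + 4 * sub_count
    if len(blob) != expected:
        raise ValueError("expected %d bytes for %d sub-authorities, got %d"
                         % (expected, sub_count, len(blob)))
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(sid):
    """Inverse of decode_sid: build the binary form from an S-1-... string."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def primary_group_sid(user_sid, primary_group_id):
    """The primary group's SID is the user's domain SID with the user's RID
    replaced by primaryGroupID; this is the lookup that fails when the
    user SID is corrupt or primaryGroupID is missing."""
    domain_sid = user_sid.rsplit("-", 1)[0]
    return "%s-%d" % (domain_sid, int(primary_group_id))


def check_record(record):
    """Return (ok, message) for a record dict with the raw objectSid bytes
    and the primaryGroupID string as a directory editor would show them."""
    try:
        user_sid = decode_sid(record["objectSid"])
    except ValueError as exc:
        return False, "objectSid malformed: %s" % exc
    pgid = record.get("primaryGroupID")
    if pgid is None:
        return False, "primaryGroupID missing; primary group cannot be resolved"
    group_sid = primary_group_sid(user_sid, pgid)
    name = WELL_KNOWN_RIDS.get(int(pgid), "RID %s" % pgid)
    return True, "user %s, primary group %s (%s)" % (user_sid, group_sid, name)


# Constructed sample records: a working account with a proper 28-byte SID
# (5 sub-authorities: 21, three domain values, RID) and a failing one whose
# objectSid is the short blob quoted in the post.
GOOD_RECORD = {"objectSid": encode_sid("S-1-5-21-1000-2000-3000-1105"),
               "primaryGroupID": "513"}
BAD_RECORD = {"objectSid": b"tb0^e{/L'87", "primaryGroupID": "513"}

if __name__ == "__main__":
    for label, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(label, len(rec["objectSid"]), "bytes:", check_record(rec))
```

    Running the block prints one line per record; the good record resolves to user and group SIDs and the bad one is rejected at the revision byte, which is the kind of failure the post's "truncated value" would produce.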

  • Andrew Cunningham Level 2 (155 points)

    SSSnet Tech:

    This worked for me as well! Great job sussing this out. Here's hoping that Apple gets the message and fixes this bug in 10.8.1!

    I owe you a virtual beer or 12!

    Cheers,

    -Andy

  • sdickenson Level 1 (0 points)

    This works for us as well SSSnet Tech. Excellent work sir.

  • iamtheadman Level 1 (5 points)

    Sadly, it did not work for me. Active Directory is working great until I create a mobile account and then it locks up. I tried the GID mapping as SSSnet Tech suggested with multiple restarts and logouts but it continued to lock my account at the login screen. After it was unlocked by IT, I was able to go in and authenticate as much as I wanted, but the second I logged out and tried to log back in, it locked after one correct attempt. Bummer.

  • SSSnet Tech Level 1 (0 points)

    iamtheadman, I think we have two different issues here.

    1. Accounts becoming locked in AD, and 2. Some AD accounts always work and some never do under 10.8. The fix our group here came up with is related only to number 2.

    We have not had any issues with accounts being locked (if they were, the users would not have been able to login to Windows machines either).

    I initially replied to Andrew about the some can, some can't issue. Sorry if we went off on a tangent.

  • Allen Golbig

    Quick question: what are the implications of checking Map user GID to Attribute primaryGroupID? I know that these mappings are used when you've extended your AD schema (which we never have), but without setting it in ML we have the same issue where certain users can't login. Will there be any issues if we start rolling out machines and have that mapping checked and later on uncheck it once Apple fixes this?

    Thanks
    Allen

  • kmartpants

    The SSSnet Tech solution also worked for me, but only after I deleted the existing mobile account (created under Lion) and went through the exercise of unbinding and rebinding to the domain.

    thanks
    Ian

  • temporalshadows

    Just adding my experience here.

    I've been setting up the first of our Mountain Lion Mac Mini machines at work and any AD account I logged in to kept getting locked out (4 bad password attempts). Based on previous posts I disabled mobile account creation and removed the existing mobile accounts to start fresh, then unbound and rebound the mini (not sure if that was necessary, but just for good measure). Restarted the mini and no more lockouts! Thanks for the info guys, it helped a ton.
