I am happy to report that I installed 10.8.2 and I am able to create a mobile account and not have it lock my Active Directory account. I have rebooted several times, with network connection and without, and it continues to work. I've also tested logging out, logging in to the Administrator account and then logging back into the AD account and it still works.
I think Apple may have fixed the problem. Strangely, there was no mention of Active Directory in the release notes.
Please post other successes/failures here.
Sadly, 10.8.2 does not seem to fix the issue with AD primarygroupid mappings for us. We still cannot log in with users whose primarygroupid value is interpreted (incorrectly) as "-2", unless we manually map GID to primaryGroupID via Directory Utility.
I suppose that we can continue with the policy of manually mapping this attribute, but I really wish that Apple would get this fixed!
Hi, hoping there's still some people around to help me on this issue.
I recently began experiencing issues with my MS Outlook 2011 for Mac last week, after I upgraded to Mountain Lion. However I didn't immediately notice an issue because the problem was specifically with my gmail. Gmail occasionally throws a tantrum and needs the Captcha to be unlocked anyway, as I often access email from a number of devices and gmail is paranoid about this being a potential threat.
I have four email addresses collected by Outlook. These are a gmail, and two private domain emails (all these three are IMAP) and also a POP hotmail.
So last Monday my two private emails stopped working as well, with the error message 'failed to authenticate, username or password incorrect etc etc' which keeps popping up no matter how many times I enter the password. Even when this happened I still didn't immediately blame ML as our domain was being upgraded at the time and I thought it might be that.
So, after unlocking the google captcha and confirming that the domain wasn't the problem, I've narrowed it down to either Outlook or ML. Then today, the POP hotmail failed in Outlook as well, which totally threw me as POP is almost indestructible.
Also, the really confusing part is that the gmail and two domain emails stopped working at the same time on my iPhone, so that's clearly not an ML issue, and I've had iOS6 since day one and that was working fine until last week. On my iPhone I use the Mail app to collect all the same email except the POP account.
So I have tried:
Unlocking the Captchas
Deleting and redoing keychain passwords
Confirming that all details are correct
Gmail now works on the iPhone, but not on my Macbook.
Domain emails don't work at all, and neither does the hotmail.
Just to reiterate Outlook worked fine with all these accounts until last week.
If anyone can offer any ideas that would be much appreciated - I've been without email for a week and it's killing me!
This method (from SSSnet Tech) does not work for me. When I try the "Check Map user GID to attribute primaryGroupID", the login screen just bounces twice after I enter my AD username & password and hit Enter. I had another post created for my issue. Basically the same thing happens: cannot log into AD with a Mountain Lion machine. I had also captured the log. Please help me find out a solution for this.
I appreciate all your help and time!
Has anyone looked into the Sync function once you create the Mobile account? Just by browsing around I noticed that this is syncing very frequently. Just wondering if it contributes to the locking out of accounts in AD. I will be doing some tests on a brand new MacBook Pro with my AD account. I have created the mobile account in the Users & Groups window rather than having it made automatically when a user logs in. Will write up more notes as they come.
We ran into this issue today with a Mac user. I stumbled across this post and just thought I'd share what fixed it for us.
Issue: When logging into a Mac (10.7.5 or 10.8.2) with User1, login would not prompt to create mobile account, or would just act like the password was wrong. With User2, it always worked as expected.
After reading through this entire thread and trying a few extra steps, here's what we found.
When running this command (run on a domain joined mac) we could get all the info on User1 and User2.
Substitute YOURDOMAIN for whatever domain you are joined to and having issues with.
dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user1
dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user2
Looking at the returned properties we noticed that User1 also had a sub-domain account in the forest appearing in output:
and User2 (works) did not:
What fixed it for us was to do one of the following solutions.
Solution 1: Rename the Sub-domain user. Apparently Unix uses this username forest-wide, so when we joined the domain the default search policy would try "All Domains".
This would result in the Sub.Domain user registering a "badPwdCount" property and eventually locking out the Sub.Domain\User1 account when logging into the mac as Domain\User1.
The account would log in, but to a half-created home folder, and never prompt to create a mobile account.
Once the Sub.Domain account was gone, the user immediately worked. You may need to wait for replication in a large Active Directory environment.
Solution 2: Change the Search Policy in OSX to use one domain (instead of default All Domains).
You have to un-check "Allow authentication from any domain in the forest", apply, then go to Search Policy and specify the desired domain, and then remove "All Domains".
Either of these solutions resolved our "some users always work and other users always don't work" issue.
Until today we hadn't figured out why it was happening to only a small number of users. It was isolated to users with the same User1 account in multiple domains in the forest.
Hopefully this saves someone time :).
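The check described in this post, written up as an added example (not code from the thread): from a domain-joined Mac, query each per-domain node under the forest node for the username and report whether it resolves in more than one domain, which is the condition that racks up badPwdCount on the Sub.Domain copy. It assumes that "dscl /Active\ Directory/YOURDOMAIN -list /" lists "All Domains" plus one sub-node per domain; the dscl output in the comments is constructed.

```shell
#!/bin/bash
# Added example, not from the thread. Finds usernames that resolve in more
# than one domain of the forest from a domain-joined Mac.

# Print the AppleMetaNodeLocation value(s) found in "dscl ... -read" output on
# stdin. dscl prints a value on the same line as its key unless the value
# contains spaces, in which case it is printed on the next line indented by
# one space, e.g. (constructed):
#   AppleMetaNodeLocation:
#    /Active Directory/EXAMPLE/sub.example.com
node_locations() {
  awk '
    /^AppleMetaNodeLocation:/ { inloc = 1; v = $0
                                sub(/^AppleMetaNodeLocation: ?/, "", v)
                                if (v != "") print v; next }
    /^ / && inloc             { sub(/^ /, ""); print; next }
    { inloc = 0 }
  '
}

# Read node locations (one per line) on stdin and print a verdict.
# Exit status: 0 = one domain, 1 = duplicate across domains, 2 = not found.
classify_user() {
  local n
  n=$(sort -u | grep -c . || true)
  if [ "$n" -eq 0 ]; then echo "not found"; return 2
  elif [ "$n" -eq 1 ]; then echo "unique"; return 0
  else echo "DUPLICATE in $n domains"; return 1
  fi
}

# Query every per-domain node (skipping "All Domains", which would hide the
# duplicate) and classify the result. Usage: resolve_user YOURDOMAIN user1
resolve_user() {
  local forest="$1" user="$2"
  dscl "/Active Directory/$forest" -list / | grep -v '^All Domains$' |
  while IFS= read -r node; do
    dscl "/Active Directory/$forest/$node" -read "/Users/$user" \
      AppleMetaNodeLocation 2>/dev/null
  done | node_locations | classify_user
}

[ $# -eq 2 ] && resolve_user "$1" "$2"
```

A "DUPLICATE" verdict for a user who keeps getting locked out points at Solution 1 or 2 above; a "unique" verdict means the lockout has another cause.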