Active Directory account lockout from OS X Server

I'm looking for assistance in tracking down why our 10.9 Mac server is constantly trying to use my Active Directory account. I changed my password a week ago and have been getting locked out constantly, and it appears the lockouts are coming from invalid password attempts from this OS X server. However, I don't know why the server would be using my AD credentials since I log in to the Mac with an admin account and not my own. The only thing I can think of that may have used my AD credentials is connecting to a network file share at some point in the past, but I wouldn't have saved the credentials and it shouldn't be auto-mapping the share. The Mac itself is bound to Active Directory too.


I checked the Login Items and there is nothing there. I also reset the keychain to defaults and that didn't help. Does anyone else have any ideas for me to try to narrow down what the OS X server may be trying to use my credentials for?

Posted on Jan 5, 2015 11:09 AM

Jan 7, 2015 8:35 AM in response to rslygh

So I'm going to guess I'm the only one that's ever had this issue...


Further digging with Wireshark shows that the OS X server is indeed issuing bind requests using my old AD account credentials multiple times per minute. I tried unbinding and rebinding, but that didn't help. The requests also start right away after a reboot, so whatever is using my credentials is doing so prior to any user logins on the server. Now I'm trying to track down what is actually issuing these requests on the server.


In a span of a few seconds the machine issues three bind requests. The first is


bindRequest (1) "myusername@mydomain.com" simple


Followed by


bindRequest (1) "<ROOT>" sasl


then


bindRequest (2) "<ROOT>" sasl


Anyone have an idea for me as to how to track down where my user account comes into play? It wasn't used to bind the machine to AD, I didn't see it anywhere in the keychain, and I only have a few apps running on the server, none of which use AD authentication or would request binding.

Feb 3, 2015 5:26 AM in response to rslygh

After talking with Apple Support and being told that my best bet was to reinstall my OS, I started the process to do so. However, I gave finding the problem one last attempt prior to starting the reinstall, and was successful.


I found my new favorite command, nettop. Using that I was able to see which services were making which connections, and that made it easy to find which service was connecting to my domain controller. It did turn out that it was one of the two applications that I had installed on the OS X server. Once the login information was fixed, no more lockouts.
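
The last post traces the stale binds to a process by watching per-process connections with nettop. As an added example that is not part of the original posts, here is the same attribution done with `lsof` instead of nettop: it reads `lsof -nP -iTCP` output and counts, per process, the distinct connections to the domain controller's LDAP ports. The domain controller address 192.0.2.10, the process name `exampled` and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): attribute LDAP connections to processes.
# Reads `lsof -nP -iTCP` output on stdin; $1 is the domain controller's IP.
# Prints "<distinct connections> <command> <pid> <user>", busiest first.
ldap_talkers() {
  awk -v dc="$1" '
    $1 == "COMMAND" { next }                 # header, repeated once per lsof run
    {
      name = ""
      for (i = 1; i <= NF; i++) if (index($i, "->")) name = $i
      if (name == "") next                   # listening socket, no remote end
      split(name, ends, "->")                # ends[1] local, ends[2] remote
      n = split(ends[2], parts, ":")
      port = parts[n]
      host = substr(ends[2], 1, length(ends[2]) - length(port) - 1)
      if (host != dc) next
      # 389 LDAP, 636 LDAPS, 3268/3269 Global Catalog
      if (port !~ /^(389|636|3268|3269)$/) next
      proc = $1 " " $2 " " $3
      # Each bind attempt opens a new socket with a new ephemeral source port,
      # so count distinct local endpoints; a socket seen in two samples counts once.
      if (!((proc, ends[1]) in seen)) { seen[proc, ends[1]] = 1; count[proc]++ }
    }
    END { for (p in count) print count[p], p }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample: two lsof runs concatenated (addresses and names are made up).
sample_lsof() {
  cat <<'EOF'
COMMAND   PID USER  FD  TYPE             DEVICE SIZE/OFF NODE NAME
opendirec 112 root  12u IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 192.0.2.20:49201->192.0.2.10:389 (ESTABLISHED)
exampled  845 root   7u IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 192.0.2.20:49310->192.0.2.10:389 (ESTABLISHED)
exampled  845 root   8u IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 192.0.2.20:49311->192.0.2.10:389 (CLOSE_WAIT)
smbd      230 root   5u IPv4 0x1a2b3c4d5e6f7084      0t0  TCP *:445 (LISTEN)
COMMAND   PID USER  FD  TYPE             DEVICE SIZE/OFF NODE NAME
opendirec 112 root  12u IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 192.0.2.20:49201->192.0.2.10:389 (ESTABLISHED)
exampled  845 root   8u IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 192.0.2.20:49311->192.0.2.10:389 (CLOSE_WAIT)
exampled  845 root   9u IPv4 0x1a2b3c4d5e6f7085      0t0  TCP 192.0.2.20:49312->192.0.2.10:389 (ESTABLISHED)
exampled  845 root  10u IPv4 0x1a2b3c4d5e6f7086      0t0  TCP 192.0.2.20:49400->192.0.2.99:389 (ESTABLISHED)
sshd      990 root   3u IPv4 0x1a2b3c4d5e6f7087      0t0  TCP 192.0.2.20:22->192.0.2.55:51515 (ESTABLISHED)
EOF
}

sample_lsof | ldap_talkers 192.0.2.10
```

On the server itself, feed the function several runs of `sudo lsof -nP -iTCP@<dc-ip>` collected over a minute or so, since each bind connection is short-lived and a single snapshot can miss it.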
