5

We have a few Macs in our office which are bound to our Active Directory (Server 2k8R2) domain for login authentication and access to file shares. For the most part this has worked without trouble.

I recently changed my AD password (from the Windows box that is my main desktop machine), and my iMac still wants my old password for logins—even after a reboot. It correctly prompts for the new password when I attempt to connect to Windows smb file shares.

The last time I changed my password, the iMac was running Snow Leopard and picked up the password change as expected.

I'm a little bit of an OS X n00b, so I apologize if this should be obvious. My searching has turned up numerous issues people have had with Lion and Active Directory, but not this particular problem.

Possibly related, we do have mobile accounts enabled for AD in the Directory Utility options. I assume this causes credentials to be cached locally, but it's not clear to me how to get them to update.

EDIT: I tried disabling mobile accounts for AD, but alas, no change. I'm still authenticating with my old password.

eaj
  • Multiple DCs? How long have you waited? – xeon Mar 28 '12 at 22:28
  • Two DCs on a single, fairly small domain. AD replication is usually near-instantaneous. In any case, it had been 24 hours since the password change when I initially posted this question; now it's closer to 48 and the problem persists. – eaj Mar 29 '12 at 14:11

4 Answers

3

How long has the Mac been bound to your AD environment? If it's been a while, and by a while I mean the time it takes for your AD computer objects to negotiate the password change of the computer object. I think on OS X the default is 14 days.

Set how often the computer trust account password should be changed

$ dsconfigad -passinterval 0

I remember this causing some problems for us.

Ryan
  • It's been bound for about a year and a half, and was running Leopard at the time. Password changes were picked up as expected until just last week; I assume Lion is the culprit as the system has changed very little otherwise. In any case, the password in question is a user password, not a computer password (which, as I understand it, secures the communication channel with the DC). – eaj Apr 02 '12 at 21:50
  • Correct, however if the password for the object that you are trying to change the password on is out of sync the communication will fail. If I remember correctly it gave an error once a day in a weird log. The solution after this happened was to delete the object out of AD (wait 5 minutes for the sync), then create it again, and join the client. Then try to update the user password again and see if it behaves. – Ryan Apr 02 '12 at 22:08
  • I have made this change, unbound, rebound, and rebooted. Alas, it still accepts my old domain (user) password and not the new one. – eaj Apr 04 '12 at 14:33
  • What finally worked was specifying a preferred domain controller. I'm not sure whether this points to a compatibility issue with Lion and AD or to a potential problem with our domain--but I'll investigate that. I'm awarding the bounty on this answer because you definitely pointed me in the right direction. – eaj Apr 04 '12 at 14:37
  • Lion has so many AD issues I wouldn't hesitate to think this might be a bug to be submitted to Apple if you can't find a logical solution. Thank goodness for 10.7.2, fixed a bunch of problems. – Jade Robbins Apr 04 '12 at 15:49
  • The other issue might be access to the AD server itself. In our environment we have many AD servers. However, we are only able to access a few of them due to firewalls. You must test the ports of interest and find which ones you can communicate with. The dumb AD client for Macs doesn't time out if it finds a host although it doesn't communicate back (meaning it's in DNS and has the SRV records). Your ports of interest are as follows: 88, 135, 389, 445, 636, 3268, 3269. – Ryan Apr 12 '12 at 19:52
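A small diagnostic script added here (not written by anyone in this thread) that reads the settings discussed above from `dsconfigad -show` output and probes the AD ports Ryan listed against a DC. The `dsconfigad -show` label names and the use of bash's /dev/tcp for the probe are my assumptions; the sample output is constructed.

```bash
#!/bin/bash
# Added diagnostic script, not from the thread. The `dsconfigad -show` labels
# below are an assumption about the real output format; the port list is Ryan's.
AD_PORTS="88 135 389 445 636 3268 3269"

# Constructed sample of `dsconfigad -show` output, used for offline checks.
SAMPLE_SHOW='Active Directory Domain          = mydomain.com
Computer Account                 = imac01$
Create mobile account at login   = Enabled
Password change interval         = 0
Preferred Domain controller      = dc.mydomain.com'

# Print the value of one setting from `dsconfigad -show` output read on stdin.
# Usage: dsconfigad -show | ad_setting "Preferred Domain controller"
ad_setting() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Flag settings (from `dsconfigad -show` on stdin) that deserve a second look.
check_settings() {
  local out pref interval mobile
  out=$(cat)
  pref=$(printf '%s\n' "$out" | ad_setting 'Preferred Domain controller')
  interval=$(printf '%s\n' "$out" | ad_setting 'Password change interval')
  mobile=$(printf '%s\n' "$out" | ad_setting 'Create mobile account at login')
  [ -n "$pref" ] || echo "WARN: no preferred DC set; client uses any DC from DNS SRV records"
  [ "$interval" != "0" ] || echo "WARN: computer trust password never rotates (passinterval 0)"
  [ "$mobile" != "Enabled" ] || echo "NOTE: mobile accounts cache credentials on this Mac"
}

# Return 0 if a TCP connect to $1:$2 succeeds (bash /dev/tcp, no extra tools).
port_open() {
  ( exec 3<>"/dev/tcp/$1/$2" ) 2>/dev/null
}

# Probe every AD port on a DC, one line per port; return the number that failed.
probe_dc() {
  local dc="$1" failed=0 p
  for p in $AD_PORTS; do
    if port_open "$dc" "$p"; then echo "$dc:$p open"
    else echo "$dc:$p closed or filtered"; failed=$((failed + 1)); fi
  done
  return "$failed"
}

# Stand-alone use on a bound Mac: review settings, then probe the preferred DC.
if [ "${1:-}" = "--live" ]; then
  dsconfigad -show | check_settings
  probe_dc "$(dsconfigad -show | ad_setting 'Preferred Domain controller')"
fi
```

Run it with `--live` on the bound Mac to read the real `dsconfigad -show` output; without arguments it only defines the functions.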
2

I tried both setting the interval to zero and setting a preferred domain controller, neither of which seemed to have any effect. I also (each time) deleted the "login" keychain and any reference to ActiveDirectory under the "System" keychain. And lots of rebooting. Nada.

Unbinding and rebinding was the only way I could get the login password to take, and it took as soon as I sent my credentials to rebind--in the middle of the session as that user (I was doing this on my own box because I could test different methods with impunity).

I would love to have a less intrusive solution (especially one I could manage via a terminal over ssh), but this is what I have for now.

James
0

As I mentioned in the comment on Ryan's very helpful answer, the problem was finally solved by setting a preferred domain controller. This can be done via the Directory Utility UI (in advanced settings), or via the command line:

dsconfigad -preferred dc.mydomain.com

Possibly a Lion problem, possibly a domain problem. In any case, I'm leaving this answer in the hope it will help someone else.

eaj
0

The other solution that has worked for me is to unbind the computer from the domain, then rebind it. You may end up with a legacy computer record in the AD Users and Computers DB, but this does seem to resolve the disconnect.

  • Note that this is a very old post from 2012. Please try to avoid responding to old posts unless you have something very specific to add to the discussion in order to avoid cluttering up the front page. – Catherine MacInnes Feb 04 '16 at 23:57