Mac users on Active Directory keep getting locked out!

[Anonymous]

Hey all,

Long time lurker, first time poster

I’ve recently begun moving my Mac community over to AD so that we may enforce our company’s password policy. I have no problems binding or anything like that. What is happening is that at seemingly random times for no reason at all, their AD accounts become locked out, and they are then unable to log into their Mac or Exchange via Entourage, etc.

I can find no pattern to the lockouts. Even if their Mac turns itself off overnight, when they return in the morning, their AD account is locked out. This all happens at random times. Some people report that when it happens during the day, it’s at or close to the exact same time, but there is no reason I can find for this on the network.

Our AD password policy states that three incorrect logins locks the account, and they are set to force password changes every 90 days.

I should add that all login credentials are 100% correct every time, so there are no incorrect password attempts or anything like that. Accounts become locked without even having recently typed in credentials. This happens only to Mac users whose computers have been moved to AD. Other Mac users (those who have not had computers set for AD) do not have this happen. Before the move to AD, a Mac user’s account in AD is set to never have password expire. Once we move to AD, we set the password policy at that time on the account. A new test account was created from scratch with the password policy implemented immediately, and has exhibited no such account lockout.

We are running Tiger 10.4.3, bound to AD, forced home folders on local machines but do have network homes via AFP on an Xserve RAID mount on desktop, Entourage 2004 v11.2.1. We’re on Exchange 2003, but our AD is only on Win2k servers.

I’m at the end of the rope here… I called Microsoft (and have since paid $245 for a thusfar useless support call) to see if maybe I could get some Entourage/AD assistance, and the first guy said “What’s Active Directory?” and the second guy said “What’s Entourage?” Thanks, Microsoft.

Does anyone have any ideas? Many thanks in advance!

Jason

[Anonymous]

Yes, but only if they’re bound to AD. Some users leave their machines logged in overnight with Entourage not running and when they come in, their account is locked out. If they launch Entourage, it’ll pop up an error saying bad username or password. Logging out of the machine and then trying to log in results in the message “see system admin”.

j-

[Anonymous]

Same issue here, exactly.
I suspect Entourage causes keychain issues of some sort.
Will report if I discover anything else.

[Jeff]

Ditto. This only happens on our Tiger machines, although two Tiger machines don’t have the problem (mine being one of them). I’ve rebuilt one machine from scratch, hoping it would make a difference, but it only took a few hours before it started again.

I’ve got both of our Sys Admins (windows people) looking at their end, and I’m checking the Mac side. Unfortunately, it’s completely random and I haven’t been able to replicate it myself.

I also tried creating a new Entourage identity, but that didn’t affect it either. The only time the problem doesn’t occur is when the machine is shut off.

I’ve unbound one machine and deactivated the AD plugin this morning, and so far it hasn’t had a problem.

Anyone else figure this out yet?

[Jeff]

I was able to put DirectoryService into debug and grab what it did right when the account was locked. I don’t know much about what most of it means, but I combed though it and couldn’t find anything that might indicate it would lock things. The system.log didn’t report anything at that time. I broke down and sent an email to our Apple Rep to forward to some engineers.

I did discover one thing though. The problem is somehow related to the computer name being the same as the users account! All of our Macs are bound with the AD username of the person who uses that computer. I accidentally left a completely rebuilt Mac (to replace one that had the problem) on last night sitting at the login window and once an hour, with a few minutes variance, I received account lockout notifications. So somehow, AD thinks it’s a user trying to log in and not a computer trying to register itself.

I know this is long, but it’s the most complete explanation I have. I sent this to Apple.

Here’s our setup:

We are a primarily Windows-centric infrastructure with a single Xserve G5 that is currently only a stand-alone server. Our Domain Controllers are Win2k3 servers with the latest patches and such and both the Macs and the PC’s log in via Active Directory. Our production department is composed of 12 17″ 1.8GHz iMac G5’s, first generation, and three PowerMac G5’s (one is a first generation single processor 1.8GHz and the other two are 2GHz dual processors that are the latest generation). The two G5’s are running Tiger, as are two iMac’s that I upgraded a couple days ago. Everyone else is running 10.3.9 with the latest patches. Our computer names are set to the users AD username. I haven’t touched any of the underlying configuration in SMB or Kerberos or anything else.

Here’s the background on our problems:

Our production department was originally having problems with files not being released properly from our Windows 2k3 file server. When a file was opened, it would show as being opened with Read/Write access and one lock on the file. However, there was another file (not an actual file that existed, from what I can tell) that was listed as being open. It had the same name, but with the prefix of ._. I originally thought these were resource forks, but I discovered that the files didn’t actually exist on the server, so I figured they were some sort of lock file. Unfortunately, when the user closed the file, it removed it from the list of Open Files on the server, but the ._ file stayed with Read/Write access. This had the effect of not letting any other users make changes to the file. Oddly enough, the problem didn’t exist with users running Tiger, only those with Panther. Essentially, I couldn’t find a fix for it quick enough, so they insisted on being upgraded to Tiger to solve the problem.

Everything was great, until we found a new problem. They could only copy one file at a time from their local computer to the share, and even then they got an error that their privileges were insufficient. The file still copied though. When attempting to copy multiple files at once, it would copy the first, then give the same error. This only occurred when a user (on Tiger) was logged in via Active Directory and using SMB to connect to the file server (AFP works fine, except for the obvious issues with Microsoft’s old version). The problem didn’t occur with everyone on Tiger, though. The two PowerMacs that came with Tiger preinstalled don’t have the issue. I found that the Mac’s that were upgraded had the problem, but with a fresh install, the problem disappeared. I proceeded to wipe the two Tiger boxes that I had upgraded (I have only upgraded two machines to Tiger, everyone else is still on Panther). At first, it seemed to work. But a few hours later, they got the problem again and it hasn’t gone away since.

But wait, there’s more! When bound to AD, three of the four Tiger machines cause their domain accounts to lock. I’ve been able to reproduce this with a test machine and account. If I unbind the Mac and disable the AD plug-in (I haven’t tried just unbinding and leaving the plug-in active) then the account won’t get locked out. I left one of the Macs that I had freshly rebuilt on over night, sitting at the login window. Every hour, give or take a few minutes, we would get a notification that that users account was locked out, even though she wasn’t logged in anywhere. It seems that the AD plug-in is attempting to communicate with our domain controller every hour, but instead of the computer account on the server, it’s doing something with the user account with the same name.

I’ve turned on debug logging for the DirectoryService process and am waiting for it lock again.

This is the event that’s logged on the server:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 3/8/2006
Time: 10:43:35 AM
User: NT AUTHORITY\SYSTEM
Computer: RUBY
Description:
User Account Locked Out:
Target Account Name: mac002
Target Account ID: DIC\mac002
Caller Machine Name:
Caller User Name: RUBY$
Caller Domain: DIC
Caller Logon ID: (0x0,0x3E7)

Coincidentally, and possibly unrelated, these fill our logs all day every day and come from every Mac that’s bound to Active Directory.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/8/2006
Time: 10:51:09 AM
User: NT AUTHORITY\SYSTEM
Computer: RUBY
Description:
Pre-authentication failed:
User Name: mac002
User ID: DIC\mac002
Service Name: krbtgt/DICENT.COM
Pre-Authentication Type: 0x0
Failure Code: 0x12
Client Address: 192.168.2.18

Two of the upgraded Macs are also creating these events on the server. They’re failures to open folders that they don’t have access to, but they’re not trying to access them. I haven’t been able to reproduce this, but it might be related.

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/8/2006
Time: 11:53:49 AM
User: DIC\ttrost
Computer: SUMO
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Production\[REDACTED]
Handle ID: –
Operation ID: {0,198109585}
Process ID: 4
Image File Name:
Primary User Name: SUMO$
Primary Domain: DIC
Primary Logon ID: (0x0,0x3E7)
Client User Name: ttrost
Client Domain: DIC
Client Logon ID: (0x0,0xBC97A63)
Accesses: READ_CONTROL
ReadAttributes

Privileges: –
Restricted Sid Count: 0
Access Mask: 0x20080

To sum up, we’ve got two problems plaguing us. The first is that users on Tiger (but not all!) get an error when trying to copy a file from their Mac to the server. The file will successfully copy, but then they’ll received the sufficient privileges error. When copying multiple files, only the first will copy. The second problem is Mac’s running Tiger (again, not all) are locking the user account once an hour, regardless if anyone is logged in. The computers are named the same as the user that uses the machine. Both problems have been reproduced on my test Mac.

I wrote that before I had the results of the debug mode. I’d include that here as well, but even just the relevant section of the log is huge. If you’re interested, I can email it or something.

[anodyne]

I’m not finding the evidence to back me up at the moment, but I’m fairly sure this issue was dealt with in a Tiger update (10.4.3?). I recall it being explicitly listed as a fix … now I can’t seem to locate any mention of it. At any rate, the issue has been resolved for our organization through an update.

[Caiwyn]

This issue is not fixed as of Tiger version 10.4.5. I have experienced the exact same problem on two machines now. In both cases, the computer’s name on the domain is identical to the username, and the user doesn’t even have to be logged into the machine for his account to be locked. The machine only has to be online and joined to the domain.

In the first instance, the problem began when the user was forced to change his password on an iBook with 10.3.9 installed. I upgraded to 10.4.5, I tried unbinding and rebinding to the domain, I tried deleting the user’s keychain and rebuilding it (two different ways, even)… none of these resolved the issue. I had to replace the machine entirely.

In the second instance, the problem began right when the user upgraded to 10.4.5. This time I tried unbinding and binding the machine with a different machine name. This still did not work. I then tried unbinding the machine and turning off the active directory plugin, and telling the user to log into file shares and email manually. After about an hour, the account was locked again. I’ll be reinstalling the machine entirely next week.

A third machine has had an entirely separate problem that appears to be AD-related (file sync problems with one of our network shares), which only began after an upgrade to Tiger. Because of these three instances, upgrades to Tiger are on hold now. The upgrade process will now involve unbinding and reinstalling entire workstations, which means more downtime for users.

If anybody can think of other things to try that might alleviate the lockout issue, please post a response. The issue remains unresolved.

[erd]

We have just recently moved some OS 10.4.7 users to authenticate to AD. Some users will get locked out on 1 computer and is able to login on the computer next to it.
Noticed ( on the computer that the user is locked out on ) that NetInfo Manager has the locked-out user name listed twice under users. One of the user’s reports “authentication_authority” is “:DisabledUser;” the other user (same name) reads “;LocalCachedUser;/Active Directory/….”.
After deleting the disabled user’s name, that user can now log in. The user is not disabled or locked out on the Active Directory side, only on that particular computer.
Not sure why the computer locks out the user.

[alan_R]

HI

Not sure if this helps but a similar problem we were having with the mac not logging in is because the time difference between AD and the mac. shouldn’t be more than a few mins apart.

🙂

[vilms5000]

The time difference *is* important for Kerberos, I believe. In our environment (using ADmitMac), where there’s a time difference of more than 4-5 mins we see problems with file shares and other file permissions. Fixing the time difference fixes that problem. Thankfully, these are few/far between.

I was interested to see a comment about Entourage being culpable for lockouts. In Panther and earlier versions of Tiger, there was certainly an uneasy relationship between the logged-in user’s Keychain and the domain password. Later versions of Tiger (and possibly some engineering from Thursby) made the relationship stable and predictable, but early on we would see similar random lockouts.

Is anyone using a proxy server that requires AD credentials to authenticate? We have one here and that’s a source of locked out user accounts too, particularly for Firefox users (Firefox doesn’t use the Keychain to store passwords).
Pw

[Author]

Posts