Mountain Lion AD logins failing

  • July 26, 2012
  • 10 replies

We are having an issue where some of our AD users cannot log into Mountain Lion. The common thread is that their primary group IDs (GIDs) are set to "-2" in AD. Not sure how/why this would have happened for these users, but they can all log into Lion without issue, just not ML.

Just an FYI; you may not encounter this problem, but it is a major show-stopper for us.

--Andy


10 replies

  • Valued Contributor
  • July 26, 2012

I also am seeing AD binding failing when run as a policy. I can bind to AD manually, but the way I used to do it was via smart group and any trigger. That appears to not be working. Binding manually again works fine!


  • Valued Contributor
  • July 26, 2012

I got it to work by removing the old AD bind and re-adding it in Casper Admin.


golbiga
  • Employee
  • July 26, 2012

Andy, we're also seeing weird AD issues for some users (myself included). When you turn on logging for opendirectoryd, what do you see? For the accounts that can't log in, this was the one line in the log that sticks out to us:

ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods

I might be submitting a bug report to Apple after the weekend.

Thanks
Allen


  • Author
  • Valued Contributor
  • July 30, 2012

Allen:

I enabled debug logging using the odutil command, and here is what I am seeing on the failed AD lookups. First, the lookup seems to succeed:

2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'

But then I see an error about a failure to translate the PrimaryGroupID:

2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods

And then the entry for the user is ignored:

2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID

We are not sure why some users are interpreted as having a GID of -2 in their AD record, since their primary Windows group appears to be the same as everyone else's (Domain Users).

As it stands, this is a huge issue that is preventing us from deploying ML in our environment. I suppose that a bug report would be the best next step?

--Andy
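The three log lines Andy quotes above are the useful signature here: a successful LDAP lookup, a failed translation of dsAttrTypeStandard:PrimaryGroupID, and then SystemCache dropping the record. The following is an added example, not code from the thread or from Apple: a small POSIX shell script that scans opendirectoryd debug output for that "Ignoring entry ... missing critical identifier" line and lists the affected account names, so an admin can find every broken user in one pass rather than reading the log by hand. The sample log text is constructed to mirror the lines quoted in the thread (the second account, jdoe, is invented for illustration); the function names are my own.

```shell
#!/bin/sh
# Added example: find AD accounts that opendirectoryd discarded because the
# PrimaryGroupID attribute could not be translated (the -2 GID symptom).

# Constructed sample log, modelled on the lines quoted in the thread.
# "jdoe" is an invented second account to show de-duplication and sorting.
SAMPLE_LOG=$(cat <<'EOF'
2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'
2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods
2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
2012-07-30 10:18:02.000001 EDT - 4202.17304, Module: SystemCache - Ignoring entry (jdoe@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
2012-07-30 10:18:02.000002 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
EOF
)

# affected_accounts: read log text on stdin, print each account that was
# dropped for a missing PrimaryGroupID, one per line, sorted and de-duplicated.
# The account name is the part of "Ignoring entry (user@node)" before the '@'.
affected_accounts() {
  grep 'missing critical identifier dsAttrTypeStandard:PrimaryGroupID' \
    | sed -n 's/.*Ignoring entry (\([^@]*\)@.*/\1/p' \
    | sort -u
}

# translation_failures: count the earlier symptom, the ldap module failing to
# translate PrimaryGroupID. A non-zero count with no "Ignoring entry" lines
# would mean the fallback methods succeeded for that lookup.
translation_failures() {
  grep -c "failed to translate 'dsAttrTypeStandard:PrimaryGroupID'"
}

# Stand-alone run: list the broken accounts from the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | affected_accounts
```

On a real 10.8 client the input would come from the opendirectoryd log after raising its level with `sudo odutil set log debug` (the command Andy mentions), for example `sudo cat /var/log/opendirectoryd.log | affected_accounts`, remembering to set the level back to `default` afterwards since debug output is voluminous. Any account the script names is a candidate for the GID-to-primaryGroupID mapping fix discussed later in this thread, and re-running the script after the change is a quick way to confirm the "Ignoring entry" lines have stopped.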


andyinindy
  • Author
  • Valued Contributor
  • Accepted answer
  • August 6, 2012

Got this figured out, thanks to a helpful poster on Apple's forums:

https://discussions.apple.com/thread/4136563?start=15&tstart=0

Manually mapping the user GID to the primaryGroupID attribute resolves the issue. This is definitely a bug on Apple's end; should be fixed in 10.8.1 (fingers crossed!)


  • Valued Contributor
  • August 6, 2012

It could also be site-specific. I've not had to map that in my testing of 10.8 and our AD environment.


  • Author
  • Valued Contributor
  • August 6, 2012

It must be specific to more than just our site, based on the posts on Apple's discussion boards.

Still, this definitely seems like a bug with the AD plugin, considering that the affected users could log in without any difficulty on 10.7.


jhbush
  • Esteemed Contributor
  • August 6, 2012

I've had this happen a few times at one of our offices. The problem is that even after doing the fix mentioned above, it came back after a few days. We just deleted the user eventually and had them recreate their account on the machine. It seemed to happen when users did a hard shutdown of their machine.


  • New Contributor
  • December 17, 2012

We have the same problem here for our Mountain Lion users. I tried the "Map user GID to attribute primaryGroupID" checkbox, but it doesn't help to fix my problem. It is weird that in our environment, when we set the Unix Attributes for the NIS domain on the AD account, it prevents everyone in our company from logging into AD on any client that has Mountain Lion OS X installed. We created a test account in AD and did not set the Unix Attributes, and it lets us log in without any problem...

I captured the logs and posted them on Apple's discussion website. I am reaching out to all of you for help, as I have searched the internet but have not got any solution. Any help will be much appreciated!

The logs are here:
https://discussions.apple.com/message/20609798#20609798


  • New Contributor
  • December 18, 2012

Anyone know how to find the primaryGroupID? I tried 513, which is the default for AD, and it still doesn't work! Please help.