We're in the process of configuring multiple new M1 iMacs for deployment to our computer labs. Previously, we had successfully deployed plenty of Intel Macs and they are all bound to Active Directory via configuration profile and they have no trouble logging in with domain accounts. On the new M1 iMacs however, the AD bind appears to be successful, the settings appear correct on the Mac and the object appears in ADUC but no users are able to authenticate. It simply shakes and rejects the password. Interestingly, the domain controller logs show successful logins and do not report any failures. I have tried removing the configuration profile and binding the M1 iMac manually and I get the same results. We set our computers to create mobile account at login without requiring confirmation and we have packet signing and packet encryption both set to require although I have also tried setting them to allow which did not make any difference. We have the search policy set to all domains. Also, I do see the keychain entry for the computer account credentials. I tried the following command which did successfully locate my account in AD and add it to the list of users in system prefs but would not accept the password:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a <LocalAdminAccount> -U <'LocalAdminPassword'> -n <DomainUserAccount>
dscacheutil -q user -a name <DomainUserAccount>
Anyone else come across anything like this?
I was hoping that may have been it but it does seem like our rosetta installation is working. We've been deploying a policy that runs "softwareupdate --install-rosetta --agree-to-license" once per computer. The output does produce a strange error but then claims installation was successful. it says:
"softwareupdate[16792:139581] Package Authoring Error: 071-78710: Package reference com.apple.pkg.RosettaUpdateAuto is missing installKBytes attribute
Install of Rosetta 2 finished successfully"
I ran the command again and confirmed some older apps work and system report shows intel architecture apps so I'm assuming its working correctly. Still can't log in against AD though. Doesn't make any sense.
I found a workaround for now but it doesnt make much sense. I normally bind all Macs and PCs to one of our child domains which has global catalog enabled and can search all subsequent child domains as well as the root of the forest and whatever else. On these new Macs, I found that if I bind specifically to the top level, it can search all child domains but when binding to the usual child domain, I can only authenticate upwards. I would like to pin this on the M1 Mac but we dont have any new intel machines coming in anymore and I was thinking it might possibly be a DNS issue either on our end or with Big Sur or some mix of the 2. I have a ticket open with Apple Enterprise support but they seem to be stumped as well.