Mavericks AD lockout

hkim
Contributor II

I'm trying to track down an issue and I'm wondering if anyone else has seen this.

Mavericks, bound to AD, AD has a policy to lock out users after X number of password retries. Services are kerberized such as file sharing, etc. etc. No network homes. The only other thing that talks to AD is Outlook 2011 running v14.3.8

It seems that around the same time of day, for one reason or another, my account gets locked out on my computer, and I can't think of a rhyme or reason why it should, as if I was typing my password wrong. Has anyone seen similar issues in their environments?


colonelpanic
Contributor

While I cannot speak to the randomness of it, I have experienced an issue with Kerberos and lockout policies where 2 bad passwords are sent instead of one to the DC or KDC. For example, if we had a lockout policy of 6 bad password attempts, Apple users would get locked out after 3.

ClassicII
Contributor III

Anyone else seeing this issue?

We have noticed that 10.9 is fixed. It only sends 1 bad attempt.

10.8 is bugged and will send 2 incorrect attempts.

mahlstrom
New Contributor

Perhaps related, I have a MacBook Air that is regularly being locked out by the Outlook server due to bad password attempts. This machine also runs Outlook 2011 v14.3.8 and now v14.3.9 (no change). It acts like there is another process that is dumping bad password attempts at the outlook server, even while the Outlook application itself is logged in and getting email from the server (or even after you close the Outlook application). Any clues would be greatly appreciated!

This ran for years prior to the Mavericks upgrade without problems. Since Mavericks, it happens quite regularly (and often on weekends, for some reason).

thanzig
New Contributor II

Maybe there is an old/incorrect password being held somewhere? What happens when you log in with your AD credentials on a freshly imaged Mac? Maybe flush the keychain on the machine you are getting locked out on? It could be holding a bad password.

Not applicable

Any wireless, namely 802.1x?

bajones
Contributor II

I had this issue on a user's account as well. I was troubleshooting Outlook with no success. The issue turned out to be incorrect credentials stored in an Exchange account entry on the user's home computer under System Preferences -> Internet Accounts. The OS just kept attempting to access that account without ever popping up any errors. The user's account would lock out several times a day.

mahlstrom
New Contributor

Brilliant... Even though Outlook was used for everything on this machine, there was still an Exchange entry under System Preferences -> Internet Accounts that was trying to sync Contacts. Thanzig may also have been right, since there were a couple of old passwords in the keychain, and perhaps the Contacts sync was using one of the stored passwords. In any case, I removed the Exchange entry from the Internet Accounts, and I'm very hopeful that this resolves the problem. Thanks!!
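A defender-side way to spot the two patterns this thread describes, added here as an example that is not from the thread or from any of the products mentioned: a background sync (such as the Internet Accounts entry above) retrying a stale password at a fixed interval, and a client that sends two bad attempts per mistyped password, as reported earlier for 10.8. The log format, account names and host names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: one "timestamp account client" line per failed
# authentication. Names are made up; jdoe's client fails every 15 min.
SAMPLE_LOG = """\
2014-03-10T09:00:02 jdoe macbook-air
2014-03-10T09:15:01 jdoe macbook-air
2014-03-10T09:30:03 jdoe macbook-air
2014-03-10T09:45:02 jdoe macbook-air
2014-03-10T10:00:01 jdoe macbook-air
2014-03-10T09:03:11 asmith desk-22
2014-03-10T09:03:40 asmith desk-22
"""

def parse_log(text):
    """Return (timestamp, account, client) tuples sorted by time."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return sorted((datetime.fromisoformat(t), a, c) for t, a, c in rows)

def periodic_sources(records, min_events=4, jitter=timedelta(seconds=30)):
    """(account, client) -> interval for sources whose failures arrive at a
    near-constant spacing: a sync retrying a stale password, not a person."""
    by_source = defaultdict(list)
    for ts, account, client in records:
        by_source[(account, client)].append(ts)
    found = {}
    for key, stamps in by_source.items():
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= jitter.total_seconds():
            found[key] = timedelta(seconds=round(mean(gaps)))
    return found

def accounts_at_risk(records, threshold=6, window=timedelta(hours=1),
                     attempts_per_failure=1):
    """Accounts whose failures inside any `window` reach the lockout threshold.
    attempts_per_failure=2 models the 10.8 double-send behaviour."""
    by_account = defaultdict(list)
    for ts, account, _ in records:
        by_account[account].append(ts)
    at_risk = set()
    for account, stamps in by_account.items():
        for ts in stamps:
            in_window = sum(ts - window <= s <= ts for s in stamps)
            if in_window * attempts_per_failure >= threshold:
                at_risk.add(account)
    return at_risk
```

With the sample data, jdoe's client is flagged as a 15-minute periodic source, and the same five failures stay under a 6-attempt policy with one attempt per failure but cross it when each failure counts twice.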

seabash
Contributor

In case you're still scratching your head, looking for other factors...

I have a similar setup/environment (OS X 10.9.2, Outlook, etc.), and can consistently lock out my AD account simply by using Composer 8.73. The lockout occurs shortly after you click to build a pkg (I don't think DMG triggers the issue). Seems to implicate how Composer 8.73 calls pkgutil, maybe? Composer 9.22+ does not trigger this AD lockout.

I haven't yet tested regression on 10.8.x.

Not applicable

I am definitely seeing my AD account get locked out when I use Composer 8.73 on 10.9.2. I didn't create a pkg though, I was converting a few existing pkgs to source. Bizarre!

seabash
Contributor

Your AD lockout when converting a pkg to source occurs because (I think) that process also uses the pkgutil command.

Per my previous post, we're simply using Composer v9.22+ in our Casper 8.73 environment, since there are no conflicts with the rest of the suite.

It's doubtful the issue will be fixed on old Composer v8.