Posted on 07-26-2012 11:33 AM
We are having an issue where some of our AD users cannot log into Mountain Lion. The common thread is that their primary group IDs (GIDs) are set to "-2" in AD. Not sure how/why this would have happened for these users, but they can all log into Lion without issue, just not ML.
Just an FYI; you may not encounter this problem, but it is a major show-stopper for us.
--Andy
Posted on 07-26-2012 02:19 PM
I also am seeing AD binding failing when run as a policy. I can bind to AD manually, but the way I used to do it was via smart group and any trigger. That appears to not be working. Binding manually again works fine!
Posted on 07-26-2012 02:23 PM
I got it to work by removing the old AD bind and re-adding it in Casper Admin.
Posted on 07-26-2012 04:08 PM
Andy, we're also seeing weird AD issues for some users (myself included). When you turn on logging for opendirectoryd, what do you see? For the accounts that can't log in, this was one line in the log that sticks out to us:
ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods
I might be submitting a bug report to Apple after the weekend.
Thanks
Allen
Posted on 07-30-2012 07:30 AM
Allen:
I enabled debug logging using the odutil command, and here is what I am seeing on the failed AD lookups. First, the lookup seems to succeed:
2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'
But then I see an error about a failure to translate the PrimaryGroupID:
2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods
And then the entry for the user is ignored:
2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
We are not sure why some users are interpreted as having a GID of -2 in their AD record, since their primary Windows group appears to be the same as everyone else's (Domain Users).
As it stands, this is a huge issue that is preventing us from deploying ML in our environment. I suppose that a bug report would be the best next step?
--Andy
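The three log lines above form a recognisable sequence (lookup succeeds, PrimaryGroupID translation fails, SystemCache ignores the entry). The following script is an added example, not code from the thread or from Apple: it parses opendirectoryd debug output of that shape and lists the users whose records were dropped for a missing critical identifier, so the affected accounts can be found from a log capture rather than by waiting for login failures. The sample log is constructed from the lines quoted in the post plus two invented entries (jdoe, okuser); the regular expressions match only the message formats shown on this page and are an assumption for any other opendirectoryd output.

```python
import re

# Constructed sample modelled on the opendirectoryd debug output quoted above.
# The first three lines are the post's own; the jdoe and okuser lines are invented.
SAMPLE_LOG = """\
2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'
2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods
2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
2012-07-30 10:18:02.100000 EDT - 4202.17304, Module: SystemCache - Ignoring entry (jdoe@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
2012-07-30 10:19:11.000000 EDT - 4202.17304.17306, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=okuser,CN=Users,DC=butler,DC=edu'
"""

# Message formats taken from the lines quoted in the post (assumed stable).
IGNORED_RE = re.compile(
    r"Ignoring entry \((?P<user>[^@]+)@(?P<node>[^)]+)\) "
    r"missing critical identifier (?P<attr>\S+)"
)
TRANSLATE_FAIL_RE = re.compile(
    r"translation routine callback failed to translate '(?P<attr>[^']+)'"
)


def find_ignored_users(log_text):
    """Map each user whose record SystemCache dropped to the missing attribute."""
    ignored = {}
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            ignored[m.group("user")] = m.group("attr")
    return ignored


def count_translation_failures(log_text, attribute):
    """Count ldap-module translation failures for one attribute name."""
    return sum(
        1
        for line in log_text.splitlines()
        if (m := TRANSLATE_FAIL_RE.search(line)) and m.group("attr") == attribute
    )


def gid_is_usable(gid):
    """A usable POSIX GID is non-negative; -2 is the macOS 'nobody' group,
    which is what the affected AD records resolve to according to the thread."""
    return isinstance(gid, int) and gid >= 0


if __name__ == "__main__":
    attr = "dsAttrTypeStandard:PrimaryGroupID"
    print(f"translation failures for {attr}: "
          f"{count_translation_failures(SAMPLE_LOG, attr)}")
    for user, missing in find_ignored_users(SAMPLE_LOG).items():
        print(f"ignored: {user} (missing {missing})")
```

Run it against a file captured after raising the opendirectoryd log level with odutil (as Andy did); every user it lists should then have their primaryGroupID checked in AD before the mapping fix in the accepted answer is applied.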
Posted on 08-06-2012 07:34 AM
Got this figured out, thanks to a helpful poster on Apple's forums:
https://discussions.apple.com/thread/4136563?start=15&tstart=0
Manually mapping the user GID to the primaryGroupID attribute resolves the issue. This is definitely a bug on Apple's end; should be fixed in 10.8.1 (fingers crossed!)
Posted on 08-06-2012 07:47 AM
It could also be site-specific. I've not had to map that in my testing of 10.8 and our AD environment.
Posted on 08-06-2012 07:52 AM
It must be specific to more than just our site, based on the posts on Apple's discussion boards.
Still, this definitely seems like a bug with the AD plugin, considering that the affected users could log in without any difficulty on 10.7.
Posted on 08-06-2012 09:56 AM
I've had this happen a few times at one of our offices. The problem is that even after doing the fix mentioned above, it came back after a few days. We just deleted the user eventually and had them recreate their account on the machine. It seemed to happen when users did a hard shutdown of their machine.
Posted on 12-17-2012 11:23 AM
We have the same problem here for our Mountain Lion users. I tried the "Check Map user GID to attribute primaryGroupID" option, but it doesn't help to fix my problem. It is weird that in our environment, when we set the Unix Attributes for the NIS domain on the AD account, it prevents every one of us in our company from logging into AD on any client that has Mountain Lion OS X installed. We created a test account in AD without setting the Unix Attributes, and it lets us log in without any problem...
I captured the logs and posted them on Apple's discussion website. I am reaching out to all of you for help, as I have searched the internet but have not found any solution. Any help will be much appreciated!
The logs are here:
https://discussions.apple.com/message/20609798#20609798
Posted on 12-18-2012 08:46 AM
Anyone know how to find the primaryGroupID? I tried 513, which is the default for AD, and it still doesn't work! Please help.