Mountain Lion AD logins failing

andyinindy
Contributor II

We are having an issue where some of our AD users cannot log into Mountain Lion. The common thread is that their primary group IDs (GIDs) are set to "-2" in AD. Not sure how/why this would have happened for these users, but they can all log into Lion without issue, just not ML.

Just an FYI; you may not encounter this problem, but it is a major show-stopper for us.

--Andy

1 ACCEPTED SOLUTION

andyinindy
Contributor II

Got this figured out, thanks to a helpful poster on Apple's forums:

https://discussions.apple.com/thread/4136563?start=15&tstart=0

Manually mapping the user GID to the primaryGroupID attribute resolves the issue. This is definitely a bug on Apple's end; should be fixed in 10.8.1 (fingers crossed!)

Matt
Valued Contributor

I also am seeing AD binding failing when run as a policy. I can bind to AD manually, but the way I used to do it was via a smart group and any trigger. That appears to not be working. Binding manually again works fine!

Matt
Valued Contributor

I got it to work by removing the old AD bind and re-adding it in Casper Admin.

golbiga
Contributor III

Andy, we're also seeing weird AD issues for some users (myself included). When you turn on logging for opendirectoryd, what do you see? For the accounts that can't log in, this was one line in the log that stuck out to us.

ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods

I might be submitting a bug report to Apple after the weekend.

Thanks
Allen

andyinindy
Contributor II

Allen:

I enabled debug logging using the odutil command, and here is what I am seeing on the failed AD lookups. First, the lookup seems to succeed:

2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'

But then I see an error about a failure to translate the PrimaryGroupID:

2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods

And then the entry for the user is ignored:

2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID

We are not sure why some users are interpreted as having a GID of -2 in their AD record, since their primary Windows group appears to be the same as everyone else's (Domain Users).

As it stands, this is a huge issue that is preventing us from deploying ML in our environment. I suppose that a bug report would be the best next step?

--Andy
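The three debug lines Andy quotes form a recognisable pattern: the ldap module cannot translate PrimaryGroupID, then SystemCache drops the whole account record. As an added example (not code from this thread or from Apple), the Python script below scans opendirectoryd debug output for that pattern and lists the affected users; the log lines it runs on are constructed to match the format shown above, with made-up thread ids and names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the opendirectoryd debug lines quoted in the
# thread; timestamps, thread ids and the "jdoe" account are made up here.
SAMPLE_LOG = """\
2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'
2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods
2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
2012-07-30 10:18:02.100000 EDT - 4202.17320.17321, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=jdoe,CN=Users,DC=butler,DC=edu'
2012-07-30 10:18:02.100500 EDT - 4202.17320, Module: SystemCache - Ignoring entry (jdoe@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:UniqueID
"""

IGNORED_RE = re.compile(
    r"Ignoring entry \((?P<user>[^@]+)@(?P<node>[^)]+)\) "
    r"missing critical identifier (?P<attr>dsAttrTypeStandard:\w+)"
)
TRANSLATE_FAIL_RE = re.compile(
    r"failed to translate '(?P<attr>dsAttrTypeStandard:\w+)'"
)

def missing_identifiers(log_text):
    """Map each ignored user to the set of critical attributes opendirectoryd
    could not populate. Lines that do not match are skipped."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            missing[m.group("user")].add(m.group("attr"))
    return dict(missing)

def primary_gid_failures(log_text):
    """Users dropped for the reason described in the thread: PrimaryGroupID
    could not be translated, so SystemCache ignored the whole record."""
    return sorted(
        user for user, attrs in missing_identifiers(log_text).items()
        if "dsAttrTypeStandard:PrimaryGroupID" in attrs
    )

def translation_failure_count(log_text, attr="dsAttrTypeStandard:PrimaryGroupID"):
    """Count how often the ldap module reported it could not translate attr."""
    return sum(
        1 for line in log_text.splitlines()
        if (m := TRANSLATE_FAIL_RE.search(line)) and m.group("attr") == attr
    )

if __name__ == "__main__":
    print("dropped for missing PrimaryGroupID:", primary_gid_failures(SAMPLE_LOG))
    print("PrimaryGroupID translation failures:", translation_failure_count(SAMPLE_LOG))
```

Feed it the output of `odutil` debug logging collected from a client where the login fails; users that appear in the result are the ones whose GID mapping needs checking in AD.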

jarednichols
Honored Contributor

It could also be site-specific. I've not had to map that in my testing of 10.8 and our AD environment.

andyinindy
Contributor II

It must be specific to more than just our site, based on the posts on Apple's discussion boards.

Still, this definitely seems like a bug with the AD plugin, considering that the affected users could log in without any difficulty on 10.7.

jhbush
Valued Contributor II

I've had this happen a few times at one of our offices. The problem is that even after doing the fix mentioned above, it came back after a few days. We just deleted the user eventually and had them recreate their account on the machine. It seemed to happen when users did a hard shutdown of their machine.

tylerle83
New Contributor

We have the same problem here for our Mountain Lion users. I tried the "Check Map user GID to attribute primaryGroupID" option, but it doesn't help to fix my problem. It is weird that in our environment, when we set the Unix Attributes for the NIS domain on the AD account, it prevents every one of us in our company from logging into AD on any client that has Mountain Lion OS X installed. We created a test account in AD and didn't set the Unix Attributes, and it lets us log in without any problem...

I captured the logs and posted them on Apple's discussion website. I am reaching out to all of you for help, as I have searched through the internet but have not found any solution. Any help will be much appreciated!

The logs are here:
https://discussions.apple.com/message/20609798#20609798

tylerle83
New Contributor

Does anyone know how to find the primaryGroupID? I tried 513, which is the default for AD, and it still doesn't work! Please help.