OS X 10.10 Server OD Password Issues

New Contributor

We upgraded our 10.8 OD to 10.10 back in February and have had a host of issues since. Most of them we've managed to surmount in the last few months but we're left with two that have got us stumped. I'm not going to be shocked if either of these are simply known issues but I figured it worth seeing if anyone here has any input.

The biggest issue we're having is that the max failed login attempts has been broken since the update. We've had to double the number in the policy just to get it to sort of work. For example, we need 10 so we have to set it to 20. In other words, each failed login attempt seems to count for 2 login attempts.

But problems got worse when it came time for users to reset their passwords. If they change them and don't immediately restart their workstations (and every workstation they have a user account on), at some point in the coming hours, the workstation will hit the OD with dozens of auth attempts with an incorrect password, even if they are logged out of the machine. And of course this hits the max failed attempts and effectively locks the user out.

If they restart every workstation that they have a user account on (mobile user or just a regular network user that has previously logged into that machine) this doesn't occur. Naturally this leads us to assume some sort of caching of the password is happening, but where, what? Are there any workarounds for this?

Our other issue may or may not be related. It's simply that since upgrading to 10.10, no users receive password expiration notifications at login. Neither the reminders that would come in the days leading up to the expiration, nor the notification that the password has actually expired. It simply rejects the password after it expires.

We have a workaround for this one so it's "minor" compared to the other one but just as annoying.

A few notes:

  • We have clients using both 10.9 and 10.10 and it's all occurring on all of them, regardless of mobile users, FileVault 2, or Mac model. Until recently we even had a 10.8 client that was having the same issues.

  • Early on we assumed our pile of issues had to do with the mess that usually results from upgrading an OD. So, we've since wiped and manually recreated the whole directory, JUST in case there were some issues in the conversion from 10.8.

Any input or insight or referrals would be greatly appreciated!


Contributor III

I have found upgrading servers, especially OD is problematic. Not all settings translate over. I find the same with upgrading OSes as well. I always prefer clean installs. To that point...

I would suggest, as a test, building a new OD server running 10.10.x. Bind a test client to it and see if it has the same issues. If not, then there is your answer: it has some old data in it mucking up the works. You could try unbinding and re-binding a machine to see if that fixes it. Best shot I would think would be to build a new server, test that it is working, turn off the old server, then change the IP and name of the new one to match the existing.

New Contributor

Thanks for the input pblake! We actually did these steps early on. It certainly helped fix a lot of the issues we were having. These few are the ones remaining after that.