Thanks for your reply - here's the bind script that I am currently using.

I'm currently imaging our test Mac with Yosemite to see whether the issue is Mavericks-specific, so will post some dsconfigad output next week if the issue is still present.

#!/bin/bash

# Created by Mark M, last edited 09/07/2015

set -o nounset

# Stuff for switching off IPV6 later
IFS=$'
'
net=`networksetup -listallnetworkservices | grep -v asterisk`

# 1) fully qualified DNS name of Active Directory Domain. 
domain="company.com"

# 2) username of a privileged network user.
udn="redacted"

# 3) password of a privileged network user.
password="redacted"

# 4) Distinguished name of container for the computer
ou="OU=osx10,ou=staffpcs,ou=workstations,dc=company,dc=com"

# 5) 'enable' or 'disable' automatic multi-domain authentication
alldomains="enable"

### End of configuration

# Set DNS Servers
/usr/sbin/networksetup -setdnsservers "Built-in Ethernet" 144.200.11.132 144.200.11.133
/usr/sbin/networksetup -setdnsservers "Ethernet" 144.200.11.132 144.200.11.133
/usr/sbin/networksetup -setdnsservers "USB Ethernet" 144.200.11.132 144.200.11.133
/usr/sbin/networksetup -setdnsservers "Thunderbolt Ethernet" 144.200.11.132 144.200.11.133 

# Set DNS Search Domains - set for anything with Ethernet in the name?
#networksetup -listallnetworkservices
/usr/sbin/networksetup -setsearchdomains "Ethernet" company.com
/usr/sbin/networksetup -setsearchdomains "Thunderbolt Ethernet" company.com
/usr/sbin/networksetup -setsearchdomains "USB Ethernet" company.com
/usr/sbin/networksetup -setsearchdomains "Built-in Ethernet" company.com

# Switch IPV6 off
for i in $net
do
    /usr/sbin/networksetup -setv6off "$i"
done

#echo $net | while read line
#do
#  /usr/sbin/networksetup -setv6off "$line"
#done

#exit 0

# Set Time Zone
/usr/sbin/systemsetup -settimezone Europe/London

if [ $? -ne 0 ] ; then
  echo "systemsetup failed" 1>&2
  exit 1
fi

# Set Time Server (UoL Time Servers get added later on with JSS policy)
/usr/sbin/systemsetup -setnetworktimeserver time.euro.apple.com
/usr/sbin/systemsetup -setusingnetworktime on

# Get the local computer's name.
computerid=`/usr/sbin/scutil --get LocalHostName`

# Activate the AD plugin, just to be sure
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

# Unbind from AD
dsconfigad -force -remove -username "$udn" -password "$password"

# Bind to AD
dsconfigad -force -add $domain -computer $computerid -username "$udn" -password "$password" -ou "$ou"
dsconfigad -mobile enable -mobileconfirm disable
dsconfigad -packetencrypt allow -packetsign allow -alldomains $alldomains
dsconfigad -useuncpath disable
dsconfigad -passinterval 0
dsconfigad -uid uidNumber -gid gidNumber

#Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
csp="/Active Directory/All Domains"
else
csp="/Active Directory/$domain"
fi

dscl /Search -append / CSPSearchPath "$csp"
dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

# Restart Directory Service
killall DirectoryService
sleep 2

exit 0

Hey Mark one think you can try is to use the Casper binary, to get the AD code then run it when you want... that is what we do... We configure the the AD binding in build and then during the 1st reboot we four the machine in to target mode and copy the code then we remove it from the build

...it's looks like this

Bind to AD from jamf

/usr/sbin/jamf bind -type ad -domain 'XXXX.net' -username "xusernamex" -passhash "XXXXXX" -ou "CN=Computers,DC=XXXX,DC=net" -mountStyle smb -uid "uidNumber" -cache -multipleDomains -localHomes -useUNCPath -shell none

C

You have a heck of a lot going on there. Have you tried testing with an alternate script that simply binds the system without the other components to narrow things down? We also just run one dsconfigad command with all the arguments:

dsconfigad -add $targetDomain -computer $adName -ou $bindOU -username $inputUsername -password $inputPassword -force -uid uidNumber -gid gidNumber -mobile enable -mobileconfirm disable -useuncpath disable

The problem exists in 10.10.4 too. As you suggested, I also tried a minimal script containing just the relevant dsconfigad commands.

Here's the output of dsconfigad --show:

Active Directory Forest          = company.com
Active Directory Domain          = company.com
Computer Account                 = sa-ua-132$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Disabled
  Use Windows UNC path for home  = Disabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = uidNumber
  Mapping user GID to attribute  = gidNumber
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 0
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

We're unable to make use of the JAMF binary or the built-in AD Binding component of the JSS as we need to set packetencrypt and packetsign options.

@mark.mahabir The jamf binary does not seem too contain the needed switches:

mac:~ person$ sudo jamf -help bind Usage (Active Directory built into Mac OS X): jamf bind -type ad -domain <domain> [-computerID <computerID>] -username <username> -password <password> -ou <Computer OU> [-cache] [-requireConfirmation] [-localHomes] [-useUNCPath] [-mountStyle <afp | smb>] [-defaultShell <shell>] [-uid <user id>] [-userGID <user group id>] [-gid <group id>] [-preferredServer <server>] [-adminGroups <list of groups>] [-multipleDomains]

@bentoms Thanks, I did try binding using the jamf bind command with the intention of setting the packetsign and packetencrypt options later with dsconfigad, but got this output instead:

Binding -username to company.com...
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 1)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 2)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 3)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 4)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.

@mark.mahabir Have you set the attributes that you are mapping to to replicate to the global catalog in your AD? I have found, in my own environment, that if these attributes (uidNumber, gidNumber) are not set to replicate to the global catalog it can cause issues when authenticating as the authentication payload returned to OS X by AD does not contain the attributes requested.

@ZachB Yes, we've verified that. The annoying thing is everything was fine on the first image - imaging on subsequent occasions means network users cannot log in :-(

@mark.mahabir Just to verify, in order of sequence post imaging, you are setting your hostname first, DNS servers next and once all of your hostname/network attributes are set joining to AD is your last step, correct?

@ZachB That's correct, the actual bind commands (dsconfigad) are towards the bottom of the script. The AD search policy runs as the very last thing.

I've also tried binding using just the options in the System Preferences GUI, but I get the same result.

Here's the relevant portion of the system.log:

Jul 31 15:39:00 IT-Admin-133 SecurityAgent[1398]: User info context values set for rcn3 
Jul 31 15:39:04 IT-Admin-133 authorizationhost[1405]: Failed to authenticate user <rcn3> (error: 13).

Has anyone seen anything similar?