Unknown user login attempt PASSED for auditing

Nix4Life
Valued Contributor

Hi Gang;
this is a new one . for the past week I am seeing users that were able to log into a machine last week, now today they cannot. I checked the logs and see "Unknown user login attempt PASSED for auditing " and one usere says acoount has vanished. mind you these users were fine for the past 2 weeks. We're running 10.8.4 with AD and smb mounted shares. anybody ever see this?

7 REPLIES 7

nessts
Valued Contributor II

could have to do with this flag for dsconfigad -passinterval days how often to change computer trust account password in days
if you set it to 0 it might help, or you may need to set it to something else like 7.
check to see if have security setup in your AD domain to move computers to a disabled OU if they have not updated their password too.
are you doing mobile accounts? The good news with mobile accounts is you can disconnect the network and get logged in until the AD issue is resolved.

Nix4Life
Valued Contributor

Thanks nessts;

i tried your suggestions. funny thing is it seems like a rolling issue . now users that were fine are being locked out with same error...seems perhaps an AD syncing issue? anyone else?

Haring
New Contributor

I'm seeing the exact same behavior. Machine works fine and then one bright and shiny day it stops logging in one particular AD user. Other AD accounts can log in just fine on the machine, User account works fine on other machines, just the combination of machine + specific AD account fails. The console only shows these errors:

<timestamp> SecurityAgent[13347]: User info context values set for <username>
<timestamp> SecurityAgent[13347]: Unknown user "<username>" login attempt PASSED for auditing

As far as I know there are no aging policies on our AD accounts. We've got about 50 macs that have been imaged at one point or another and there seems to be no rhyme or reason to when this happens. Some machines have been fine for months, some have this issue crop back up after a couple of weeks. Unbinding and re-binding the machine to AD doesn't make a difference.
dsconfigad -passinterval 0 or 7 doesn't seem to fix the issue either. Running OSX 10.8.3

Any new ideas on this one?

Haring
New Contributor

Perhaps this is unrelated but prior to using CASPER we didn't run into this type of issues. We were running an older version of OS-X so that might simply be correlation rather than causality.

jarradyuhas
Contributor

We used to have this issue when using OpenDirectory prior to using casper. The user folder was still there but the user couldnt login. Ultimately, we had to delete the user account by using ```
sudo dscl . delete /users/user
```
then recreate the user in the system preferences, using the same folder that they had so they dont lose any data. We used to have this happen once a month or so, each time with a different user.

Haring
New Contributor

Sadly,

sudo dscl . list /Users

Didn't return any users other than the default ones.

Nix4Life
Valued Contributor

@Haiing see my solution here:

https://jamfnation.jamfsoftware.com/discussion.html?id=10151#responseChild56706

LS