Binding to Active Directory fails with an authentication error

I had a problem today with unbinding and rebinding my MacBook Pro from work’s AD domain (this process was started by my AD account lookups failing, which made me think that my Mac wasn’t talking to AD as well as it thought it was.) When I tried to unbind, I got an error stating “Invalid user name and password combination”. Thinking that my DirectoryService preferences were hosed, I tossed my /Library/Preferences/DirectoryService folder which should have cleared out my AD settings, then restarted. After the restart, I was able to connect back to my OD server without a problem, but then ran into the same “Invalid user name and password combination” error when I tried to bind to AD again.

After googling to see if anyone else had the same problem, I ran across this Apple Support discussion thread, where PetarM suggested the following:
I was having trouble logging in with my AD account to some iMacs added to our AD. In fact, not a single AD account was able to login. Directory Utility claimed it can’t see the domain controller (which it could, since it was online, in the same subnet as other identical computers, it could ping the domain and packets were sent back and forth between it and the domain, without loss). Unbinding it didn’t work, but it offered to force the ubind, which I did. Then I was unable to bind it back (updated to 10.5.6 rebooted, still not binding). The error I kept getting was invalid username and password (after entering the domain username and password that we use for binding). Using the same username and password worked on other computers (either brand new, or existing computers that I unbound, then bound back with no issues — again same subnet, same image). I deleted the computer accounts from the domain, but the problem persisted. Finally, I used fseventer to see what’s being access during the bind process. The system threw the error message not after communicating with the domain, but after checking the plists in /Library/Preferences/DirectoryService and /var/db/dslocal/nodes/Default/config — so I deleted these two folders and was able to bind back with no issues! WARNING: This deletes a lot of directory service settings, so use it at your own risk! Here are the commands I used:
sudo rm -rdfv /Library/Preferences/DirectoryService

sudo rm -rdfv /var/db/dslocal/nodes/Default/config

sudo sudo killall -USR1 DirectoryService

I tried those commands on my own laptop, and behold! It wiped my DirectoryService settings (as noted above), but I could now rebind to AD!

So, for those who need it, here’s another thing to try on 10.5.x when you can’t bind to AD:

1. Log in with your admin account and open Terminal.

2. Run the following commands

sudo rm -rdfv /Library/Preferences/DirectoryService

sudo rm -rdfv /var/db/dslocal/nodes/Default/config

sudo killall -USR1 DirectoryService

3. Try to rebind again.