
Binding to Active Directory fails with an authentication error

I had a problem today unbinding my MacBook Pro from work’s AD domain and rebinding it. (The whole thing started with my AD account lookups failing, which made me think that my Mac wasn’t talking to AD as well as it thought it was.) When I tried to unbind, I got an error stating “Invalid user name and password combination”. Thinking that my DirectoryService preferences were hosed, I tossed my /Library/Preferences/DirectoryService folder, which should have cleared out my AD settings, then restarted. After the restart I was able to connect back to my OD server without a problem, but I ran into the same “Invalid user name and password combination” error when I tried to bind to AD again.

After googling to see if anyone else had the same problem, I ran across this Apple Support discussion thread, where PetarM suggested the following:
I was having trouble logging in with my AD account to some iMacs added to our AD. In fact, not a single AD account was able to log in. Directory Utility claimed it couldn’t see the domain controller (which it could, since it was online, in the same subnet as other identical computers; it could ping the domain and packets were sent back and forth between it and the domain, without loss). Unbinding it didn’t work, but it offered to force the unbind, which I did. Then I was unable to bind it back (updated to 10.5.6, rebooted, still not binding). The error I kept getting was invalid username and password (after entering the domain username and password that we use for binding). Using the same username and password worked on other computers (either brand new, or existing computers that I unbound, then bound back with no issues — again same subnet, same image). I deleted the computer accounts from the domain, but the problem persisted. Finally, I used fseventer to see what was being accessed during the bind process. The system threw the error message not after communicating with the domain, but after checking the plists in /Library/Preferences/DirectoryService and /var/db/dslocal/nodes/Default/config — so I deleted these two folders and was able to bind back with no issues! WARNING: This deletes a lot of directory service settings, so use it at your own risk! Here are the commands I used:
sudo rm -rdfv /Library/Preferences/DirectoryService
sudo rm -rdfv /var/db/dslocal/nodes/Default/config
sudo killall -USR1 DirectoryService

I tried those commands on my own laptop, and behold! It wiped my DirectoryService settings (as noted above), but I could now rebind to AD!

So, for those who need it, here’s another thing to try on 10.5.x when you can’t bind to AD. Two caveats first. These commands wipe every Directory Services setting on the machine, not just the AD binding: the search policy, any OD binding and everything else stored under those two folders go with it, so either move the folders aside instead of deleting them or be sure you can recreate the settings afterwards. And the cleanup is purely local; it does not remove or reset the computer object on the domain side.

1. Log in with your admin account and open Terminal.

2. Run the following commands:

sudo rm -rdfv /Library/Preferences/DirectoryService
sudo rm -rdfv /var/db/dslocal/nodes/Default/config
sudo killall -USR1 DirectoryService

Note that on 10.5 SIGUSR1 toggles DirectoryService debug logging rather than restarting the daemon (run it a second time to turn the logging off again). If you want DirectoryService restarted so it recreates its default configuration, send it a plain sudo killall DirectoryService (launchd relaunches it) or reboot.

3. Try to rebind again, then confirm that the AD node is listed and that a domain account resolves before you log out; with the search policy wiped, a rebind that only looks successful can leave you with nothing but local accounts.
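The same reset as a script, added here as an example rather than as the commands from the post or from Apple: it moves the two configuration folders into a timestamped backup instead of deleting them, restarts DirectoryService with a plain SIGTERM so launchd relaunches it, rebinds with dsconfigad, verifies the result, and restores the backup if the bind fails. The dsconfigad flags are the 10.5-era short forms and are an assumption to check against dsconfigad -help on your build; the domain, OU and bind account are placeholders. DS_ROOT is a path prefix that exists only so the move-aside logic can be exercised against a scratch directory; leave it unset on a real Mac.

```shell
#!/bin/sh
# Added example, not code from the original post. Resets the DirectoryService
# configuration by moving it aside (recoverable), restarts the daemon, rebinds
# to AD and verifies. DS_ROOT is a test-only prefix; leave it unset on a real Mac.

DS_DIRS="/Library/Preferences/DirectoryService /var/db/dslocal/nodes/Default/config"

# Move every DS config folder that exists into a timestamped tree under /var/tmp
# and print the backup path. Returns 1 if there was nothing to move.
ds_backup_config() {
    backup="${DS_ROOT:-}/var/tmp/ds-config-$(date +%Y%m%d-%H%M%S)"
    moved=0
    for d in $DS_DIRS; do
        src="${DS_ROOT:-}$d"
        [ -d "$src" ] || continue
        mkdir -p "$backup$(dirname "$d")"
        mv "$src" "$backup$d"
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] || return 1
    echo "$backup"
}

# Put a backup made by ds_backup_config back in place (undo path for a failed rebind).
ds_restore_config() {
    backup="$1"
    for d in $DS_DIRS; do
        [ -d "$backup$d" ] || continue
        mkdir -p "$(dirname "${DS_ROOT:-}$d")"
        mv "$backup$d" "${DS_ROOT:-}$d"
    done
}

# Restart DirectoryService. A plain SIGTERM is used on purpose: launchd relaunches
# the daemon and it recreates its default config; -USR1 only toggles debug logging.
ds_restart() {
    killall DirectoryService 2>/dev/null || true
    sleep 5
}

# Bind with the 10.5 dsconfigad flags (assumed syntax; confirm with dsconfigad -help).
# Arguments: computer name, domain, OU (DN), bind user, bind password.
ds_bind() {
    dsconfigad -a "$1" -domain "$2" -ou "$3" -u "$4" -p "$5"
}

# Show the binding and resolve a domain account before anyone logs out.
ds_verify() {
    dsconfigad -show && id "$1"
}

# Only acts when explicitly asked, e.g.:
#   sudo DS_RESET_RUN=1 DS_BIND_USER=adbind DS_BIND_PASSWORD='...' sh ds-reset.sh
if [ "${DS_RESET_RUN:-0}" = "1" ]; then
    backup=$(ds_backup_config) && echo "moved DS config to $backup"
    ds_restart
    # ad.example.com and the Computers container are placeholders for your domain.
    if ds_bind "$(hostname -s)" "ad.example.com" \
               "CN=Computers,DC=ad,DC=example,DC=com" \
               "$DS_BIND_USER" "$DS_BIND_PASSWORD"; then
        ds_verify "$DS_BIND_USER"
    else
        echo "bind failed; restoring $backup" >&2
        ds_restore_config "$backup"
        ds_restart
        exit 1
    fi
fi
```

The backup lives under /var/tmp on purpose: if the rebind leaves you with only local accounts, the old search policy and bindings are still on disk and ds_restore_config puts them back in one step.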

  1. A Schrock
    January 26, 2010 at 11:58 pm

    Worked like a charm! Thanks very much for (re)posting this solution.

  2. SnowMoon
    March 24, 2010 at 5:04 am

    Very impressive! I like your blog on Mac OS!


  3. John
    July 9, 2010 at 5:16 pm

    Perfect fix! Thanks for posting!

  4. Sudhanshu Bist
    March 17, 2011 at 10:16 pm

    It works. Thanks

  5. May 27, 2011 at 1:54 pm

    We use mobile accounts and it can be a pain !

    • May 28, 2011 at 2:35 am

      Yes, this also works with 10.6.x.
