We use a restricted service account to bind computers to AD, and it has worked for all prior OSes on Mac and Windows.
With 10.12, this account does not work for binding. The error I receive is "dsconfigad: Invalid credentials supplied for binding to the server".
Turning on debug logging in odutil during the bind process shows entries like the following for each DC it sees:
Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: processing input
Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: got an KRB-ERROR from KDC
Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: KRB-ERROR -1765328370/KDC has no support for encryption type
Module: ActiveDirectory - krb5.dylib - KDC sent 3 patypes
Module: ActiveDirectory - krb5.dylib - KDC sent PA-DATA type: 2 (ENCRYPTED_TIMESTAMP)
Module: ActiveDirectory - krb5.dylib - KDC sent PA-DATA type: 16 (PK_AS_REQ)
Module: ActiveDirectory - krb5.dylib - KDC sent PA-DATA type: 15 (PKINIT(win))
Module: ActiveDirectory - krb5.dylib - pa-mech trying: ENCRYPTED_TIMESTAMP, searching for 2
Module: ActiveDirectory - krb5.dylib - Stepping pa-mech: ENCRYPTED_TIMESTAMP
Module: ActiveDirectory - krb5.dylib - TS-ENC: waiting for KDC to set pw-salt/etype_info(,2)
Module: ActiveDirectory - krb5.dylib - PA type ENCRYPTED_TIMESTAMP returned -1980176628: Need to continue preauth stepping
Module: ActiveDirectory - krb5.dylib - Continue needed for ENCRYPTED_TIMESTAMP
Module: ActiveDirectory - krb5.dylib - pamech need more stepping
and it eventually fails with the entries:
Module: ActiveDirectory - Invalid credentials
Module: ActiveDirectory - ODNodeCustomCall failed with error "Invalid credentials" (5000)
Is anyone else seeing issues binding with a restricted account?
I don't have direct access to the binding account in AD to compare it against other accounts.
I can bind to AD with a different, elevated account, so I assume it's an account issue, but I'm not sure what new restrictions would be coming into play.
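An added Python example, not code from the post or from Apple: it parses odutil debug lines of the kind quoted above, converts the KRB-ERROR value into its RFC 4120 KDC error code, and records which PA-DATA types the KDC advertised and which it did not. The sample log is constructed from the lines in the post for a single DC. The account-side decoding assumes the msDS-SupportedEncryptionTypes bit layout and the USE_DES_KEY_ONLY userAccountControl bit as documented by Microsoft, and is meant to be handed to whoever does have access to the binding account in AD.

```python
import re

# Heimdal (macOS) and MIT both number the krb5 com_err table from this base,
# so the RFC 4120 protocol error code is: reported value - base.
# e.g. -1765328370 - (-1765328384) = 14
KRB5_ERR_BASE = -1765328384

# RFC 4120 section 7.5.9, the KDC error codes most often seen during AS-REQ preauth
KDC_ERR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    12: "KDC_ERR_POLICY",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
}

# RFC 4120 section 7.5.2 PA-DATA type numbers
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO = 11
PA_ETYPE_INFO2 = 19

# msDS-SupportedEncryptionTypes bit flags (assumed from Microsoft's MS-KILE documentation)
MSDS_ENCTYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
# userAccountControl flag "Use Kerberos DES encryption types for this account"
UAC_USE_DES_KEY_ONLY = 0x200000

KRB_ERROR_RE = re.compile(r"KRB-ERROR (-?\d+)/(.*?)\s*$")
PA_TYPE_RE = re.compile(r"KDC sent PA-DATA type: (\d+) \((.*)\)\s*$")

# Constructed sample: the odutil lines from the post, for one DC
SAMPLE_LOG = """
Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: processing input
Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: got an KRB-ERROR from KDC
Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: KRB-ERROR -1765328370/KDC has no support for encryption type
Module: ActiveDirectory - krb5.dylib - KDC sent 3 patypes
Module: ActiveDirectory - krb5.dylib - KDC sent PA-DATA type: 2 (ENCRYPTED_TIMESTAMP)
Module: ActiveDirectory - krb5.dylib - KDC sent PA-DATA type: 16 (PK_AS_REQ)
Module: ActiveDirectory - krb5.dylib - KDC sent PA-DATA type: 15 (PKINIT(win))
Module: ActiveDirectory - krb5.dylib - TS-ENC: waiting for KDC to set pw-salt/etype_info(,2)
"""


def decode_krb5_error(value):
    """Map a Heimdal/MIT com_err value to (RFC 4120 code, symbolic name)."""
    code = value - KRB5_ERR_BASE
    return code, KDC_ERR_NAMES.get(code, "unknown")


def decode_msds_enctypes(value):
    """List the enctypes enabled by an msDS-SupportedEncryptionTypes value (0 means unset)."""
    return [name for bit, name in sorted(MSDS_ENCTYPE_BITS.items()) if value & bit]


def des_only_flag_set(user_account_control):
    """True if the account is restricted to DES keys via userAccountControl."""
    return bool(user_account_control & UAC_USE_DES_KEY_ONLY)


def triage(log_text):
    """Summarise KRB-ERRORs and advertised PA-DATA types from odutil debug output."""
    result = {"errors": [], "pa_types": [], "etype_info_offered": False, "findings": []}
    for line in log_text.splitlines():
        m = KRB_ERROR_RE.search(line)
        if m:
            value = int(m.group(1))
            code, name = decode_krb5_error(value)
            result["errors"].append({"value": value, "code": code, "name": name, "text": m.group(2)})
            continue
        m = PA_TYPE_RE.search(line)
        if m:
            result["pa_types"].append(int(m.group(1)))
    result["etype_info_offered"] = any(t in (PA_ETYPE_INFO, PA_ETYPE_INFO2) for t in result["pa_types"])
    if any(e["code"] == 14 for e in result["errors"]):
        result["findings"].append(
            "KDC_ERR_ETYPE_NOSUPP: the KDC found no encryption type it will use for this account "
            "among those the client requested; check msDS-SupportedEncryptionTypes and "
            "USE_DES_KEY_ONLY on the binding account and compare with the account that works"
        )
    if PA_ENC_TIMESTAMP in result["pa_types"] and not result["etype_info_offered"]:
        result["findings"].append(
            "KDC advertised ENCRYPTED_TIMESTAMP without ETYPE-INFO (11) or ETYPE-INFO2 (19), "
            "so the client never learns the salt/etype for the password key"
        )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Against the posted lines, -1765328370 decodes to code 14, KDC_ERR_ETYPE_NOSUPP, and the three PA-DATA types the KDC returned (2, 16, 15) include neither ETYPE-INFO nor ETYPE-INFO2, which matches the client's "waiting for KDC to set pw-salt/etype_info" entry. Whether that is caused by the binding account's msDS-SupportedEncryptionTypes, a DES-only flag, or domain policy cannot be decided from the client-side log alone, which is why the account decoders are there for the AD side to run.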