round and round in circles
Until you have experienced this problem for real, you cannot even begin to guess what the cause is.
Currently I'm looking at rebuilding DNS over Easter, when nobody is using the systems.
It's not a trivial problem; believe me, there is no easy fix relating to time sync or locked-out accounts.
You can log on as a local administrator and inspect everything on the Mac client, and everything looks fine: green lights on the Directory Utility entries, time synced OK.
The only thing that I notice is wrong is that the Mac client may have somehow, strangely, inherited a name that it was never originally given. You cannot change the name unless you unbind from the AD & OD, and even then the name change will only take effect after a reboot. There are no malicious people going around in the middle of the night hacking the computers, or anything else that would give a simple explanation. One day you can log on fine; the next day you get the shake-off.
Do note that my computers are dual-boot Macs, which means that the NIC on the network card will obviously be the same whether I choose to boot Mac or boot Windows, but the 'machine name' needs to be different for Mac and for Windows; otherwise the AD entry for that particular computer may be right royally messed up.
Our domain was created many years ago, and the operating system has been upgraded from Win 2K Server to Win 2003 Server. I can visit a neighbouring school which has a similar Mac setup to ours, except their Win 2003 Server was a fresh build in recent years. Comparing our DNS setup to that school's reveals some wild differences, and since that school isn't experiencing the problems we are, I'm inclined to think that's where the issue lies.
Also I have to think about what services the Mac client may use; there really aren't many services that store info relating to machine name and IP address.
Going back to the weird computer-name-change thing, this was something I stumbled across completely by chance; after all, you don't expect it to happen, so you don't look in that area.
Anyone that is experiencing these Mac refusal-to-log-on problems, please do click the info text found underneath where it says "MAC OS X" on the logon box and note down what it says for the computer name, IP address, etc. You can then investigate your DNS or AD and follow the trail from DNS forward lookup to reverse lookup, and note if there are any duplicate entries, particularly on the reverse lookup.
And please do report back here; I would be interested to know.
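The forward-to-reverse trail the post above asks readers to follow can be checked mechanically. The script below is an added example and is not part of the thread; it works over constructed A and PTR records (hostnames and addresses are made up) rather than querying a live server, so it runs offline. It flags the two conditions the post describes, a client whose login-window name/IP does not round-trip through DNS, and an address with duplicate or stale reverse entries. In a real audit the record lists would be filled from zone exports or lookups against the school's DNS servers.

```python
"""Forward/reverse DNS consistency check for Mac clients bound to AD.

Added example for the thread, not code from the original post. The records
below are constructed sample data, not real hosts.
"""
from collections import defaultdict

# Constructed A records: (hostname, address). A dual-boot Mac has a Mac name
# and a Windows name on the same address, which is expected.
A_RECORDS = [
    ("mac-lab-01.school.example", "10.1.20.11"),
    ("mac-lab-02.school.example", "10.1.20.12"),
    ("win-lab-02.school.example", "10.1.20.12"),
    ("mac-lab-03.school.example", "10.1.20.13"),
]

# Constructed PTR records: (address, hostname). 10.1.20.13 carries a stale
# entry from a retired machine as well as the current one.
PTR_RECORDS = [
    ("10.1.20.11", "mac-lab-01.school.example"),
    ("10.1.20.12", "win-lab-02.school.example"),
    ("10.1.20.13", "old-imac-07.school.example"),
    ("10.1.20.13", "mac-lab-03.school.example"),
]


def audit(a_records, ptr_records):
    """Return {ip: [issue, ...]} for every address with a DNS inconsistency.

    Issues reported: more than one A name on an address, more than one PTR
    on an address, and PTR names that have no matching A record (stale).
    """
    fwd = defaultdict(set)  # ip -> names that resolve to it
    rev = defaultdict(set)  # ip -> names its PTR records give back
    for name, ip in a_records:
        fwd[ip].add(name.lower())
    for ip, name in ptr_records:
        rev[ip].add(name.lower())

    findings = {}
    for ip in sorted(set(fwd) | set(rev)):
        issues = []
        if len(fwd[ip]) > 1:
            issues.append("multiple A names: " + ", ".join(sorted(fwd[ip])))
        if len(rev[ip]) > 1:
            issues.append("duplicate PTR: " + ", ".join(sorted(rev[ip])))
        stale = rev[ip] - fwd[ip]
        if stale:
            issues.append("PTR without matching A record: " + ", ".join(sorted(stale)))
        if issues:
            findings[ip] = issues
    return findings


def check_client(name, ip, a_records, ptr_records):
    """Compare the name and IP shown on the Mac login window with DNS.

    Returns a list of problems; an empty list means the client round-trips
    cleanly (name -> ip via A, ip -> name via PTR).
    """
    name = name.lower()
    problems = []
    fwd_ips = {a_ip for a_name, a_ip in a_records if a_name.lower() == name}
    if ip not in fwd_ips:
        problems.append(f"forward lookup of {name} does not give {ip} (got {sorted(fwd_ips)})")
    rev_names = {p_name.lower() for p_ip, p_name in ptr_records if p_ip == ip}
    if name not in rev_names:
        problems.append(f"reverse lookup of {ip} does not give {name} (got {sorted(rev_names)})")
    return problems


if __name__ == "__main__":
    for addr, issues in audit(A_RECORDS, PTR_RECORDS).items():
        print(addr)
        for issue in issues:
            print("  -", issue)
    # Values as they would be copied from the login window of mac-lab-02.
    print(check_client("mac-lab-02.school.example", "10.1.20.12", A_RECORDS, PTR_RECORDS))
```

With the sample data, 10.1.20.12 is reported for carrying two forward names (normal for a dual-boot Mac, but worth knowing, since only the Windows name has a PTR) and 10.1.20.13 for a duplicate and stale reverse entry; the client check for mac-lab-02 shows the reverse lookup returning the Windows name rather than the Mac name.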
OSX not authenticating, but still joined to domain
Before everyone goes off and destroys their networks or whatever, you may want to try this first:
1) Join OSX computer to your AD domain
2) Test to see if joined correctly (see if it logs in)
3) Open terminal (need to be an admin user on the local machine)
4) Type: dsconfigad -passinterval 0
5) Press enter and type your password if it asks
This should set the trust password refresh interval for the computer to never expire.
Alternatively, set up and use DeployStudio freeware; it's the closest I've come to finding something useful for Macs.
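Once a few Macs have been given the dsconfigad -passinterval 0 workaround above, it is useful to be able to tell which machines rotate their AD computer-account password and which never will, because a trust password that never changes is one more long-lived credential to track. The script below is an added example, not from the post or from Apple's tooling; it parses the "Password change interval" line that dsconfigad -show prints (the sample output embedded here is constructed, not captured from a real machine) and reports the rotation status. The live_settings helper runs the real command and is only meaningful on a macOS host.

```python
"""Report the AD trust-password rotation interval of a Mac bound with dsconfigad.

Added example, not code from the thread. SAMPLE_SHOW_OUTPUT is a constructed
excerpt in the shape of `dsconfigad -show`, not real output.
"""
import re
import subprocess

SAMPLE_SHOW_OUTPUT = """\
Active Directory Forest          = school.example
Active Directory Domain          = school.example
Computer Account                 = mac-lab-01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Password change interval       = 14
  Namespace mode                 = domain
"""


def parse_show(text):
    """Turn 'Key = Value' lines into a dict; section headers without '=' are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def password_interval_days(settings):
    """Return the interval in days as an int, or None if absent or not numeric."""
    raw = settings.get("Password change interval")
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return None


def assess(settings):
    """Summarise rotation status; 0 is the value -passinterval 0 sets."""
    days = password_interval_days(settings)
    if days is None:
        return "unknown"
    if days == 0:
        return "rotation disabled (passinterval 0)"
    return f"rotates every {days} days"


def live_settings():
    """Read the real binding on a macOS host (requires dsconfigad; not used offline)."""
    out = subprocess.run(["dsconfigad", "-show"], capture_output=True, text=True, check=True).stdout
    return parse_show(out)


if __name__ == "__main__":
    s = parse_show(SAMPLE_SHOW_OUTPUT)
    print(s["Computer Account"], "->", assess(s))
```

Run across a lab with something like ssh or a management tool, the one-line summary per machine gives an inventory of which computer accounts still rotate and which were pinned to never expire while the DNS problem was being chased.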