Applies to: Centrify DirectControl 5.1.0 for Mac OS X only.
Problem:
After entering AD domain admin credentials into the second screen of the AD Join Assistant, pressing "Continue" results in one of the following error messages:
Validation of username, password, and domain failed with this error:
get user credentials: Preauthentication failed
Validation of username, password, and domain failed with this error:
error during execution: wrong # args: should be [-gc] [-write] [-machine] <[server@domain> [<user> [<password>]]
The domain admin credentials have been double-checked to be correct and the account has not expired.
Joining the Mac with the command-line adjoin method, using the same credentials, succeeds.
Cause:
The above error prompts may show if the domain admin password contains any of the following characters:
- a dash character (-)
- a dollar sign ($)
- a space character ( )
- an ampersand (&)
The preauthentication step interprets these characters incorrectly and reports a false positive when verifying the validity of the entered credentials.
Workaround:
There are three workarounds for this issue:
- Option 1:
Avoid the use of the above characters within the domain admin password.
- Option 2:
Use the command-line adjoin method to join the computers to the domain:
First enable licensed features:
sudo adlicense -l
Then join the domain in the selected mode (either Auto Zone or Zone Mode).
To join the domain in Auto Zone mode:
sudo /usr/sbin/adjoin --user Administrator --container "domain.com/Path/To/OU" --name ComputerName --workstation domain.com
To join the domain in Zone Mode:
sudo /usr/sbin/adjoin --user Administrator --container "domain.com/Path/To/OU" --name ComputerName --zone ZoneName domain.com
- Option 3:
Download the 5.0.3 version of the GUI front-end (attached below) and use that to join the domain. The agent will still use the 5.1.0 binaries to join and communicate with Active Directory.
Resolution:
This will be fixed in the 5.1.1 release of the AD Join Assistant.
Note:
This issue is strictly related to the GUI itself and is not a network configuration or an AD account problem.