If your account gets locked out on the DC and the "Source Workstation" says "\\workstation", most likely you have mounted the CIFS resource in a way that makes OS X try to use the NetBIOS name resolver, but the real name of the machine cannot be resolved.

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account:
    Source Workstation: \\workstation
    Error Code: 0xC000006A

The above will be the result for at least one replicable test case I am sharing today. If you automount the CIFS share as in:

    $ sudo cat /etc/fstab
    cifs.example.com:/path/to/foo /mnt/foo url url==cifs://myusername:email@example.com/path/to/foo 0 0
    $ sudo automount -vc

Then you will get locked out after some attempts to list the content of /mnt/foo, which will always result in an error:

    $ ls /mnt/foo
    ls: foo: Authentication error

How then do you make sure that the Mac is correctly registered as the "Source Workstation" in the Security event log? The sysadmin needs this to understand exactly from which machine the failed attempt was made.
Most likely you will be able to resolve this issue by looking into DHCP and DNS. Is your DHCP updating DNS? If not, most likely the DC will be unable to show the correct information in its event log (out of the box). It will list the "Source Workstation" as "\\workstation".
Enabling Netlogon logging on the DC should be a big help while troubleshooting this kind of issue:
- Enable netlogon logging: nltest /dbflag:0x2080ffff
- Restart netlogon service
- Inspect logs from %windir%\debug\netlogon
- Disable netlogon logging: nltest /dbflag:0x0
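
Once Netlogon logging is on, the log can be summarized to see which account, client name and relaying server the failed attempts come from. The Python below is an added example, not part of the original post; it assumes the usual Netlogon debug line layout (`... logon of DOMAIN\user from WORKSTATION (via SERVER) Returns 0x...`), and the sample lines, host names and function names are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS codes that matter for lockout triage.
STATUS = {0xC000006A: "STATUS_WRONG_PASSWORD",
          0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Assumed layout: "<MM/DD HH:MM:SS> [LOGON] ... logon of DOMAIN\user from NAME (via SERVER) Returns 0x..."
# "(via SERVER)" names the member server that relayed the logon; it is absent for direct logons.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?"
    r"logon of (?P<account>\S+) from (?P<source>\S*)\s*"
    r"(?:\(via (?P<via>[^)]+)\)\s*)?Returns (?P<status>0x[0-9A-Fa-f]+)"
)

def failed_logons(lines):
    """Yield one dict per logon result whose status code is listed in STATUS."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # "Entered" lines and non-logon lines carry no result
        code = int(m.group("status"), 16)
        if code in STATUS:
            yield {**m.groupdict(), "status": STATUS[code]}

def summarize(lines):
    """Count failures per (account, source workstation, relaying server)."""
    return Counter(
        (f["account"], f["source"] or "<empty>", f["via"] or "<direct>")
        for f in failed_logons(lines)
    )

# Constructed sample lines, not taken from a real DC.
SAMPLE = """\
03/14 10:22:31 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\\myusername from WORKSTATION (via FILESRV01) Entered
03/14 10:22:31 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\\myusername from WORKSTATION (via FILESRV01) Returns 0xC000006A
03/14 10:22:35 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\\myusername from WORKSTATION (via FILESRV01) Returns 0xC000006A
03/14 10:22:40 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\\myusername from WORKSTATION (via FILESRV01) Returns 0xC0000234
03/14 10:22:52 [LOGON] [1234] EXAMPLE: SamLogon: Network logon of EXAMPLE\\otheruser from MACBOOK01 Returns 0x0
03/14 10:23:00 [MISC] [1234] EXAMPLE: DsGetDcName function called
""".splitlines()

if __name__ == "__main__":
    for (account, source, via), count in summarize(SAMPLE).most_common():
        print(f"{count:3d}  {account}  from={source}  via={via}")
```

When the source name is a generic placeholder such as "workstation", the relaying server in the "via" field still narrows down which share the client was trying to reach.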