Active Directory bind fail with service account 10.12 (16A201w)

Originator:eholtam
Number:rdar://26863903 Date Originated:6/17/2016
Status:Resolved Resolved:10.12.x release
Product:OS X Product Version:10.12 (16A201w)
Classification:Serious Bug Reproducible:Always
 
OS: 10.12 (16A201w)

We have a service account in Active Directory that has limited rights (though I'm not exactly sure what limitations are set) to bind computers to Active Directory.  We have used, and currently use, that unmodified account successfully to bind OS X 10.3-10.11.  With 10.12 (16A201w) that account is not able to bind to AD, citing authentication issues.  I have a different elevated-rights account that is used for administering many other facets of the domain, and that account does allow 10.12 to bind.  It appears something has changed in 10.12 in how it detects the viability of the account used to bind.

Steps to reproduce:

1. Set up a service account that is limited to just binding to AD, similar to the "Answer" suggestion at https://social.technet.microsoft.com/Forums/windowsserver/en-US/f149c456-b0c8-4a05-ac89-3097273bc74e/ad-user-that-is-restricted-to-only-binding-computers?forum=winserverDS
2. Using `dsconfigad -force -add <domain> -computer <computername> -username <serviceAccount> -password <serviceAccountPassword>` attempt to bind to the AD domain
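A shell harness for the two steps above, as an added example that is not part of the radar or of Apple's tooling: it runs the same dsconfigad command and, when that fails with the "Invalid credentials" message, asks the KDC directly (via kinit) whether the account's password is accepted, so a genuinely bad password can be told apart from the 10.12 behaviour the report describes, where a password that works everywhere else is still refused for the bind. The domain corp.example.com, the account name svc-adbind and the computer name mac-test-01 are assumptions, and the script assumes the Heimdal kinit shipped with macOS, which reads the password from standard input with --password-file=STDIN.

```shell
#!/bin/sh
# adbind-diag.sh: added reproduction/diagnosis helper, not part of the radar.
# Separates "the service account cannot authenticate at all" from
# "the account authenticates but dsconfigad still refuses to bind",
# which is the symptom reported on 10.12.
#
# Assumptions (not from the report): the AD domain corp.example.com, a
# limited bind account svc-adbind, a computer name mac-test-01, and the
# Heimdal kinit shipped with macOS (--password-file=STDIN).

DOMAIN=${DOMAIN:-corp.example.com}     # assumed AD domain
COMPUTER=${COMPUTER:-mac-test-01}      # assumed computer account name
SVC_USER=${SVC_USER:-svc-adbind}       # assumed limited bind account
SVC_PASS=${SVC_PASS:-}                 # supply via the environment

# Map dsconfigad's exit status and output to a short verdict.
classify_bind_output() {
    rc=$1
    out=$2
    if [ "$rc" -eq 0 ]; then
        echo bound
    else
        case "$out" in
            *"Invalid credentials"*) echo invalid-credentials ;;
            *)                       echo other ;;
        esac
    fi
}

# Run exactly the bind command from the report and classify the result.
try_bind() {
    user=$1
    pass=$2
    rc=0
    out=$(dsconfigad -force -add "$DOMAIN" -computer "$COMPUTER" \
                     -username "$user" -password "$pass" 2>&1) || rc=$?
    classify_bind_output "$rc" "$out"
}

# Ask the KDC directly whether the account's password is accepted.
# Succeeds only if a TGT is issued; the ticket is discarded afterwards.
check_auth() {
    user=$1
    pass=$2
    realm=$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')
    if printf '%s\n' "$pass" | kinit --password-file=STDIN "$user@$realm" >/dev/null 2>&1; then
        kdestroy >/dev/null 2>&1 || true
        return 0
    fi
    return 1
}

# Verdicts: bound, bad-credentials, auth-ok-bind-rejected, bind-failed-other.
diagnose() {
    user=$1
    pass=$2
    verdict=$(try_bind "$user" "$pass")
    case "$verdict" in
        bound) echo bound ;;
        invalid-credentials)
            if check_auth "$user" "$pass"; then
                # The KDC accepts the password, so the bind is refused on
                # something other than the password: the report's symptom.
                echo auth-ok-bind-rejected
            else
                echo bad-credentials
            fi ;;
        *) echo bind-failed-other ;;
    esac
}

if [ "${RUN:-0}" = 1 ]; then
    odutil set log debug      # verbose opendirectory.log, as in the report
    diagnose "$SVC_USER" "$SVC_PASS"
    odutil set log default
fi
```

Run it on the 10.12 machine as `RUN=1 SVC_PASS='...' sh adbind-diag.sh`; with the limited account the expected verdict is auth-ok-bind-rejected, while the elevated account should report bound. As with the original command, the password is visible in the process list for the duration of the dsconfigad call, so use a throwaway password or rotate it afterwards on shared machines.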


Expected results:
Computer will bind to AD.

Actual Results:
The command to bind to AD results in "dsconfigad: Invalid credentials supplied for binding to the server"

OS X Version/Build
10.12 (16A201w)

Additional Notes:

Attached is the opendirectory.log with the log level set to debug via `odutil set log debug` while attempting (and failing) to bind to AD.

A similar error is returned when attempting to bind via the GUI app /System/Library/CoreServices/Applications/Directory Utility.app
