For about a month, we’ve been struggling with a pesky problem which boils down to the above description. As the above description suggests, the password is known to the user and the AD account is functional. The full details on this problem are noted at http://blogs.uw.edu/barkills/2017/09/22/user-on-mac-cant-login-to-ad-but-can-login-from-windows/.
The takeaway is that there is a known problem: if your AD user's samAccountName matches another AD user's displayName or sn, you may have problems logging in from a Mac. That is obviously a pretty arbitrary condition, and one that would be really difficult to prevent. It seems to happen because Apple, when writing the code for their AD directory plug-in, decided that if the ANR search they use produces more than one result, they arbitrarily pick one, try the password against it, and if that fails, produce a standard logon failure error message. After we figured this out, I couldn't find any evidence on the internet that anyone else had run into this issue. Since I posted it on the windows-hied list, I've heard from a handful of folks who have run into the same thing, but I don't think anyone has called enough attention to it. So here I am. :) Brian
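To make the failure mode concrete, here is an added example (not code from the post, and not Apple's or Microsoft's code) that models how an Ambiguous Name Resolution (ANR) lookup resolves a logon name, and that scans a directory for samAccountNames which would be ambiguous under it. The user records are constructed. The attribute list is my understanding of the prefix-matched members of the default ANR set, and the model goes a little beyond the post's exact-match case: ANR is a "starts with" match, so a samAccountName that is merely a prefix of another user's displayName, sn, givenName or name collides too. The `resolve_account` function contrasts the behaviour the post describes (take the first ANR hit) with an exact `sAMAccountName` match, which is the check that avoids the ambiguity.

```python
"""Model of AD Ambiguous Name Resolution (ANR) and a scan for ambiguous logons.

Added example, not from the original post. The directory below is constructed;
the ANR attribute set is an assumption based on Microsoft's documented default.
"""
from typing import Dict, List

# Prefix-matched attributes in the default ANR set (assumed; legacyExchangeDN,
# which is exact-matched, and the "first last" split on spaces are omitted
# because logon names contain no spaces).
ANR_ATTRIBUTES = (
    "displayName", "givenName", "physicalDeliveryOfficeName",
    "proxyAddresses", "name", "sAMAccountName", "sn",
)

# Constructed sample directory. "lee" is ambiguous: it is clee's sn and the
# prefix of clee's displayName and name as well as lee's own samAccountName.
DIRECTORY: List[Dict[str, object]] = [
    {"sAMAccountName": "clee", "givenName": "Chris", "sn": "Lee",
     "displayName": "Chris Lee", "name": "Chris Lee",
     "proxyAddresses": ["SMTP:clee@example.test"]},
    {"sAMAccountName": "lee", "givenName": "Lee", "sn": "Wong",
     "displayName": "Lee Wong", "name": "Lee Wong",
     "proxyAddresses": ["SMTP:lee@example.test"]},
    {"sAMAccountName": "wong1", "givenName": "Wen", "sn": "Wong",
     "displayName": "Wen Wong", "name": "Wen Wong",
     "proxyAddresses": ["SMTP:wong1@example.test"]},
    {"sAMAccountName": "dsmith", "givenName": "Dana", "sn": "Smith",
     "displayName": "Dana Smith", "name": "Dana Smith",
     "proxyAddresses": ["SMTP:dsmith@example.test"]},
]


def anr_filter(value: str) -> str:
    """LDAP filter that (anr=value) expands to for a value without spaces."""
    terms = "".join(f"({attr}={value}*)" for attr in ANR_ATTRIBUTES)
    return f"(|{terms})"


def _values(record: Dict[str, object], attr: str) -> List[str]:
    """Normalise single- and multi-valued attributes to a list of strings."""
    v = record.get(attr, [])
    return list(v) if isinstance(v, list) else [str(v)]


def anr_candidates(directory: List[Dict[str, object]], value: str) -> List[str]:
    """samAccountNames of every record an ANR search for `value` would return.

    Matching is case-insensitive prefix matching on each ANR attribute.
    """
    needle = value.lower()
    hits = []
    for rec in directory:
        if any(v.lower().startswith(needle)
               for attr in ANR_ATTRIBUTES for v in _values(rec, attr)):
            hits.append(str(rec["sAMAccountName"]))
    return hits


def find_ambiguous_logins(directory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each samAccountName whose ANR lookup is ambiguous to its candidates."""
    ambiguous = {}
    for rec in directory:
        login = str(rec["sAMAccountName"])
        cands = anr_candidates(directory, login)
        if len(cands) > 1:
            ambiguous[login] = cands
    return ambiguous


def resolve_account(directory: List[Dict[str, object]], login: str,
                    strict: bool = True) -> str:
    """Resolve a logon name to one account.

    strict=True  : exact, case-insensitive sAMAccountName match (unambiguous).
    strict=False : the behaviour the post describes, the first ANR hit, which
                   may be a different user's account.
    Raises LookupError when nothing matches.
    """
    if strict:
        for rec in directory:
            if str(rec["sAMAccountName"]).lower() == login.lower():
                return str(rec["sAMAccountName"])
        raise LookupError(login)
    cands = anr_candidates(directory, login)
    if not cands:
        raise LookupError(login)
    return cands[0]


if __name__ == "__main__":
    print("ANR filter for 'lee':", anr_filter("lee"))
    print("Ambiguous logons:", find_ambiguous_logins(DIRECTORY))
    print("ANR-style resolve of 'lee':", resolve_account(DIRECTORY, "lee", strict=False))
    print("Exact resolve of 'lee':    ", resolve_account(DIRECTORY, "lee"))
```

Against a real domain the same scan is a loop over `Get-ADUser -Filter *` (or any LDAP client) issuing `(anr=<samAccountName>)` for each account and flagging any that returns more than one object; the accounts it flags are the ones whose owners will see an unexplained Mac logon failure.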