AFP548 - Topic: 10.5.5 woes with AD

This topic has 6 replies, 6 voices, and was last updated 16 years, 5 months ago by macadmin123.

Viewing 7 posts - 1 through 7 (of 7 total)

Author

Posts
September 18, 2008 at 10:58 pm #374171

TWoods450
Participant

So this is strange because it is not consistent. I had three users that updated to 10.5.5 last night, today when they came into the office they could not log in with their network accounts, I couldn’t log in with mine either.

The first I changed the NTP setting from apples time server to our internal time server, He was able to log in.

The second I tried the same thing as before but with no luck, he can log in to work with his local cached profile but cannot log in if connected to our network.

The third is the same as teh second one.

I have removed them fromt he domain and tried to rebind them back into it with no luck. If I try to bind it from the first tab of directory utility which is ‘directory servers’ I get the following error “An unexpected error of type -14090 (eDSAuthFailed) occurred.” if I go into ‘Services’ and double click AD and try to bind that way I get this. “You provided a user name and password combination that is invalid. You should check the user name and password and try again”.

Any ideas?

September 19, 2008 at 4:18 am #374177

aavarca
Participant

Try disabling IPV6 from the network interface. IPV6 seems to conflict with AD plugin. Let me know if that helps.

September 23, 2008 at 6:19 am #374217

not THE woz
Participant

[QUOTE][u]Quote by: TWoods450[/u][p]So this is strange because it is not consistent. I had three users that updated to 10.5.5 last night, today when they came into the office they could not log in with their network accounts, I couldn’t log in with mine either.
[/p][/QUOTE]

In the last 2 days I’ve had exactly the same problem with a couple of my users plus myself. In trying to fix, I removed my mac from AD then tried to re-add, but it won’t let me due to an authentication error. No problems prior to 10.5.5. The users can log in when not connected to the network, then reconnect and after that, there’s no problems with connecting to file servers in the domain or using AD-authenticated web forms.

October 16, 2008 at 5:10 pm #374460

macadmin123
Participant

Yeah, reading the forums there seems to be a pervasive problem with Mac integration with AD that Apple just isn’t addressing adequately!

I’m having almost the exact same problem although I’ve never bound with the server I’m setting up. I’m getting the same error (eDSAuthFailed) in the same place (Directory Utility) as you and I can’t figure it out. To make things more confusing, this isn’t the first or only 10.5.5 server on our network. The others all connected with no difficulty and seem to be working fine.

OK, I can see if there were some configuration gotchas that are mucking things up. But for Apple to be so silent for so long on such an important issue is quite troubling.

Sorry, no answers here. Just another mini-rant!

October 16, 2008 at 6:54 pm #374463

amsterdam
Participant

Ditto for us too. We have about 50 machines, OD/AD integration… It’s the AD account that seems to be dropping out. The problem seems to manifest itself in these ways:
We either see a yellow light at the login screen indicating that only a some network accounts are available
Spinning beach ball when the user is logged in
Blue screen and system freeze at logout

Sometimes rebooting the machine fixes it, sometime not and you have to rebind the machine to AD:

[code]
rm -Rf /Library/Preferences/DirectoryServices/*
rm -f /Library/Preferences/edu.mit.kerberos.plist
rm -f /private/etc/krb5.keytab
[/code]

Then rebind with either command line script or the GUI.

When I last saw the problem, the logs reported the following errors:

[code]
Oct 13 14:31:55 129-79-129-108 com.apple.KerberosAutoConfig[96]: dsOpenDirNode failed with error of type -14002 (File: /SourceCache/SingleSignOnTools/SingleSignOnTools-129/Sources/HighLevelDirServices.c. Line: 758)
Oct 13 14:31:55 129-79-129-108 com.apple.KerberosAutoConfig[96]: Kerberos configuration not updated, cannot contact all nodes on search path
Oct 13 14:31:55 129-79-129-108 /sbin/kerberosautoconfig[96]: Kerberos configuration not updated, cannot contact all nodes on search path
Oct 13 14:31:57 129-79-129-108 com.apple.KerberosAutoConfig[97]: dsOpenDirNode failed with error of type -14002 (File: /SourceCache/SingleSignOnTools/SingleSignOnTools-129/Sources/HighLevelDirServices.c. Line: 758)
Oct 13 14:31:57 129-79-129-108 com.apple.KerberosAutoConfig[97]: Kerberos configuration not updated, cannot contact all nodes on search path
Oct 13 14:31:57 129-79-129-108 /sbin/kerberosautoconfig[97]: Kerberos configuration not updated, cannot contact all nodes on search path
Oct 13 14:31:57 129-79-129-108 kextd[10]: writing kernel link data to /var/run/mach.sym
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: Enter machine password:
Oct 13 14:32:10 129-79-129-108 com.apple.launchd[1] (org.samba.nmbd): Throttling respawn: Will start in 10 seconds
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=106] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: Enter machine password:
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=106] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
Oct 13 14:32:10 129-79-129-108 DirectoryService[11]: Failed to changed computer password in Active Directory domain ads.iu.edu
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=110] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=110] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: Enter machine password:
Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:11, 0, pid=114] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:11, 0, pid=114] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
Oct 13 14:32:41 129-79-129-108 sshd[123]: USER_PROCESS: 123 ttys000
[/code]

October 23, 2008 at 9:12 pm #374536

cbrew325
Participant

Anyone find a way to resolve this problem? We’ve had this happen to several computers. So far no luck getting them to rebind.

I did try these things prior to rebinding. Note: a previous post listed DirectoryServices instead of DirectoryService.

rm -Rf /Library/Preferences/DirectoryService/*
rm -f /Library/Preferences/edu.mit.kerberos.plist
rm -f /private/etc/krb5.keytab

October 24, 2008 at 1:11 pm #374544

macadmin123
Participant

I wouldn’t use the word “resolved” but I got around it when I was forced to rebuild the server for another reason. After the rebuild it connected just fine and hasn’t had a problem.

Before rebuild: 10.5.5
After rebuild: 10.5.5

All the same hardware.

Not sure what – if anything – changed!
Author

Posts