Bind Lion to Active Directory with a shell script

  • #380975
    prometheon123
    Participant

    Hello,

    Does anyone have a script to bind Lion to Active Directory? I ask because the script that I use, which I got from Mike Bombich’s website many years ago and which has worked since Tiger, doesn’t seem to work with Lion.

    A snippet from my script:
    [code]
    # Standard parameters
    domain="sespactivedirectory.northwestern.edu"
    id="myaccount"
    password="mypassword"

    # Advanced options
    ou="CN=Computers,DC=sespad,DC=northwestern,DC=edu"
    preferredserver="sespdc1.sespactivedirectory.northwestern.edu"
    multidomain="enable"
    mobileconfirm="enable"
    caching="enable"
    localhome="disable"
    mountstyle="afp"
    [/code]

    Specifically, I get dsconfigad: Node name wasn’t found. (2000) when I define AD in my script. This was never an issue with Tiger-Snow Leopard.

    Any help or insight is greatly appreciated!

    Sincerely,

    Ryan

    #381005
    aaulich
    Participant

    Hi Ryan,

    AD binding in Lion is broken (at least in the 10.7.0 version), so it might be that your script starts working again as soon as Apple has fixed AD binding.

    Cheers,

    André

    #381008
    ptrondsen
    Participant

    I got mine from Snow Leopard to work.
    It’s based on the Bombich script, I had to modify a few things.
    In order to get it to work in Snow Leopard and Lion, I had to add a few sleeps at the end.
    Good Luck

    Script:
    [code]
    #! /bin/sh
    clear
    # User input
    # Check to see if root
    amiroot=`whoami`
    if [ "$amiroot" != root ]; then
    echo ""
    echo "ERROR! You must sudo to root to use this script"
    echo ""
    exit 1
    fi

    unit="Beginning of AD NAME" # placeholder: prefix prepended to the name entered below
    ou="OU=" # placeholder: distinguished name of the container for computer objects

    ### Getting Computer Name
    g=0
    while [ "$g" -eq 0 ]
    do

    printf "\nEnter Username: "
    read name
    echo "$name"
    # accept the input once something was actually entered
    if [ -n "$name" ]; then
    g=`expr $g + 1`
    else
    echo "Invalid input, please re-enter asset number"
    fi
    done

    ####End Computer Name

    printf "\nEnter AD account that has rights to bind computers to AD: "
    read udn
    printf "Enter password: "
    stty -echo
    read password
    stty echo
    echo ""
    # Standard parameters
    domain="yourdomain.com" # fully qualified DNS name of Active Directory Domain
    orgname=`scutil --get ComputerName`
    computerid=${unit}${name}
    printf "%16s\t%16s\n" "$orgname" "$computerid" > /tmp/"$unit.txt"
    #exit
    scutil --set HostName "$computerid"
    scutil --set ComputerName "$computerid"
    scutil --set LocalHostName "$computerid"
    #computerid=`echo "$up" | tr 'a-z' 'A-Z'`;exit

    # Advanced options
    alldomains="enable" # 'enable' or 'disable' automatic multi-domain authentication
    localhome="enable" # 'enable' or 'disable' force home directory to local drive
    protocol="smb" # 'afp' or 'smb' change how home is mounted from server
    mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
    mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
    useuncpath="disable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
    user_shell="/bin/bash" # e.g., /bin/bash or "none"
    preferred="-nopreferred" # Use the specified server for all Directory lookups and authentication
    # (e.g. "-nopreferred" or "-preferred ad.server.edu")
    admingroups="Your ADMIN GROUPS" # placeholder: comma-separated AD groups given local admin rights
    printf "\nComputer is being added to Active Directory with a name of %s, please wait.\n" "$computerid"
    ### End of configuration
    # Activate the AD plugin
    defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    # Bind to AD
    dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"
    sleep 15

    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
    else
    dsconfigad -groups "$admingroups"
    fi

    dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred

    sleep 10
    dsconfigldap -v -a yourodserver
    sleep 15
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath

    sleep 30
    dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    dscl /Search -append / CSPSearchPath /LDAPv3/yourodserver

    sleep 15
    dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
    dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/yourodserver

    # Restart DirectoryService (necessary to reload AD plugin activation settings)
    # On 10.7 the daemon is opendirectoryd, so this name only matches on 10.6 and earlier
    killall DirectoryService

    exit 0
    [/code]

    #381009
    ptrondsen
    Participant

    I was getting the node error in the final beta, and had to go back to the previous version first, and then go to gm to get it to work. I think they fixed that in the final release.

    #381031
    Macleod
    Participant

    If you look at dsconfigad, you will see that the arguments have changed.
    10.6:
    dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password]
    [-lu username] [-lp password] [-ou dn] [-status]
    10.7:
    dsconfigad -add domain -username value [-computer value] [-force]
    [-password value] [-ou dn] [-preferred server]
    [-localuser value] [-localpassword value]
    Update your scripts to use the new arguments, and you should be fine.
    You should note though that dsconfigad now automatically adds “All Domains” to the search path on bind, and few options can be configured before the machine is bound, since there is no longer a persistent plist tracking the ad options. If you turn off “All Domains”, you will need to manually remove it from the Search Path.

    –DH

    #381107
    wadewei
    Participant

    [QUOTE][u]Quote by: Macleod[/u][p]If you look at dsconfigad, you will see that the arguments have changed.
    10.6:
    dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password]
    [-lu username] [-lp password] [-ou dn] [-status]
    10.7:
    dsconfigad -add domain -username value [-computer value] [-force]
    [-password value] [-ou dn] [-preferred server]
    [-localuser value] [-localpassword value]
    Update your scripts to use the new arguments, and you should be fine.
    You should note though that dsconfigad now automatically adds “All Domains” to the search path on bind, and few options can be configured before the machine is bound, since there is no longer a persistent plist tracking the ad options. If you turn off “All Domains”, you will need to manually remove it from the Search Path.

    –DH[/p][/QUOTE]

    I agree with that; we should use a new bind script written specifically for Lion, with the correct syntax and parameter order for dsconfigad, and try it. Based on some tests on Lion 10.7.1 with a Win 2003 AD, I wrote a simple bind script. Sure, it’s still based on the previous AD bind scripts, but you can see some things have changed in the “# Bind to AD” and “# Configure advanced options” sections. Please feel free to try it and give feedback.
    [code]
    #!/bin/sh

    # Active Directory Bind Script For Lion Client
    # Modified by Wade Wei according to previous popular bind script

    #Basic parameters (example values from the post; replace before use)
    computerid=`scutil --get LocalHostName`
    domain="contoso.com"
    udn="macbinder"
    password="afp54801!"
    ou="OU=maccomputers,DC=contoso,DC=com"

    #Advanced parameters
    alldomains="enable"
    localhome="enable"
    protocol="smb"
    mobile="enable"
    mobileconfirm="disable"
    useuncpath="enable"
    user_shell="/bin/bash"
    preferred="ad1.contoso.com"
    admingroups="CONTOSO\Domain Users"
    localadmin="maclocaladmin"
    localpwd="mac01!"
    ksauthority="enable"
    namespace="domain"
    packetsign="require"
    packetencrypt="require"

    # Bind to AD
    dsconfigad -add $domain -username $udn -password "$password" -computer $computerid -ou "$ou" -preferred $preferred -force -localuser $localadmin -localpassword "$localpwd" -packetencrypt $packetencrypt
    sleep 5

    #Configure advanced options
    dsconfigad -localuser $localadmin -localpassword "$localpwd" -alldomains $alldomains -localhome $localhome -groups "$admingroups" -mobile $mobile -mobileconfirm $mobileconfirm -namespace $namespace -packetsign $packetsign -useuncpath $useuncpath -protocol $protocol -shell $user_shell -authority $ksauthority
    echo "Bind domain done!"
    exit 0
    [/code]

    Thanks,

    Wade
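Macleod's post above explains that the dsconfigad options were renamed between 10.6 and 10.7, and Wade's script shows the 10.7 spelling. The block below is an added example written for this thread, not a script posted by any participant: it picks the 10.6 or 10.7 argument form from the running OS X version, takes the bind password from a root-only file instead of a literal in the script, and prints the dscl cleanup that Macleod notes is needed on 10.7 when "All Domains" is turned off. Every domain, OU, host, account name and file path in it is a placeholder, and the `stat -f %Lp` call is the BSD/OS X form of stat.

```shell
#!/bin/sh
# Added example for this thread, not a participant's script. Builds the
# dsconfigad bind command for the running OS X release (10.6 and 10.7 name the
# options differently), reads the bind password from a root-only file rather
# than a literal in the script, and prints the dscl step that 10.7 needs when
# "All Domains" is disabled. All domain, OU, host and account values are
# placeholders.

# Minor release number: 6 for 10.6.x, 7 for 10.7.x. An argument overrides
# sw_vers so the function can be exercised away from a Mac.
osx_minor() {
    v="${1:-$(sw_vers -productVersion 2>/dev/null)}"
    echo "$v" | cut -d. -f2
}

# True only for a permission mode with no group/other bits (600, 400, 0600 ...).
# On OS X get the mode of a file with: stat -f %Lp /path/to/file
secret_mode_ok() {
    case "$1" in
        [4-7]00|0[4-7]00) return 0 ;;
        *)                return 1 ;;
    esac
}

# bind_cmd RUNNER MINOR DOMAIN COMPUTER USER OU PREFERRED PASSWORD
# RUNNER is "echo" to preview the command or "" to execute it.
# 10.6 keeps the -f/-a/-u/-p spelling; 10.7 uses -add/-username/-password.
bind_cmd() {
    runner="$1"; minor="$2"; domain="$3"; computer="$4"
    user="$5"; ou="$6"; preferred="$7"; password="$8"
    case "$minor" in
        6) $runner dsconfigad -f -a "$computer" -domain "$domain" \
               -u "$user" -p "$password" -ou "$ou" ;;
        7) $runner dsconfigad -add "$domain" -username "$user" -password "$password" \
               -computer "$computer" -ou "$ou" -preferred "$preferred" -force ;;
        *) echo "unsupported release 10.$minor" >&2; return 1 ;;
    esac
}

# The 10.7 bind appends "/Active Directory/All Domains" to the search path by
# itself and does not take it out again when -alldomains is set to disable,
# so that entry has to be deleted by hand. Prints the command, or nothing.
alldomains_fixup() {
    if [ "$1" = "disable" ]; then
        echo 'dscl /Search -delete / CSPSearchPath "/Active Directory/All Domains"'
    fi
}

# Run as root on the Mac: sh bind-example.sh --run
main() {
    domain="contoso.example"                       # placeholder
    ou="OU=maccomputers,DC=contoso,DC=example"     # placeholder
    binduser="macbinder"                           # placeholder join account
    preferred="ad1.contoso.example"                # placeholder domain controller
    secret=/var/root/ad-bind.secret                # placeholder; first line holds the password
    alldomains="enable"

    mode=$(stat -f %Lp "$secret") || exit 1
    secret_mode_ok "$mode" || { echo "$secret must be mode 600, is $mode" >&2; exit 1; }
    password=$(head -n 1 "$secret")
    computer=$(scutil --get LocalHostName)

    # preview with the password masked, then run for real
    bind_cmd echo "$(osx_minor)" "$domain" "$computer" "$binduser" "$ou" "$preferred" '********'
    bind_cmd "" "$(osx_minor)" "$domain" "$computer" "$binduser" "$ou" "$preferred" "$password" || exit 1
    sleep 5
    dsconfigad -alldomains "$alldomains"
    fix=$(alldomains_fixup "$alldomains")
    [ -n "$fix" ] && eval "$fix"
    dsconfigad -show
}

case "${1:-}" in --run) main ;; esac
```

The password still appears on the dsconfigad command line for the duration of the call, where other local processes can read it, which is why the file holding it is checked for a 600 mode and why the preview line masks it; the literal-in-the-script approach in the posts above leaves it readable by anyone who can open the script.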

    #381114
    prometheon123
    Participant

    Thanks to everyone who responded. I really appreciate all the help.

    I’ve tried some of the posts here and I’m still getting the segmentation fault errors intermittently across our network. What’s worse, even after I delete the object out of AD, remove all prefs from DirectoryService, I now get an error that the system is already bound to AD and that I have to unbind it first.

    Our Apple SE told me that 10.7.2 focuses heavily on fixing dsconfigad. I have a developer account so I’ll have to try 10.7.2 out in the lab to see if things are better. Fingers crossed.

    #381200
    electrowave
    Participant

    [QUOTE][u]Quote by: aaulich[/u][p]Hi Ryan,

    AD binding in Lion is broken (at least in the 10.7.0 version), so it might be that your script starts working again as soon as Apple has fixed AD binding.

    Cheers,

    André
    [/p][/QUOTE]

    AD binding in Lion works fine. I was able to bind to AD with Lion right out of the box. The issue with Lion is when you try to bind to Open Directory. 10.7 will not bind to a server that is not at least 10.6 if it requires Authenticated Binding. It will fail every time.

    #381204
    KWik
    Participant

    [QUOTE][u]Quote by: aaulich[/u][p]Hi Ryan,

    AD binding in Lion is broken (at least in the 10.7.0 version), so it might be that your script starts working again as soon as Apple has fixed AD binding.

    Cheers,

    André
    [/p][/QUOTE]
    [QUOTE][u]Quote by: electrowave[/u][p]
    AD binding in Lion works fine. I was able to bind to AD with Lion right out of the box. The issue with Lion is when you try to bind to Open Directory. 10.7 will not bind to a server that is not at least 10.6 if it requires Authenticated Binding. It will fail every time.[/p][/QUOTE]

    AD binding in Lion depends on server, I’d say. Wednesday I was unable to bind to a Win2008 server. Friday I managed to bind, but today the binding seems to be broken. After trying to fix it, DirectoryService isn’t even running after a reboot. Turns out killall DirectoryService is outdated. [CODE]opendirectoryd is a launchd(8) job which replaces “DirectoryService”[/CODE] …
    Anyhow, before a softwareupdate at least I had contact with the catalogue (checking with id) but still I was unable to log in. I got the spinning beachball and had to force a restart after quite some time.

    Logs say:
    [CODE]
    Sep 19 10:04:22 hf-foo com.apple.SecurityServer[22]: Succeeded authorizing right ‘system.login.console’ by client ‘/System/Library/CoreServices/loginwindow.app’ [58] for authorization created by ‘/System/Library/CoreServices/loginwindow.app’ [58]
    Sep 19 10:04:22 hf-foo loginwindow[58]: Login Window – Returned from Security Agent
    [/CODE]
    and the /Users/username dir has been created. But looking at all the logs, it seems that after my user was checked and cleared by Security Agent, parentalcontrolsd is acting up even before authorizationhost confirms a created home dir:

    [CODE]
    19.09.11 10:04:20,238 parentalcontrolsd: ActivityTrackerForUID [693:] — *** Couldn’t get user name from uid 3180098417
    19.09.11 10:04:20,238 parentalcontrolsd: _FCXMIGUserCanLogin [2251:] — *** tracker for uid 3180098417 was nil.

    19.09.11 10:04:21,774 com.apple.authorizationhost.00000000-0000-0000-0000-0000000186A4: creating home directories for (hf-foo.local)
    19.09.11 10:04:21,774 com.apple.authorizationhost.00000000-0000-0000-0000-0000000186A4: created (/Users/klaus)
    [/CODE]

    and then the dealbreaker:
    [CODE]
    19.09.11 10:10:02,542 com.apple.launchd: (com.apple.launchd.peruser.3180098417[193]) getpwuid(“3180098417”) failed
    [/CODE]

    repeated ad nauseam.

    IANAACSA, but this hints at some problems with the AD-OD communication, specifically that while OD manages to lookup my user name (through AD) and get my uid, it fails to do the reverse.

    EDIT: formatting the quotes a bit.

    Klaus Wik
    (The ids have been changed to protect the inn innoc … *cough*)

    #381205
    KWik
    Participant

    [QUOTE]
    [CODE]
    19.09.11 10:04:20,238 parentalcontrolsd: ActivityTrackerForUID [693:] — *** Couldn’t get user name from uid 3180098417
    19.09.11 10:04:20,238 parentalcontrolsd: _FCXMIGUserCanLogin [2251:] — *** tracker for uid 3180098417 was nil.

    19.09.11 10:04:21,774 com.apple.authorizationhost.00000000-0000-0000-0000-0000000186A4: creating home directories for (hf-foo.local)
    19.09.11 10:04:21,774 com.apple.authorizationhost.00000000-0000-0000-0000-0000000186A4: created (/Users/klaus)
    [/CODE]

    and then the dealbreaker:
    [CODE]
    19.09.11 10:10:02,542 com.apple.launchd: (com.apple.launchd.peruser.3180098417[193]) getpwuid(“3180098417”) failed
    [/CODE]

    repeated ad nauseam.

    IANAACSA, but this hints at some problems with the AD-OD communication, specifically that while OD manages to lookup my user name (through AD) and get my uid, it fails to do the reverse.
    [/p][/QUOTE]

    *sigh* OK

    So a hint for you if you see the same as I do. Log in as a local user and try
    [CODE]
    id username
    netstat | less
    [/CODE]

    and verify that you get all the required established connections to the server. I was on the wrong subnet. Trying again now.

    Klaus Wik
    (The ids have been changed to protect the inn innoc … *cough*)
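Klaus's logs show the asymmetry that matters in his case: the forward lookup (name to uid) succeeds, while getpwuid on the resulting uid fails. The block below is an added post-bind check written for this thread, not a script any participant posted. It wraps the `id username` test from the post and adds the reverse direction with `dscacheutil -q user -a uid`, parsing both tools' output so the round trip can be verified; the sample outputs used in the test are constructed, and the host and user names are placeholders.

```shell
#!/bin/sh
# Added post-bind check for this thread (not a participant's script). Verifies
# that a directory user resolves in both directions: name -> uid via id(1),
# and uid -> name via dscacheutil(1), which is the lookup getpwuid() depends on.
# The parsers take the tool output as a string so they can be tested with
# constructed samples; main() runs the real tools on the Mac.

# Extract the numeric uid from id(1) output such as
#   uid=3180098417(klaus) gid=3180098416(domain users) groups=...
uid_from_id() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# Extract the account name from the same id(1) line.
name_from_id() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Extract the "name:" field from dscacheutil -q user output, e.g.
#   name: klaus
#   uid: 3180098417
#   ...
name_from_cache() {
    printf '%s\n' "$1" | sed -n 's/^name: //p' | head -n 1
}

# roundtrip_ok USER ID_OUTPUT CACHE_OUTPUT
# Succeeds when the name recovered from the uid matches the name we started
# with; fails (the getpwuid failure seen in the logs above) when the reverse
# lookup returns nothing or a different account.
roundtrip_ok() {
    user="$1"
    uid=$(uid_from_id "$2")
    [ -n "$uid" ] || { echo "forward lookup failed for $user" >&2; return 1; }
    back=$(name_from_cache "$3")
    if [ "$back" = "$user" ]; then
        echo "uid $uid resolves back to $user"
        return 0
    fi
    echo "uid $uid does not resolve back to $user (got '${back:-nothing}')" >&2
    return 1
}

# Run on the Mac as a local admin: sh check-bind.sh --run klaus
main() {
    user="$1"
    echo "== binding =="; dsconfigad -show
    echo "== search path =="; dscl /Search -read / CSPSearchPath
    idline=$(id "$user" 2>/dev/null) || { echo "id: cannot resolve $user" >&2; exit 1; }
    uid=$(uid_from_id "$idline")
    echo "id reports $(name_from_id "$idline") with uid $uid"
    cache=$(dscacheutil -q user -a uid "$uid")
    roundtrip_ok "$user" "$idline" "$cache"
}

case "${1:-}" in --run) main "$2" ;; esac
```

Run it from a local account before trying a directory login: a failure in the reverse step, with the forward step succeeding, reproduces the getpwuid errors from the logs without having to sit through the spinning beachball, and the `dsconfigad -show` and search-path output make it easy to see whether the machine is really bound and whether "/Active Directory/All Domains" is present.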

    #381209
    prometheon123
    Participant

    All –

    I’m happy to report that the binding with a shell script has been fixed in 10.7.2. Hard to believe Lion shipped with this being so broken.

    Regardless, things are working as they should now.

    – Ryan
