Can not bind clients to AD

  • #368776
    wiitho
    Participant

    Hello!

    We are using an OS 10.4.9 server for MCX and 10.4.9 Clients.
    We install a NetInstall image on our clients and bind them to our AD Server (Win 2003 server)

    This has worked flawlessly in the past, but now we are unable to join AD…
    Here is the log from the client:

    2007-04-18 14:17:19 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:19:19 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:21:19 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:23:19 CEST – ADPlugin: Setting Computer Password FAILED for existing record……
    2007-04-18 14:23:19 CEST – ADPlugin: Updating Local Admin Group
    2007-04-18 14:23:19 CEST – ADPlugin: Cleaning Previous Additions to Local Admin Group
    2007-04-18 14:23:19 CEST – ADPlugin: Sending lookupd flushcache at request!
    2007-04-18 14:23:19 CEST – ADPlugin: Resetting memberd cache also!
    2007-04-18 14:23:19 CEST – ADPlugin: Closing All Connections – Connection Manager
    2007-04-18 14:23:19 CEST – ADPlugin: Closing Connection – [email protected]@hfk.vgs.no:389
    2007-04-18 14:23:19 CEST – ADPlugin: Closing All Connections – Connection Manager Completed
    2007-04-18 14:23:19 CEST – ADPlugin: Bind/Join failed – Launching kerberosautoconfig -u
    2007-04-18 14:23:20 CEST – ADPlugin: Calling CloseDirNode

    It seems to have something to do with passwords as far as I can see, however the passwords are the same as they were when this setup worked..
    Anyone know what this might be?

    Any help would be greatly appreciated!
    Thanks!

    #368793
    wiitho
    Participant

    Hello again!

    I'm not on site, but I got my contact to get the debug log for me.
    It's about 5 pages, but here is where I think the problem starts.
    If anyone needs to see the entire thing I could email it. That way it's more comfortable to read.

    I'd really appreciate help with this!

    /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlugin
    ^C
    h-fuv-mbb-71:~ root# sudo killall -USR1 DirectoryService
    h-fuv-mbb-71:~ root# tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlugin
    2007-04-18 13:58:49 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:00:50 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:02:50 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:04:50 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:06:50 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:15:19 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:17:19 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:19:19 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:21:19 CEST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2007-04-18 14:23:19 CEST – ADPlugin: Setting Computer Password FAILED for existing record……
    2007-04-18 14:23:19 CEST – ADPlugin: Updating Local Admin Group
    2007-04-18 14:23:19 CEST – ADPlugin: Cleaning Previous Additions to Local Admin Group
    2007-04-18 14:23:19 CEST – ADPlugin: Sending lookupd flushcache at request!
    2007-04-18 14:23:19 CEST – ADPlugin: Resetting memberd cache also!
    2007-04-18 14:23:19 CEST – ADPlugin: Closing All Connections – Connection Manager
    2007-04-18 14:23:19 CEST – ADPlugin: Closing Connection – [email protected]@hfk.vgs.no:389
    2007-04-18 14:23:19 CEST – ADPlugin: Closing All Connections – Connection Manager Completed
    2007-04-18 14:23:19 CEST – ADPlugin: Bind/Join failed – Launching kerberosautoconfig -u
    2007-04-18 14:23:20 CEST – ADPlugin: Calling CloseDirNode
    ^A^A

    #368816
    gabester
    Participant

    It is important that the user account authenticating to AD for the bind not be a member of too many groups. This apparently causes too much information to be sent along on the data.

    Is it possible someone at your organization instituted a firewall change and didn’t inform you? When I recently encountered this problem it was because only port 464 TCP was open to the AD Domain Controllers; that is fine for Windows PCs but Macs and everything else using standard Kerberos will also need 464 UDP. Your bind attempt will fail at the point where it attempts to change the machine password – I saw the exact same error log you’ve reported (if your hunch about “where things are going wrong” is correct and there’s nothing indicative of a different problem earlier in the log).

    Hope that helps.
    g=
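
Added example, not part of the thread and not code from any poster: a small Python check that scans ADPlugin log text in the format quoted above and reports each failed computer-password set together with the spacing of the retries before it. The sample lines, the principals in them and the reading of evenly spaced retries as unanswered requests are assumptions of this example.

```python
import re
from datetime import datetime

# Matches lines in the format quoted in the thread; the separator may be an
# en dash (as pasted on the page) or a plain hyphen.
LINE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ [–-] ADPlugin: (.*)")

# Constructed sample; principals and realm are placeholders.
SAMPLE = """\
2007-04-18 14:17:19 CEST – ADPlugin: Changing Password for User mac01$@EXAMPLE.ORG as binduser@EXAMPLE.ORG
2007-04-18 14:19:19 CEST – ADPlugin: Changing Password for User mac01$@EXAMPLE.ORG as binduser@EXAMPLE.ORG
2007-04-18 14:21:19 CEST – ADPlugin: Changing Password for User mac01$@EXAMPLE.ORG as binduser@EXAMPLE.ORG
2007-04-18 14:23:19 CEST – ADPlugin: Setting Computer Password FAILED for existing record......
2007-04-18 14:23:19 CEST – ADPlugin: Bind/Join failed – Launching kerberosautoconfig -u
"""

def find_failed_password_sets(text, min_gap=60, max_gap=300):
    """Return one finding per 'Setting Computer Password FAILED' line.

    Heuristic (assumption): retries spaced at least min_gap seconds apart
    mean each request waited for a reply that never came, which fits a
    blocked kpasswd port (464) better than an immediate rejection.
    """
    findings, attempts = [], []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if msg.startswith("Changing Password for User"):
            # A long pause means a new bind attempt; start a fresh run.
            if attempts and (ts - attempts[-1]).total_seconds() > max_gap:
                attempts = []
            attempts.append(ts)
        elif msg.startswith("Setting Computer Password FAILED"):
            points = attempts + [ts]
            gaps = [int((b - a).total_seconds())
                    for a, b in zip(points, points[1:])]
            findings.append({
                "failed_at": m.group(1),
                "attempts": len(attempts),
                "gaps_seconds": gaps,
                "timeout_like": bool(gaps) and min(gaps) >= min_gap,
            })
            attempts = []
    return findings

if __name__ == "__main__":
    for f in find_failed_password_sets(SAMPLE):
        print(f)
```

A `timeout_like` result is a prompt to check the firewall rules for 464 TCP and UDP towards the domain controllers, as the reply above suggests; it does not prove the cause on its own.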
