Can't seem to bind Mac to AD
    #360689
    AllanMarcus
    Participant

    Hello,

    I’m trying to bind a Mac to an AD using the AD plugin, but I’m getting an error. Here’s the log file. For brevity, I’ve removed the “2005-02-11 12:46:42 MST – ADPlugin: ” from the beginning of each line. I’ve used this same account to add PCs to the AD, but it won’t work for a Mac. Any ideas?

    Calling CustomCall
    Setting Unique ID Generation with Attrib uidnumber
    Looking for existing Record of marcusclient
    Doing DN search for account – marcusclient
    Good credentials for [email protected]
    Retrieved connection from connection mgr [email protected]@win.ds.lanl.gov:389
    Added connection to connection mgr [email protected]@win.ds.lanl.gov:389
    Attempting Add Record……
    Adding in OU = CN=Computers,DC=win,DC=ds,DC=lanl,DC=gov
    In Server = dsmad2.win.ds.lanl.gov
    Good credentials for [email protected]
    Retrieved connection from connection mgr [email protected]@win.ds.lanl.gov:389
    Add record CN=marcusclient,CN=Computers,DC=win,DC=ds,DC=lanl,DC=gov with FAILED when using Server dsmad2.win.ds.lanl.gov – LDAP Error 81
    Added connection to connection mgr [email protected]@win.ds.lanl.gov:389
    Closing All Connections – Connection Manager
    Closing Connection – [email protected]@win.ds.lanl.gov:389
    Closing All Connections – Connection Manager Completed

    #360697
    s_groening
    Participant

    Do you have a sane DNS configuration with A host records for each server, Mac and Windows, and corresponding reverse PTR records? If your DNS is located on the AD server, add this as the only DNS server for the Mac OS X Server. That ought to do the trick.

    regards,

    Søren Grønning

    #360699
    AllanMarcus
    Participant

    I don’t know if this makes a difference, but I’m not trying to bind a Mac OS X Server; I’m trying to bind a Mac OS X client.

    The only DNS entry is the AD server, which is running a DNS.

    I’m not familiar with the term “sane DNS configuration”.

    When I perform a dig on the client’s address, I get:

    allan$ dig @128.165.47.1 marcusclient.lanl.gov any   
    
    ; <<>> DiG 9.2.2 <<>> @128.165.47.1 marcusclient.lanl.gov any
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10978
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    
    ;; QUESTION SECTION:
    ;marcusclient.lanl.gov.         IN      ANY
    
    ;; ANSWER SECTION:
    marcusclient.lanl.gov.  3600    IN      A       128.165.113.123
    
    ;; AUTHORITY SECTION:
    lanl.gov.               3600    IN      NS      nss.lanl.gov.
    lanl.gov.               3600    IN      NS      ns1.lanl.gov.
    
    ;; ADDITIONAL SECTION:
    ns1.lanl.gov.           3600    IN      A       128.165.4.4
    nss.lanl.gov.           3600    IN      A       128.165.11.88
    
    ;; Query time: 192 msec
    ;; SERVER: 128.165.47.1#53(128.165.47.1)
    ;; WHEN: Mon Feb 14 08:47:17 2005
    ;; MSG SIZE  rcvd: 123

    When I perform a dig on the server, I get:

    allan$ dig @128.165.47.1 ns1.ds.lanl.gov any
    
    ; <<>> DiG 9.2.2 <<>> @128.165.47.1 ns1.ds.lanl.gov any
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33199
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    
    ;; QUESTION SECTION:
    ;ns1.ds.lanl.gov.               IN      ANY
    
    ;; ANSWER SECTION:
    ns1.ds.lanl.gov.        3600    IN      A       128.165.47.1
    
    ;; AUTHORITY SECTION:
    ds.lanl.gov.            3600    IN      NS      nss.lanl.gov.
    ds.lanl.gov.            3600    IN      NS      ns1.lanl.gov.
    
    ;; ADDITIONAL SECTION:
    ns1.lanl.gov.           3600    IN      A       128.165.4.4
    nss.lanl.gov.           3600    IN      A       128.165.11.88
    
    ;; Query time: 2 msec
    ;; SERVER: 128.165.47.1#53(128.165.47.1)
    ;; WHEN: Mon Feb 14 08:58:16 2005
    ;; MSG SIZE  rcvd: 117

    Does that look right to you?

    Thanks,

    Allan
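
The two lookups above confirm the forward A records only; the reverse PTR records Søren mentions, and the SRV records the AD plug-in uses to locate a domain controller (_ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>), are not covered by them. As an added example, not code from this thread, here is a POSIX shell script that runs all three checks against the DNS server the Mac is pointed at. The server address, AD domain and host name in the usage comment are placeholders taken from the thread; the script assumes `dig` is installed.

```shell
#!/bin/sh
# DNS sanity check for a Mac that is about to bind to AD.
# Usage: dns_sanity_check <dns-server-ip> <ad-domain> <host-fqdn> [<host-fqdn> ...]
# Example (placeholders from this thread):
#   sh dns_check.sh 128.165.47.1 win.ds.lanl.gov marcusclient.lanl.gov

# Build the in-addr.arpa name for an IPv4 address (pure string work, no network).
reverse_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Query one record type with dig and print only the answer data.
lookup() {   # lookup <server> <type> <name>
    dig @"$1" +short "$3" "$2"
}

# Return 0 when name -> A -> PTR round-trips back to the same name, 1 otherwise.
check_host() {   # check_host <server> <fqdn>
    server=$1; fqdn=$2
    addr=$(lookup "$server" A "$fqdn" | head -n 1)
    if [ -z "$addr" ]; then
        echo "FAIL  $fqdn: no A record"; return 1
    fi
    ptr=$(lookup "$server" PTR "$(reverse_name "$addr")" | head -n 1)
    if [ -z "$ptr" ]; then
        echo "FAIL  $fqdn -> $addr: no PTR record"; return 1
    fi
    # dig prints PTR targets with a trailing dot; compare case-insensitively.
    want=$(printf '%s' "$fqdn" | tr '[:upper:]' '[:lower:]')
    got=$(printf '%s' "${ptr%.}" | tr '[:upper:]' '[:lower:]')
    if [ "$got" != "$want" ]; then
        echo "FAIL  $fqdn -> $addr -> $ptr: reverse does not match forward"; return 1
    fi
    echo "OK    $fqdn -> $addr -> $ptr"
}

# The AD plug-in finds domain controllers and the KDC through these SRV records.
check_srv() {   # check_srv <server> <ad-domain>
    server=$1; domain=$2; rc=0
    for name in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"; do
        if [ -z "$(lookup "$server" SRV "$name")" ]; then
            echo "FAIL  $name: no SRV record"; rc=1
        else
            echo "OK    $name"
        fi
    done
    return $rc
}

dns_sanity_check() {   # <server> <ad-domain> <fqdn>...
    server=$1; domain=$2; shift 2; status=0
    check_srv "$server" "$domain" || status=1
    for h in "$@"; do
        check_host "$server" "$h" || status=1
    done
    return $status
}

if [ $# -ge 3 ]; then
    dns_sanity_check "$@"
fi
```

A non-zero exit means at least one host or SRV lookup failed; fix those before retrying the bind, since a client whose name does not round-trip through PTR, or that cannot find a DC through SRV, never reaches the point where account rights matter.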

    #360703
    s_groening
    Participant

    Your DNS config certainly looks ‘sane’ to me ;)

    however, are you sure that you are ‘Domain Admin’ on the W2K/W2K3 AD server???

    -I believe a user with lesser group privileges than ‘Domain Admins’ can add a Windows client to the AD if he or she has ‘sufficient’ rights, that being ‘Account Operators’. -This works for Windows clients but I am less than sure about Mac OS X…..

    Best regards

    Søren Grønning

    #360704
    AllanMarcus
    Participant

    I’m pretty sure I’m a Domain Admin. I even had the actual AD admin come to my computer and try her password (she has all the rights), and I got the same message.

    #360726
    max.wall
    Participant

    I’ve got the same problem with a LDAP Error 81 when trying to add the computer to the domain.

    I add the machine account to the domain first but still get the problem. The strange thing for me is that sometimes it works and sometimes it doesn’t. I’m trying to nail this by making sure it will add the Mac on every attempt.

    Does anyone know what a LDAP Error 81 actually means?

    Max

    #360730
    Anonymous
    Guest

    from my research, LDAP error 81 is an authentication error.
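
Two facts worth having next to these logs: result codes 0 to 80 are the protocol result codes a server returns (49 is invalidCredentials for a rejected bind, 50 is insufficientAccessRights for an ACL denial), while 81 and above are client-side codes from OpenLDAP's ldap.h, where 81 is LDAP_SERVER_DOWN, "Can't contact LDAP server". As an added example, not code from this thread, here is a POSIX shell script that pulls every failed "Add record" line out of an ADPlugin debug log, reports the target DN and server, and decodes the code. The embedded sample log is constructed from the lines Allan posted above; the timestamps are placeholders.

```shell
#!/bin/sh
# Triage an ADPlugin debug log: find each "Add record ... FAILED" line,
# print "<DN>|<server>|<code>|<meaning>" and decode the LDAP result code.
# Usage: sh adplugin_triage.sh /path/to/DirectoryService.debug.log
#        (with no argument the constructed sample below is used)

# Constructed sample, modelled on the log quoted in this thread.
SAMPLE_LOG='2005-02-11 12:46:42 MST - ADPlugin: Looking for existing Record of marcusclient
2005-02-11 12:46:42 MST - ADPlugin: Adding in OU = CN=Computers,DC=win,DC=ds,DC=lanl,DC=gov
2005-02-11 12:46:42 MST - ADPlugin: In Server = dsmad2.win.ds.lanl.gov
2005-02-11 12:46:43 MST - ADPlugin: Add record CN=marcusclient,CN=Computers,DC=win,DC=ds,DC=lanl,DC=gov with FAILED when using Server dsmad2.win.ds.lanl.gov - LDAP Error 81
2005-02-11 12:46:43 MST - ADPlugin: Closing All Connections - Connection Manager'

# Map an LDAP result code to its name. 0-80 are RFC 4511 server result
# codes; 81 and above are OpenLDAP client-side (libldap) codes.
decode_ldap_error() {
    case "$1" in
        0)  echo "success" ;;
        1)  echo "operationsError" ;;
        32) echo "noSuchObject (target container DN does not exist)" ;;
        34) echo "invalidDNSyntax" ;;
        49) echo "invalidCredentials (server rejected the bind)" ;;
        50) echo "insufficientAccessRights (ACL denied the operation)" ;;
        53) echo "unwillingToPerform" ;;
        65) echo "objectClassViolation" ;;
        68) echo "entryAlreadyExists" ;;
        81) echo "LDAP_SERVER_DOWN (client could not contact the server)" ;;
        *)  echo "unknown result code $1" ;;
    esac
}

# Read a log on stdin; print one line per failed add.
# The separator before "Error" may be a hyphen or an en dash, so only the
# fixed words and the trailing number are matched.
report_failed_adds() {
    sed -n 's/^.*Add record \(.*\) with FAILED when using Server \([^ ]*\) .*Error \([0-9][0-9]*\).*$/\1|\2|\3/p' |
    while IFS='|' read -r dn server code; do
        printf '%s|%s|%s|%s\n' "$dn" "$server" "$code" "$(decode_ldap_error "$code")"
    done
}

triage_sample() {
    printf '%s\n' "$SAMPLE_LOG" | report_failed_adds
}

if [ $# -ge 1 ]; then
    report_failed_adds < "$1"
else
    triage_sample
fi
```

Because 81 is raised on the client before any server answer, a run that ends in it points at connectivity to the named DC (name resolution, port 389 reachability, a DC that dropped the session) rather than at the account's rights; a genuine rights problem on the container shows up as 50.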

    #360851
    max.wall
    Participant

    I cracked the problem I was having with LDAP 81 error. It was permissions on the OU.

    You need to go into the advanced properties and make sure you have 4 entries for the user/group you are using. There should be an Apply To: entry for the following:
    User Objects
    Group Objects
    InetOrgPerson
    This object and all child objects

    I had originally just used the last one (This object and all child objects), which you would have thought covers everything. Now that I’ve added the additional permissions it seems to work every time.

    Max

    #360868
    gtidave
    Participant

    Max

    Could you clarify your solution for me?
    I assume you’re using AD Users and Computers with view advanced features enabled. Then you right click on the OU in question and select properties. Then select the Security tab and then click on the Advanced button at the bottom. This is where I get confused. For example we use an AD group called adsetup. Should there be 4 entries for adsetup with the create computer objects permission and each of the 4 objects in the Apply To column?

    Thanks for any help you can give, this problem has been driving us crazy.

    Dave

    #360876
    Anonymous
    Guest

    Max/Dave-

    We’re in the same boat here. The real pain is that on newer hardware the AD plugin process seems to work fine. Systems older than 12 months are hit or miss, however. When they miss, the error generated in the GUI is the “Insufficient Privileges” warning. In the debug log, it comes back with the same LDAP Error 81.

    Max, I’ve seen that you posted your solution to several boards, but I also need some clarification on how to implement it. Any chance for a dumbed down explanation?

    Thanks,

    Matt

    #360885
    AllanMarcus
    Participant

    Holy cow, I think this is the problem! I’m trying to bind a 500 MHz TiBook and I get the LDAP -81. When I use my same account and bind an Aluminum PB, it works!

    Now what could explain this, and how can we fix or work around it?

    -Allan

    #360887
    AllanMarcus
    Participant

    Ug. I reinstalled and updated to 10.3.6 with the combo updater and guess what, I was able to bind. I will call my Apple rep and report this.

    -Allan

    #360920
    maxfurni
    Participant

    Dave

    In the Advanced Security dialog where you got to, the entries should look something like this:

    Type   Name     Permissions    Inherited   Apply To
    Allow  adsetup  Full Control               This object and all child objects
    Allow  adsetup  Full Control               User objects
    Allow  adsetup  Full Control               Group objects
    Allow  adsetup  Full Control               InetOrgPerson objects

    I don’t know whether this permission fix works for everyone (we’re using Windows 2003 AD) but it could be worth a try.

    Max

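
Max's fix is a rights problem on the container the plug-in writes the machine record into, so the useful check from the Mac side is whether the binding account can in fact create computer objects there, whatever grants produce that result. As an added example, not code from this thread, the POSIX shell script below asks the domain controller for `allowedChildClassesEffective` on the target container, a constructed attribute that AD evaluates for the calling account, and reports whether `computer` is among the classes listed. The DC, account and container in the usage comment are placeholders from this thread; the script assumes the DC accepts LDAPS on port 636 (use `-ZZ` for StartTLS or `-Y GSSAPI` with a Kerberos ticket if it does not), and the embedded LDIF is a constructed sample used only to exercise the parser.

```shell
#!/bin/sh
# Check whether the binding account may create computer objects under the
# container the AD plug-in adds the machine record to.
# Usage: check_create_rights <dc-fqdn> <bind-upn> <container-dn>
# Example (placeholders from this thread):
#   sh check_rights.sh dsmad2.win.ds.lanl.gov adsetup@win.ds.lanl.gov \
#       "CN=Computers,DC=win,DC=ds,DC=lanl,DC=gov"

# Fetch allowedChildClassesEffective for the caller. ldaps:// keeps the
# simple bind off the wire in the clear; ldapsearch prompts for the password.
fetch_effective_classes() {   # <dc> <upn> <container-dn>
    ldapsearch -LLL -x -H "ldaps://$1" -D "$2" -W -b "$3" -s base \
        allowedChildClassesEffective
}

# Return 0 if the LDIF on stdin lists class $1 in allowedChildClassesEffective.
ldif_allows_class() {   # <ldapDisplayName>
    # Each value is printed as "allowedChildClassesEffective: <class>".
    grep -qi "^allowedChildClassesEffective: $1\$"
}

check_create_rights() {   # <dc> <upn> <container-dn>
    if fetch_effective_classes "$1" "$2" "$3" | ldif_allows_class computer; then
        echo "OK    $2 may create computer objects under $3"
    else
        echo "FAIL  $2 cannot create computer objects under $3 (check the container ACL)"
        return 1
    fi
}

# Constructed sample of ldapsearch output for a container where the caller
# may create computer, contact and group objects but not users.
SAMPLE_LDIF='dn: CN=Computers,DC=win,DC=ds,DC=lanl,DC=gov
allowedChildClassesEffective: computer
allowedChildClassesEffective: contact
allowedChildClassesEffective: group'

if [ $# -eq 3 ]; then
    check_create_rights "$@"
fi
```

Because the attribute reflects the account's effective rights after inheritance and group membership, it is also the quickest way to confirm that a narrower grant than Full Control (for example, create and delete of computer objects only) still covers the join before rolling it out.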

    #363529
    Anonymous
    Guest

    I am having the same issues.

    Does this refer to the AD user that is being used to do the binding or the default computer OU?
    Brand new Win2003 AD all over the US, 30+ DCs, and I can’t bind in some places without upgrading to the latest and greatest OS 10.3.9. Any help would be appreciated.

    Here is the log

    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777427
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777427 : Result code = 0
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777427
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777427 : Result code = 0
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777427 : Node Name = /Active Directory
    EDT – ADPlugin: Calling OpenDirNode
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777427 : Node Ref = 16777452 : Result code = 0
    EDT – ADPlugin: Calling CustomCall
    EDT – ADPlugin: Doing CheckServerRecords……
    EDT – ADPlugin: Found Default Domain primedia.prm
    EDT – ADPlugin: Found Forest Domain GC primedia.root
    EDT – ADPlugin: Found Forest Domain primedia.root
    EDT – ADPlugin: Finished CheckServerRecords……
    EDT – ADPlugin: Rebuilt Kerberos File
    EDT – ADPlugin: Calling CloseDirNode
    EDT – Plug-in call “dsCloseDirNode()” failed with error = -14278.
    EDT – Port: 25967 Call: dsCloseDirNode() == -14278
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777427
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777427 : Result code = 0
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777427 : Node Name = /Active Directory
    EDT – ADPlugin: Calling OpenDirNode
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777427 : Node Ref = 16777453 : Result code = 0
    EDT – ADPlugin: Calling CustomCall
    EDT – ADPlugin: Doing CheckServerRecords……
    EDT – ADPlugin: Good credentials for [email protected]
    EDT – ADPlugin: No connection in connection mgr for [email protected]@primedia.prm:389
    EDT – ADPlugin: Secure BIND Session with server pstdc02.primedia.prm:389
    EDT – ADPlugin: Got configuration context of CN=Configuration,DC=primedia,DC=root from rootDSE for locateSiteName
    EDT – ADPlugin: Processing Site Search with found IP
    EDT – ADPlugin: Site found of – Harrisburg
    EDT – ADPlugin: Added connection to connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Found Default Domain primedia.prm
    EDT – ADPlugin: Found Forest Domain GC primedia.root
    EDT – ADPlugin: Found Forest Domain primedia.root
    EDT – ADPlugin: Good credentials for [email protected]
    EDT – ADPlugin: Retrieved connection from connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Got configuration context of CN=Partitions,CN=Configuration,DC=primedia,DC=root from rootDSE for getPartitions
    EDT – ADPlugin: Added connection to connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Found Additional Domain forestdnszones.primedia.root
    EDT – ADPlugin: Found Additional Domain domaindnszones.primedia.prm
    EDT – ADPlugin: Found Additional Domain domaindnszones.primedia.root
    EDT – ADPlugin: Finished CheckServerRecords……
    EDT – ADPlugin: Rebuilt Kerberos File
    EDT – ADPlugin: Calling CloseDirNode
    EDT – Plug-in call “dsCloseDirNode()” failed with error = -14278.
    EDT – Port: 25967 Call: dsCloseDirNode() == -14278
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777427
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777427 : Result code = 0
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777427 : Node Name = /Active Directory
    EDT – ADPlugin: Calling OpenDirNode
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777427 : Node Ref = 16777454 : Result code = 0
    EDT – ADPlugin: Calling CustomCall
    EDT – ADPlugin: Verify called for [email protected]
    EDT – ADPlugin: Verify successful for [email protected]
    EDT – ADPlugin: Calling CloseDirNode
    EDT – Plug-in call “dsCloseDirNode()” failed with error = -14278.
    EDT – Port: 25967 Call: dsCloseDirNode() == -14278
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777427
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777427 : Result code = 0
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777427 : Node Name = /Active Directory
    EDT – ADPlugin: Calling OpenDirNode
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777427 : Node Ref = 16777455 : Result code = 0
    EDT – ADPlugin: Calling CustomCall
    EDT – ADPlugin: Doing DN search for account – MDP017661
    EDT – ADPlugin: Good credentials for [email protected]
    EDT – ADPlugin: Retrieved connection from connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Added connection to connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Calling CloseDirNode
    EDT – Plug-in call “dsCloseDirNode()” failed with error = -14278.
    EDT – Port: 25967 Call: dsCloseDirNode() == -14278
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777427
    EDT – Client: Directory Access, PID: 495, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777427 : Result code = 0
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAC : Dir Ref = 16777427 : Node Name = /Active Directory
    EDT – ADPlugin: Calling OpenDirNode
    EDT – Client: Directory Access, PID: 495, API: dsOpenDirNode(), Active Directory Used : DAR : Dir Ref = 16777427 : Node Ref = 16777456 : Result code = 0
    EDT – ADPlugin: Calling CustomCall
    EDT – ADPlugin: Looking for existing Record of MDP017661
    EDT – ADPlugin: Doing DN search for account – MDP017661
    EDT – ADPlugin: Good credentials for [email protected]
    EDT – ADPlugin: Retrieved connection from connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Added connection to connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Attempting Add Record……
    EDT – ADPlugin: Adding in OU = CN=Computers,DC=primedia,DC=prm
    EDT – ADPlugin: In Server = pehdc03.primedia.prm
    EDT – ADPlugin: Good credentials for [email protected]
    EDT – ADPlugin: Retrieved connection from connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Add record CN=MDP017661,CN=Computers,DC=primedia,DC=prm with FAILED when using Server pehdc03.primedia.prm – Error 81
    EDT – ADPlugin: Added connection to connection mgr [email protected]@primedia.prm:389
    EDT – ADPlugin: Closing All Connections – Connection Manager
    EDT – ADPlugin: Closing Connection – [email protected]@primedia.prm:389
    EDT – ADPlugin: Closing All Connections – Connection Manager Completed
    EDT – Client: kerberosautoconf, PID: 517, API: dsOpenDirService(), Server Used : DAR : Dir Ref 16777457 : Result code = 0
    EDT – Client: kerberosautoconf, PID: 517, API: dsFindDirNodes(), Server Used : DAC : Dir Ref 16777457 : Data buffer size = 2048
    EDT – Client: kerberosautoconf, PID: 517, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16777457 : Requested nodename = /Search
    EDT – Client: kerberosautoconf, PID: 517, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16777457 : Result code = 0
    EDT – Client: kerberosautoconf, PID: 517, API: dsOpenDirNode(), Search Used : DAC : Dir Ref = 16777457 : Node Name = /Search
    EDT – Client: kerberosautoconf, PID: 517, API: dsOpenDirNode(), Search Used : DAR : Dir Ref = 16777457 : Node Ref = 16777458 : Result code = 0
    EDT – Client: kerberosautoconf, PID: 517, API: dsGetDirNodeInfo(), Search Used : DAC : Node Ref = 16777458 : Requested Attrs = dsAttrTypeStandard:SearchPath : Attr Type Only Flag = 0
    EDT – Client: kerberosautoconf, PID: 517, API: dsGetDirNodeInfo(), Search Used : DAR : Node Ref = 16777458 : Result code = 0
    EDT – Client: kerberosautoconf, PID: 517, API: dsCloseDirNode(), Search Used : DAC : Node Ref = 16777458
    EDT – Client: kerberosautoconf, PID: 517, API: dsCloseDirNode(), Search Used : DAR : Node Ref = 16777458 : Result code = 0
    EDT – Client: kerberosautoconf, PID: 517, API: dsCloseDirService(), Server Used : DAC : Dir Ref 16777457
    EDT – Client: kerberosautoconf, PID: 517, API: dsCloseDirService(), Server Used : DAR : Dir Ref 16777457 : Result code = 0
    EDT – Plug-in call “dsDoPlugInCustomCall()” failed with error = -14120.
    EDT – Port: 25967 Call: dsDoPlugInCustomCall() == -14120
    EDT – ADPlugin: Calling CloseDirNode
    EDT – Plug-in call “dsCloseDirNode()” failed with error = -14278.
    EDT – Port: 25967 Call: dsCloseDirNode() == -14278
    EDT – The client PID 358 has ref count = 0.
    EDT – The client PID 281 has ref count = 1.
    EDT – The client PID 196 has ref count = 1.
    EDT – The client PID 332 has ref count = 10.
    EDT – The client PID 495 has ref count = 1.
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777243
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777243 : Result code = 0
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsGetDirNodeChangeToken(), Server Used : DAC : Dir Ref 16777243
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsGetDirNodeChangeToken(), Server Used : DAR : 1 : Dir Ref = 16777243 : Result code = 0
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsGetDirNodeChangeToken(), Server Used : DAR : 2 : Dir Ref = 16777243 : Node Count = 8 : Change Token = 1009
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777243
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777243 : Result code = 0
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsOpenDirService(), Server Used : DAR : Dir Ref 16777461 : Result code = 0
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsVerifyDirRefNum(), Server Used : DAC : Dir Ref 16777243
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsVerifyDirRefNum(), Server Used : DAR : Dir Ref 16777243 : Result code = 0
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsGetDirNodeChangeToken(), Server Used : DAC : Dir Ref 16777461
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsGetDirNodeChangeToken(), Server Used : DAR : 1 : Dir Ref = 16777461 : Result code = 0
    2005-10-06 16:05:21 EDT – Client: automount, PID: 281, API: dsGetDirNodeChangeToken(), Server Used : DAR : 2 : Dir Ref = 16777461 : Node Count = 8 : Change Token = 1009
