Can’t bind Mac’s to a w2k AD

  • #364075
    dcrew
    Participant

    One thing I found with Win2k and NT domains… if you manually add the Mac Computer name to the directory first then bind the Mac, telling it you want to join the existing account you should have success.

    I also found that with 10.3 there was greater ease to bind with 10.3.7 and higher.

    We’ve moved to Win2003 servers here before our 10.4 issues I’m looking into so I can’t help there.

    #364087
    neilt
    Participant

    Below is the tail from the AD plugin when trying to bind. This particular Mac was bound to the domain this morning. I unbound it to see if I could get it to bind again. It failed at the exact same place as the other 3 machines (2 Tiger clients and one Tiger server) I have tried. It times out during step 5, which translates to this in the log:

    2005-11-15 12:54:06 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:56:06 EST – ADPlugin: Setting Computer Password FAILED for existing record……

    Here is a tail from the ad plugin:

    2005-11-15 12:35:35 EST – ADPlugin: Initialize Called
    2005-11-15 12:35:35 EST – ADPlugin: Initialize Returned
    2005-11-15 12:35:35 EST – ADPlugin: State Changed Called 4
    2005-11-15 12:35:35 EST – ADPlugin: Received ServerRunLoop Mutex
    2005-11-15 12:35:35 EST – ADPlugin: Received Kerberos Mutex
    2005-11-15 12:35:35 EST – ADPlugin: State Changed Called 1
    2005-11-15 12:35:35 EST – ADPlugin: State Changed Called 1
    2005-11-15 12:35:35 EST – ADPlugin: Calling OpenDirNode
    2005-11-15 12:35:35 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:35:35 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:35:35 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:35:35 EST – ADPlugin: Calling CloseDirNode
    2005-11-15 12:35:48 EST – ADPlugin: Calling OpenDirNode
    2005-11-15 12:35:48 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:35:48 EST – ADPlugin: Doing CheckServerRecords……
    2005-11-15 12:35:48 EST – ADPlugin: wcu.edu – Start checking servers for site “any”
    2005-11-15 12:35:48 EST – ADPlugin: Total Servers “any” LDAP – 5, Kerberos – 5, kPasswd – 5
    2005-11-15 12:35:48 EST – ADPlugin: Server #1 picked – “gazetteer.wcu.edu”
    2005-11-15 12:35:48 EST – ADPlugin: Server #2 picked – “gc4.wcu.edu”
    2005-11-15 12:35:48 EST – ADPlugin: Got rootDSE for server gc4.wcu.edu to determine forest
    2005-11-15 12:35:48 EST – ADPlugin: Determined Forest of wcu.edu from Domain Controller gc4.wcu.edu
    2005-11-15 12:35:48 EST – ADPlugin: Found Default Domain wcu.edu
    2005-11-15 12:35:48 EST – ADPlugin: Global Catalogs – Start checking servers for site “any”
    2005-11-15 12:35:48 EST – ADPlugin: Total Servers “any” LDAP – 2, Kerberos – 5, kPasswd – 5
    2005-11-15 12:35:48 EST – ADPlugin: Server #1 picked – “gc2.wcu.edu”
    2005-11-15 12:35:49 EST – ADPlugin: Server #2 picked – “gc4.wcu.edu”
    2005-11-15 12:35:49 EST – ADPlugin: Found Forest Domain GC wcu.edu
    2005-11-15 12:35:49 EST – ADPlugin: Something wrong, unable to determine domain information from Config container……
    2005-11-15 12:35:49 EST – ADPlugin: Finished CheckServerRecords……
    2005-11-15 12:35:49 EST – ADPlugin: Created KerberosClient record Generation ID 153768949
    2005-11-15 12:35:49 EST – ADPlugin: Rebuilt Kerberos File
    2005-11-15 12:35:49 EST – ADPlugin: Calling CloseDirNode
    2005-11-15 12:35:49 EST – ADPlugin: Calling OpenDirNode
    2005-11-15 12:35:49 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:35:49 EST – ADPlugin: Doing CheckServerRecords……
    2005-11-15 12:35:53 EST – ADPlugin: Good credentials for [email protected]
    2005-11-15 12:35:53 EST – ADPlugin: No existing connection in connection mgr for [email protected]@wcu.edu:389
    2005-11-15 12:35:55 EST – ADPlugin: Secure BIND Session with server gazetteer.wcu.edu:389
    2005-11-15 12:35:55 EST – ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=wcu,DC=edu
    2005-11-15 12:35:55 EST – ADPlugin: Processing Site Search with found IP
    2005-11-15 12:35:55 EST – ADPlugin: Returning connection to pool for domain wcu.edu with dsStatus 0.
    2005-11-15 12:35:55 EST – ADPlugin: wcu.edu – Start checking servers for site “any”
    2005-11-15 12:35:55 EST – ADPlugin: Total Servers “any” LDAP – 5, Kerberos – 5, kPasswd – 5
    2005-11-15 12:35:55 EST – ADPlugin: Server #1 picked – “gazetteer.wcu.edu”
    2005-11-15 12:35:55 EST – ADPlugin: Server #2 picked – “gc4.wcu.edu”
    2005-11-15 12:35:55 EST – ADPlugin: Got rootDSE for server gc4.wcu.edu to determine forest
    2005-11-15 12:35:55 EST – ADPlugin: Determined Forest of wcu.edu from Domain Controller gc4.wcu.edu
    2005-11-15 12:35:55 EST – ADPlugin: Found Default Domain wcu.edu
    2005-11-15 12:35:55 EST – ADPlugin: Global Catalogs – Start checking servers for site “any”
    2005-11-15 12:35:55 EST – ADPlugin: Total Servers “any” LDAP – 2, Kerberos – 5, kPasswd – 5
    2005-11-15 12:35:55 EST – ADPlugin: Server #1 picked – “gc2.wcu.edu”
    2005-11-15 12:35:55 EST – ADPlugin: Server #2 picked – “gc4.wcu.edu”
    2005-11-15 12:35:55 EST – ADPlugin: Found Forest Domain GC wcu.edu
    2005-11-15 12:35:55 EST – ADPlugin: Good credentials for [email protected]
    2005-11-15 12:35:55 EST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@wcu.edu:389
    2005-11-15 12:35:55 EST – ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=wcu,DC=edu
    2005-11-15 12:35:55 EST – ADPlugin: Returning connection to pool for domain wcu.edu with dsStatus 0.
    2005-11-15 12:35:55 EST – ADPlugin: Finished CheckServerRecords……
    2005-11-15 12:35:55 EST – ADPlugin: Created KerberosClient record Generation ID 153768955
    2005-11-15 12:35:55 EST – ADPlugin: Rebuilt Kerberos File
    2005-11-15 12:35:55 EST – ADPlugin: Closing All Connections – Connection Manager
    2005-11-15 12:35:55 EST – ADPlugin: Closing Connection – [email protected]@wcu.edu:389
    2005-11-15 12:35:55 EST – ADPlugin: Closing All Connections – Connection Manager Completed
    2005-11-15 12:35:55 EST – ADPlugin: Calling CloseDirNode
    2005-11-15 12:35:55 EST – ADPlugin: Calling OpenDirNode
    2005-11-15 12:35:55 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:35:55 EST – ADPlugin: Verify called for [email protected]
    2005-11-15 12:35:56 EST – ADPlugin: Verify successful for [email protected]
    2005-11-15 12:35:56 EST – ADPlugin: Calling CloseDirNode
    2005-11-15 12:35:56 EST – ADPlugin: Calling OpenDirNode
    2005-11-15 12:35:56 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:35:56 EST – ADPlugin: Good credentials for [email protected]
    2005-11-15 12:35:56 EST – ADPlugin: No existing connection in connection mgr for [email protected]@wcu.edu:389
    2005-11-15 12:35:56 EST – ADPlugin: Secure BIND Session with server gazetteer.wcu.edu:389
    2005-11-15 12:35:56 EST – ADPlugin: Read Context information from server for schemaNamingContext of CN=Schema,CN=Configuration,DC=wcu,DC=edu
    2005-11-15 12:35:58 EST – ADPlugin: Returning connection to pool for domain wcu.edu with dsStatus 0.
    2005-11-15 12:35:58 EST – ADPlugin: Updating Mappings from Schema……….
    2005-11-15 12:35:58 EST – ADPlugin: Doing Computer search for Ethernet address – 00:03:93:c7:e9:3c
    2005-11-15 12:35:58 EST – ADPlugin: Doing DN search for account – wcu67748
    2005-11-15 12:35:58 EST – ADPlugin: Good credentials for [email protected]
    2005-11-15 12:35:58 EST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@wcu.edu:389
    2005-11-15 12:35:58 EST – ADPlugin: Returning connection to pool for domain wcu.edu with dsStatus 0.
    2005-11-15 12:35:58 EST – ADPlugin: Calling CloseDirNode
    2005-11-15 12:36:04 EST – ADPlugin: Calling OpenDirNode
    2005-11-15 12:36:04 EST – ADPlugin: Calling CustomCall
    2005-11-15 12:36:04 EST – ADPlugin: Looking for existing Record of wcu67748
    2005-11-15 12:36:04 EST – ADPlugin: Doing DN search for account – wcu67748
    2005-11-15 12:36:04 EST – ADPlugin: Good credentials for [email protected]
    2005-11-15 12:36:04 EST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@wcu.edu:389
    2005-11-15 12:36:04 EST – ADPlugin: Returning connection to pool for domain wcu.edu with dsStatus 0.
    2005-11-15 12:36:04 EST – ADPlugin: Good credentials for [email protected]
    2005-11-15 12:36:04 EST – ADPlugin: Retrieved existing connection from connection mgr [email protected]@wcu.edu:389
    2005-11-15 12:36:04 EST – ADPlugin: KerberosID Found for account CN=wcu67748,CN=Computers,DC=wcu,DC=edu – wcu67748$
    2005-11-15 12:36:04 EST – ADPlugin: Returning connection to pool for domain wcu.edu with dsStatus 0.
    2005-11-15 12:36:04 EST – ADPlugin: Existing record found @ CN=wcu67748,CN=Computers,DC=wcu,DC=edu with [email protected].
    2005-11-15 12:36:04 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:38:05 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:40:05 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:42:05 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:44:05 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:46:06 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:48:06 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:50:06 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:52:06 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:54:06 EST – ADPlugin: Changing Password for User [email protected] as [email protected]
    2005-11-15 12:56:06 EST – ADPlugin: Setting Computer Password FAILED for existing record……
    2005-11-15 12:56:06 EST – ADPlugin: Updating Local Admin Group
    2005-11-15 12:56:06 EST – ADPlugin: Cleaning Previous Additions to Local Admin Group
    2005-11-15 12:56:06 EST – ADPlugin: Sending lookupd flushcache at request!
    2005-11-15 12:56:06 EST – ADPlugin: Resetting memberd cache also!
    2005-11-15 12:56:06 EST – ADPlugin: Closing All Connections – Connection Manager
    2005-11-15 12:56:06 EST – ADPlugin: Closing Connection – [email protected]@wcu.edu:389
    2005-11-15 12:56:06 EST – ADPlugin: Closing All Connections – Connection Manager Completed
    2005-11-15 12:56:06 EST – ADPlugin: Bind/Join failed – Launching kerberosautoconfig -u
    2005-11-15 12:56:06 EST – ADPlugin: Calling CloseDirNode
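
An added example, not part of the original post or of Apple's tooling: a small Python check that scans ADPlugin debug-log text in the format quoted above for the pattern described in this post, repeated "Changing Password for User" attempts that end in "Setting Computer Password FAILED". The sample lines and the `mac01` and `binduser` principals are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the ADPlugin debug-log format quoted above
# (hypothetical principals; these are not lines from the original post).
SAMPLE_LOG = """\
2005-11-15 12:36:04 EST - ADPlugin: Existing record found @ CN=mac01,CN=Computers,DC=example,DC=com
2005-11-15 12:36:04 EST - ADPlugin: Changing Password for User mac01$@EXAMPLE.COM as binduser@EXAMPLE.COM
2005-11-15 12:38:05 EST - ADPlugin: Changing Password for User mac01$@EXAMPLE.COM as binduser@EXAMPLE.COM
2005-11-15 12:40:05 EST - ADPlugin: Changing Password for User mac01$@EXAMPLE.COM as binduser@EXAMPLE.COM
2005-11-15 12:42:05 EST - ADPlugin: Setting Computer Password FAILED for existing record......
2005-11-15 12:42:05 EST - ADPlugin: Bind/Join failed - Launching kerberosautoconfig -u
"""

# Timestamp, time-zone token, a hyphen or en dash separator, then the message.
LINE_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ [-\u2013] ADPlugin: (.*)$")
CHANGE_RE = re.compile(r"^Changing Password for User (\S+) as (\S+)")


def parse(text):
    """Yield (timestamp, message) for every line that matches the log format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)


def find_password_change_failures(text):
    """Return one finding per run of password-change retries that ends in FAILED."""
    findings, run = [], None
    for ts, msg in parse(text):
        m = CHANGE_RE.match(msg)
        if m:
            # Start a new run when the target account changes.
            if run is None or run["account"] != m.group(1):
                run = {"account": m.group(1), "as": m.group(2),
                       "first": ts, "attempts": 0}
            run["attempts"] += 1
        elif run and msg.startswith("Setting Computer Password FAILED"):
            run["failed_at"] = ts
            run["stalled_seconds"] = int((ts - run["first"]).total_seconds())
            findings.append(run)
            run = None
        else:
            run = None  # any other message ends the retry run without a failure
    return findings
```

Each finding names the computer account, the account the change was attempted as, the number of attempts, and how long the bind stalled before giving up.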

    #364096
    Anonymous
    Guest

    We had Client1 (a Panther client) successfully bound to a w2k AD. Then Client1 was upgraded to Tiger and it still worked fine. It still worked fine after moving to Win 2003 Server….
    After having problems with Client2 (machine with a freshly installed 10.4.3), I disconnected Client1 from AD and then wanted to reconnect. Suddenly the same problems as with Client2 appeared. I can not get a sense out of this…

    #364107
    curt
    Participant

    I actually just had the same problem after a botched 10.4.3 client upgrade. Had to reinstall the OS. After I changed the Computer ID I was able to bind to our AD server successfully once again.

    HTH
    Curt

    #364115
    neilt
    Participant

    [QUOTE BY= MacTroll] [email protected] is your computer account. Denoted by the $ in the name.

    You’re having issues resetting the password for it.

    It seems that an existing computer account is already in the domain for this machine. However, you don’t have rights to change the password on it.[/QUOTE]

    True, this particular machine was already in AD. I unbound it and was trying to rebind it to the same account, using the password I used initially to bind it in the first place.

    When you say I don’t have the rights to change the password on it, which password is that, or which it (the domain or the Mac)?

    I get this same exact error though even if the machine I am binding has never been bound before or has a completely different machine name than anything in AD.

    Very odd.

    #364143
    Anonymous
    Guest

    The problem is no server-side problem, because I used an evaluation copy of ADmitMac and had no problems at all binding a Tiger client to an AD Domain. Giving the same amount of information to Directory Access.app (or the command line tool dsconfigad) results in failure. I noticed that the DirectoryService Process forces a rebuild of the /Library/Preferences/mit.edu.Kerberos file – I would be interested in how to prevent that, because the config file that was generated by ADmitMac had other entries.

    #364173
    Anonymous
    Guest

    I have just upgraded to Windows 2003 Server and have found this article useful; it has also helped with binding our Macs to the server. It all has to do with Microsoft tightening permissions so as to seem secure . . .

    Hope this helps some

    http://support.microsoft.com/?kbid=232070

    #364174
    Waragainstsleep
    Participant

    I am most likely in way over my head here, but I will recount an experience I had in case it helps anyone.

    I had to bind a couple of Macs to an AD a while back. I triple-checked everything and they kept failing to authenticate. It turned out that there was some kind of encryption enabled by default on the AD (and on Windows clients) which was not even supported on OS X (pretty sure it was Tiger). Switching this off on the AD server solved the problem instantly and the customer never called back. Having said that, they had a service contract with another Apple Centre; they called us because their contracted guys had given up trying to fix the problem.
    I found the solution using Google.

    Just wish I could remember the name of the encryption that was causing the problem….

    #367761
    maccanada
    Participant

    For anyone still having the issue with Step 5 ‘Changing password for user…’
    I’ve just managed to recreate this in my lab and found a solution.
    Try going into AD Users+Computers and right-click on the Computers folder under your domain. Run through the delegate control wizard and ensure the account you are using to bind is given correct permissions (to test you can check off every box).

    Then try binding again. After delegating permissions to the Administrator account, the Directory Access bind process completed without issue.

    ~Ian

    #371323
    traveler400
    Participant

    None of these fixes work for me…Any other ideas?
