Unable to bind OS X Server 10.3.9 to AD (Win2K3)

    #363957
    emailman
    Participant

    I’m unable to bind an Xserve (10.3.9) to AD (2003). I’ve verified DNS/rDNS and time sync. I’ve added the computer account to AD before binding. Restarting the DirectoryService process in debug mode, the ADPlugin yields the following in the debug file (note the GSSAPI FAILED error toward the bottom):

    [QUOTE]
    2005-11-03 15:33:41 CST – ADPlugin: PeriodicTask Called…….
    2005-11-03 15:34:04 CST – ADPlugin: Calling OpenDirNode
    2005-11-03 15:34:04 CST – ADPlugin: Calling CustomCall
    2005-11-03 15:34:04 CST – ADPlugin: Doing CheckServerRecords……
    2005-11-03 15:34:04 CST – ADPlugin: Found Default Domain ac2
    2005-11-03 15:34:04 CST – ADPlugin: Found Forest Domain GC ac2
    2005-11-03 15:34:04 CST – ADPlugin: Finished CheckServerRecords……
    2005-11-03 15:34:04 CST – ADPlugin: Rebuilt Kerberos File
    2005-11-03 15:34:04 CST – ADPlugin: Calling CloseDirNode
    2005-11-03 15:34:04 CST – ADPlugin: Calling OpenDirNode
    2005-11-03 15:34:04 CST – ADPlugin: Calling CustomCall
    2005-11-03 15:34:04 CST – ADPlugin: Doing CheckServerRecords……
    2005-11-03 15:34:11 CST – ADPlugin: PeriodicTask Called…….
    2005-11-03 15:34:25 CST – ADPlugin: Good credentials for ws@AC2
    2005-11-03 15:34:25 CST – ADPlugin: No connection in connection mgr for ws@AC2@ac2:389
    2005-11-03 15:34:25 CST – ADPlugin: Found Default Domain ac2
    2005-11-03 15:34:25 CST – ADPlugin: Found Forest Domain GC ac2
    2005-11-03 15:34:41 CST – ADPlugin: PeriodicTask Called…….
    2005-11-03 15:34:44 CST – ADPlugin: Good credentials for ws@AC2
    2005-11-03 15:34:44 CST – ADPlugin: No connection in connection mgr for ws@AC2@ac2:389
    2005-11-03 15:34:44 CST – ADPlugin: Finished CheckServerRecords……
    2005-11-03 15:34:44 CST – ADPlugin: Rebuilt Kerberos File
    2005-11-03 15:34:44 CST – ADPlugin: Closing All Connections – Connection Manager
    2005-11-03 15:34:44 CST – ADPlugin: Closing All Connections – Connection Manager Completed
    2005-11-03 15:34:44 CST – ADPlugin: Calling CloseDirNode
    2005-11-03 15:34:44 CST – ADPlugin: Calling OpenDirNode
    2005-11-03 15:34:44 CST – ADPlugin: Calling CustomCall
    2005-11-03 15:34:44 CST – ADPlugin: Verify called for ws@AC2
    2005-11-03 15:34:45 CST – ADPlugin: Verify successful for ws@AC2
    2005-11-03 15:34:45 CST – ADPlugin: Calling CloseDirNode
    2005-11-03 15:34:45 CST – ADPlugin: Calling OpenDirNode
    2005-11-03 15:34:45 CST – ADPlugin: Calling CustomCall
    2005-11-03 15:35:04 CST – ADPlugin: Good credentials for ws@AC2
    2005-11-03 15:35:04 CST – ADPlugin: No connection in connection mgr for ws@AC2@ac2:389
    2005-11-03 15:35:04 CST – ADPlugin: GSSAPI FAILED doing gss_init_sec_context: Credential cache is empty
    2005-11-03 15:35:04 CST – ADPlugin: Secure BIND Session FAILED with server dc1.ac2:389
    2005-11-03 15:35:04 CST – ADPlugin: GSSAPI FAILED doing gss_init_sec_context: Credential cache is empty
    2005-11-03 15:35:04 CST – ADPlugin: Secure BIND Session FAILED with server dc2.ac2:389
    2005-11-03 15:35:04 CST – ADPlugin: Unable to read the schema, something wrong, using existing info…
    2005-11-03 15:35:04 CST – ADPlugin: Calling CloseDirNode
    2005-11-03 15:35:11 CST – ADPlugin: PeriodicTask Called…….
    2005-11-03 15:35:41 CST – ADPlugin: PeriodicTask Called…….[/QUOTE]

    Any suggestions are appreciated.

    #363959
    s_groening
    Participant

    Have you entered your AD DNS IP address as the only specified DNS server in your network preferences on the Mac OS X Server?
    Also, do not create the computer account manually on the AD server; dsconfigad (AD plugin) will do this for you.
    Furthermore, make sure that you attempt to bind as an AD ‘Domain Admin’.

    #364012
    emailman
    Participant

    Thanks! I got it bound by using a Domain Admin’s credentials. Also, it didn’t like the OU in which I was attempting to put it, but it bound fine in the default OU (“CN=Computers,DC=ac2”). This might be due to policy/permissions on the other OU.

    > Have you entered your AD DNS IP address as the only specified DNS server in your network preferences on the Mac OS X Server?

    I have 2 DNS servers in the prefs (both being Win2K3 DCs). I left that unchanged. I did however prefer a DC for the bind.
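
For anyone triaging a similar DirectoryService debug file, the following is an added example and not part of the thread: a small parser that pairs each "Secure BIND Session FAILED" line with the GSSAPI error logged just before it and lists the principals the plugin reported good credentials for. The function name `triage` is hypothetical, the sample lines are constructed from the log in the first post, and the line format is assumed to match what that post shows.

```python
import re
from collections import defaultdict

# Constructed sample: same shape as the ADPlugin lines in the first post.
SAMPLE = """\
2005-11-03 15:34:45 CST - ADPlugin: Verify successful for ws@AC2
2005-11-03 15:35:04 CST - ADPlugin: Good credentials for ws@AC2
2005-11-03 15:35:04 CST - ADPlugin: GSSAPI FAILED doing gss_init_sec_context: Credential cache is empty
2005-11-03 15:35:04 CST - ADPlugin: Secure BIND Session FAILED with server dc1.ac2:389
2005-11-03 15:35:04 CST - ADPlugin: GSSAPI FAILED doing gss_init_sec_context: Credential cache is empty
2005-11-03 15:35:04 CST - ADPlugin: Secure BIND Session FAILED with server dc2.ac2:389
2005-11-03 15:35:04 CST - ADPlugin: Unable to read the schema, something wrong, using existing info...
"""

# Accept an ASCII hyphen or an en dash between the timestamp and the plugin name.
LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) [-\u2013] ADPlugin: (.*)$")
GSS = re.compile(r"GSSAPI FAILED doing (\S+): (.*)")
BIND = re.compile(r"Secure BIND Session FAILED with server (\S+)")
CREDS = re.compile(r"(?:Good credentials|Verify successful) for (\S+)")

def triage(text):
    """Return (principals with good credentials, failed binds keyed by server)."""
    verified, failures, pending = set(), defaultdict(list), None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip malformed or non-ADPlugin lines
        stamp, _tz, msg = m.groups()
        if (c := CREDS.search(msg)):
            verified.add(c.group(1))
        elif (g := GSS.search(msg)):
            pending = (g.group(1), g.group(2).strip())  # (GSS call, reason)
        elif (b := BIND.search(msg)):
            # Attribute the bind failure to the GSSAPI error logged just before it.
            failures[b.group(1)].append((stamp, pending))
            pending = None
    return verified, dict(failures)

if __name__ == "__main__":
    ok, failed = triage(SAMPLE)
    for server, events in failed.items():
        for stamp, cause in events:
            why = f"{cause[0]}: {cause[1]}" if cause else "no GSSAPI error logged"
            print(f"{stamp} {server} bind failed ({why}); good credentials for {sorted(ok)}")
```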
