  • #374730
    egadsby
    Participant

    I hope somebody has done this. We are having the same problem that was pointed out in https://www.afp548.com/forum/viewtopic.php?showtopic=22286. Some Macs bound to AD (with OD too) will stop connecting and cannot be unbound or rebound. Ultimately reimaging solves the problem.

    As repeated reimaging is not a solution, we have started looking for a third way. Is there a way to have a Mac OS X server pass AD information through to OD while only having the Macs bound to OD? Could this be done in real-time or by using some sort of scheduled dump from the AD DCs?

    We have also looked at AdmitMac and found it too slow. We would appreciate any ideas.

    Eric Gadsby
    Goucher College

    #376041
    bezzoh
    Participant

    I have this issue and indeed the kerberos files have zeroed in size.

    Deleting them and rebooting allows me to rebind successfully and resolves it; however, I look after several high schools each with 100+ Macs and unfortunately this isn't a practical fix for our on-site engineers to continually perform ad hoc when a particular Mac becomes unusable.

    I have read that the cause of this might be due to imaging the clients (I use DeployStudio), and in the way that Windows clients have issues if not sysprepped, this is ultimately what happens to the Mac clients… however I do not know how true this is.

    Basically, however, what I need is a working solution to this once and for all.
    Does anybody know if, by ensuring that there are no kerberos tickets present in /var/db/dslocal/nodes/config in the master image, the problem will no longer persist, or is there a way of ensuring that the tickets stay valid and do not corrupt over time as seems to be the case now?

    On a related topic, the admin.plist files keep screwing up as well… but I'm taking this one step at a time and can cope with my workaround for that for the time being.

    Thanks in advance

    bez

    #376200
    bezzoh
    Participant

    Turns out it was due to the computer account password issue. Modified my base Mac OS image by running the [b]dsconfigad -passinterval 0[/b] command (without it being bound to AD) to resolve.

    All machines with new image are fine as are ones I fixed by unbinding, deleting corrupt kerberos files and running above command before re-binding.

    #376311
    Macleod
    Participant

    Be aware that the failure with the computer password rotation could be a symptom of bigger issues.
    Most of the time when I see this it is because there are kerberos/dns issues that are causing the password change to fail.
    Just an FYI.

    –DH

    #376323
    bezzoh
    Participant

    I was just about to update this actually…

    6 weeks on from re-imaging 4 large ICT suites using DeployStudio (some rc11, some more recently on rc12) AND ensuring that the dsconfigad passinterval was set to 0 in the image, I have today discovered approximately 10% have again encountered kerberos file corruptions.

    Due to the forest structure of our AD, my clients typically pick up 2 Kerberos plist files along the lines of….

    Kerberos/ad.[i]domain[/i].xxx.xx.plist
    Kerberos/xxx.ad.[i]domain[/i].xxx.xx.plist

    On the machines I couldn't log into as an AD user, either one [b]'or'[/b] both of these had changed to zero kb in size. Simply deleting the 0kb files and restarting resolves the issue immediately, but when we have 300 of these machines per site and we have a 10% outage, then that is an unmanageable fix.

    Apple's own KB article explains that it happens due to LKDC issues when multiple identical computer accounts bind to the domain (a bit like non-sysprepped/non-NewSID'd PCs); however this is apparently fixed in the 10.5.6 version of NetInstall (and as far as I am aware the later versions of DeployStudio, as I've seen that it implements an LKDC fix during the imaging process).

    I am therefore at a bit of a loss, as apart from these file corruptions the Macs themselves 'appear' fine. They say that network accounts are available, the servers and domain show as available in Directory Utility, and I even have a preferred server set.

    ANY help would be greatly appreciated… e.g. can you elaborate on what kerberos/DNS issues could cause this?

    Thanks in advance

    #376324
    bezzoh
    Participant

    Ooo, just read another Apple KB article that says that real-time AV scanners can also cause Kerberos file issues in this folder and they should be configured not to scan within /var/db/dslocal…. Looks like I might need to push out a config change for McAfee perhaps.

    #376431
    hondamusprime
    Participant

    [b]bezzoh[/b]

    has 10.5.7 fixed this issue for you? I haven’t seen this problem in about a month, and I’m hoping that 10.5.7 has resolved it.

    also, could you post the KB articles from Apple?

    my temporary solution has been to use a launch daemon to detect a zero byte value on the Kerberos plist file and remove it.

    you don’t need a full reboot in order for the file to be rebuilt, it should detect that the file is missing and rebuild it in about 90-120 seconds.

    #376433
    bezzoh
    Participant

    Just emailed the on-site engineer at our big site to give me an update. I upgraded 3 suites to 10.5.7 and left 2 at 10.5.6 for a couple of weeks to see which continued to have issues. Had no reports as yet, but then they're all dual boot and the users prefer Windows to Mac OS because they don't know what they're doing with it, so it just might not have been noticed…

    The article below says update to 10.5.7, and goes on to talk about the possible Anti-Virus Scanner issue…

    http://support.apple.com/kb/TS2691

    Any chance you can share the launch daemon with me that you’ve previously used?! That could save my ass a bit if this problem persists…

    #376437
    hondamusprime
    Participant

    Sure thing….
    A few minor notes though… I have this writing to the system.log file as it makes it easy to check on. I haven't bothered testing it for performance effects as it shouldn't tax the CPU or memory, being a very small script.

    The launch daemon just runs a shell script that is looking for a zero byte value on the kerberos file, so you'll need to edit both the plist file for the launch agent and the shell script for your environment.

    I have the shell script sitting in /Users/Shared/scripts

    here’s the launch agent… save it as com.YOURCOMPANYNAME.KerberosFixer.plist in /Library/LaunchAgents/

    [code]
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.YOURCOMPANYNAME.KerberosFixer</string>
        <key>ProgramArguments</key>
        <array>
            <string>/Users/Shared/scripts/KerberosFixer.sh</string>
        </array>
        <key>OnDemand</key>
        <!-- boolean value was lost in the forum export; false is assumed, which makes launchd keep relaunching the script -->
        <false/>
    </dict>
    </plist>
    [/code]
    here’s the shell script:

    [code]
    #!/bin/sh
    #
    # Checks Kerberos plist file for corruption based on file size
    # Doesn't replace the file, only removes corrupted files
    # The PLIST file will automatically be recreated.

    # establish the kerberos file in question
    kerberos_file="/var/db/dslocal/nodes/Default/config/Kerberos:YOURDOMAIN.COM.plist"

    # Make sure only root can run our script
    if [ "$(id -u)" != "0" ]; then
        echo "This script must be run as root" 1>&2
        logger "KerberosFixer.sh was not run as root!"
        exit 1
    fi

    sleep 1
    echo "Checking Kerberos, please wait"
    echo "File location: $kerberos_file"

    # Nothing to check if the file is absent (the directory service recreates it)
    if [ ! -f "$kerberos_file" ]; then
        echo "Kerberos file not present, nothing to do."
        exit 0
    fi

    # Check the file size on the KERBEROSFILE
    # stat -s (BSD stat on Mac OS X) prints shell assignments such as st_size=...
    eval "$(stat -s "$kerberos_file")"
    kerberos_filesize="$st_size"

    # POSIX sh uses a single = for string comparison
    if [ "$kerberos_filesize" = "0" ]; then
        echo "Kerberos file corrupted, resetting file. Please wait..."
        rm -f "$kerberos_file"
        logger "KerberosFixer.sh has repaired your Kerberos file."
    else
        echo "The Kerberos file appears to be okay. Have a nice day."
    fi

    exit 0
    [/code]
    Let me know if I left out any details, thanks for the quick reply too.
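    The script above watches a single hard-coded domain file, while bezzoh's clients pick up two Kerberos plists (one per AD domain in the forest). The following is an added example, not hondamusprime's script, that generalises the same check to every Kerberos:*.plist in the local node's config directory and only removes the ones that have become zero bytes, leaving healthy files untouched. The directory path is a parameter so the logic can be exercised against a constructed test directory; the default path, the function names and the --run flag are assumptions of this example.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): remove zero-byte Kerberos plists from the
    # local DS node config directory so the directory service recreates them.

    # Assumed default: the same directory named in the thread for 10.5 clients.
    KERBEROS_DIR="${KERBEROS_DIR:-/var/db/dslocal/nodes/Default/config}"

    # Print the path of every zero-byte Kerberos:*.plist in the directory, one per line.
    # Returns normally (printing nothing) if the directory does not exist.
    list_zero_byte_kerberos_plists() {
        dir="$1"
        [ -d "$dir" ] || return 0
        find "$dir" -maxdepth 1 -type f -name 'Kerberos:*.plist' -size 0
    }

    # Remove every zero-byte Kerberos plist in the directory and echo the number removed.
    # Non-empty plists (a valid Kerberos configuration) are deliberately left alone;
    # each removal is also sent to syslog so the repair is visible in system.log.
    repair_kerberos_plists() {
        dir="$1"
        removed=0
        for f in "$dir"/Kerberos:*.plist; do
            [ -e "$f" ] || continue            # the glob matched nothing
            if [ -f "$f" ] && [ ! -s "$f" ]; then
                rm -f "$f"
                logger -t KerberosFixer "removed zero-byte $f" 2>/dev/null || true
                removed=$((removed + 1))
            fi
        done
        echo "$removed"
    }

    main() {
        if [ "$(id -u)" != "0" ]; then
            echo "must be run as root" 1>&2
            return 1
        fi
        n=$(repair_kerberos_plists "$KERBEROS_DIR")
        echo "KerberosFixer: removed $n zero-byte Kerberos plist(s) in $KERBEROS_DIR"
    }

    # Only act on the real directory when invoked as: sh KerberosFixer.sh --run
    if [ "${1:-}" = "--run" ]; then
        main
    fi
    ```

    Because the functions take the directory as an argument, the same file can be run under launchd (for example with a StartInterval key instead of relying on OnDemand) or pointed at a scratch directory to check its behaviour before rolling it out to 300 machines.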

    #376444
    bezzoh
    Participant

    That's quality, that. Really appreciated.

    Will give it a test on one of my 10.5.6 clients and see how I get on. Fingers crossed though that my 10.5.7’s are alright!

    #376677
    bezzoh
    Participant

    Since my build image was upgraded to 10.5.7, dsconfigad -passinterval set to 0 AND, probably more critically, I incorporated the AD and OD binding into the DeployStudio workflow, I have had absolutely NO recurrence of this problem in the past few months.

    My base image has never been bound to any domain, so there are NO kerberos files in the aforementioned folder.
