Yet another AD binding problem

  • #374127
    jimbosyn
    Participant

    Hello all. I’ve been trying to get 10.5.x computers to bind to AD for quite some time now. Here is my debug output. I suspect it is a permission issue with the AD account. I am able to bind Windows clients with no issue whatsoever. The problem seems to be that the computer password cannot be changed. I have tried to pre-populate the computer entry in AD, and get the same error message. Can you guys please help me with this? I have been trying to get it working for over a week.

    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Bind Step 1 – Searching for Forest/Domain information
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: chick-fil-a.com – Start checking servers for site “any”
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Total Servers “any” LDAP – 3, Kerberos – 3, kPasswd – 3
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: DomainConfiguration reachabilityNotification – Node: chick-fil-a.com – resolves – enabled
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Bind Step 2 – Finding nearest Domain controllers
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Bind Step 3 – Verifying credentials
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: chick-fil-a.com – Start checking servers for site “any”
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Total Servers “any” LDAP – 3, Kerberos – 3, kPasswd – 3
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: DomainConfiguration reachabilityNotification – Node: chick-fil-a.com – resolves – enabled
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: FindSuitableReplica – Node chick-fil-a.com – Established connection to cfadom01.chick-fil-a.com.
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Password verify for [email protected] succeeded – cache MEMORY:iCsN4KW
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:iCsN4KW user [email protected]
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Processing Site Search with found IP
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: No site name available
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: chick-fil-a.com – Start checking servers for site “any”
    2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Total Servers “any” LDAP – 3, Kerberos – 3, kPasswd – 3
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updated schema for node name chick-fil-a.com
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updating domain hierarchy cache
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updating policies from domain chick-fil-a.com
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updated policies for node name chick-fil-a.com
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Bind Step 4 – Searching for existing computer
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Password verify for [email protected] succeeded – cache MEMORY:V55FqU2
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:V55FqU2 user [email protected]
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Doing Computer search for Ethernet address – 00:1e:c2:0b:b6:d6
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Doing DN search for account – grendel
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Closing All Connections
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Bind Step 5 – Bind/Join computer to domain
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Password verify for [email protected] succeeded – cache MEMORY:ZeksKvC
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:ZeksKvC user [email protected]
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Looking for existing Record of grendel
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Doing DN search for account – grendel
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:ZeksKvC user [email protected]
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Attempting Add Record……
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Adding in OU = CN=Computers,DC=chick-fil-a,DC=com
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Added record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com
    2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Setting Computer Password……
    2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Deleting Record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com…
    2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Setting Computer Password FAILED Deleted Record……
    2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Computer password change date is 2008-09-15 16:21:09 -0400
    2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Scheduled computer password change every 1209600 seconds – starting 2008-09-16 15:04:06 -0400
    2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Closing All Connections
    2008-09-16 15:04:06 EDT – T[0xB031C000] – Active Directory: Failed to changed computer password in Active Directory domain chick-fil-a.com

    #374131

    Try opening port 464 (UDP) to the domain controller, as this is the port that kpassword5 communicates over.

    See also:

    http://discussions.apple.com/thread.jspa?threadID=1540591

    tim

    #374137
    jimbosyn
    Participant

    The problem is that I am on the same VLAN as the domain controller, so there is no packet filtering between the client I am trying to bind and AD. Is there something on the domain controller I need to do to explicitly turn it on?

    #374158
    jimbosyn
    Participant

    Here is some more info for you guys to chew on. I’m getting a kerberos error that does not seem to make sense. I did a packet capture on the mac client. I’m getting this KPASSWD error:

    error_code: KPASSWD KRB Error: KRB5KRB_AP_ERR_REPEAT

    I’m really confused as to what to do at this point. I have validated time is synchronized on both sides to the same NTP server, so I’m positive it is not a clock issue.

    Any suggestions?
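The debug output in the first post and the KRB5KRB_AP_ERR_REPEAT seen in the packet capture above are the two pieces of evidence in this thread. The script below is an added example, not code from any of the posters: it parses Directory Service AD plug-in debug lines of the form shown in the first post, groups them by "Bind Step", and reports which step failed, which kpasswd port the client fell back to, which LDAP server it bound to, and whether the freshly created computer record was rolled back. The sample log is constructed from the lines posted (user names redacted, hyphens instead of the dashes in the original paste), and the Kerberos error descriptions are the MIT Kerberos meanings of those codes, not conclusions about this particular network.

```python
"""Summarise a Mac OS X 10.5 Directory Service Active Directory plug-in debug log.

Added example for the thread above; the sample log is constructed from the
posted lines, with the user name redacted.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# One line of AD plug-in output: <date> <time> <tz> - T[<thread>] - Active Directory: <msg>
# The separator after the time zone and after the thread id is matched as any
# single non-space character, so hyphens and the dashes in the original paste both work.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) \S "
    r"T\[(?P<thread>0x[0-9A-Fa-f]+)\] \S Active Directory: (?P<msg>.*)$"
)
STEP_RE = re.compile(r"^Bind Step (?P<num>\d+) \S (?P<title>.+)$")
KPASSWD_RE = re.compile(r"kadmEntry port is nil, will use default (?P<port>\d+)")
LDAP_RE = re.compile(r"Secure BIND Session Success with server (?P<host>[^:\s]+):(?P<port>\d+)")
ADDED_RE = re.compile(r"^Added record (?P<dn>.+)$")
DELETED_RE = re.compile(r"^Deleting Record (?P<dn>.+?)\.+$")
DOMAIN_FAIL_RE = re.compile(r"Failed to changed computer password in Active Directory domain (?P<domain>\S+)")

# MIT Kerberos meanings of error codes a capture of the kpasswd (port 464) exchange may show.
KRB_ERRORS = {
    "KRB5KRB_AP_ERR_REPEAT": (
        "Request is a replay: the kpasswd server's replay cache already holds the "
        "authenticator from an earlier copy of this request. A retransmitted UDP request "
        "whose first copy did reach the server is one common way to trigger it."
    ),
    "KRB5KRB_AP_ERR_SKEW": "Clock skew too great between client and KDC.",
}


@dataclass
class BindReport:
    steps: dict = field(default_factory=dict)      # step number -> title
    messages: dict = field(default_factory=dict)   # step number -> messages logged under it
    last_step: Optional[int] = None
    kpasswd_port: Optional[int] = None
    ldap_servers: set = field(default_factory=set)  # (host, port) the client bound to
    record_dn: Optional[str] = None
    record_rolled_back: bool = False               # created record deleted again on failure
    failures: list = field(default_factory=list)
    failed_domain: Optional[str] = None

    def failed_step(self) -> Optional[int]:
        """Step under which the first failure message was logged, or None on success."""
        return self.last_step if self.failures else None


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines: Iterable[str]) -> BindReport:
    rep = BindReport()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := STEP_RE.match(msg)):
            rep.last_step = int(m["num"])
            rep.steps[rep.last_step] = m["title"]
            rep.messages.setdefault(rep.last_step, [])
            continue
        if rep.last_step is not None:
            rep.messages.setdefault(rep.last_step, []).append(msg)
        if (m := KPASSWD_RE.search(msg)):
            rep.kpasswd_port = int(m["port"])
        elif (m := LDAP_RE.search(msg)):
            rep.ldap_servers.add((m["host"].rstrip("."), int(m["port"])))
        elif (m := ADDED_RE.match(msg)):
            rep.record_dn = m["dn"]
        elif (m := DELETED_RE.match(msg)):
            rep.record_rolled_back = m["dn"] == rep.record_dn
        elif "FAILED" in msg or msg.startswith("Failed"):
            rep.failures.append(msg)
            if (d := DOMAIN_FAIL_RE.search(msg)):
                rep.failed_domain = d["domain"]
    return rep


def explain_krb_error(code: str) -> Optional[str]:
    return KRB_ERRORS.get(code)


# Constructed sample, cut down from the first post; user name redacted.
SAMPLE_LOG = """\
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Total Servers "any" LDAP - 3, Kerberos - 3, kPasswd - 3
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Bind Step 3 - Verifying credentials
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: kadmEntry port is nil, will use default 464
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:iCsN4KW user <redacted>
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Bind Step 4 - Searching for existing computer
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Doing DN search for account - grendel
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Added record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Setting Computer Password...
2008-09-16 15:04:06 EDT - T[0xB0103000] - Active Directory: Deleting Record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com...
2008-09-16 15:04:06 EDT - T[0xB0103000] - Active Directory: Setting Computer Password FAILED Deleted Record...
2008-09-16 15:04:06 EDT - T[0xB031C000] - Active Directory: Failed to changed computer password in Active Directory domain chick-fil-a.com
"""

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG.splitlines())
    print("failed at step", r.failed_step(), "-", r.steps.get(r.failed_step()))
    print("kpasswd port:", r.kpasswd_port, "| LDAP:", sorted(r.ldap_servers))
    print("record:", r.record_dn, "| rolled back:", r.record_rolled_back)
    for f in r.failures:
        print("  ", f)
    print("KRB5KRB_AP_ERR_REPEAT:", explain_krb_error("KRB5KRB_AP_ERR_REPEAT"))
```

Run it over a full debug log (`cat /Library/Logs/DirectoryService/DirectoryService.debug.log | python3 this.py` after swapping `SAMPLE_LOG` for `sys.stdin`) to see at a glance that steps 1 to 4 (LDAP on 389) completed and only the kpasswd step on 464 failed, which is what separates a port or kpasswd-service problem from an LDAP permission problem.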
