Hello all. I’ve been trying to get 10.5.x computers to bind to AD for quite some time now. Here is my debug output. I suspect it is a permission issue with the AD account. I am able to bind Windows clients with no issue whatsoever. The problem seems to be that the computer password cannot be changed. I have tried to pre-populate the computer entry in AD, and get the same error message. Can you guys please help me with this? I have been trying to get it working for over a week.
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Bind Step 1 – Searching for Forest/Domain information
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: chick-fil-a.com – Start checking servers for site “any”
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Total Servers “any” LDAP – 3, Kerberos – 3, kPasswd – 3
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: DomainConfiguration reachabilityNotification – Node: chick-fil-a.com – resolves – enabled
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Bind Step 2 – Finding nearest Domain controllers
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Bind Step 3 – Verifying credentials
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: chick-fil-a.com – Start checking servers for site “any”
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Total Servers “any” LDAP – 3, Kerberos – 3, kPasswd – 3
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: DomainConfiguration reachabilityNotification – Node: chick-fil-a.com – resolves – enabled
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: FindSuitableReplica – Node chick-fil-a.com – Established connection to cfadom01.chick-fil-a.com.
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Password verify for jolivertest@CHICK-FIL-A.COM succeeded – cache MEMORY:iCsN4KW
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:iCsN4KW user jolivertest@CHICK-FIL-A.COM
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Processing Site Search with found IP
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: No site name available
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: chick-fil-a.com – Start checking servers for site “any”
2008-09-16 15:04:02 EDT – T[0xB0103000] – Active Directory: Total Servers “any” LDAP – 3, Kerberos – 3, kPasswd – 3
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updated schema for node name chick-fil-a.com
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updating domain hierarchy cache
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updating policies from domain chick-fil-a.com
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Updated policies for node name chick-fil-a.com
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Bind Step 4 – Searching for existing computer
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Password verify for jolivertest@CHICK-FIL-A.COM succeeded – cache MEMORY:V55FqU2
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:V55FqU2 user jolivertest@CHICK-FIL-A.COM
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Doing Computer search for Ethernet address – 00:1e:c2:0b:b6:d6
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Doing DN search for account – grendel
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Closing All Connections
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Bind Step 5 – Bind/Join computer to domain
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Password verify for jolivertest@CHICK-FIL-A.COM succeeded – cache MEMORY:ZeksKvC
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:ZeksKvC user jolivertest@CHICK-FIL-A.COM
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Looking for existing Record of grendel
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Doing DN search for account – grendel
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: kadmEntry port is nil, will use default 464
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Secure BIND Session Success with server cfadom01.chick-fil-a.com.:389 using cache MEMORY:ZeksKvC user jolivertest@CHICK-FIL-A.COM
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Attempting Add Record……
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Adding in OU = CN=Computers,DC=chick-fil-a,DC=com
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Added record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com
2008-09-16 15:04:03 EDT – T[0xB0103000] – Active Directory: Setting Computer Password……
2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Deleting Record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com…
2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Setting Computer Password FAILED Deleted Record……
2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Computer password change date is 2008-09-15 16:21:09 -0400
2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Scheduled computer password change every 1209600 seconds – starting 2008-09-16 15:04:06 -0400
2008-09-16 15:04:06 EDT – T[0xB0103000] – Active Directory: Closing All Connections
2008-09-16 15:04:06 EDT – T[0xB031C000] – Active Directory: Failed to changed computer password in Active Directory domain chick-fil-a.com
Try opening port 464 (UDP) to the domain controller, as this is the port that kpassword5 communicates over.
See also:
http://discussions.apple.com/thread.jspa?threadID=1540591
tim
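Tim's port-464 suggestion can be turned into a repeatable check. The script below is an added example, not from the thread or from Apple's dsconfigad tooling. It assumes dig(1) and a BSD-style nc(1) (macOS, or netcat-openbsd on Linux) that understands -z, -u and -w. Windows DCs register `_kpasswd._tcp.<domain>` and `_kpasswd._udp.<domain>` SRV records, and the log above already counted three kPasswd servers, so the SRV lookup here is the same discovery the client does; the domain name from the thread is only a usage example.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple's dsconfigad): find the
# domain's kpasswd endpoints via the _kpasswd SRV records that DCs register,
# then check that 464/tcp and 464/udp actually answer from this client.
# Assumes dig(1) and a BSD-style nc(1) that understands -z, -u and -w.

# Turn `dig +short SRV` output ("prio weight port target.") into "port target"
# lines, lowest priority first, with the trailing dot stripped. Reads stdin so
# captured output can be fed in as well as a live query.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $3, $4 }' | sort -n | awk '{ print $2, $3 }'
}

# Live SRV lookup for one transport (tcp or udp) in $DOMAIN.
srv_targets() {
    dig +short SRV "_kpasswd._$1.$DOMAIN" | parse_srv
}

# Probe one endpoint. TCP uses a real connect. For UDP, nc only reports failure
# when an ICMP port-unreachable comes back, so a UDP "ok" is weaker evidence
# than a TCP one: a firewall that silently drops looks the same as success.
probe() {   # $1 = tcp|udp, $2 = port, $3 = host
    if [ "$1" = udp ]; then
        nc -z -u -w 2 "$3" "$2" >/dev/null 2>&1
    else
        nc -z -w 2 "$3" "$2" >/dev/null 2>&1
    fi
}

main() {
    DOMAIN=$1
    for proto in tcp udp; do
        targets=$(srv_targets "$proto")
        if [ -z "$targets" ]; then
            echo "no _kpasswd._$proto.$DOMAIN SRV record: this client's DNS is not the AD DNS"
            continue
        fi
        # here-document rather than a pipe so the loop runs in the current shell
        while read -r port host; do
            if probe "$proto" "$port" "$host"; then
                echo "ok    $proto $host:$port"
            else
                echo "FAIL  $proto $host:$port"
            fi
        done <<EOF
$targets
EOF
    done
}

# Usage: sh kpasswd_check.sh chick-fil-a.com
# The live checks only run when a domain is given on the command line.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

A FAIL on the TCP probe against a DC that is on the same VLAN points at the DC itself (Windows Firewall, or the Kerberos Key Distribution Center service not listening) rather than at a filter in between.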
The problem is that I am on the same VLAN as the domain controller, so there is no packet filtering between the client I am trying to bind and AD. Is there something on the domain controller I need to do to explicitly turn it on?
Here is some more info for you guys to chew on. I’m getting a kerberos error that does not seem to make sense. I did a packet capture on the mac client. I’m getting this KPASSWD error:
error_code: KPASSWD KRB Error: KRB5KRB_AP_ERR_REPEAT
I’m really confused as to what to do at this point. I have validated time is synchronized on both sides to the same NTP server, so I’m positive it is not a clock issue.
Any suggestions?
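For anyone reading a log like the one posted above, the useful facts are which bind step was reached and which operation failed: here Step 5 was reached, the computer object was created, and only the password set failed, after which the client deleted the object it had just added. (KRB_AP_ERR_REPEAT is Kerberos error 34, "Request is a replay", returned when the server's replay cache rejects an authenticator it has already seen.) The script below is an added example, not from the thread or from Apple's tooling; it pulls those two facts out of a Directory Services debug log and maps the failing step to what that step depends on. It assumes the 10.5-era dsconfigad log format shown in the thread, and the sample it ships with is constructed from that log, with dashes and ellipses reduced to ASCII.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple's tooling: triage a
# Directory Services debug log by finding the last "Bind Step N" reached before
# the first failure line and naming what that step depends on. Assumes the
# 10.5-era dsconfigad log format shown in the thread.

# Read a log on stdin; print "step=N fail=<message>" for the first failure.
bind_failure() {
    awk '
        /Bind Step [0-9]+/ {
            n = $0; sub(/.*Bind Step /, "", n); sub(/[^0-9].*/, "", n); step = n
        }
        !found && (/FAILED/ || /Failed to/) {
            found = 1
            msg = $0; sub(/.*Active Directory: /, "", msg); sub(/[ .]+$/, "", msg)
            printf "step=%s fail=%s\n", step, msg
        }
        END { if (!found) print "step=none fail=none" }
    '
}

# What each bind step needs, so the failing step says what to check first.
step_hint() {
    case "$1" in
        1|2) echo "DNS: SRV records for the domain and a reachable DC" ;;
        3)   echo "Kerberos: the binding user's password, KDC on 88, clock skew" ;;
        4)   echo "LDAP: permission to search for an existing computer object" ;;
        5)   echo "rights to create/write the computer object, and kpasswd on 464 (tcp and udp)" ;;
        *)   echo "no failure recorded" ;;
    esac
}

# Full triage for a log on stdin: the failure line plus the hint.
report() {
    result=$(bind_failure)
    step=${result#step=}
    step=${step%% *}
    echo "$result"
    echo "check: $(step_hint "$step")"
}

# Constructed sample modelled on the thread's log (not a fresh capture).
SAMPLE_LOG='2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Bind Step 3 - Verifying credentials
2008-09-16 15:04:02 EDT - T[0xB0103000] - Active Directory: Password verify for jolivertest@CHICK-FIL-A.COM succeeded - cache MEMORY:iCsN4KW
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Bind Step 4 - Searching for existing computer
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Doing DN search for account - grendel
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Added record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com
2008-09-16 15:04:03 EDT - T[0xB0103000] - Active Directory: Setting Computer Password...
2008-09-16 15:04:06 EDT - T[0xB0103000] - Active Directory: Deleting Record CN=grendel,CN=Computers,DC=chick-fil-a,DC=com...
2008-09-16 15:04:06 EDT - T[0xB0103000] - Active Directory: Setting Computer Password FAILED Deleted Record...
2008-09-16 15:04:06 EDT - T[0xB031C000] - Active Directory: Failed to changed computer password in Active Directory domain chick-fil-a.com'

# Run the parser over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | bind_failure
}

# Usage: sh adbind_triage.sh ds_debug.log
# With no argument the constructed sample is used.
if [ $# -gt 0 ]; then
    report < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | report
fi
```

On the thread's log this reports step 5 with the "Setting Computer Password FAILED" line, which is the kpasswd exchange against port 464 that the packet capture above shows ending in KRB_AP_ERR_REPEAT.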