Forum Replies Created
electrowave
Participant
I had this same issue; I was able to overcome it. I don’t remember how at the moment. I will look into it and post back if I come up with something.
electrowave
Participant
I guess I jumped the gun here on posting. Looks like if I just do netstat it will show all of the servers, just gotta find the one that is ldap and msft.
Thanks
electrowave
Participant
I am going to assume since you used DeployStudio and imaged them from the same machine you may have to destroy and recreate the Local KDC.
If this fixes it, the cause was due to the LKDC being a duplicate from the master image. When imaging it carries over the same LKDC causing the server to believe it is a duplicate machine.
To fix this follow these steps:
1) In the Utilities folder, open Keychain Access. In the System keychain, find and delete the three com.apple.kerberos.kdc entries – a certificate and a public/private key pair generated from that certificate.
2) In Terminal, run ‘sudo rm -fr /var/db/krb5kdc’ – this will destroy the local KDC database.
3) In Terminal, run ‘sudo /usr/libexec/configureLocalKDC’ – this will regenerate the local KDC database, including a new certificate and SHA1 hash.
4) Bind the machine to OD.
September 18, 2011 at 9:09 pm in reply to: unable to Join 10.7 client to 10.5.8 Open Directory Master ? #381201
electrowave
Participant
I had this same problem; we have since fixed the issue. The issue is Lion cannot bind to a 10.5.8 server that requires Authenticated Binding. In order to have Lion bind to OD with authenticated binding you need at least 10.6 server. The way to get around this is to disable authenticated binding on the OD Master (just uncheck “Enable authenticated binding”). Here is the other catch: if you disable this then your clients that are currently connected (we had over 300) will now require unbinding and rebinding; we were not looking to do this.
So there SHOULD be a second box under “Enable Authenticated Binding” that says “Require authenticated Binding”. Uncheck this and this will allow you to either authenticate or not authenticate, allowing new machines access right away and the old machines access without changing a thing.
Here is where we had a problem with that. For some reason our Admin Utility on our server was missing that second option to require authentication; that’s why I stressed SHOULD be there haha. The way we fixed this was to just install the admin tools on a client computer that was running the same version as our server (10.5.8), pointed it to our Xserve server, then the option was there on the client computer (still not the server) and we were able to then bind all the Lion MacBooks at that point.
Hope this helps!
Good luck
September 18, 2011 at 9:02 pm in reply to: Bind Lion to Active Directory with a shell script #381200
electrowave
Participant
Quote by: aaulich
> Hi Ryan,
> AD binding in Lion is broken (at least in the 10.7.0 version), so it might be that your script starts working again as soon as Apple has fixed AD binding.
> Cheers,
> André

AD binding in Lion works fine. I was able to bind to AD with Lion right out of the box. The issue with Lion is when you try to bind to Open Directory. 10.7 will not bind to a server that is not at least 10.6 if it requires Authenticated Binding. It will fail every time.
September 14, 2011 at 3:07 am in reply to: unable to Join 10.7 client to 10.5.8 Open Directory Master ? #381175
electrowave
Participant
I am having a problem binding a 10.7 client to a 10.5.8 OD server as well. We get an error that the computer name already exists and the user doesn’t have sufficient privileges to overwrite.
The computer definitely does not exist on the server, and the user name is directory admin so it definitely does have rights. We were told to attempt to remove the LKDC certificates and recreate them to hopefully create a new unique LKDC for OD to see; this proved to be of no help to us.
Not sure where to go from there.