What does /var/log/secure.log say?
This sounds very similar to a problem I see quite regularly on my OD and AD
bound machines (in the process of moving to all AD). User walks away from
their machine and comes back sometime later, after the screen saver has
activated. They go to clear the screen saver and receive "Incorrect
Password" for their troubles. I then try with a local admin account and
receive the same "Incorrect Password" message.
A quick peek at secure.log reveals the following error:
pam_sm_authenticate(): Failed to determine Kerberos principal name.
Unfortunately up to this point the only way I have found to fix the problem
is to force restart the machine. My suspicion is that the Kerberos ticket
expires while the user is away and causes this problem. I filed a bug with
Apple, but it was closed because they said it was because my directory
server was unreachable. Huh?
So, what does secure.log say for you?
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Had similar issues with both workstations and servers doing the same. Only resolve was, like Todd mentioned, to re-add to domain and set "dsconfigad -passinterval 0". Haven't had issues since. (Knocking on wood)…
Roger Lee
Office (813) 228-4424
iPhone (813) 610-1485
ralee at tecoenergy.com
Tampa Electric
702 N. Franklin St. - Plaza 2
Tampa, FL 33602
http://www.tampaelectric.com
A TECO Energy Company (NYSE: TE)
http://www.tecoenergy.com
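An added example (not from this thread or from any poster) that puts the two checks above into a script: Steve's question about what secure.log says, and Roger's fix of zeroing the computer-account password interval. It reads the text of "dsconfigad -show" and secure.log and reports findings. The SAMPLE_SHOW and SAMPLE_LOG texts are constructed to approximate the 10.6 layout of those two sources; "--live" reads the real ones on a bound Mac.

```shell
#!/bin/sh
# Added example: audit a Mac's AD bind state. SAMPLE_* are constructed to
# approximate `dsconfigad -show` output and secure.log lines; not real data.

SAMPLE_SHOW='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Authentication from any domain = Enabled
  Password change interval       = 14
  Namespace mode                 = domain'

SAMPLE_LOG='Jul  6 09:12:31 mac01 SecurityAgent[345]: User info context values set for swood
Jul  6 09:12:31 mac01 SecurityAgent[345]: pam_sm_authenticate(): Failed to determine Kerberos principal name.
Jul  6 09:12:32 mac01 screensaver[340]: Authentication failed for user swood'

# Value of "Password change interval" from dsconfigad -show text on stdin
# (empty when the machine is not bound).
passinterval_from_show() {
    awk -F'=' '/Password change interval/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# Value of "Authentication from any domain" (Enabled/Disabled) from the same text.
anydomain_from_show() {
    awk -F'=' '/Authentication from any domain/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# Number of secure.log lines on stdin carrying the Kerberos principal failure.
kerberos_failures() {
    grep -c 'Failed to determine Kerberos principal name' || true
}

# Print one line per finding; return the number of findings (0 = looks sane).
audit_bind() {
    show=$1
    log=$2
    findings=0
    pi=$(printf '%s\n' "$show" | passinterval_from_show)
    any=$(printf '%s\n' "$show" | anydomain_from_show)
    kf=$(printf '%s\n' "$log" | kerberos_failures)
    if [ -z "$pi" ]; then
        echo "finding: no bind reported by dsconfigad -show"
        findings=$((findings + 1))
    elif [ "$pi" != "0" ]; then
        echo "finding: computer account password rotates every $pi days (thread fix: -passinterval 0 where AD policy allows)"
        findings=$((findings + 1))
    fi
    if [ "$any" = "Enabled" ]; then
        echo "finding: authentication from any domain is enabled (Todd suggests disabling it in multi-domain forests)"
        findings=$((findings + 1))
    fi
    if [ "${kf:-0}" -gt 0 ]; then
        echo "finding: $kf secure.log line(s) with 'Failed to determine Kerberos principal name'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "${1:-}" = "--live" ]; then
    # On a bound 10.6 Mac, run as root so secure.log is readable.
    audit_bind "$(dsconfigad -show 2>/dev/null)" "$(cat /var/log/secure.log 2>/dev/null)" \
        || echo "$? finding(s)"
else
    audit_bind "$SAMPLE_SHOW" "$SAMPLE_LOG" || echo "$? finding(s) in the constructed sample"
fi
```

The exit status of audit_bind is the finding count, so it drops into an ARD Unix command or a Casper policy as a pass/fail check; a machine that reports a bind, a zero interval, and no Kerberos principal failures returns 0.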
Are you running a script or MCX for that?
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Worse, Apple Remote Desktop Unix Command… As root
You're killing me!!! hahahaa!
Post Flight Imaging Script? Would that suffice?
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Well, at my previous employ I only saw an issue like this on 1 child domain & it was a multi-treed global domain.
Sooo... I'm thinking it's an AD issue. Macs are very finicky when it comes to AD.
Other than checking the domain time, you can also do an nslookup or host lookup to your domain & ping each entry that's returned. Remove all dead entries & create DNS entries for any that do not have one.
Regards,
Ben.
My AD binding is a script that runs after the firstboot stuff is done. If it can ping the DC, then after binding I set AD admin groups, set the passinterval, etc.
And if you are rebinding manually you can just run the command in a terminal after the rebind.
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
Would you mind sharing this script. The lazy IT person in me wants to mooch.
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Now that I'm re-living these wonder days, let me drop one more nugget on
this.
Environment = multi-treed AD Domain
The dsconfigad passinterval resolved the issue post re-adding the
wkstn/server back into the domain; the bigger challenge was in getting it
back in the domain. Once the wkstn/server lost its AD connection, I had
to make sure to manually go into AD and delete the object, allow enough
time for the object deletion to propagate across all the secondary
domain controllers (approx 20 to 30 min), then re-add. This was the only way
I was able to get the objects back in AD authenticating successfully.
Then I ran the dsconfigad to get the systems to not regenerate their object
pass. Re-add prior to propagation, no worky... Ask AD Admin group to
help....priceless...
Hey, I was so happy to get them back in the domain (and users able to log
back in) I would've run to each workstation (or skipped) and done it
manually...
Well, it's not that easy; the current implementation is in Perl modules and has a bunch of stuff that would not work without some HPES packages, but in short, if you know Perl, here is the meat of it. You will of course have to set variables to make this work.
#!/usr/bin/perl
# Excerpt: bind to AD, set dsconfigad options, then fix the search policy.
use strict;
use warnings;
use Sys::Syslog qw(:standard);

# Site variables: set these before running (declared here so strict compiles).
our $dsconfigad = '/usr/sbin/dsconfigad';
our $progname   = $0;
our ($bindname, $DOMAIN, $ACCT, $PW, $OU, $PI, $AllDomains, $DS);
openlog($progname, 'pid', 'user');

my ($ds_args, $rc, $sptmp);

# Bind. The password is masked as ##### until after the command line is echoed,
# so it never lands in the log; it is still visible in ps while dsconfigad runs.
$ds_args = "-f -a $bindname -domain $DOMAIN -u $ACCT -p #####";
$ds_args .= " -ou \"$OU\"" if($OU);   # quoted: an OU DN may contain spaces
print "$dsconfigad $ds_args\n";
$ds_args =~ s/#####/$PW/;
open(CONFIGAD, "$dsconfigad $ds_args 2>&1 |") or die "$progname: dsconfigad: $!\n";
while(<CONFIGAD>) {
    chomp;
    die "$progname: $dsconfigad: $_\n" if(/^Error:/);
}
close CONFIGAD;

syslog('notice', "setting bind option: passinterval\n");
$ds_args = "-passinterval $PI";
$rc = system("$dsconfigad $ds_args");
die "$progname: AD binding failed\n" if($rc);

syslog('notice', "setting bind option: cached accounts\n");
$ds_args = "-mobile enable -mobileconfirm disable";
$rc = system("$dsconfigad $ds_args");
die "$progname: AD binding failed\n" if($rc);

# disable logging in to all domains if needed
if($AllDomains) {
    $sptmp = 'All Domains';
}
else {
    syslog('notice', "setting bind option: alldomains disable\n");
    $ds_args = "-alldomains disable";
    $rc = system("$dsconfigad $ds_args");
    die "$progname: AD binding failed\n" if($rc);
    $sptmp = "$DOMAIN";
}

# set search policy (the AD node path contains a space, so it is quoted for the shell)
syslog('notice', "setting search policy");
$rc = system("dscl /Search -create / SearchPolicy CSPSearchPath");
die "$progname: dscl create /\n" if($rc);
$rc = system("dscl /Search/Contacts -create / SearchPolicy CSPSearchPath");
die "$progname: dscl create Contacts\n" if($rc);
$rc = system("dscl /Search -append / CSPSearchPath \"/Active Directory/$sptmp\"");
die "$progname: dscl append /\n" if($rc);
$rc = system("dscl /Search/Contacts -append / CSPSearchPath \"/Active Directory/$sptmp\"");
die "$progname: dscl append Contacts\n" if($rc);
system("defaults write $DS \"Active Directory\" -string Active");
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
It's not normal. But I've to see it in my new role.
For me, it's been due to AD replication issues. Have the Macs' computer accounts been moved?
Regards,
Ben.
Have seen it on 10.6.7 and 10.6.8 systems. No explanation. Only resolution was to unbind/bind in the three instances I've seen. File a bug report with Apple.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov<mailto:walter.rowe at nist.gov>
301-975-2885
I have seen problems like this; it could be that your trust relationships are not correct, if you have multiple domains.
To test this, go to Directory Utility, edit the AD settings, show advanced options, uncheck the box that says allow authentication from any domain in the forest, click OK and save that change.
Then go to search policy in Directory Utility and choose custom path,
click the + and add the proper domain the users reside in.
That might clear up your being bound and not being able to log in.
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
Exactly what I did.
Must just be typical Apple in this case :(
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
We have a flat AD environment (not by choice!)
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
We also have a ticket in with Apple for this issue, but it was probably ignored when I didn't send an EDC over (waiting for next time it happens).
The problem you guys are seeing, where a machine has been online for months and all of a sudden cannot log in, can sometimes be addressed by using the "-passinterval days" flag (how often to change the computer trust account password, in days)
in the dsconfigad command. I have had to not change the password at some domains and change it at others; check with your AD admin.
And then every now and then you go to rebind and you cannot authenticate with your binding account; this usually points to a problem with Kerberos.
At this point I do a manual reset of AD:
rm /Library/Preferences/DirectoryService/*
rm /var/db/dslocal/nodes/Default/config/Kerberos*
killall DirectoryService
then run your binding script again.
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
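An added example (not Todd's script and not from this thread) of the manual reset just described, with one change a practitioner would want: the DirectoryService and Kerberos files are moved into a timestamped backup rather than removed, so the previous state can be put back if the rebind that follows fails. The prefix argument points the functions at a scratch tree for the self-test; on a real Mac run it as root with an empty prefix. BIND_SCRIPT is a placeholder for your own binding script; the file names in the self-test are constructed.

```shell
#!/bin/sh
# Added example: Todd's manual AD reset with a backup instead of bare rm.
# $1 is a path prefix ("" on a real system); BIND_SCRIPT is a placeholder.

# Move the files the reset deletes into $2; print how many were moved.
stash_ad_state() {
    prefix=$1
    backup=$2
    moved=0
    mkdir -p "$backup/DirectoryService" "$backup/Kerberos"
    for f in "$prefix"/Library/Preferences/DirectoryService/*; do
        [ -e "$f" ] || continue
        mv "$f" "$backup/DirectoryService/" && moved=$((moved + 1))
    done
    for f in "$prefix"/var/db/dslocal/nodes/Default/config/Kerberos*; do
        [ -e "$f" ] || continue
        mv "$f" "$backup/Kerberos/" && moved=$((moved + 1))
    done
    echo "$moved"
}

# Put the stashed files back; print how many were restored.
restore_ad_state() {
    prefix=$1
    backup=$2
    restored=0
    mkdir -p "$prefix/Library/Preferences/DirectoryService" \
             "$prefix/var/db/dslocal/nodes/Default/config"
    for f in "$backup"/DirectoryService/*; do
        [ -e "$f" ] || continue
        mv "$f" "$prefix/Library/Preferences/DirectoryService/" && restored=$((restored + 1))
    done
    for f in "$backup"/Kerberos/*; do
        [ -e "$f" ] || continue
        mv "$f" "$prefix/var/db/dslocal/nodes/Default/config/" && restored=$((restored + 1))
    done
    echo "$restored"
}

# Stash, bounce DirectoryService (macOS only), rebind; roll back on failure.
reset_and_rebind() {
    prefix=$1
    backup="$prefix/var/tmp/ad-reset-$(date +%Y%m%d%H%M%S)"
    echo "stashed $(stash_ad_state "$prefix" "$backup") file(s) in $backup"
    [ "$(uname)" = "Darwin" ] || { echo "not macOS: skipping restart and rebind"; return 0; }
    killall DirectoryService 2>/dev/null || true   # as in Todd's reset; launchd relaunches it
    sleep 2
    if "${BIND_SCRIPT:-/usr/local/sbin/ad-bind}"; then   # placeholder path
        echo "rebind OK; backup left in $backup for review"
        return 0
    fi
    echo "rebind failed; restored $(restore_ad_state "$prefix" "$backup") file(s)" >&2
    return 1
}

# Self-demo on a scratch tree with constructed file names; touches no system files.
demo_scratch_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Library/Preferences/DirectoryService" "$t/var/db/dslocal/nodes/Default/config"
    touch "$t/Library/Preferences/DirectoryService/ActiveDirectory.plist" \
          "$t/var/db/dslocal/nodes/Default/config/KerberosKDC.plist" \
          "$t/var/db/dslocal/nodes/Default/config/SearchNodeConfig.plist"   # not Kerberos*: must stay
    n=$(stash_ad_state "$t" "$t/backup")
    r=$(restore_ad_state "$t" "$t/backup")
    rm -rf "$t"
    echo "$n $r"   # prints "2 2"
}

if [ "${1:-}" = "--live" ]; then
    reset_and_rebind ""
else
    demo_scratch_tree
fi
```

Only files matching Kerberos* are taken from the dslocal config directory, matching Todd's rm; the other node config files stay in place, and the backup directory is left behind after a successful rebind so the old bind can still be inspected.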
I believe that unless it affects the general consumer, the likelihood of your AD bugs being fixed are slim. Case in point will be the release of Lion this month.
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
Have you checked this KB article?
http://support.apple.com/kb/TS2691
I've seen issues with the Kerberos config files under /var/db/dslocal/nodes/Default/config, as described in the article. It happened mostly with 10.5 clients but could also affect 10.6.
Another thing worth checking is the time sync of the DC's.
Run this in DOS on a PC on the domain:
W32tm /monitor /domain:yourdomainname
Replacing yourdomainname with your domain name.
Any errors will not help.
Regards,
Ben.
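An added example (not from Ben's message or this thread) that turns the w32tm check above into a pass/fail test: it reads saved "w32tm /monitor /domain:yourdomainname" output and flags any DC that is unreachable or whose clock is more than 300 seconds off the local clock, the default skew Kerberos tolerates before rejecting tickets. SAMPLE_MONITOR is constructed to approximate w32tm's layout; pass a saved output file as the first argument to check a real domain.

```shell
#!/bin/sh
# Added example: check `w32tm /monitor` output against Kerberos' 5-minute skew.
# SAMPLE_MONITOR is constructed, not captured from a real domain.
MAX_SKEW=300   # seconds; Kerberos rejects tickets beyond this by default

SAMPLE_MONITOR='dc1.example.com *** PDC *** [192.0.2.10:123]:
    ICMP: 0ms delay
    NTP: +0.0123456s offset from local clock
        RefID: time.example.com [192.0.2.1]
        Stratum: 3
dc2.example.com [192.0.2.11:123]:
    ICMP: 1ms delay
    NTP: -412.9871234s offset from local clock
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0
dc3.example.com [192.0.2.12:123]:
    ICMP: 0ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms'

# "host offset" per DC from w32tm text on stdin; offset is seconds or "error".
dc_offsets() {
    awk '
        /^[^ \t].*\]:/     { host = $1 }                            # header: host ... [ip:port]:
        /NTP:/ && /offset/ { off = $2; sub(/s$/, "", off); print host, off }
        /NTP: error/       { print host, "error" }
    '
}

# One line per DC that is unreachable or more than MAX_SKEW seconds off;
# exit status 1 when any such DC exists, 0 when all are within tolerance.
skewed_dcs() {
    dc_offsets | awk -v max="$MAX_SKEW" '
        $2 == "error" { print $1 " unreachable"; bad = 1; next }
        { o = $2 + 0; if (o < 0) o = -o
          if (o > max) { print $1 " offset " $2 "s"; bad = 1 } }
        END { exit bad ? 1 : 0 }
    '
}

if [ $# -gt 0 ]; then
    skewed_dcs < "$1"          # saved output of: w32tm /monitor /domain:yourdomainname
else
    printf '%s\n' "$SAMPLE_MONITOR" | skewed_dcs || echo "clock check failed on the constructed sample"
fi
```

A DC that w32tm cannot reach is reported as a failure too, since a Mac that picks that DC for its Kerberos exchange sees the same symptom as a skewed clock.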
Sorry but where in AD does it give the computer account password expiration interval?
My ad admins all looked at me blankly.
Regards,
Ben.
I just ask the AD admins if the computers have to change their password, and they usually answer "yeah, every 30 days" or "no, they don't". If they say no, I provide a 0 as an argument to the command; if they say 30 days, then 30 to the command. That's all the info I have, sorry.
--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
This is critical!!!
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
Perfect! Thanks!!!
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group
A lot of info in this thread/convo, keep it coming!
I'm a domain admin & have just got a Casper license (but am awaiting Lion).
So I'll see what I can find tomorrow; I won't touch, just look!
For us, I've found it reproducible.
Bind a Mac to AD, find its object on the Primary DC in /Computers. Move the object. Try to log in or do a dscl lookup. FAILS.
Bind a Mac to AD, find its object on the Primary DC in /Computers. Move the object. Manually replicate all DCs from primary. Try to log in or do a dscl lookup.
WORKS
But that may just be us.
Regards,
Ben.