All of a sudden, I am having a very strange issue and cannot bind my Mac computers to my Active Directory. Windows machines bind perfectly fine.



I am getting the following error:



/Active Directory, Module: ActiveDirectory - krb5.dylib - set password using MS set password returned: 0 result_code 3
2017-05-15 14:03:55.372321 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for 'bpage-imac$@CORP.MYDOMAIN.COM' with error '' (3)
2017-05-15 14:03:55.372328 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - failed to change computer password deleting record - 'cn=bpage-imac,CN=Computers,DC=corp,DC=mydomain,DC=com'



It is driving me crazy. DNS looks fine. Time and date are set to the domain controller.



I have tried:
shortening the computer name
creating a record in AD first
using a different account to bind
using a different OU to add the machine to
preferring one of my DCs over another.



Any ideas?

Have you looked at your /etc/krb5.conf file?


I don't seem to have a krb5.conf file located in /etc ... only krb5.keytab & krb5.keytab~orig


Try running dsconfigad -show and make sure that the computer account matches what you see in ADU&C on your Windows Server. If your Mac had spaces in the name (e.g., My Cool Mac), your AD server might not be interpreting it correctly. Also make sure your advanced Administrative options are not in conflict.


Try using the -force option of dsconfigad to remove it from the domain. Then try adding it back to AD without the -force option. If that fails, try again WITH -force.


I have sometimes seen instances where the binder account cannot re-add a machine to the domain. I'm guessing that is not the case here, but I always check for that.


I did have similar issues; however, binding via Terminal was successful.



cheers


So, via the Mac Admins Slack channel, I found a fix.



I needed to create the record in AD first... but create it in a different OU than the standard Computers container. Once I created the record and bound to a different OU, in my case OU=Macs, the machines started to bind just fine.
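The failure pattern in this thread is visible in the opendirectoryd lines quoted above: the Kerberos password change for the new computer account returns result_code 3 and the record is deleted from the default Computers container. The following is an added example (not from any poster) that extracts those fields from the log and builds the dsconfigad invocation that targets a dedicated OU, as the accepted fix does. The realm, OU and account names are the thread's own; the helper names and the sample log are constructed.

```python
"""Triage a failed macOS AD bind from opendirectoryd log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from the two complete lines quoted in the thread.
SAMPLE_LOG = """\
2017-05-15 14:03:55.372321 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for 'bpage-imac$@CORP.MYDOMAIN.COM' with error '' (3)
2017-05-15 14:03:55.372328 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - failed to change computer password deleting record - 'cn=bpage-imac,CN=Computers,DC=corp,DC=mydomain,DC=com'
"""

CHANGE_FAILED = re.compile(
    r"Changing password failed for '(?P<principal>[^']+)' with error '[^']*' \((?P<code>\d+)\)")
RECORD_DELETED = re.compile(r"deleting record - '(?P<dn>[^']+)'")


@dataclass
class BindFailure:
    principal: str            # e.g. bpage-imac$@CORP.MYDOMAIN.COM
    result_code: int          # krb5 set-password result code (3 in the thread)
    deleted_dn: Optional[str] = None

    @property
    def container(self) -> Optional[str]:
        """The AD container the computer record was created in (DN minus its RDN)."""
        if not self.deleted_dn:
            return None
        return ",".join(self.deleted_dn.split(",")[1:])


def parse_bind_failures(log_text: str) -> List[BindFailure]:
    """Pair each 'Changing password failed' line with the record deletion that follows it."""
    failures: List[BindFailure] = []
    for line in log_text.splitlines():
        if m := CHANGE_FAILED.search(line):
            failures.append(BindFailure(m["principal"], int(m["code"])))
        elif (m := RECORD_DELETED.search(line)) and failures:
            failures[-1].deleted_dn = m["dn"]
    return failures


def bind_command(domain: str, computer: str, ou_dn: str, user: str, force: bool = False) -> List[str]:
    """Build the dsconfigad argv for binding into a specific OU (password is prompted, not embedded)."""
    argv = ["dsconfigad", "-add", domain, "-computer", computer, "-username", user, "-ou", ou_dn]
    if force:
        argv.append("-force")
    return argv


if __name__ == "__main__":
    for f in parse_bind_failures(SAMPLE_LOG):
        print(f"{f.principal}: result_code={f.result_code}, record was in {f.container}")
    print(" ".join(bind_command("corp.mydomain.com", "bpage-imac", "OU=Macs,DC=corp,DC=mydomain,DC=com", "binder")))
```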