Skip to main content

I've been working on a script that validates if a Mac's binding to AD is still active or not. This is an issue that seems to be caused when the computer is off the corporate network at the time of kerberos key cycling, typically set to 14 days (see dsconfigad -show; setting it to 0 will stop this cycling, which I am currently testing to see if it stops bindings from breaking).



This has been working fairly well, except for that we are getting some false failure reports when using the id command.



Has anyone had to do this and found a more consistent way to see if a device binding is working or broken using the id, dscl or other commands?



#!/bin/sh



adserver="directory.contoso.com"

testuser="_MacComputer"

pass="AD Binding OK"

fail="AD Binding Failed"

offline="Not in range of DC"

notbound="The Mac is not bound to contoso.com"



# Check if we can ping the AD Domain Controller, if ping was successful check if we can query a UPN



# If the ping was successful check if we can we query a UPN?

if ping -c 3 $adserver &> /dev/null; then

    # Check the domain returned with dsconfigad

    domain=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )

    # If the domain is correct

    if [[ "$domain" == "contoso.com" ]]; then

        # Check for the id of a user

        if id -u $testuser &> /dev/null; then

        # If the check was successful...

            echo "<result>$pass</result>"

        else

            # If the check failed

            echo "<result>$fail</result>"

        fi

    else

        # If the domain returned did not match our expectations

        echo "<result>$notbound</result>"

    fi

else

    # We can't see the DCs, so no way to properly check

    echo "<result>$offline</result>"

fi


Original source: https://www.jamf.com/jamf-nation/discussions/7039/how-to-check-if-a-computer-is-actually-bound-to-the-ad

https://www.jamf.com/jamf-nation/discussions/12776/apple-macs-losing-ad-binding#responseChild74510



The above thread has a post to @mm2270 with a great script to validate AD binding.

Thanks @thoule - it looks like that's a slightly messier (more nested if's) version of the same thing, but uses the dscl binary instead of the id binary and breaks the <result> tag out into a single run. I wonder if they are also seeing false positives, but I will try a version that uses a single <result> call.



dscl hasn't been playing nice with me, but I'll keep poking.

In case anyone stumbles on this, I was able to get some assistance back in October that has been running fairly well since then. There are still some false positives, but this appears to be due to the directory services hanging and are usually resolved by a restart. Thanks to @doggles for the assist on this one.



#!/bin/bash



SECURE_LDAP=TRUE

log="/private/tmp/$(date "+%F__%H-%M-%S")-adcheck.log"

domain="contoso.com"

dc="adserver.$domain"

ldap_user="_testaccount"

pass="AD Binding OK"

fail="AD Binding Failed"

offline="Not in range of DC"

notbound="The Mac is not bound to contoso.com"



if $SECURE_LDAP

then port=636

else port=389

fi



main()

{



if nc -z $dc $port; then

    if [[ $domain = $(dsconfigad -show | awk 'NR==2{print $5}') ]]; then

        if id -u $ldap_user; then

            result=$pass

        else

            result=$fail

        fi

    else

        result=$notbound

    fi

else

    result=$offline

fi



echo "<result>$result</result>"

}



main 2>&1 | tee -a $log

We have a few different domains(4 to be exact) and wanted to see if anyone has run into where people switch different domains in AD.
Example : User goes from the US to Europe, the mac would bind to the European Domain upon arrival.

Reply


Terms & ConditionsCookie settings