Posted on 04-21-2015 09:23 AM
UPDATE: In the end, this was (apparently) a problem with DNS. Apparently we got "lucky" and took the brunt of it before everything else went problematic. The issue is resolved now, however. The sky is no longer falling.
So, suddenly I have devices that no longer bind to AD and cannot get a TGT from with kerberos.
AD binding via Casper fails.
kinit fails, "kinit: krb5_get_init_creds: unable to reach any KDC in realm blah.domain.edu, tried 0 KDCs"
Manual binding to the domain fails.
Manually trying to get a ticket via Ticket Viewer tells me that it's an "incorrect password" (it's not).
10.10.3 WITHOUT the Supplemental Update, no problems. Installed Supplemental Update, no longer works.
Anyone else seeing this?
Posted on 04-21-2015 09:51 AM
have you verified the clock skews and stuff? ours hasn't broken that I'm aware of for upgrades or fresh installs.
Are you seeing this on upgrades or fresh installs?
Posted on 04-21-2015 10:20 AM
Clocks are spot on.
Both. As well as manually trying to bind to AD and/or get a TGT. Unbind a Mac that was bound and try to rebind it using Casper OR manually.. failures.
We've confirmed it on half a dozen Macs so far.
I'm still waiting to hear from our enterprise core services folks to see if anything has changed in AD/DC.. but I doubt it. I'm also delving deeper into whether 10.10.3 pre supplemental actually works or we just got lucky a couple times.
Posted on 04-21-2015 10:35 AM
@yellow I'm not having any issues with manual AD bind or via the JSS with build 14D136. Both Create mobile account at login and Force local home directory on startup disk boxes are checked in my Directory Bind in the JSS.
Posted on 04-21-2015 10:39 AM
The only Yosemite lab I have on campus was experiencing the dreaded "50% Startup" issue for a long time.
10.10.3 appeared to resolve it, but the Supplemental Update was pushed out last night, and I came back to work to find 13 of 27 iMacs frozen at 50% of the boot process again.
Anybody else have this return?
Posted on 04-21-2015 11:01 AM
I think the core services folks changed something... just verified that vanilla 10.10.2 devices won't bind manually. Same error. Grrrrr....
Posted on 04-21-2015 11:04 AM
14D136 with AD bind/create mobile/force local home is checking in 100% here on 55 macs.
You may want to make sure your opendirectoryd build is correct and not off for some reason: 382.20.2
/usr/libexec/opendirectoryd -v
Posted on 04-21-2015 11:28 AM
AD binding with DSS 1.6.12 on 10.10.1 - 10.10.3 (14D136) with no issues. Currently testing 10.10.3 with (build 382.20.2) and no issues. Using both Create mobile account at login and Force local home directory on startup disk.
Posted on 04-21-2015 12:02 PM
I should note, either this hasn't been a problem until yesterday.. or I just hadn't noticed. I'm pretty sure it's the former.
Curiouser and curiouser...
So,
wired 10.9.5, binds no problem.
wireless 10.9.5, binds no problem.
wired 10.10.x, will not bind, will not get kerberos ticket.
wireless 10.10.x, binds no problem.
10.10.x (our image) & 10.10.x (vanilla), same issue. No binding. "Authentication server could not be contacted" when manual attempt to bind. "Incorrect password" when manually trying to get a kerberos ticket.
Enterprise Core Services says they made no changes to AD or the DCs.
Network Infrastructure says they made no changes to the wired infrastructure.
Posted on 04-21-2015 12:23 PM
Not having any trouble binding to AD (using the top level domain) or getting a kerberos ticket with a wired connection on 14D136. Are you trying to bind to a specific DC (FQDN or IP) or the top level domain?
Posted on 04-21-2015 12:47 PM
We've tried it all.. now there are authentication reports from all over covering all devices, applications, etc. So I might have just stumbled upon the tip of the spear, or, my issue is being overshadowed at the moment.
Seems pretty likely though that this is a me problem and not an OS X problem.
Posted on 04-21-2015 01:03 PM
Binding works and as others have noted the createmobileaccount binary is broken, and its not any better on any newer version of the OS either at the moment.
Posted on 04-21-2015 03:06 PM
UPDATE: In the end, this was (apparently) a problem with DNS. Apparently we got "lucky" and took the brunt of it before everything else went problematic. The issue is resolved now, however. The sky is no longer falling.
Posted on 04-21-2015 09:55 PM
I see this all of the time. Macs often are the "canary in the coal mine" and tend to find network/DNS/AD/Exchange issues long before Windows systems do. A good reason for platform diversity...
Posted on 04-22-2015 12:56 AM
I had my working machine that lost AD bind after 10.10.3 upgrade. I didn't do much testing by now, but I will dig more into it and testing a few upgrades from 10.10.2...
Posted on 05-05-2015 10:19 AM
Yellow.
I am experiencing in a recently created AD environment. Any way you could detail what the problem with DNS was?
Thanks,
Posted on 05-05-2015 10:24 AM
Unfortunately I don't know.. when I asked the Network Engineers about the issue and the solution I was encouraged to 'hold on' and that was it. We've had issues in the past where the DNS servers aren't updating in a timely fashion, so it's possible to get different names for the same device/IP. I briefly noticed this at the time, could be that was the source or a contributing factor?
Posted on 06-26-2015 09:25 AM
We had the same problem and found a fix for it.
sudo discoveryutil mdnsactivedirectory yes
Since Apple is moving away from discoveryd I'm not sure if this will be necessary in the future, but it's been working for us.