13-Inch Retina MacBook Pro, Early-2015 not binding to AD within JAMF

cainehorr
Contributor III

I have a strange one-off issue.

We bind our Macs to AD (I know, I know, spare me the rhetoric about no AD on Mac. Believe me... I know).

So here's the deal...

  • We have a directory binding set up in the JSS 9.81
  • We have a policy that binds any unbound system to AD.
  • It works on the 13" MacBook Air
  • It works on the 15" Retina MacBook Pro
  • As of this posting, all OS patch levels are 10.11.3 (15D21)

However...

  • The MacBook Pro (Retina, 13-inch, Early 2015) [MacBookPro12,1] won't bind.

The JAMF policy fails.

JAMF Policy Logs for this machine state the following:

Executing Policy Active Directory - Bind to AD...
Binding User's MacBook Pro to domain.com...
Computer name must be less than 15 characters. (domain.com) was specified. (Attempt 1)
An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 2)
An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 3)
An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 4)
An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.

The computer name is 15 characters or less and meets NetBIOS requirements.

If I join the system manually via the GUI using the EXACT same settings as found in JAMF Directory Binding, the machine binds to AD without any issue.

It's only when JAMF tries to bind it that it fails, and it's only on this hardware model.

Has anyone else seen this particular issue/bug before?

If so, what was your method to resolution?

Thanks!

P.S. - I've also checked up on https://jamfnation.jamfsoftware.com/discussion.html?id=9588 and no, it's not a clock issue. ;-)

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

4 REPLIES

mlavine
Contributor

Does it bind if you attempt to do it directly on the machine?

Have you checked to see if it's a bug in v9.81?

cainehorr
Contributor III

@mlavine - As previously stated, "If I join the system manually via the GUI using the EXACT same settings as found in JAMF Directory Binding, the machine binds to AD without any issue."

So yes, it does bind if I do it directly on the machine.

No. I have not checked to see if it's a bug in 9.81. Thanks for the tip. I'll check on that.

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

Olivier
New Contributor II

To enable AD verbose logging, run "odutil set log debug"; log files are generated in /var/log/opendirectoryd.log. You may want to use "info" instead of "debug", as debug generates tons of output, but it also means less chance of catching the error.

Disable them again with "odutil set log default".

You can also use "sudo newproc.d" if you disabled SIP on a test machine, as it will show you the dsconfigad command, with arguments, that the jamf binary triggers in the background (if you need to see more than 5 command-line arguments, you need to edit the /usr/bin/newproc.d file and add a few additional blocks to catch the additional arguments).

themacallan
New Contributor III

I've seen this type of issue often at Jump Starts. The Directory Bindings option does not do well with special characters in passwords. Try resetting the password of the service account you are using to bind to something that is purely alpha-numeric. If it still does not bind using the JSS, then I'd proceed with the troubleshooting suggestions that @Olivier mentioned.
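
A pre-flight check for the two things this thread points at, the 15-character name message in the policy log and the suggestion to use a purely alphanumeric bind password, as an added example that is not part of any post above or of JAMF's tooling. The function names, return codes and allowed character set are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-flight checks for a directory-binding policy.
# Function names and return codes are hypothetical, not jamf or dsconfigad features.
LC_ALL=C   # make A-Z / a-z ranges and ${#var} behave as plain ASCII

# check_computer_name NAME
#   0 = ok (under 15 characters, only A-Z a-z 0-9 and hyphen)
#   1 = longer than 15 characters
#   2 = empty, or characters outside that set (a conservative set assumed here)
#   3 = exactly 15 characters: valid for NetBIOS, but the policy log says
#       "less than 15", so it is reported separately
check_computer_name() {
    name=$1
    [ -n "$name" ] || return 2
    [ "${#name}" -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 2 ;;
    esac
    [ "${#name}" -lt 15 ] || return 3
    return 0
}

# password_is_alphanumeric PASSWORD: 0 when non-empty and purely A-Z a-z 0-9
password_is_alphanumeric() {
    case $1 in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# preflight NAME PASSWORD: prints findings (never the password itself),
# returns the number of blocking problems
preflight() {
    problems=0
    rc=0
    check_computer_name "$1" || rc=$?
    case $rc in
        1) echo "name: longer than 15 characters"; problems=$((problems + 1)) ;;
        2) echo "name: empty or outside A-Z a-z 0-9 -"; problems=$((problems + 1)) ;;
        3) echo "name: exactly 15 characters, at the limit" ;;
    esac
    if ! password_is_alphanumeric "$2"; then
        echo "password: not purely alphanumeric"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: the name as printed in the policy log, and a made-up password.
preflight "User's MacBook Pro" 'Bind#2016!' || true
```

On a Mac the name can be taken from `scutil --get ComputerName`; whether the binding policy uses that name is an assumption to confirm, and the password is better read from a prompt than passed on a command line.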