Active Directory account doesn't show AD group membership in terminal, and drive mounts fail

Castro
New Contributor III

Hello,

My machine is bound to AD and when I type "id" in Terminal, I don't see any of my AD groups, only local groups. I am on the network, and have unbound and then rebound a couple of times; it works (I can see my AD groups) for a couple of days, but then they're gone again. I can, however, continue to access network resources and obtain a Kerberos ticket, but a script that maps drives based on the logged-in user's (my) AD groups fails. Any thoughts? Thank you.

9 replies

scottb
Honored Contributor

Does your AD setup require your Macs to be moved to another OU after binding? We have a "staging" OU and if a machine is left there, it will get disabled after x days. If you have access to Active Roles, you should be able to find the object (Mac) there and see what's up.

Castro
New Contributor III

No, the Macs are joined to the correct OU as part of the AD binding.

scottb
Honored Contributor

Dumb question, but do you utilize a Time Server (System Preferences / Date & Time)? It seems that if you're bound OK and working, and then something changes, it could be something like that.

Castro
New Contributor III

Yes, our Macs are using a time server/Apple.

mcrispin
Contributor II

Some AD deployments block group enumeration for non-Windows bound clients. Sometimes this is done in academic environments per a strange reading of FERPA rules. It is possible to provide exceptions for computer objects, or by OU. You might want to check other longer established Mac AD-bound clients and see if there is a different behavior and see what the differences might be.

Nix4Life
Valued Contributor

Hey guys,
Just to further what boettchs said, I had a similar issue with Snow Leopard. I did notice a time server drift. I wrote the following script to use the DC as my time server. It seemed to have cleared the "weirdness" up:

#!/bin/bash
# Stop network time sync, point the Mac at the domain controller, then re-enable it.
sudo systemsetup -setusingnetworktime off
sudo systemsetup -setnetworktimeserver "name or ip of your dc"
sudo systemsetup -setusingnetworktime on

LS

scottb
Honored Contributor

That's what I was thinking. We have our AD servers and all clients use the same internal Time Servers to avoid the drift/offset. If it gets beyond 5 minutes - which I think is the norm - it will keep you from authenticating. I don't know if it's a good idea to use an external Time Server or not - never seen that done with any of my work environments.
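As an added example (not part of the thread, and not Jamf or Apple code), here is a small bash diagnostic that checks the two things raised above in one place: whether the output of `id` actually contains any domain groups, and whether the Mac's clock is within the 5-minute Kerberos skew tolerance scottb mentions. The `id` line and the timestamps are constructed sample input; the `DOMAIN\group name` format for AD groups in `id` output and the domain name `CORP` are assumptions.

```bash
#!/bin/bash
# Added diagnostic example. Assumes AD groups appear in `id` output as
# "DOMAIN\group name" and that Kerberos tolerates 300 s of clock skew
# (the default in most deployments).

MAX_SKEW=300   # seconds; Kerberos default clock-skew tolerance

# skew_ok CLIENT_EPOCH DC_EPOCH
# Returns 0 when |CLIENT_EPOCH - DC_EPOCH| <= MAX_SKEW, 1 otherwise.
skew_ok() {
  local diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( -diff ))
  [ "$diff" -le "$MAX_SKEW" ]
}

# ad_group_count ID_OUTPUT DOMAIN
# Prints how many groups in the "groups=" section of ID_OUTPUT are
# prefixed with "DOMAIN\". A count of 0 while the Mac is bound means
# the directory plug-in is no longer resolving AD group membership.
ad_group_count() {
  local domain="$2" bs='\' count=0 entry name old_ifs
  local groups="${1#*groups=}"           # "20(staff),12(everyone),..."
  old_ifs="$IFS"; IFS=','
  for entry in $groups; do               # split on commas only
    name="${entry#*(}"; name="${name%)}" # "12345(CORP\Domain Users)" -> name
    case "$name" in
      "$domain$bs"*) count=$((count + 1)) ;;
    esac
  done
  IFS="$old_ifs"
  echo "$count"
}

# report ID_OUTPUT DOMAIN CLIENT_EPOCH DC_EPOCH
# Prints a one-line verdict for each check; returns 0 only if both pass.
report() {
  local groups status=0
  groups="$(ad_group_count "$1" "$2")"
  if [ "$groups" -gt 0 ]; then
    echo "AD groups visible: $groups"
  else
    echo "AD groups visible: none (only local groups in id output)"; status=1
  fi
  if skew_ok "$3" "$4"; then
    echo "Clock skew: within ${MAX_SKEW}s of DC"
  else
    echo "Clock skew: more than ${MAX_SKEW}s from DC (Kerberos will fail)"; status=1
  fi
  return "$status"
}

# Constructed sample input; on a real Mac use "$(id)", "$(date +%s)" and the
# DC's time from an NTP query instead.
SAMPLE_ID='uid=501(castro) gid=20(staff) groups=20(staff),12(everyone),1234567890(CORP\Domain Users),1234567891(CORP\Mac Admins)'
report "$SAMPLE_ID" CORP 1700000000 1700000100
```

If the group count drops to zero on a machine whose Kerberos ticket still works, the clock is not the problem and the directory lookup itself is (the enumeration restriction mcrispin describes, or a computer object that was disabled or moved); a skew failure, by contrast, breaks ticket acquisition as well as group lookup.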

Castro
New Contributor III

Thank you all for the comments! I will test the script for setting the time server.

ClassicII
Contributor III

Is anyone else seeing this?

For us it seems to be on and off. Sometimes we can pull AD groups; other times we can only pull local groups.