Skip to main content
Question

AD Bind Issues

  • August 22, 2017
  • 5 replies
  • 31 views
J
Forum|alt.badge.img+8

having some very strange issues with active directory bind on machines in office. Am noticing that randomly the connection will break ... new network users unable to login through loginwindow and also unable to login new users via terminal to check connectivity...

while the bind is in this broken state i can see in users and groups under login options that the option 'allow network users to login at login window' disappears.

whats even more strange is if i kill opendirectoryd in activity monitor, this option re-appears and users can then log in again as normal.

The option 'allow network users to login at login window' will then sometimes randomly disappear.... killing opendirectoryd again will then make it pop right back.

Rebooting always puts the machine back into a broken state.

anyone seen anything like this before?

    5 replies

    J
    Forum|alt.badge.img+12
    • johnklimeck
    • Contributor
    • August 22, 2017

    What version of macOS (10.12.6), and do you use dsconfigad command line to bind or the Mac GUI?

    Do you have an AD "Delegated" account that add Macs (AD computer objects) to AD at will?

    Also, time must be exact on the Mac, if off by 5 minutes max (Kerberos), will not bind.

    John K

    J
    Forum|alt.badge.img+8
    • jamesdurler
    • Author
    • Contributor
    • August 23, 2017

    think i may have sorted this as per this article...

    https://support.apple.com/en-gb/TS3070

    J
    Forum|alt.badge.img+4
    • jzeles
    • New Contributor
    • August 23, 2017

    I haven't noticed this specifically, but I have noticed that sometimes our machines get into a state where they are no longer actually talking to AD even though they think they are connected (I haven't tried to kill and restart opendirectoryd as a workaround). We have a script that uses the 'id' command (i.e. "id enteryourADusernamehere") with any user that has never logged into that computer. When working correctly, this returns a list of all groups a specific user is in, when it's not, it returns nothing. Anyway, we have a script that runs that command with a service account that should have never logged in. If the command returns nothing, then we ensure we are on the corp network and then unbind and rebind. This all occurs in the background and is transparent to the end user.

    A
    • Anonymous
    • August 23, 2017

    Thanks for your info

    A
    • Anonymous
    • August 23, 2017

    Thanks for your info

    Terms & ConditionsCookie settingsAccessibility statement