Ad Binding Execution Frequency

spraguga
Contributor

What's everyone doing for AD binding execution frequency? I was thinking of setting it to weekly to just rebind every computer using the default JSS Directory Binding.

Does anyone have a script to determine if the trust is broken?

Thanks!

1 ACCEPTED SOLUTION

spraguga
Contributor

@mm2270][/url][/url][/url Yes, I am aware of all that, just didn't realize you can set the pass to not update.

Any who I put this script together pretty quickly to test the current account binding authentication/trust. If anyone wants to use it you'll need to adjust for your environment.

#!/bin/bash

MYDOMAIN='YOURDOMAIN.COM'

COMPNAME=`scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`

SERVICEACCOUNTPASS=`security 2>&1 >/dev/null find-generic-password -ga $COMPNAME$ | cut -d'"' -f2`

echo $SERVICEACCOUNTPASS | kinit --password-file=STDIN $COMPNAME$@$MYDOMAIN

if [[ $? != 0 ]]
then
    echo "fail"
else
    echo "pass"
fi

View solution in original post

12 REPLIES 12

CasperSally
Valued Contributor II

We bind at time of imaging. Never had an issue with trust breaking, etc.

bentoms
Release Candidate Programs Tester

@spraguga, same as @CasperSally for us.

But we also set the Mac's AD password to never change, & spent time getting NTP & AD replication fixed.

Felipe_hernande
New Contributor III

i generally include it with my imaging but in the event we have some ship to the UE then i have it a policy with a trigger of complete on enrollment, once per computer.

Josh_Smith
Contributor III

I've been checking the AD binding with an Extension Attribute that tests a directory lookup. It seems to be a good way to test that the binding is in working order.

I don't try to rebind anything on a schedule or even via a change in this EA...I use this more for validation and as a prereq for other scripts that will fail without the binding.

#!/bin/sh
#change service_account to a user in your domain that won't be deleted
id service_account 1>/dev/null
if [ $? == 0 ] ; then
    echo "<result>Yes</result>"
else
    echo "<result>No</result>"
fi

RobertHammen
Valued Contributor II

I wouldn't re-bind regularly, only on error or auth failure.

spraguga
Contributor

@CasperSally][/url][/url][/url We bind during imaging as well. However, every once in a while some computers lose their trust.

@bentoms][/url][/url Are you referring to the service account you are binding with? You can set this to not update the password during bind time? That would be great but wouldn't fly here.

@Josh.Smith][/url][/url][/url This might actually work. I'll have to test this out. However, you might still be able to do AD lookups with a broken trust.

Thanks for the replies everyone! ;)

mm2270
Legendary Contributor III

@spraguga - Every bound Mac has an Active Directory password, that as of at least 10.7 and up, gets stored in the System level keychain. Its typically named the same as your domain, so something like "/Active Directory/ORG" The password stored in there is what the Mac uses when its communicating with AD, same as you as a user would need a name/password to connect to domain resources. By default that has a 14 day password change interval, meaning every 14 days the Mac attempts to connect up to AD and ask for a new password and, as long as everything is working, the 2 stay in sync. But when a Mac is stuffed in a drawer for a month and not powered up and connected to your network, or if its used at someone's home and not on VPN, etc. the password eventually gets out of sync with AD and then communication is broken between the Mac and AD. We see this kind of scenario fairly often here.

What @bentoms was referring to was that computer AD password. You can set it to never ask for a new one.
Some places consider this to be a security risk though. Given a scenario where a Mac hasn't been powered up for 6 months and is way out of compliance with patches, then gets on the 'net, possibly gets exploited by Flash/Java/whatever being out of date, and then connects to your network and allowed on b/c the password hasn't expired, it represents a security risk.
Also, some places just have an AD based policy that will purge records that go stale after a certain date which means even if the password change interval is turned off, you can still lose connection to your AD environment.

spraguga
Contributor

@mm2270][/url][/url][/url Yes, I am aware of all that, just didn't realize you can set the pass to not update.

Any who I put this script together pretty quickly to test the current account binding authentication/trust. If anyone wants to use it you'll need to adjust for your environment.

#!/bin/bash

MYDOMAIN='YOURDOMAIN.COM'

COMPNAME=`scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`

SERVICEACCOUNTPASS=`security 2>&1 >/dev/null find-generic-password -ga $COMPNAME$ | cut -d'"' -f2`

echo $SERVICEACCOUNTPASS | kinit --password-file=STDIN $COMPNAME$@$MYDOMAIN

if [[ $? != 0 ]]
then
    echo "fail"
else
    echo "pass"
fi

jhbush
Valued Contributor II

I use this to check if the Mac is still talking to the domain properly. If this comes back as blank then a force unbind and re-bind is usually in order.

#!/bin/sh
ad_computer_name=`dsconfigad -show | grep "Computer Account" | awk '{print $4}'`
ad_computer_ou=`dscl /Search read /Computers/$ad_computer_name | 
grep -A 1 dsAttrTypeNative:distinguishedName | 
cut -d, -f2- | sed -n 's/OU=//gp' | 
sed -n 's/(.*),DC=/1./gp' | 
sed -n 's/DC=//gp' | 
awk -F, '{
N = NF
while ( N > 1 )
{
printf "%s/",$N
N--
}

printf "%s",$1
}'`

echo "<result>$ad_computer_ou</result>"

spraguga
Contributor

@jhbush1973][/url The issue is that you can still do an AD lookup with a broken trust. My script will determine if the trust is out of sync.

stevehahn
Contributor

Some of my Macs have broken trust--I know a force unbind and re-bind will fix, but is there a fix for the underlying issue?

spraguga
Contributor

@stevehahn No this is the standard working of Active Directory. There are multiple reasons for computers losing trust.
- Password doesn't sync for whatever reason
- Computer name change
- Computer time is off
- Binding account change

But you can use my script to see if the trust is actually broken.