What's everyone doing for AD binding execution frequency? I was thinking of setting it to weekly to just rebind every computer using the default JSS Directory Binding.
Does anyone have a script to determine if the trust is broken?
Thanks!
Solved
Ad Binding Execution Frequency
+9Best answer by spraguga
@mm2270][/url][/url][/url Yes, I am aware of all that, just didn't realize you can set the pass to not update.
Any who I put this script together pretty quickly to test the current account binding authentication/trust. If anyone wants to use it you'll need to adjust for your environment.
#!/bin/bash
MYDOMAIN='YOURDOMAIN.COM'
COMPNAME=`scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`
SERVICEACCOUNTPASS=`security 2>&1 >/dev/null find-generic-password -ga $COMPNAME$ | cut -d'"' -f2`
echo $SERVICEACCOUNTPASS | kinit --password-file=STDIN $COMPNAME$@$MYDOMAIN
if [[ $? != 0 ]]
then
echo "fail"
else
echo "pass"
fi
+35@spraguga, same as @CasperSally for us.
But we also set the Mac's AD password to never change, & spent time getting NTP & AD replication fixed.
+5i generally include it with my imaging but in the event we have some ship to the UE then i have it a policy with a trigger of complete on enrollment, once per computer.
+14I've been checking the AD binding with an Extension Attribute that tests a directory lookup. It seems to be a good way to test that the binding is in working order.
I don't try to rebind anything on a schedule or even via a change in this EA...I use this more for validation and as a prereq for other scripts that will fail without the binding.
#!/bin/sh
#change service_account to a user in your domain that won't be deleted
id service_account 1>/dev/null
if [ $? == 0 ] ; then
echo "<result>Yes</result>"
else
echo "<result>No</result>"
fi
+28I wouldn't re-bind regularly, only on error or auth failure.
+9@CasperSally][/url][/url][/url We bind during imaging as well. However, every once in a while some computers lose their trust.
@bentoms][/url][/url Are you referring to the service account you are binding with? You can set this to not update the password during bind time? That would be great but wouldn't fly here.
@Josh.Smith][/url][/url][/url This might actually work. I'll have to test this out. However, you might still be able to do AD lookups with a broken trust.
Thanks for the replies everyone! ;)
+16@spraguga - Every bound Mac has an Active Directory password, that as of at least 10.7 and up, gets stored in the System level keychain. Its typically named the same as your domain, so something like "/Active Directory/ORG" The password stored in there is what the Mac uses when its communicating with AD, same as you as a user would need a name/password to connect to domain resources. By default that has a 14 day password change interval, meaning every 14 days the Mac attempts to connect up to AD and ask for a new password and, as long as everything is working, the 2 stay in sync. But when a Mac is stuffed in a drawer for a month and not powered up and connected to your network, or if its used at someone's home and not on VPN, etc. the password eventually gets out of sync with AD and then communication is broken between the Mac and AD. We see this kind of scenario fairly often here.
What @bentoms was referring to was that computer AD password. You can set it to never ask for a new one.
Some places consider this to be a security risk though. Given a scenario where a Mac hasn't been powered up for 6 months and is way out of compliance with patches, then gets on the 'net, possibly gets exploited by Flash/Java/whatever being out of date, and then connects to your network and allowed on b/c the password hasn't expired, it represents a security risk.
Also, some places just have an AD based policy that will purge records that go stale after a certain date which means even if the password change interval is turned off, you can still lose connection to your AD environment.
+9@mm2270][/url][/url][/url Yes, I am aware of all that, just didn't realize you can set the pass to not update.
Any who I put this script together pretty quickly to test the current account binding authentication/trust. If anyone wants to use it you'll need to adjust for your environment.
#!/bin/bash
MYDOMAIN='YOURDOMAIN.COM'
COMPNAME=`scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`
SERVICEACCOUNTPASS=`security 2>&1 >/dev/null find-generic-password -ga $COMPNAME$ | cut -d'"' -f2`
echo $SERVICEACCOUNTPASS | kinit --password-file=STDIN $COMPNAME$@$MYDOMAIN
if [[ $? != 0 ]]
then
echo "fail"
else
echo "pass"
fi
+26I use this to check if the Mac is still talking to the domain properly. If this comes back as blank then a force unbind and re-bind is usually in order.
#!/bin/sh
ad_computer_name=`dsconfigad -show | grep "Computer Account" | awk '{print $4}'`
ad_computer_ou=`dscl /Search read /Computers/$ad_computer_name |
grep -A 1 dsAttrTypeNative:distinguishedName |
cut -d, -f2- | sed -n 's/OU=//gp' |
sed -n 's/(.*),DC=/1./gp' |
sed -n 's/DC=//gp' |
awk -F, '{
N = NF
while ( N > 1 )
{
printf "%s/",$N
N--
}
printf "%s",$1
}'`
echo "<result>$ad_computer_ou</result>"@jhbush1973][/url The issue is that you can still do an AD lookup with a broken trust. My script will determine if the trust is out of sync.
+13Some of my Macs have broken trust--I know a force unbind and re-bind will fix, but is there a fix for the underlying issue?
+9@stevehahn No this is the standard working of Active Directory. There are multiple reasons for computers losing trust.
- Password doesn't sync for whatever reason
- Computer name change
- Computer time is off
- Binding account change
But you can use my script to see if the trust is actually broken.
Reply
Most helpful members this week
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.