- Jamf Nation Community
- Products
- Jamf Pro
- Ad Binding Execution Frequency
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 11:55 AM
What's everyone doing for AD binding execution frequency? I was thinking of setting it to weekly to just rebind every computer using the default JSS Directory Binding.
Does anyone have a script to determine if the trust is broken?
Thanks!
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-21-2015 11:46 AM
@mm2270][/url][/url][/url Yes, I am aware of all that, just didn't realize you can set the pass to not update.
Any who I put this script together pretty quickly to test the current account binding authentication/trust. If anyone wants to use it you'll need to adjust for your environment.
#!/bin/bash
MYDOMAIN='YOURDOMAIN.COM'
COMPNAME=`scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`
SERVICEACCOUNTPASS=`security 2>&1 >/dev/null find-generic-password -ga $COMPNAME$ | cut -d'"' -f2`
echo $SERVICEACCOUNTPASS | kinit --password-file=STDIN $COMPNAME$@$MYDOMAIN
if [[ $? != 0 ]]
then
echo "fail"
else
echo "pass"
fi
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 12:01 PM
We bind at time of imaging. Never had an issue with trust breaking, etc.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 12:15 PM
@spraguga, same as @CasperSally for us.
But we also set the Mac's AD password to never change, & spent time getting NTP & AD replication fixed.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 12:33 PM
i generally include it with my imaging but in the event we have some ship to the UE then i have it a policy with a trigger of complete on enrollment, once per computer.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 12:38 PM
I've been checking the AD binding with an Extension Attribute that tests a directory lookup. It seems to be a good way to test that the binding is in working order.
I don't try to rebind anything on a schedule or even via a change in this EA...I use this more for validation and as a prereq for other scripts that will fail without the binding.
#!/bin/sh
#change service_account to a user in your domain that won't be deleted
id service_account 1>/dev/null
if [ $? == 0 ] ; then
echo "<result>Yes</result>"
else
echo "<result>No</result>"
fi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-20-2015 01:52 PM
I wouldn't re-bind regularly, only on error or auth failure.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-21-2015 08:46 AM
@CasperSally][/url][/url][/url We bind during imaging as well. However, every once in a while some computers lose their trust.
@bentoms][/url][/url Are you referring to the service account you are binding with? You can set this to not update the password during bind time? That would be great but wouldn't fly here.
@Josh.Smith][/url][/url][/url This might actually work. I'll have to test this out. However, you might still be able to do AD lookups with a broken trust.
Thanks for the replies everyone! ;)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-21-2015 09:10 AM
@spraguga - Every bound Mac has an Active Directory password, that as of at least 10.7 and up, gets stored in the System level keychain. Its typically named the same as your domain, so something like "/Active Directory/ORG" The password stored in there is what the Mac uses when its communicating with AD, same as you as a user would need a name/password to connect to domain resources. By default that has a 14 day password change interval, meaning every 14 days the Mac attempts to connect up to AD and ask for a new password and, as long as everything is working, the 2 stay in sync. But when a Mac is stuffed in a drawer for a month and not powered up and connected to your network, or if its used at someone's home and not on VPN, etc. the password eventually gets out of sync with AD and then communication is broken between the Mac and AD. We see this kind of scenario fairly often here.
What @bentoms was referring to was that computer AD password. You can set it to never ask for a new one.
Some places consider this to be a security risk though. Given a scenario where a Mac hasn't been powered up for 6 months and is way out of compliance with patches, then gets on the 'net, possibly gets exploited by Flash/Java/whatever being out of date, and then connects to your network and allowed on b/c the password hasn't expired, it represents a security risk.
Also, some places just have an AD based policy that will purge records that go stale after a certain date which means even if the password change interval is turned off, you can still lose connection to your AD environment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-21-2015 11:46 AM
@mm2270][/url][/url][/url Yes, I am aware of all that, just didn't realize you can set the pass to not update.
Any who I put this script together pretty quickly to test the current account binding authentication/trust. If anyone wants to use it you'll need to adjust for your environment.
#!/bin/bash
MYDOMAIN='YOURDOMAIN.COM'
COMPNAME=`scutil --get ComputerName | tr '[:upper:]' '[:lower:]'`
SERVICEACCOUNTPASS=`security 2>&1 >/dev/null find-generic-password -ga $COMPNAME$ | cut -d'"' -f2`
echo $SERVICEACCOUNTPASS | kinit --password-file=STDIN $COMPNAME$@$MYDOMAIN
if [[ $? != 0 ]]
then
echo "fail"
else
echo "pass"
fi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-21-2015 11:53 AM
I use this to check if the Mac is still talking to the domain properly. If this comes back as blank then a force unbind and re-bind is usually in order.
#!/bin/sh
ad_computer_name=`dsconfigad -show | grep "Computer Account" | awk '{print $4}'`
ad_computer_ou=`dscl /Search read /Computers/$ad_computer_name |
grep -A 1 dsAttrTypeNative:distinguishedName |
cut -d, -f2- | sed -n 's/OU=//gp' |
sed -n 's/(.*),DC=/1./gp' |
sed -n 's/DC=//gp' |
awk -F, '{
N = NF
while ( N > 1 )
{
printf "%s/",$N
N--
}
printf "%s",$1
}'`
echo "<result>$ad_computer_ou</result>"Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-21-2015 12:21 PM
@jhbush1973][/url The issue is that you can still do an AD lookup with a broken trust. My script will determine if the trust is out of sync.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-02-2015 09:48 AM
Some of my Macs have broken trust--I know a force unbind and re-bind will fix, but is there a fix for the underlying issue?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-02-2015 10:00 AM
@stevehahn No this is the standard working of Active Directory. There are multiple reasons for computers losing trust.
- Password doesn't sync for whatever reason
- Computer name change
- Computer time is off
- Binding account change
But you can use my script to see if the trust is actually broken.
