AD Binding Issues with 10.5

gnowosad
New Contributor

Is anyone having AD binding issues with the 10.5 migration? We have a number of laptops and workstations that need to be unbound and rebound consistently. Apple is working on the issue as an escalated ticket but I am not sure if it is just us or a plugin issue. In some instances mobile accounts on a given workstation can't even log into the computer with a mobile account already existing on the box. Anyone experiencing similar issues???

Glenn Nowosad
Director of Technology
Lakeland Catholic Schools
4810-46 Street Bonnyville, AB, Canada
780-826-3764 District Office
780-812-3414 Tech Shop
http://www.lcsd150.ab.ca
gnowosad at lcsd150.ab.ca


Not applicable

I've had similar inconsistent issues. Usually the computer will bind to AD ok manually or via Casper if the computer name is 15 characters or less. Sometimes it still works with longer names and just truncates. My issue is that some known good AD user accts can't log in to certain machines randomly. Will work one day and not the next. Other computers in the same lab work, but then go back to the first bad one and it works. Timing issue? I can't nail it down much. Also, some logins are really slow for users, especially the first time they log in to a computer and it creates the acct, and homedir and settings, 2-3 minutes sometimes. Maybe that is network related, but it frustrates our users. Other problem I have is AD users that log in and are members of an AD admin group that should get local admin rights when logging in, lose that setting when they are off our internal network. Known issue, but various fixes with scripts or other WGM tools. I'd like it to just work the way it is supposed to, though. Call me crazy.
-Nathaniel

jstrauss
Contributor

I've shared Nathaniel's experiences with binding. I've also seen some cases where binding will break when the computer is put into a custom-named container, but will work fine when the default container is used. Oh, and a big annoyance is when I've had to disable a user's home folder in AD because OS X will generate a logon error if the home folder's enabled. It's been random, and has only occurred with a few users, but it's annoying nonetheless.

- Jeff

Not applicable

I am having similar issues here as well. Mostly to do with intermittently
being unable to login to a machine via AD even though OS X indicates it is
bound and can communicate with the domain.

I also found that sporadically machines would lose connectivity to the DC
and would require an unbind and rebind to get logins to work again.

After a bit of prompting our networks people created a service account for
binding and so far things have improved a little. Still get the occasional
user who can't log in so I am not sure if it is timing between client and
server (clients are pointing at our internal NTP server).

Hopefully Apple get this one sorted as it is painful.

macmckee
New Contributor

10.5 update just rolled out yesterday, and I had the same issue. What I noticed is that the Date & Time Timezone settings were changed on the client. Check to see if the correct time is displayed. Ours switched from central to some west coast location. Time synchronization is very important in Active Directory. If your time is not in sync with AD, Kerberos authentication will fail, resulting in domain users not being able to log in.
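
A pre-bind check for the two causes named in this thread (computer names longer than 15 characters, and clock skew breaking Kerberos), as an added example that is not part of any post above. It assumes the Kerberos default tolerance of 5 minutes and the one-line format printed by `ntpdate -q`; the sample line, the computer names and `dc01.example.com` are constructed placeholders.

```shell
#!/bin/sh
# Added example: checks a client name and clock offset before binding to AD.
MAX_NAME_LEN=15      # computer-name limit mentioned in the thread
MAX_SKEW_SECS=300    # assumption: Kerberos default clock-skew tolerance (5 min)

# name_ok NAME -> exit 0 if NAME fits in 15 characters
name_ok() {
    [ "${#1}" -le "$MAX_NAME_LEN" ]
}

# ntp_offset LINE -> prints the offset in seconds from one `ntpdate -q` line
ntp_offset() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-\{0,1\}[0-9.]*\).*/\1/p'
}

# skew_ok OFFSET -> exit 0 if |OFFSET| is within the Kerberos tolerance
skew_ok() {
    awk -v o="$1" -v max="$MAX_SKEW_SECS" \
        'BEGIN { if (o < 0) o = -o; exit !(o <= max) }'
}

# prebind_report NAME NTPDATE_LINE -> prints one verdict per check
prebind_report() {
    if name_ok "$1"; then echo "name: ok"
    else echo "name: too long (${#1} > $MAX_NAME_LEN)"; fi
    off=$(ntp_offset "$2")
    if [ -z "$off" ]; then echo "time: could not parse offset"
    elif skew_ok "$off"; then echo "time: ok (offset ${off}s)"
    else echo "time: skew too large (offset ${off}s)"; fi
}

# Constructed sample: a 19-character name and a clock two hours off.
SAMPLE_LINE='server 10.0.0.10, stratum 3, offset -7200.418213, delay 0.02591'
prebind_report "LAB-SCIENCE-IMAC-07" "$SAMPLE_LINE"

# Live use on a client (dc01.example.com is a placeholder for your DC, and
# using ComputerName as the bind name is an assumption):
#   prebind_report "$(scutil --get ComputerName)" \
#                  "$(ntpdate -q dc01.example.com | head -1)"
```

Kerberos compares clocks in UTC, so the offset reported by NTP is the value that matters here, not the time zone shown in the menu bar.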