AD Bindings Screwing Up

Matt
Valued Contributor

Is anyone else having an issue where a computer is bound to AD, the green light is on saying you are bound, but you can't log in unless you bind and unbind?

Is this a known issue???

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

29 REPLIES

stevewood
Honored Contributor II

What does /var/log/secure.log say?

This sounds very similar to a problem I see quite regularly on my OD and AD bound machines (in the process of moving to all AD). User walks away from their machine and comes back sometime later, after the screen saver has activated. They go to clear the screen saver and receive "Incorrect Password" for their troubles. I then try with a local admin account and receive the same "Incorrect Password" message.

A quick peek at secure.log reveals the following error:

pam_sm_authenticate(): Failed to determine Kerberos principal name.

Unfortunately up to this point the only way I have found to fix the problem is to force restart the machine. My suspicion is that the Kerberos ticket expires while the user is away and causes this problem. I filed a bug with Apple, but it was closed because they said it was because my directory server was unreachable. Huh?

So, what does secure.log say for you?

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

rogerlee_teco
New Contributor

Had similar issues with both workstations and servers doing the same. Only resolve was, like Todd mentioned, to re-add to the domain and set "dsconfigad -passinterval 0". Haven't had issues since. (Knocking on wood)…

Roger Lee
Office (813) 228-4424
iPhone (813) 610-1485
ralee at tecoenergy.com

Tampa Electric
702 N. Franklin St. - Plaza 2
Tampa, FL 33602
http://www.tampaelectric.com

A TECO Energy Company
(NYSE: TE)
http://www.tecoenergy.com

Matt
Valued Contributor

Are you running a script or MCX for that?
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

rogerlee_teco
New Contributor

Worse, Apple Remote Desktop Unix Command… As root

Matt
Valued Contributor

You're killing me!!! hahahaa!

Post Flight Imaging Script? Would that suffice?
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

bentoms
Release Candidate Programs Tester

Well, at my previous employer I only saw an issue like this on 1 child domain & it was a multi-treed global domain.

Sooo... I'm thinking it's an AD issue. Macs are very finicky when it comes to AD.

Other than checking the domain time, you can also do an nslookup or host lookup on your domain & ping each entry that's returned. Remove all dead entries & create DNS entries for any that do not have one.

Regards,

Ben.

nessts
Valued Contributor II

My AD binding is a script that runs after the firstboot stuff is done, if it can ping the DC. After binding, I then set AD admin groups, set the passinterval, etc.
And if you are rebinding manually, you can just run the command in a terminal after the rebind.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

Matt
Valued Contributor

Would you mind sharing this script? The lazy IT person in me wants to mooch.

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

rogerlee_teco
New Contributor

Now that I'm re-living these wonder days, let me drop one more nugget on this.

Environment = multi-treed AD Domain

The dsconfigad passinterval resolved the issue post re-adding the wkstn/server back into the domain; the bigger challenge was in getting it back in the domain. Once the wkstn/server lost its AD connection, I had to make sure to manually go into AD and delete the object, allow enough time for the object deletion to propagate across to all the secondary domain controllers (approx 20 to 30 min), then re-add. This was the only way I was able to get the objects back in AD authenticating successfully. Then I ran the dsconfigad to get the systems to not regenerate their object pass. Re-add prior to propagation, no worky... Ask AD Admin group to help... priceless...

Hey, I was so happy to get them back in the domain (and users able to log back in) I would've run to each workstation (or skipped) and done it manually...

nessts
Valued Contributor II

Well, it's not that easy: the current implementation is in Perl modules and has a bunch of stuff that would not work without some HPES packages, but in short, if you know Perl, here is the meat of it. You will of course have to set variables to make this work.

# Needs $dsconfigad, $bindname, $DOMAIN, $ACCT, $PW, $OU, $PI, $AllDomains, $DS and
# $progname set by the caller (the HPES-specific modules are left out).
use Sys::Syslog qw(:standard);

my ($ds_args, $rc, $sptmp);

# bind; the command line is echoed with ##### in place of the password,
# which is only substituted in afterwards
$ds_args = "-f -a $bindname -domain $DOMAIN -u $ACCT -p #####";
$ds_args .= " -ou $OU" if ($OU);
print "$dsconfigad $ds_args\n";
$ds_args =~ s/#####/$PW/;
open CONFIGAD, "$dsconfigad $ds_args 2>&1 |" or die "$progname: dsconfigad: $!\n";
while (<CONFIGAD>) {
    chomp;
    die "$progname: $dsconfigad: $_\n" if (/^Error:/);
}
close CONFIGAD;

syslog('notice', "setting bind option: passinterval");
$ds_args = "-passinterval $PI";
$rc = system("$dsconfigad $ds_args");
die "$progname: AD binding failed\n" if ($rc);

syslog('notice', "setting bind option: cached accounts");
$ds_args = "-mobile enable -mobileconfirm disable";
$rc = system("$dsconfigad $ds_args");
die "$progname: AD binding failed\n" if ($rc);

# disable logging in to all domains if needed
if ($AllDomains) {
    $sptmp = 'All Domains';
} else {
    syslog('notice', "setting bind option: alldomains disable");
    $ds_args = "-alldomains disable";
    $rc = system("$dsconfigad $ds_args");
    die "$progname: AD binding failed\n" if ($rc);
    $sptmp = "$DOMAIN";
}

# set search policy
syslog('notice', "setting search policy");
$rc = system("dscl /Search -create / SearchPolicy CSPSearchPath");
die "$progname: dscl create /\n" if ($rc);
$rc = system("dscl /Search/Contacts -create / SearchPolicy CSPSearchPath");
die "$progname: dscl create Contacts\n" if ($rc);
$rc = system("dscl /Search -append / CSPSearchPath \"/Active Directory/$sptmp\"");
die "$progname: dscl append /\n" if ($rc);
$rc = system("dscl /Search/Contacts -append / CSPSearchPath \"/Active Directory/$sptmp\"");
die "$progname: dscl append Contacts\n" if ($rc);
system("defaults write $DS \"Active Directory\" -string Active");

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

bentoms
Release Candidate Programs Tester

It's not normal. But I've to see it in my new role.

For me, it's been due to AD replication issues. Have the Macs' computer accounts been moved?

Regards,

Ben.

Walter
New Contributor II

Have seen it on 10.6.7 and 10.6.8 systems. No explanation. Only resolution was to unbind/bind in the three instances I've seen. File a bug report with Apple.
--
Walter Rowe, System Hosting
Enterprise Systems / OISM
walter.rowe at nist.gov
301-975-2885

nessts
Valued Contributor II

I have seen problems like this; it could be that your trust relationships are not correct, if you have multiple domains.
To test this, go to Directory Utility, edit the AD settings, show advanced options, uncheck the box that says "allow authentication from any domain in the forest", click OK and save that change.
Then go to Search Policy in Directory Utility and choose Custom path,
click the + and add the proper domain the users reside in.

That might clear up your being bound and not being able to log in.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
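Todd's Directory Utility steps above (and Ben's earlier advice to look up the domain and ping every DC it returns) come down to three things you can read straight off the command line, which is quicker than a blind unbind/rebind. The script below is an added example written for this thread, not anything from the original posts or from HPES: it parses dsconfigad -show, the CSPSearchPath that dscl reports, and the _ldap._tcp.dc._msdcs SRV records, and flags the "green light but no login" state where the machine is bound but no /Active Directory node ever made it onto the search path, or where the search path disagrees with the any-domain setting. The sample outputs embedded in it are constructed (layout approximating 10.6, not captured from a real host), and corp.example.com, dc1/dc2 and the other names are made up.

```shell
#!/bin/sh
# ad_bind_check.sh -- is this Mac really usable as bound?  (added example, not from the thread)
#   sh ad_bind_check.sh --sample   # run the checks against the constructed sample output below
#   sh ad_bind_check.sh --live     # run the real commands, as root, on the Mac in question

# --- constructed sample output; layout approximates Mac OS X 10.6, not captured from a real host
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-001$

Advanced Options - Administrative
  Allowed admin groups             = CORP\mac-admins
  Authentication from any domain   = Disabled
  Password change interval         = 0'

# search path the way Todd sets it: custom path carrying the domain the users live in
SAMPLE_SEARCH='CSPSearchPath:
 /Local/Default
 /BSD/Local
 /Active Directory/corp.example.com'

# the "green light but no login" state: bound, but the AD node never reached the search path
SAMPLE_SEARCH_BAD='CSPSearchPath:
 /Local/Default
 /BSD/Local'

SAMPLE_SRV='_ldap._tcp.dc._msdcs.corp.example.com has SRV record 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com has SRV record 0 100 389 dc2.corp.example.com.'

# show_value KEY   (stdin: dsconfigad -show output) -> prints the value of the "KEY = value" line
show_value() {
    awk -F' = ' -v key="$1" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { print $2; exit }'
}

# ad_search_nodes   (stdin: dscl /Search -read / CSPSearchPath) -> the /Active Directory/... entries
ad_search_nodes() {
    awk '/^ *\/Active Directory\// { sub(/^ +/, ""); print }'
}

# dc_hosts   (stdin: host -t SRV _ldap._tcp.dc._msdcs.DOMAIN output) -> one DC hostname per line
dc_hosts() {
    awk '/has SRV record/ { h = $NF; sub(/\.$/, "", h); print h }'
}

# check_bind SHOW_TEXT SEARCH_TEXT -> 0 if the bind is consistent, 1 with a reason if it is not
check_bind() {
    domain=$(printf '%s\n' "$1" | show_value "Active Directory Domain")
    anydom=$(printf '%s\n' "$1" | show_value "Authentication from any domain")
    nodes=$(printf '%s\n' "$2" | ad_search_nodes)
    if [ -z "$domain" ]; then
        echo "NOT BOUND: dsconfigad -show reports no domain"; return 1
    fi
    if [ -z "$nodes" ]; then
        echo "BOUND to $domain BUT no /Active Directory node on the search path: logins will fail"; return 1
    fi
    # the search path has to agree with the any-domain setting, or AD users are never searched
    case "$anydom" in
        Enabled)
            printf '%s\n' "$nodes" | grep -q '/All Domains$' ||
                { echo "any-domain auth is on but the search path has no All Domains node"; return 1; } ;;
        Disabled)
            printf '%s\n' "$nodes" | grep -v '/All Domains$' | grep -q . ||
                { echo "any-domain auth is off but the search path only has All Domains"; return 1; } ;;
    esac
    echo "OK: bound to $domain; search path has $(printf '%s' "$nodes" | tr '\n' ' ')"
}

# live_check: the same checks on the running system, plus Ben's ping of every DC the domain advertises
live_check() {
    show=$(dsconfigad -show 2>&1)
    search=$(dscl /Search -read / CSPSearchPath 2>&1)
    check_bind "$show" "$search" || return 1
    domain=$(printf '%s\n' "$show" | show_value "Active Directory Domain")
    for h in $(host -t SRV "_ldap._tcp.dc._msdcs.$domain" | dc_hosts); do
        # -t is the timeout in seconds on Mac OS X ping
        if ping -c 1 -t 3 "$h" >/dev/null 2>&1; then
            echo "DC $h: answers"
        else
            echo "DC $h: NO ANSWER (stale SRV/A record? remove it or fix DNS)"
        fi
    done
}

case "${1:-}" in
    --sample) check_bind "$SAMPLE_SHOW" "$SAMPLE_SEARCH"; check_bind "$SAMPLE_SHOW" "$SAMPLE_SEARCH_BAD" ;;
    --live)   live_check ;;
esac
```

Run it with --sample to see one passing and one failing search path; with --live it reads the real machine. If it reports OK but users still cannot log in, the remaining suspects are the ones the rest of the thread covers: the computer trust password, clock skew against the DCs, and a computer object that was moved before replication caught up.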

Matt
Valued Contributor

Exactly what I did.

Must just be typical Apple in this case :(

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

Matt
Valued Contributor

We have a flat AD environment (not by choice!)

--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

CasperSally
Valued Contributor II

We also have a ticket in with apple for this issue, but it was probably ignored when I didn't send an EDC over (waiting for next time it happens).

nessts
Valued Contributor II

The problem you guys are seeing, where a machine has been online for months and all of a sudden cannot log in, can sometimes be addressed by using the -passinterval days flag in the dsconfigad command (how often to change the computer trust account password, in days). I have had to not change the password at some domains and change it at others; check with your AD admin.

And then every now and then you go to rebind and you cannot authenticate with your binding account; this usually points to a problem with Kerberos.
At this point I do a manual reset of AD:
rm /Library/Preferences/DirectoryService/*
rm /var/db/dslocal/nodes/Default/config/Kerberos*
killall DirectoryService

then run your binding script again.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services
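Todd's Perl snippet earlier in the thread and the manual reset in this post are one procedure with a reset step in front of it, so here is a shell version of the whole thing as an added example; it is not HPES's script and was not posted in the thread. Everything configurable (corp.example.com, the OU, the svc-macbind join account, the root-only password file, passinterval 0) is an assumed value meant to be overridden in the environment. DRY_RUN=1 prints every command instead of running it, with the password masked the same way Todd's print statement masks it. Two caveats worth keeping in mind: dsconfigad -p puts the password on the command line, where ps can see it for the duration of the call, so the join account should be a delegated account that can only create computer objects in that OU rather than a domain admin; and the /Active Directory/DOMAIN search-path node name is the 10.6 layout Todd's script uses, which differs on later releases.

```shell
#!/bin/sh
# ad_rebind.sh -- reset DirectoryService state and rebind a Mac to AD (added example; not HPES's Perl)
# Run as root on the Mac; written against Mac OS X 10.6-era dsconfigad/dscl like the thread.
#   DRY_RUN=1 sh ad_rebind.sh --bind     # print every command, run nothing
#   sh ad_rebind.sh --bind               # bind + post-bind options
#   sh ad_rebind.sh --reset-and-bind     # Todd's manual reset first, then bind
# All of these defaults are assumptions for the example; override them in the environment.
DOMAIN="${DOMAIN:-corp.example.com}"
OU="${OU:-OU=Macs,OU=Workstations,DC=corp,DC=example,DC=com}"
BIND_ACCT="${BIND_ACCT:-svc-macbind}"                 # delegated join account, not a domain admin
PASS_FILE="${PASS_FILE:-/private/var/root/.adbind}"   # one line, root-owned, mode 0600
PASS_INTERVAL="${PASS_INTERVAL:-0}"                   # days; 0 = never rotate (ask your AD admins)
DRY_RUN="${DRY_RUN:-0}"
PASSWORD="${PASSWORD:-}"                              # normally filled in from PASS_FILE
# AD computer names are NetBIOS names: 15 characters, letters/digits/hyphen only
COMPUTER="${COMPUTER:-$(scutil --get ComputerName 2>/dev/null || hostname -s 2>/dev/null || echo mac)}"
COMPUTER=$(printf '%s' "$COMPUTER" | tr -cd 'A-Za-z0-9-' | cut -c1-15)

# run CMD ARGS... : log the command (to stderr) with the bind password masked, then execute unless DRY_RUN=1
run() {
    logline=""
    for a in "$@"; do
        [ -n "$PASSWORD" ] && [ "$a" = "$PASSWORD" ] && a='#####'
        logline="$logline $a"
    done
    echo "+$logline" >&2
    [ "$DRY_RUN" = 1 ] && return 0
    "$@" || { echo "FAILED:$logline" >&2; return 1; }
}

# load_password: take PASSWORD from the environment if the caller set it, else from a root-only file
load_password() {
    [ -n "$PASSWORD" ] && return 0
    if [ ! -f "$PASS_FILE" ]; then
        echo "$PASS_FILE missing" >&2; return 1
    fi
    # refuse a secret that group or world can read (find prints the file if g+r or o+r is set)
    if [ -n "$(find "$PASS_FILE" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "$PASS_FILE is group/world readable; chmod 600 it" >&2; return 1
    fi
    PASSWORD=$(head -n 1 "$PASS_FILE")
    [ -n "$PASSWORD" ] || { echo "$PASS_FILE is empty" >&2; return 1; }
}

# reset_ds: Todd's manual reset (wipe DirectoryService prefs and the cached Kerberos config,
# restart the daemon), with a tarball of both taken first so a bad rebind can be rolled back
reset_ds() {
    stamp=$(date +%Y%m%d%H%M%S)
    run tar czf "/private/var/root/ds-backup-$stamp.tgz" \
        /Library/Preferences/DirectoryService /var/db/dslocal/nodes/Default/config || return 1
    run sh -c 'rm -f /Library/Preferences/DirectoryService/* /var/db/dslocal/nodes/Default/config/Kerberos*' || return 1
    run killall DirectoryService || return 1
    [ "$DRY_RUN" = 1 ] || sleep 5     # let launchd bring DirectoryService back before dsconfigad talks to it
}

# bind_ad: Todd's sequence -- bind only if the domain answers, then the post-bind options and a
# custom search path carrying the users' domain (the fix for "bound but cannot log in")
bind_ad() {
    load_password || return 1
    # in AD-integrated DNS the domain name itself resolves to the DCs; no answer, no point binding
    run ping -c 1 "$DOMAIN" >/dev/null || { echo "no DC answers for $DOMAIN; not binding" >&2; return 1; }
    # the password is on the command line here and visible to ps until dsconfigad returns
    run dsconfigad -f -a "$COMPUTER" -domain "$DOMAIN" -u "$BIND_ACCT" -p "$PASSWORD" -ou "$OU" || return 1
    run dsconfigad -passinterval "$PASS_INTERVAL" || return 1
    run dsconfigad -mobile enable -mobileconfirm disable || return 1   # cached accounts, no prompt
    run dsconfigad -alldomains disable || return 1                     # do not authenticate forest-wide
    for node in /Search /Search/Contacts; do
        run dscl "$node" -create / SearchPolicy CSPSearchPath || return 1
        run dscl "$node" -append / CSPSearchPath "/Active Directory/$DOMAIN" || return 1
    done
}

case "${1:-}" in
    --bind)           bind_ad ;;
    --reset-and-bind) reset_ds && bind_ad ;;
esac
```

The tarball in reset_ds is the one thing Todd's three rm/killall lines do not give you: if the rebind fails partway (the "cannot authenticate with your binding account" case), untarring it and restarting DirectoryService puts the machine back where it was instead of leaving it half-bound.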

nessts
Valued Contributor II

I believe that unless it affects the general consumer, the likelihood of your AD bugs being fixed is slim. Case in point will be the release of Lion this month.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

rockpapergoat
Contributor III

have you checked this kb article?

http://support.apple.com/kb/TS2691

I've seen issues with the Kerberos config files under /var/db/dslocal/nodes/Default/config, as described in the article. It happened mostly with 10.5 clients but could also affect 10.6.

bentoms
Release Candidate Programs Tester

Another thing worth checking is the time sync of the DCs.

Run this in DOS on a PC on the domain:

W32tm /monitor /domain:yourdomainname

Replacing yourdomainname with your domain name.

Any errors will not help.

Regards,

Ben.

bentoms
Release Candidate Programs Tester

Sorry but where in AD does it give the computer account password expiration interval?

My ad admins all looked at me blankly.

Regards,

Ben.

nessts
Valued Contributor II

I just ask the AD admins if the computers have to change their password, and they usually answer "yeah, every 30 days" or "no, they don't". If they say no, I provide a 0 as the argument to the command; if they say 30 days, then 30 to the command. That's all the info I have, sorry.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

Matt
Valued Contributor

This is critical!!!
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

Matt
Valued Contributor

Perfect! Thanks!!!
--
Matt Lee, CCA/ACMT/ACPT/ACDT
Senior IT Analyst / Desktop Architecture Team / Apple S.M.E / JAMF Casper Administrator
Fox Networks Group

bentoms
Release Candidate Programs Tester

A lot of info in this thread/convo, keep it coming!

I'm a domain admin & have just got a Casper license (but am awaiting Lion).

So I'll see what I can find tomorrow, I won't touch just look!

For us, I've found it reproducible.

Bind a Mac to AD, find its object on the Primary DC in /Computers. Move the object. Try to log in or do a dscl lookup. FAILS.

Bind a Mac to AD, find its object on the Primary DC in /Computers. Move the object. Manually replicate all DCs from primary. Try to log in or do a dscl lookup.
WORKS

But they may just be us.

Regards,

Ben.

nessts
Valued Contributor II

Why are you moving the object instead of just putting it in the right place during binding? are you binding with a script or manually in the gui or command line?

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

bentoms
Release Candidate Programs Tester

Manually for now.

Once Casper's in, Casper binds to the correct OU.

But they changed the OU structure here recently (lots of projects on). And have only just agreed a structure.

Regards,

Ben.

nessts
Valued Contributor II

When you authenticate manually, the OU is right there on that screen; you can type in the proper OU there and have it be in the correct place from the start.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

bentoms
Release Candidate Programs Tester

True. But there was no correct place for the Macs when I started. Someone then created one & moved some 20 Macs into it. I then get a call the following morning that none of the Macs can log in to AD.

Since they stopped moving the objects, 0 issues.

But it does show an issue with ad replication that needs to be fixed.

Regards,

Ben.