Big Sur Active Directory Binding

kpeng09
New Contributor

We are trying to get binding working through Big Sur. Our configuration profile for binding worked previously in Catalina, but now it doesn't work on Big Sur.

When looking at Active Directory, the machine says it's bound, but we can't seem to log in with our domain accounts.

Does anyone have this issue in Big Sur? Any suggestions/tips would be appreciated.


jcarr
Contributor III

While binding might work for non-mobile, shared devices (e.g. iMac in a lab), it can be a headache for mobile devices deployed in a 1:1.

I'd recommend looking at alternatives to binding, like the Kerberos Single Sign-on Extension. Pair this with authenticated enrollment and pre-setting the local account full name and short name to match the directory, and you have most (if not all) of the benefits of binding without the headache.

Just my $0.02

cbrewer
Valued Contributor II

What happens if you skip the config profile and bind with Directory Utility or dsconfigad? In general, binding works and is supported in Big Sur. There is a known bug, however, where an AD user with a mobile account doesn't get a login keychain on their first login.

kpeng09
New Contributor

@cbrewer We were able to fix the plugin error by adding the computer to our Windows AD list. However, even though manual binding is successful now, we still cannot log in with our domain accounts. We're pretty stumped by the issue. I will update this post once we figure out what's wrong with our binding method and Big Sur.

efil4xiN
New Contributor III

No issue binding Catalina 10.15.7 or Big Sur 11.2.3 using the Jamf built-in utility.

fernando_gonzal
Contributor

Do you have the same issue if you use a script? Sample below:

#!/bin/sh
# Bind to AD (quote the computer name: ComputerName often contains spaces)
computerid=$(scutil --get ComputerName)
dsconfigad -f -a "$computerid" -domain ad.yourcompany.com -u "adbindingaccount" -p "adbindingpassword" -ou "OU=OUWHERETHEYWILLLAND,DC=ad,DC=yourcompany,DC=com"
sleep 1

# Set advanced options
dsconfigad -useuncpath disable
sleep 1

dsconfigad -passinterval 0
sleep 1

# Enable encryption (require signed and encrypted LDAP traffic to the DCs)
dsconfigad -packetsign require
dsconfigad -packetencrypt require

# Restart opendirectoryd so the new settings take effect
killall opendirectoryd
sleep 5

JoySeeley
New Contributor III

I have started experiencing this exact same problem on the new M1 Mac minis we have gotten. I have gathered the logs and submitted a report to Apple, and am now working with one of the techs on this issue. I have 31 Mac minis I need to get working, so it's a priority for me and will share whatever resolution Apple offers.

mark_mahabir
Valued Contributor

@JoySeeley I am also beginning to see issues, particularly on M1 devices. In particular, our root and intermediate certificates are not automatically getting trusted whereas they were in previous OS revisions.

I would be very interested in seeing any feedback from Apple!

JoySeeley
New Contributor III

I have gotten a response, but all they wanted were the logs. I keep updating and I have also told Apple that there is this thread with others having the same issue.

Stay tuned!

EREAFSNJAMF
New Contributor III

Similar issue. Getting back to basics, we found ARM machines can no longer resolve our Active Directory domain name... Intel machines are unaffected... We believed we were having a DNS issue, but all records check out...? Testing more. I'll get back to you if I find something.

Found Sophos Endpoint and Cisco AnyConnect System Extensions clashed and caused this issue. Am waiting for Sophos to update the client about this known issue of not working with some VPN clients.

RamosC
New Contributor II

Hello! Did you get an update from Sophos? We use Sophos, and I am looking at all possibilities that may be causing this issue before looking at alternatives like Jamf Connect, Kerberos, etc.

JoySeeley
New Contributor III

I also asked about Jamf Connect, but Apple was unwilling to state whether it would resolve the issue or not, or at least work around it...


whiteb
New Contributor II

Any update on this? We need to bind M1 Mac minis for a shared lab setting and are having issues binding: 5200 error.

Console entry says 'KDC is unreachable - 'unable to reach KDC in realm '__our AD domain name__', tried 0 KDCs'

Was looking at this: https://www.blackvoid.club/how-to-join-a-mac-in-microsoft-active-directory/

That was published in 2019, these computers are 11.3 Big Sur and do not have a /etc/krb5.conf file, they have a krb5.keytab file though.
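The "tried 0 KDCs" message above points at KDC discovery rather than the bind itself. As an added diagnostic (not code from this thread): on a Mac with no /etc/krb5.conf the Kerberos client locates KDCs through the DNS SRV records _kerberos._tcp.<realm>, so this script lists what DNS advertises for the realm and tests TCP/88 to each host; ad.example.com and the dc hostnames are constructed placeholders.

```shell
#!/bin/sh
# Diagnose "unable to reach KDC in realm ..., tried 0 KDCs" on a Mac that has
# no /etc/krb5.conf: with no realm stanza, Kerberos finds KDCs only through the
# DNS SRV records _kerberos._tcp.<realm>, so zero SRV answers means zero KDCs.
# Usage: sh kdc_check.sh ad.example.com   (domain name is a constructed example)

# Read dig +short SRV output ("priority weight port target.") on stdin and emit
# "target port" lines, lowest priority first and highest weight first, which
# is the order a Kerberos client would try them.
parse_kdc_srv() {
    sort -k1,1n -k2,2nr | awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Number of KDC candidates in parsed output (the "tried N KDCs" figure).
count_kdcs() {
    awk 'NF == 2 { n++ } END { print n + 0 }'
}

# Query SRV records for the realm, list the KDCs, and test TCP/88 to each.
check_realm() {
    realm=$1
    srv=$(dig +short SRV "_kerberos._tcp.$realm" | parse_kdc_srv)
    n=$(printf '%s\n' "$srv" | count_kdcs)
    if [ "$n" -eq 0 ]; then
        echo "no _kerberos._tcp.$realm SRV records: the client will try 0 KDCs"
        echo "check the resolver with: scutil --dns; nslookup -type=SRV _kerberos._tcp.$realm"
        return 1
    fi
    echo "$n KDC(s) advertised for $realm:"
    printf '%s\n' "$srv" | while read -r host port; do
        if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
            echo "  reachable   $host:$port"
        else
            echo "  unreachable $host:$port (firewall, VPN split tunnel, or stale SRV)"
        fi
    done
}

if [ $# -gt 0 ]; then
    check_realm "$1"
fi
```

If the SRV query returns nothing on an M1 but the same query works from an Intel Mac on the same network, compare `scutil --dns` output on both, since the thread's symptom is resolver behaviour rather than the bind command.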

RamosC
New Contributor II

Has anyone received any updates? I am experiencing this issue with all M1 computers. I can connect to AD, but no one except a specific group of users can sign in, whereas Intel computers have no issue letting anyone sign in. (The OS does not seem to be the factor, as some Intel computers are on Big Sur 11.5 and bind and connect with no issue.)

JoySeeley
New Contributor III

Apple is aware of the issue, as I have put in a support ticket. They don't plan on addressing it until the release of Monterey. I had to find some Intel Mac minis and not replace some iMacs while I wait for Apple to iron out the problem. Something about DNS not being updated correctly when binding to AD in a multiple-domain environment. The ticket is still open with Apple.

Long story short, I have to wait for Monterey, but I still could not get a clear, definitive answer on whether it would actually fix the problem.