Binding to Active Directory using config profile, Sierra 10.12.5

EmDee
New Contributor III

Hello all,

Having trouble binding a machine to AD,

I'm currently using a Binding Profile set up in config manager with the following fields configured

  1. General
  2. Directory
  3. Certificate (is this necessary?)

General - obvious info

Directory

Directory type
Active Directory

Server address
region.office.domain.com

username + pw of generic account used for domain joining (confirmed this account works with a manual bind through Directory Utility)

Client ID office.domain.com

OU
Computers_Macs (corresponds with relevant OU in our AD)

Create mobile account
Require confirmation before creating mobile account
Use UNC path

Certificate
Printserver certificate from our CA (recent - previously I tried binding without a cert as I had read this shouldn't be a problem)

I get fails on all attempts: 'attempt to bind to the server "region.office.domain.com" returned an unspecified error'

Is there something obvious I am doing wrong?

Is there a better way to do this, via script or something? I'm not sure how I would get around the machine name settings in that case.

Please go easy on me!

PS: I am aware some are of the opinion that it is easier to bind as part of the initial build, but I've built about a hundred machines already without a bind, so redoing them isn't an option at the moment.

Any help appreciated


kerouak
Valued Contributor

try this...

```bash
#!/bin/bash

# Informational only; the value is not used further down.
MacModel="$(system_profiler SPHardwareDataType | grep 'Model Name')"

computeridtmp="$(scutil --get ComputerName)"
computerid="${computeridtmp}"

# Standard parameters
domain="DOMAIN NAME HERE"
# Placeholder: the original post used $ou below without defining it. Use the full DN
# of the target container, e.g. OU=Computers,OU=Computer_Macs,DC=domain,DC=org,DC=com
ou="OU PATH HERE"
udn="CasperLDAP"
# Base64 is obfuscation, not protection: anyone who can read this script can recover the password.
password="$(echo SkBtZm5AdGlvbgo= | openssl enc -base64 -d)"

# Advanced options AD Plugin
alldomains="enable"
localhome="enable"
protocol="smb"
mobile="enable"
mobileconfirm="disable"
useuncpath="enable"
user_shell="/bin/bash"
preferred="-nopreferred"
admingroups="domain admins,enterprise admins"
packetsign="allow"
packetencrypt="allow"
passinterval="14"
namespace="domain"

# Time Sync
# (no commands were included in the original post)

# Remove Existing Directory Services Config
# The original tested "! -d", which removes the path only when it does NOT exist;
# corrected here to remove it when it does.
if [ -d "/Library/Preferences/DirectoryService/ActiveDirectory" ]; then
    rm -R /Library/Preferences/DirectoryService/ActiveDirectory*
fi

if [ -d "/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig" ]; then
    rm -R /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
fi

if [ -d "/Library/Preferences/DirectoryService/SearchNode" ]; then
    rm -R /Library/Preferences/DirectoryService/SearchNode*
fi

if [ -d "/Library/Preferences/DirectoryService/ContactsNode" ]; then
    rm -R /Library/Preferences/DirectoryService/ContactsNode*
fi

if [ -d "/Library/Preferences/edu.mit.Kerberos" ]; then
    rm -R /Library/Preferences/edu.mit.Kerberos
fi

if [ -f "/etc/krb5.keytab" ]; then
    rm -f /etc/krb5.keytab
fi

# Clean up the DirectoryService configuration files
# (the forum rendering swallowed the globs; restored and left unquoted so they expand)
rm -vfR /Library/Preferences/DirectoryService/*
rm -vfR /Library/Preferences/DirectoryService/.[!.]*

# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

# Bind to AD
dsconfigad -force -add "$domain" -computer "$computerid" -username "$udn" -password "$password" -ou "$ou"

# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
else
    dsconfigad -groups "$admingroups"
fi

# $preferred is intentionally unquoted: it holds either a flag (-nopreferred) or nothing.
dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" -shell "$user_shell" $preferred -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval" -namespace "$namespace"

# Add the OD & AD node to the search path
if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
else
    csp="/Active Directory/$domain"
fi
# The original computed $csp but never applied it; these dscl calls do so.
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath "$csp"
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath "$csp"

exit 0
```

EmDee
New Contributor III

@kerouak, thanks so much for the reply! But excuse my thickness.

Should I separate that as 8 different scripts set to run, with triggers being the ending of the previously run script?

mm2270
Legendary Contributor III

Looks like @kerouak forgot to enclose his script in the script tags here. The large bolded lines are all comments, like this:

# Add the OD & AD node to the search path

They aren't separate scripts.

That being said, have you explored using the built in JSS binding config? That still works interestingly enough.
Scripting an AD bind is fine, sometimes even preferable since you have more granular control over it. We sometimes use scripts, but we also use the built in Directory Binding configuration to do this, which really does work well in most cases.
I would at least explore this before resorting to using scripts.

Though I'm not certain why the Config Profile route is giving you trouble, I wonder if the OU you're binding to is the issue. You noted the OU is Computers_Macs, but is there a full OU in there, something like: OU=Computers,OU=Computer_Macs,DC=domain,DC=org,DC=com ?
I think it needs to be a full OU designation like that to work.

One other suggestion is to try manually binding a Mac with Directory Utility using all the same settings in the GUI. If it works, then the same settings in a Binding config, or Configuration Profile, or even a script should work.
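Two of the inputs discussed above can be checked before they reach dsconfigad or a Directory Binding: the OU must be a full DN in the form mm2270 describes, and the computer name must be a valid NetBIOS-style name. The script below is an added example, not code from any poster in this thread; it assumes a DN with no escaped commas and accepts OU=, CN= and DC= components.

```bash
#!/bin/sh
# Added example (not posted by anyone in the thread): pre-flight checks for the values
# handed to dsconfigad, so a bad OU or computer name is caught before it surfaces as
# an "unspecified error" from the directory server.

# Turn a DNS domain into the matching DC= suffix: office.domain.com -> DC=office,DC=domain,DC=com
dc_suffix_for_domain() {
    printf '%s' "$1" | awk -F'[.]' '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# Succeed only when the OU is a full distinguished name: OU=/CN= components ending in the
# DC= suffix of the domain being joined. A bare container name such as "Computers_Macs"
# is rejected. Assumption: no escaped commas ("\,") inside component values.
validate_ou() {
    ou="$1"
    suffix="$(dc_suffix_for_domain "$2")"
    case "$ou" in
        OU=*",$suffix") ;;
        *) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=','; set -f
    for comp in $ou; do
        case "$comp" in
            OU=?*|CN=?*|DC=?*) ;;
            *) IFS="$old_ifs"; set +f; return 1 ;;
        esac
    done
    IFS="$old_ifs"; set +f
    return 0
}

# The computer name becomes the AD computer account name: 1-15 characters, letters, digits
# and interior hyphens only. Longer names exceed the NetBIOS limit and are a common cause
# of failed binds or duplicate computer accounts.
check_computer_id() {
    id="$1"
    [ "${#id}" -ge 1 ] && [ "${#id}" -le 15 ] || return 1
    case "$id" in
        *[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    return 0
}

# usage: preflight.sh <ou-dn> <domain> <computer-name>
if [ "$#" -eq 3 ]; then
    validate_ou "$1" "$2" && check_computer_id "$3" && echo "OK" || { echo "check failed" >&2; exit 1; }
fi
```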

debrat
New Contributor III

@EmDee Have you tried configuring directory binding in the JAMF settings > Computer management > Directory Bindings and then set a policy with the directory binding config you created?

EmDee
New Contributor III

@mm2270 Thanks!

Sadly I can't get the script to work for me when pushed from JAMF, after running sudo jamf -policy in order to fetch the script, I get a load of 'command not found' errors when it runs.

Checking on the OU now

@debrat

Yup, I've used the directory bindings feature (global system settings > Directory bindings) and then added that directory binding to a profile, but still no luck. I can bind with the exact details that I enter, and I have no time mismatch or anything obvious that would prevent the bind from working; I get errors ranging from 'the authentication server could not be contacted' to an error 10001.

Very frustrating

Thanks for the help guys, I really appreciate it

EmDee
New Contributor III

Hey, so turns out that the domain joiner account I was using with my directory binding profile was the problem - I'm not quite sure why, as I had used it to manually bind a machine to AD in order to test it, so I tried my own credentials in the binding profile (not ideal) and everything worked fine.