Posted on 07-07-2017 02:48 AM
Hello all,
Having trouble binding a machine to AD.
I'm currently using a Binding Profile set up in config manager with the following fields configured:
General - obvious info
Directory:
Directory type: Active Directory
Server address: region.office.domain.com
Username + password of the generic account used for domain joining (confirmed this account works with a manual bind through Directory Utility)
Client ID: office.domain.com
OU: Computers_Macs (corresponds with the relevant OU in our AD)
Create mobile account
Require confirmation before creating mobile account
Use UNC path
Certificate: print server certificate from our CA (recent; previously I tried binding without a cert, as I had read this shouldn't be a problem)
I get fails on all attempts: 'attempt to bind to the server "region.office.domain.com" returned an unspecified error'.
Is there something obvious I am doing wrong?
Is there a better way to do this, via script or something? I'm not sure how I would get around the machine name settings in that case.
Please go easy on me!
PS: I am aware some are of the opinion that it is easier to bind as part of the initial build, but I've built about a hundred machines already without a bind, so redoing them isn't an option at the moment.
Any help appreciated
Posted on 07-07-2017 03:19 AM
try this...
#!/bin/bash
MacModel="$(system_profiler SPHardwareDataType | grep 'Model Name')"
computerid="$(scutil --get ComputerName)"
# Site settings: the domain, the OU as a full DN (OU=...,DC=...,DC=...) and the bind account
domain="DOMAIN NAME HERE"
ou="OU PATH HERE"
udn="CasperLDAP"
# base64 only obscures the bind password; anyone with the script can decode it
password="$(echo SkBtZm5AdGlvbgo= | openssl enc -base64 -d)"
# dsconfigad options
alldomains="enable"
localhome="enable"
protocol="smb"
mobile="enable"
mobileconfirm="disable"
useuncpath="enable"
user_shell="/bin/bash"
preferred="-nopreferred"
admingroups="domain admins,enterprise admins"
packetsign="allow"
packetencrypt="allow"
passinterval="14"
namespace="domain"
# Remove any stale directory-service and Kerberos configuration that exists before binding
for stale in \
  "/Library/Preferences/DirectoryService/ActiveDirectory" \
  "/Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig" \
  "/Library/Preferences/DirectoryService/SearchNode" \
  "/Library/Preferences/DirectoryService/ContactsNode" \
  "/Library/Preferences/edu.mit.Kerberos" \
  "/etc/krb5.keytab"; do
  [ -e "$stale" ] && rm -Rf "$stale"*
done
rm -vfR "/Library/Preferences/DirectoryService/"
# Recreate the preferences directory and mark the AD plug-in active
mkdir -p /Library/Preferences/DirectoryService
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
# Bind the machine (quoted so a computer name or OU with spaces is passed as one argument)
dsconfigad -force -add "$domain" -computer "$computerid" -username "$udn" -password "$password" -ou "$ou"
# Grant local admin to the listed AD groups, or to none
if [ "$admingroups" = "" ]; then
  dsconfigad -nogroups
else
  dsconfigad -groups "$admingroups"
fi
# Apply the remaining AD plug-in options
dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" -shell "$user_shell" $preferred -packetsign "$packetsign" -packetencrypt "$packetencrypt" -passinterval "$passinterval" -namespace "$namespace"
# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
  csp="/Active Directory/All Domains"
else
  csp="/Active Directory/$domain"
fi
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath "$csp"
exit 0
Posted on 07-07-2017 04:00 AM
@kerouak, thanks so much for the reply! But excuse my thickness.
Should I separate that into 8 different scripts set to run, with the trigger for each being the end of the previously run script?
Posted on 07-07-2017 06:11 AM
Looks like @kerouak forgot to enclose his script in the script tags here. The large bolded lines are all comments, like this:
# Add the OD & AD node to the search path
They aren't separate scripts.
That being said, have you explored using the built in JSS binding config? That still works interestingly enough.
Scripting an AD bind is fine, sometimes even preferable since you have more granular control over it. We sometimes use scripts, but we also use the built in Directory Binding configuration to do this, which really does work well in most cases.
I would at least explore this before resorting to using scripts.
Though I'm not certain why the Config Profile route is giving you trouble, I wonder if the OU you're binding to is the issue. You noted the OU is Computers_Macs, but is there a full OU in there, something like: OU=Computers,OU=Computer_Macs,DC=domain,DC=org,DC=com ?
I think it needs to be a full OU designation like that to work.
One other suggestion is to try manually binding a Mac with Directory Utility using all the same settings in the GUI. If it works, then the same settings in a Binding config, or Configuration Profile, or even a script should work.
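An added example, not from any poster in this thread and not Jamf's own code, that turns the two suggestions above (the OU must be a full DN, and the same settings should be tried by hand first) plus the original question's worry about the machine name into a pre-flight script: it validates the OU string, derives a machine-account name AD will accept from the Mac's ComputerName, and renders the exact dsconfigad invocation with the password redacted so it can be reviewed or logged before anything is bound. It assumes Jamf's convention of handing policy script parameters in from position $4 onward, so the bind credential lives in the policy rather than in the script body; every default value and every name below is a constructed placeholder.

```bash
#!/bin/bash
# Added example (not from the thread or from Jamf): pre-flight checks for a
# scripted AD bind, run before dsconfigad is ever called.
# Assumption: Jamf passes policy script parameters from $4 onward, so the bind
# credential can be set on the policy instead of inside the script. All
# defaults below are constructed placeholders.
domain="${4:-DOMAIN NAME HERE}"
ou_dn="${5:-OU PATH HERE}"
bind_user="${6:-BIND ACCOUNT HERE}"
bind_pass="${7:-}"

# Return 0 when $1 is a full distinguished name (OU=...[,OU=...],DC=...,DC=...),
# the form dsconfigad -ou expects; a bare container name such as
# "Computers_Macs" is rejected.
is_full_ou_dn() {
  printf '%s' "$1" | grep -Eiq '^(OU|CN)=[^,=]+(,(OU|CN)=[^,=]+)*(,DC=[^,=]+)+$'
}

# Print a machine-account name AD will accept: keep only [A-Za-z0-9-], cut to
# the 15-character NetBIOS limit, upper-case. Returns 1 if nothing is left.
# A ComputerName like "John's MacBook Pro" would otherwise fail the bind.
ad_computer_name() {
  local cleaned
  cleaned="$(printf '%s' "$1" | tr -cd 'A-Za-z0-9-' | cut -c1-15 | tr '[:lower:]' '[:upper:]')"
  [ -n "$cleaned" ] || return 1
  printf '%s\n' "$cleaned"
}

# Render the dsconfigad command with the password redacted, so the exact
# invocation can be logged and reviewed without exposing the credential.
build_bind_command() {
  local name="$1" dn="$2" dom="$3" user="$4"
  printf 'dsconfigad -force -add %s -computer %s -username %s -password <redacted> -ou "%s"\n' \
    "$dom" "$name" "$user" "$dn"
}

# Run all checks; on success print the redacted command and return 0,
# otherwise print the first problem to stderr and return a distinct code.
preflight() {
  local raw_name="$1" dn="$2" dom="$3" user="$4" pass="$5" name
  is_full_ou_dn "$dn" || { echo "OU must be a full DN (OU=...,DC=...), got: $dn" >&2; return 2; }
  name="$(ad_computer_name "$raw_name")" \
    || { echo "no usable computer name in: $raw_name" >&2; return 3; }
  { [ -n "$user" ] && [ -n "$pass" ]; } \
    || { echo "bind account and password are required" >&2; return 4; }
  build_bind_command "$name" "$dn" "$dom" "$user"
}

# Only on a Mac and only as root (how a Jamf policy runs it): check first,
# bind only if every check passed. Elsewhere the script just defines functions.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
  raw="$(scutil --get ComputerName)"
  preflight "$raw" "$ou_dn" "$domain" "$bind_user" "$bind_pass" || exit $?
  dsconfigad -force -add "$domain" -computer "$(ad_computer_name "$raw")" \
    -username "$bind_user" -password "$bind_pass" -ou "$ou_dn"
fi
```

Run from a Jamf policy with the domain, OU DN, bind account and password as parameters 4 to 7, the policy log shows the rendered command (with the password redacted) or a specific failure message instead of the bare "unspecified error" from the profile, and the computer name actually handed to AD is the sanitised one rather than whatever scutil reports.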
Posted on 07-07-2017 05:58 PM
@EmDee Have you tried configuring directory binding in the JAMF settings > Computer management > Directory Bindings and then set a policy with the directory binding config you created?
Posted on 07-10-2017 02:12 AM
@mm2270 Thanks!
Sadly I can't get the script to work for me when pushed from JAMF, after running sudo jamf -policy in order to fetch the script, I get a load of 'command not found' errors when it runs.
Checking on the OU now
Yup I've used the directory bindings feature (global system settings > Directory bindings) and then added that directory binding to a profile - but still no luck, and I can bind with the exact details that I enter, and I have no time mismatch or anything obvious that would prevent the bind from working, I get errors ranging from 'the authentication server could not be contacted' to an error 10001.
Very frustrating
Thanks for the help guys, I really appreciate it
Posted on 07-10-2017 02:21 AM
Hey, so turns out that the domain joiner account I was using with my directory binding profile was the problem - I'm not quite sure why, as I had used it to manually bind a machine to AD in order to test it, so I tried my own credentials in the binding profile (not ideal) and everything worked fine.