Directory Bindings... An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001).

rhettelliot
New Contributor

In Settings > Computer Management > Directory Bindings I filled in all our AD info.

Created a policy to distribute to all computers, recurring check-in + Ongoing.

fails:

log = similar to this:

Mon Dec 10 15:12:27 cr-imac102874 jamf[239]: An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 1)
Mon Dec 10 15:12:38 cr-imac102874 jamf[239]: An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 2)
Mon Dec 10 15:12:49 cr-imac102874 jamf[239]: An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 3)
Mon Dec 10 15:12:59 cr-imac102874 jamf[239]: An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 4)
Mon Dec 10 15:13:10 cr-imac102874 jamf[239]: An error occurred binding to Active Directory: dsconfigad: The plugin encountered an error processing request. (10001). (Attempt 5)
Mon Dec 10 15:13:10 cr-imac102874 jamf[239]: Error: Giving up on Active Directory binding after 5 attempts.

I’ve tried Mappings and without mappings.

I’ve also tried Joining to AD via a config profile... however the setting to cache a mobile account locally isn’t available so I add a user level mobility profile but I cannot get that to push out.

HELP?
Rhett

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

No such thing really as stealing where that's concerned. There's a wealth of information out there. Honestly if it weren't for all the good folks out there with blogs or answering n00b questions on places like stackoverflow, I wouldn't know a 3rd of the scripting that I do today. No one's re-inventing the wheel here :)

Here's an example "template" binding script you could toy with and modify for your needs. Most of what you see here will correspond to the settings in your binding configuration in your JSS. The comments between each line briefly describe what each one is for. Also take a look at the manual page for dsconfigad for more: man dsconfigad in Terminal. There are a few additional options not included below that you may need.

#!/bin/bash

## Options for dsconfigad, collected in an array so each one can carry its own comment
bind_args=(
    ## Use your FQDN domain name between the quotes
    -add "your.company.domain."

    ## A username with binding authority
    -username "binding_username"

    ## Password for the above user
    -password "binding_password"

    ## Enter the computer name, or direct the script to pull the computer name with
    ## something like "scutil --get ComputerName"
    -computer "COMPUTERNAME"

    ## Set to disable if you don't want mobile accounts
    -mobile enable

    ## Goes in hand with the above setting, warns on mobile account creation, or not
    -mobileconfirm disable

    ## Use disable if you don't want a locally cached home directory
    -localhome enable

    ## Set to enable or disable based on whether the HOME should mount based on UNC path
    -useuncpath disable

    ## Leave this as is unless you have a good reason to change the default user shell
    -shell /bin/bash

    ## Set your OU to join the Mac to here
    -ou "OU=Macs,OU=Computers,DC=org,DC=company,DC=com"

    ## Add any AD groups here that you want to allow local admin access on the Macs
    ## while in range of your DC
    -groups "ORGmac admins"
)

## Run the bind with all of the options above
dsconfigad "${bind_args[@]}"
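
A variant of the template above for a Jamf policy, as an added example that is not part of mm2270's post: the bind credentials arrive as script parameters instead of being stored in the script, untouched template placeholders are rejected, and the command line that gets logged has the password masked. The parameter positions ($4 to $7), the DRY_RUN switch and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the thread. Assumed Jamf policy parameters:
# $4 = AD domain, $5 = bind user, $6 = bind password, $7 = target OU.
# ($2 is the computer name Jamf passes to every script.)

# Reject empty values and the template's untouched placeholders.
valid_param() {
    case "$1" in
        ""|your.company.domain.|binding_username|binding_password) return 1 ;;
    esac
    return 0
}

# Print an argument list with the value after -password masked, for logging.
redact() {
    local out="" mask=0 a
    for a in "$@"; do
        if [ "$mask" -eq 1 ]; then a="********"; mask=0
        elif [ "$a" = "-password" ]; then mask=1; fi
        out="$out $a"
    done
    echo "${out# }"
}

# Validate inputs, log a redacted command line, then bind.
# DRY_RUN=1 (hypothetical switch) stops before dsconfigad is called.
bind_to_ad() {
    local domain="$1" computer="$2" user="$3" pass="$4" ou="$5" p
    for p in "$domain" "$computer" "$user" "$pass" "$ou"; do
        valid_param "$p" || { echo "missing or placeholder parameter" >&2; return 2; }
    done
    # dsconfigad still receives the password as an argument while it runs,
    # so the bind account should hold only the right to join computers.
    set -- -add "$domain" -username "$user" -password "$pass" \
           -computer "$computer" -ou "$ou" \
           -mobile enable -mobileconfirm disable -localhome enable
    echo "running: dsconfigad $(redact "$@")"
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    dsconfigad "$@"
}

# Run only when Jamf supplied the parameters.
if [ "$#" -ge 7 ]; then
    bind_to_ad "$4" "$2" "$5" "$6" "$7"
fi
```
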


9 REPLIES 9

mm2270
Legendary Contributor III

Check the time on the Macs to be sure they aren't way off from the time of your domain controllers. AD joining is touchy with this and if off by more than a couple of minutes will fail.

If the time is OK, can you manually bind one of these Macs to AD, by using Directory Utility.app?

rhettelliot
New Contributor

time is spot on.

can bind manually and with a config profile pushed from the JSS.

I'd be cool with using the config profile to bind but I also want to create a mobile account.... problem there is I can't get the mobility user-level profile to push.

mm2270
Legendary Contributor III

Personally I'd just script the entire thing with dsconfigad. It's not hard to do and you potentially get access to a more granular level of control over how the binding happens.
I don't use Config Profiles currently so I can't help you much with that.

If you're interested in just scripting the entire bind process, let me know and I'll post an example of how to do it. Otherwise someone else may chime in on how to do some of this with config profiles.

rhettelliot
New Contributor

Admittedly I am no master scripter :(

Got a resource online I could steal & edit? LOL #lazy #learnsfromtheft

rhettelliot
New Contributor

P.S. I'm in week 3 post jumpstart. :) Be kind.

rhettelliot
New Contributor

trying to make this one work: http://macadmincorner.com/bind-to-ad-using-apple-remote-desktop/

jimlee
New Contributor III

http://support.apple.com/kb/HT5981?viewlocale=en_US&locale=en_US

You can use the settings available in Advanced Options and modify a Configuration Profile.