JAMF bind to AD stops working, could it be linked to password expire message?

jhalvorson
Valued Contributor

I use the JAMF command in a post-install script to bind to AD. The AD work account has the correct permissions to create computers in the desired OU, and the password expires every 180 days. I believe our AD admins have something enabled to warn users 21 days prior to expiration.

It seems as if, when the warning is active, the ability to bind to the domain starts to fail when using the JAMF command. But using the same account to bind using the GUI in 10.7 or 10.8 works fine.

The JAMF logs show the following error:

The username (WA9999) and password provided for the domain (zip.zop.org) was not valid. (Attempt 5)

Usually resetting the AD work account password and updating the Directory Binding entry in the JSS restores the service.

Is it possible the JAMF AD bind command doesn't know how to handle the password notice, or that there is an abnormal delay in the authentication reply?

Should I give up using the JAMF command to bind and script the process using dsconfigad?
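The dsconfigad route asked about above, as an added example that is not code from the original post or from JAMF: a wrapper that reads the bind account's pwdLastSet over LDAP and computes how many days remain before the 180-day maximum age runs out, so a bind attempt inside the 21-day warning window (or after expiry) logs a specific message instead of the generic "username and password ... not valid" seen in the JAMF log. The DC hostname, search base, and the assumption that the bind account may read its own pwdLastSet are mine, not the thread's; the domain name comes from the error message in the post.

```shell
#!/bin/bash
# Added example, not from the original thread. Checks the AD bind account's
# password age before calling dsconfigad so an expiring or expired bind
# password surfaces as a clear message rather than a generic auth failure.
#
# Assumptions (hypothetical, not stated in the thread): BIND_DC answers LDAPS,
# the bind account can read its own pwdLastSet, and the domain policy is a
# 180-day maximum password age with a 21-day warning window.
set -u

DOMAIN="${DOMAIN:-zip.zop.org}"
BIND_DC="${BIND_DC:-dc01.zip.zop.org}"              # hypothetical DC
SEARCH_BASE="${SEARCH_BASE:-DC=zip,DC=zop,DC=org}"
MAX_PWD_AGE_DAYS="${MAX_PWD_AGE_DAYS:-180}"
WARN_DAYS="${WARN_DAYS:-21}"

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. Convert to Unix epoch seconds (offset is 11644473600 s).
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Whole days until the password expires, given the pwdLastSet FILETIME, the
# maximum age in days, and "now" as a Unix epoch (passed in so the function
# is deterministic). Negative means already expired.
days_until_expiry() {
    local filetime="$1" max_age_days="$2" now_epoch="$3"
    local set_epoch expires_epoch
    set_epoch=$(filetime_to_epoch "$filetime")
    expires_epoch=$(( set_epoch + max_age_days * 86400 ))
    echo $(( (expires_epoch - now_epoch) / 86400 ))
}

# Classify remaining lifetime as ok / warning / expired.
expiry_state() {
    local days_left="$1" warn_days="$2"
    if [ "$days_left" -le 0 ]; then
        echo expired
    elif [ "$days_left" -le "$warn_days" ]; then
        echo warning
    else
        echo ok
    fi
}

# Read pwdLastSet for the bind account. Uses the UPN (user@domain) as the
# simple-bind identity, which AD accepts, over LDAPS so the password is not
# sent in clear text. Needs network access to the DC; not exercised offline.
fetch_pwd_last_set() {
    local user="$1" pass="$2"
    ldapsearch -LLL -x -H "ldaps://$BIND_DC" -D "$user@$DOMAIN" -w "$pass" \
        -b "$SEARCH_BASE" "(sAMAccountName=$user)" pwdLastSet \
        | awk '/^pwdLastSet:/ { print $2 }'
}

# Check the bind password's age, then bind with dsconfigad. -force replaces a
# stale computer record for this hostname instead of failing on it.
bind_to_ad() {
    local user="$1" pass="$2" computer_ou="$3"
    local filetime days_left state
    filetime=$(fetch_pwd_last_set "$user" "$pass")
    if [ -z "$filetime" ]; then
        echo "could not read pwdLastSet for $user (bad credentials or no LDAP access); refusing to bind" >&2
        return 1
    fi
    days_left=$(days_until_expiry "$filetime" "$MAX_PWD_AGE_DAYS" "$(date +%s)")
    state=$(expiry_state "$days_left" "$WARN_DAYS")
    case "$state" in
        expired)
            echo "bind account $user password expired $(( -days_left )) days ago; rotate it and update the Directory Binding in the JSS" >&2
            return 1 ;;
        warning)
            echo "bind account $user password expires in $days_left days (inside the $WARN_DAYS-day warning window)" >&2 ;;
    esac
    dsconfigad -add "$DOMAIN" -username "$user" -password "$pass" \
        -ou "$computer_ou" -force
}

# Usage: bind_check.sh <bind-user> <bind-password> "<OU=Macs,DC=zip,DC=zop,DC=org>"
if [ $# -ge 3 ]; then
    bind_to_ad "$1" "$2" "$3"
fi
```

The expiry arithmetic is the part worth keeping even if the rest is replaced by a JSS policy: a bind that fails with a "warning" line in the log points straight at the rotating password, which is what the thread's symptom (fails near the warning window, recovers after a reset) suggests. Note that passing the password as a command-line argument exposes it in the process list for the duration of the run; dsconfigad itself has the same property, so treat the bind password as low-value and scoped to the single OU, as the replies below recommend.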

5 REPLIES

mm2270
Legendary Contributor III

Could you possibly use a special AD binding only account instead of a regular account with elevated privileges? In many environments, it makes more sense to create an account that can't be used for anything except bind/unbind a system to AD.

Barring that, I guess you could go the route of using a script instead of the Casper Suite method?

brussell
New Contributor III

I concur with mm2270, as we have a dedicated A/D account used strictly for binding Macs to A/D. That account has a non-expiring password.

jhalvorson
Valued Contributor

The Work account I use for this purpose has only enough privileges to bind computers as you mentioned. I was informed that it was even limited to just adding to that single OU. I have to take the AD admins word for it. As I mentioned, it works using the Mac 10.8 or 10.7 GUI.

I have seen other posts pertaining to the inconsistent success when using JAMF to bind to AD. It seems like the solution always ends up being to stop using the JAMF tools and use a dsconfigad script instead. I was wondering if that was now the general consensus of others.

ernstcs
Contributor III

I too use a dedicated account in AD for the sole purpose of binding Macs using the options with the Casper Suite. This account's password does not expire and the only thing it can do is bind to my Mac OU in AD. I've had very few problems for years now binding to AD using JAMF on any version. I have some custom scripts for AD tasks, but that's just for adding and removing specific groups as admins to a box from AD, and not binding.

mm2270
Legendary Contributor III

@jhalvorson, I understand. However, it seems that your AD team has decided to make the account's password expire, despite it only having privileges to bind and to only one OU. That seems like a gratuitous overstep of security to me. The account can't do anything other than bind a system to Active Directory, and so they should allow it to have a static password. That's just my 2¢, but maybe they have a valid reason to make the password rotate.