JSS reports Active Directory Status as "Not Bound" when bound using Centrify 5.2.4

Field
New Contributor

Hi All,

We recently updated the Centrify Join Assistant app to version 5.2.4 to allow El Capitan to be joined to the domain. We've pushed this out to a test group but now the JSS does not seem to pickup that the Mac is bound to the domain and shows "Not Bound". Also tested on OS X 10.10.5 and the same thing is happening so appears to be a problem with the recon command detecting Centrify is bound to the domain. Centrify 5.2.3 and 5.2.2 work fine so maybe something has moved in 5.2.4.

The mac is definitely domain joined as domain users can log in successfully and the adinfo command reports as "Connected".

Could get around this by setting up an extension attribute to report back but as this is a built in check it would be better to have it working that add an additional script.

Is anyone else experiencing these issues and do you know what the jamf recon command actually checks for when it runs "Checking AD Status... "

We're on JSS version 9.81.

12 REPLIES 12

were_wulff
Valued Contributor II

@Field

It’s possible you may be running into an issue that we’re aware of.

With El Capitan, we had to move our binaries from /usr/sbin, as did everyone else, so the build of Centrify for El Capitan moved theirs to /usr/local/sbin/adjoin.
However, our binary still looks for it in /usr/sbin/adjoin and finds it ‘not installed’ because it’s looking in the wrong place.

If this is what you’re seeing, you’ll see the following in the jamf.log on an affected client:

Preparing to bind to AD using Centrify... 
Error: Centrify does not appear to be properly installed. (/usr/sbin/adjoin is missing)

If that error appears, it’s possible that you’re running into the issue we’re aware of (D-009723).

If you do see that error on El Capitan machines that aren’t binding to Centrify correctly, please get in touch with your Technical Account Manager so they can verify or rule out the possibility of D-009723 and get a case attached to it for tracking if necessary.

If that error does not appear in the jamf.log, something else may be going on, and it’d be a good idea to get in touch with your Technical Account Manager so we can help dig into it further.

Thanks!
Amanda Wulff
JAMF Software Support

Field
New Contributor

Hi @amanda.wulff

Yeah it's probably related then if the recon command is looking in the old location as the only version affected is 5.2.4 which moves the binary.

I'll give our Technical Account Manager a shout as you suggest so it can be tracked.

Thanks

BLau
New Contributor

Hi @Field

Just wanted to confirm @amanda.wulff's statement - in Centrify Mac agent version 5.2.4 (and onwards), we moved everything that we used to place in /usr/... location to their corresponding locations under /usr/local/... .

This is to comply with El Capitan's new System Integrity Protection feature.

Once JSS is updated with the new path location, you should things go back to normal again.

Hope that helps and kind regards,
Brian

Disclosure: I work in the Support Team at Centrify.

Gocobachi
New Contributor III

Hi @Field & @amanda.wulff I realize this is an old thread, but I am just now encountering the same issue. How do I update the JSS to point to the new path location?

Field
New Contributor

Hi @Gocobachi

I ended up creating an Extension attribute to report back whether the Mac was bound to the domain or not and then reported on that.

As far as i'm aware JAMF would need to update the location in their JSS release unless i'm mistaken, maybe @amanda.wulff could confirm?

When i noticed the problem we were on 9.81 and are now on 9.82 and problem still exists so hopefully will be fixed in a future release.

bpavlov
Honored Contributor

Might be worth checking out the current beta to see if its fixed in that release.

Field
New Contributor

I've requested access to the beta so will stick on my test lab and post back if all is fixed.

JPDyson
Valued Contributor

We've created EA's for this stuff since JAMF is taking quite a long time to fix this.

Gocobachi
New Contributor III

Thanks all for the responses. @Field I will look at this reporting back extension you described...seems like that would be useful. By the way, what is the workflow that you have in place? I am currently writing up/test a custom script.

Field
New Contributor

After further testing it appears that this is still not fixed in the current 9.9 beta.

Gocobachi
New Contributor III

Hopefully this will someday get fixed. I have not upgraded to 9.9x yet.

franton
Valued Contributor III

I wrote this a while back. I thought this thread would be perfect time to dust it off and post. Hopefully this helps people here until this is fixed.

https://github.com/franton/Centrify-AD-Bind