M1 AD Binding Woes

whiteb
New Contributor II

We are needing to bind some M1 Mac Minis as well as some iMacs we purchased that will be delivered soon.

We're already seeing issues even just binding the Mac Minis.

I realize the baked-in AD integration isn't the best. We've fought with it in the past, but it's always worked.

I'm barely able to bind a test computer. 

I'm reading some people think that something about the M1s is where the problem with AD binding lies:

https://community.jamf.com/t5/jamf-pro/big-sur-active-directory-binding/m-p/242080#M227788

I get 5200 errors that it couldn't contact the authentication server.

If I look through the console the specific error is 'KDC is unreachable - 'unable to reach any KDC in realm __our AD domain__, tried 0 KDCs'

Time is synced. 

I've read of this workaround - 'Configuring KDC in krb5.conf' - https://github.com/Microsoft/vscode-mssql/wiki/How-to-enable-Integrated-Authentication-on-macOS-and-...

But it appears Big Sur doesn't have a krb5.conf file, it has a 'krb5.keytab' file which is different.

I was briefly able to get it bound at some point but it didn't stay bound.

We are using Jamf Connect for some use cases, but binding would be a better option for us in shared lab settings.
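The "tried 0 KDCs" wording in the error above means the Kerberos client found no KDC for the realm at all, not that it found one and could not reach it. On macOS that discovery is done through DNS SRV records (`_kerberos._tcp.<domain>`), and the krb5.conf workaround in the linked article works by pinning the KDCs explicitly so discovery is no longer needed; macOS reads `/etc/krb5.conf` when it exists even though Big Sur ships without one. The script below is an added example, not code from the original post, from Apple or from Jamf. It takes the `priority weight port target` lines that `dig +short <name> SRV` prints (here a constructed sample with hypothetical dc1/dc2/dc3 hosts and the hypothetical realm CORP.EXAMPLE.COM), ranks the KDCs the way a client would, refuses to continue when the list is empty, and emits the `[realms]` stanza to drop into `/etc/krb5.conf`.

```shell
#!/bin/sh
# Added example: diagnose "tried 0 KDCs" and build an explicit krb5.conf stanza.

# Constructed sample, in the 'priority weight port target' layout that
# `dig +short _kerberos._tcp.corp.example.com SRV` prints. Hosts are hypothetical.
SAMPLE_SRV='10 100 88 dc2.corp.example.com.
0 100 88 dc1.corp.example.com.
0 50 88 dc3.corp.example.com.'

# Live lookup of the SRV name macOS uses to discover KDCs for a realm.
# Empty output here is the usual cause of "tried 0 KDCs".
srv_lookup() {
  dig +short "_kerberos._tcp.$(printf '%s' "$1" | tr 'A-Z' 'a-z')" SRV
}

# Rank SRV records read from stdin as a client would: lowest priority first,
# then highest weight. Prints one host:port per line with the trailing dot removed.
rank_kdcs() {
  awk 'NF == 4' | sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Return non-zero when discovery produced no candidates, so a bind script can
# stop with a clear message instead of letting dsconfigad fail later.
require_kdcs() {
  n=$(printf '%s\n' "$1" | awk 'NF { c++ } END { print c + 0 }')
  [ "$n" -gt 0 ]
}

# Emit a krb5.conf fragment that pins the KDCs for the realm.
# Usage: krb5_realm_stanza REALM host:port [host:port ...]
krb5_realm_stanza() {
  realm=$1; shift
  printf '[libdefaults]\n\tdefault_realm = %s\n\n[realms]\n\t%s = {\n' "$realm" "$realm"
  for kdc in "$@"; do
    printf '\t\tkdc = %s\n' "$kdc"
  done
  printf '\t}\n'
}

# TCP check of port 88 on each candidate; run this on the Mac being bound.
probe_kdcs() {
  for hp in "$@"; do
    if nc -z -w 3 "${hp%:*}" "${hp#*:}" 2>/dev/null; then
      echo "reachable   $hp"
    else
      echo "UNREACHABLE $hp"
    fi
  done
}

# Offline demonstration on the sample. The live equivalent is:
#   ranked=$(srv_lookup CORP.EXAMPLE.COM | rank_kdcs)
ranked=$(printf '%s\n' "$SAMPLE_SRV" | rank_kdcs)
require_kdcs "$ranked" || echo "no KDCs discovered for realm; expect 'tried 0 KDCs'"
krb5_realm_stanza CORP.EXAMPLE.COM $ranked
```

If `srv_lookup` returns nothing on the M1 but returns records on an Intel machine on the same network, the difference is in DNS resolution (search domains, the DNS server the Mac is using, or a VPN/split-DNS profile), not in the Kerberos client. Once the stanza is in `/etc/krb5.conf`, `kinit user@REALM` is a quick way to confirm a ticket can be obtained before retrying the bind.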


dvasquez
Contributor II

Hello.

In another thread, I read that "using NoMAD Login or even Jamf Connect as a solution to AD for shared devices/labs could work."

Maybe this will help you: https://community.jamf.com/t5/jamf-pro/pros-cons-of-going-local-vs-using-a-mobile-account/td-p/23320...

They discuss the pros and cons. But to me, if you're looking for a shared workflow for a lab situation, NoMAD and Jamf Connect will help you achieve success.


kyle_erickson
New Contributor III

This is likely of limited help, but we've been binding macOS Big Sur to Active Directory without issue since launch (both on Intel and Apple Silicon).  I know Microsoft had some mandatory security updates last year related to signing or LDAPS I believe, although I'm not on the team that manages AD so I'm trying to recall what specifically that was or if it could be related.  Either way though, I suspect your issue is related to something in AD / DNS, and not Apple Silicon or the krb5.conf file (we don't have that either on our devices).

dvasquez
Contributor II

OK, I know I am using Big Sur and have configured NoMAD to help with auth to domain resources without the need to bind. It is working well in Big Sur and Catalina. For our use, I just do not see the need to actually bind anymore. Takes a little testing and configuring, but it does work: https://nomad.menu/products/

Sorry, not much more help. 

jhuls
Contributor III

I've only worked with a couple of M1 laptops but haven't had any issue binding them. Do you have Intel Big Sur systems binding OK?

One thing I'll mention is that even if you get them bound, printing might be an issue if you print through an AD print server. We've yet to update our campus Intel systems to Big Sur because our test systems can't print through our servers. If we install Catalina, they're fine. They bind fine, but printing? Forget about it.

whiteb
New Contributor II

We do have Intel Big Sur systems binding fine. We have an ongoing script that runs on a few Intel systems that binds them, and that same script doesn't want to run on M1 Big Sur. But I can't even bind through the baked-in method/GUI on these M1s. Ultimately we're just going to use NoMAD - https://nomad.menu/products/ - It's still free. We also use Jamf Connect, which costs money, for different use cases.

Good note on the printing caveat, we dealt with that whole deal. We use this: https://github.com/haircut/self-service-printer-installer/wiki

Uses CocoaDialog. Works via the LPD protocol. Can't take credit for implementing it, but I maintain it, and it works great on unbound Macs.