Posted on 09-21-2018 08:22 AM
We have a fleet of over 850 Macs. 99% of them operate just fine when bound to AD. However, every couple of weeks one stops allowing AD users to log in. The machine shows as bound to AD and the computer record for it exists in AD but the command
id someUsername
returns "No such user" for all AD users. Unbind and rebind fixes it.
What could cause a machine that was working and shows as currently bound to AD to stop being able to actually log users in and verify their existence? How can I troubleshoot it when it happens again?
Posted on 09-21-2018 08:31 AM
Hey,
I have this issue also with losing AD bind, and dsconfig still says I am bound to AD.
I use an EA to check if the computer connected to the Active Directory.
To date I don't know what's the reason for this problem.
    #!/bin/bash
    # Jamf Extension Attribute: report whether this Mac is usable as an AD-bound client.
    orgdomain="my.domain.corp.net"

    # Check that a DC for the domain is reachable (-o: stop after the first reply).
    # Note: the original used ${domain} here, which is unset at this point.
    ping -c 3 -o "${orgdomain}" 1> /dev/null 2> /dev/null
    # If the ping was successful
    if [[ $? == 0 ]]; then
        # Check the domain returned with dsconfigad
        domain=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
        # If the domain is correct
        if [[ "$orgdomain" == "${domain}" ]]; then
            # Check the id of a known AD user (output discarded so only the <result> is returned)
            id -u ADUSERAccount > /dev/null 2>&1
            # If the check was successful...
            if [[ $? == 0 ]]; then
                echo "<result>Bound Correctly</result>"
            else
                # If the check failed
                echo "<result>Cannot communicate with AD</result>"
            fi
        else
            # If the domain returned did not match our expectations
            echo "<result>Incomplete bind</result>"
        fi
    else
        echo "<result>Not in range of a DC</result>"
    fi
    exit 0
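As an added example (not the poster's EA and not Jamf's code), the same three checks are split into functions so the state logic can be tested off a Mac, and a "bound but broken" result triggers a capture of the Open Directory state before anyone unbinds and loses the evidence. EXPECTED_DOMAIN and TEST_USER are placeholders; the `dscl /Search`, `odutil` and `log show` commands are standard macOS tools.

```shell
#!/bin/sh
# Added example: classify the AD bind state and, when it is not healthy,
# collect what you would want to see before unbinding/rebinding.
EXPECTED_DOMAIN="${EXPECTED_DOMAIN:-my.domain.corp.net}"   # placeholder, set for your site
TEST_USER="${TEST_USER:-ADUSERAccount}"                    # placeholder, a known AD user

# Pull the domain out of `dsconfigad -show` output passed in as text.
extract_domain() {
    printf '%s\n' "$1" | awk '/Active Directory Domain/{print $NF; exit}'
}

# Map the check results (0 = success) to the same states the EA reports.
# $1 ping rc, $2 expected domain, $3 domain from dsconfigad, $4 `id -u` rc
classify_bind() {
    if [ "$1" -ne 0 ]; then echo "Not in range of a DC"
    elif [ "$2" != "$3" ]; then echo "Incomplete bind"
    elif [ "$4" -ne 0 ]; then echo "Cannot communicate with AD"
    else echo "Bound Correctly"
    fi
}

# Evidence to keep from a Mac that shows bound but cannot resolve AD users.
collect_diagnostics() {
    echo "== dsconfigad -show";          dsconfigad -show
    echo "== odutil show nodes";         odutil show nodes
    echo "== dscl /Search -read user";   dscl /Search -read "/Users/$TEST_USER" 2>&1 | head -n 20
    echo "== opendirectoryd log, last 30 minutes"
    log show --predicate 'process == "opendirectoryd"' --last 30m --info 2>&1 | tail -n 100
}

# Only run the live checks on a Mac with the AD tooling; the functions load anywhere.
if command -v dsconfigad >/dev/null 2>&1; then
    ping -c 3 -o "$EXPECTED_DOMAIN" >/dev/null 2>&1 && ping_rc=0 || ping_rc=1
    actual="$(extract_domain "$(dsconfigad -show)")"
    id -u "$TEST_USER" >/dev/null 2>&1 && id_rc=0 || id_rc=1
    state="$(classify_bind "$ping_rc" "$EXPECTED_DOMAIN" "$actual" "$id_rc")"
    echo "<result>$state</result>"
    [ "$state" = "Bound Correctly" ] || collect_diagnostics
fi
```

Run it from a policy when the EA flips, so the diagnostics land in the policy log rather than being lost to the rebind.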
Posted on 09-21-2018 08:38 AM
I've run into the same thing running 10.13.6 on random machines. Rebind always fixes it. We bind with a config profile.
Posted on 09-21-2018 08:39 AM
The Macs that are bound to AD need to re-sync their passwords with AD from time to time. When they fail to do so (e.g. because they have been off or sleeping for too long) they cannot talk anymore to the domain controller, and users cannot log in.
When this happens the Users & Groups pref pane shows the Mac as bound to your Network Account Server, but the line that should show whether or not network accounts are allowed to log in is not present.
This was the most frequent reason for 'bound but not working' Macs. The fix consists of unbinding and rebinding in that case. Prevention: regular use, or not allowing the Mac to sleep.
Posted on 09-21-2018 08:50 AM
I am not sure if it's a problem with re-sync.
The default domain policy setting configures domain-joined computers to update their passwords every 30 days.
All my clients are connected every day and also the computer object was updated in AD.
Posted on 09-21-2018 09:01 AM
Thanks for the info @mschroder. We do leave our iMacs on later into the evening, as that's when we pull some of our policies (outside 9-5). I'll look into the sleep issue and see if that solves it.