Posted on 05-15-2017 11:09 AM
All of a sudden, I am having a very strange issue and cannot bind my Mac computers to my Active Directory. Windows machines bind perfectly fine.
I am getting the following error:
/Active Directory, Module: ActiveDirectory - krb5.dylib - set password using MS set password returned: 0 result_code 3
2017-05-15 14:03:55.372321 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for 'bpage-imac$@CORP.MYDOMAIN.COM' with error '' (3)
2017-05-15 14:03:55.372328 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - failed to change computer password deleting record - 'cn=bpage-imac,CN=Computers,DC=corp,DC=mydomain,DC=com'
It is driving me crazy. DNS looks fine. Time and date are set to the domain controller.
I have tried:
shortening the computer name
creating a record in AD first
using a different account to bind
using a different OU to add the machine to
preferring one of my DCs over another
Any ideas?
Posted on 05-15-2017 11:13 AM
Posted on 05-15-2017 12:08 PM
Have you looked at your /etc/krb5.conf file?
Posted on 05-15-2017 12:34 PM
I don't seem to have a krb5.conf file located in /etc ... only krb5.keytab & krb5.keytab~orig
Posted on 05-16-2017 03:42 AM
Try running dsconfigad -show and make sure that the computer account matches what you see in ADU&C on your Windows Server. If your Mac had spaces in the name (e.g., My Cool Mac), your AD server might not be interpreting it correctly. Also make sure your advanced Administrative options are not in conflict.
Posted on 05-16-2017 03:43 AM
Try using the -force option of dsconfigad to remove it from the domain. Then try adding it back to AD without the -force option. If that fails, try again WITH -force.
Posted on 05-16-2017 04:31 AM
I have sometimes seen instances where the binder account cannot re-add a machine to the domain. I'm guessing that is not the case here, but I always check for that.
Posted on 05-16-2017 05:09 AM
I did have similar issues; however, binding via Terminal was successful.
cheers
Posted on 05-16-2017 06:48 AM
So, via the Mac Admins Slack channel, I found a fix.
I needed to create the record in AD first... but create it in a different OU than the standard Computers container. Once I created the record and bound to a different OU (in my case OU=Macs), the machines started to bind just fine.
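The replies suggest comparing `dsconfigad -show` against ADU&C, checking for spaces in the computer name, and the fix of binding into a dedicated OU. The script below is an added example, not code from this thread or from Apple: it validates a computer name, pulls the account out of `dsconfigad -show` text, classifies the opendirectoryd error seen above, and wraps the unbind/rebind into a chosen OU. The domain, OU, admin and log samples are placeholders or constructed.

```shell
#!/bin/sh
# Added helper (not from the thread). Only bind_to_ou touches a real Mac.

# NetBIOS computer names: 15 characters max, no spaces, letters/digits/hyphens.
# A name like "My Cool Mac" fails here before AD gets a chance to mangle it.
validate_computer_name() {
  name="$1"
  [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
  case "$name" in
    *[!A-Za-z0-9-]*) return 1 ;;
  esac
  return 0
}

# Extract the "Computer Account" value from `dsconfigad -show` output on stdin
# so it can be compared with the object name shown in ADU&C.
dsconfigad_account() {
  sed -n 's/^[[:space:]]*Computer Account[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Classify an opendirectoryd log excerpt on stdin. The failure in this thread
# is a computer-password change error followed by deletion of the new record.
classify_bind_log() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -q 'failed to change computer password deleting record'; then
    echo "password-change-failed"
  elif printf '%s\n' "$log" | grep -q 'Changing password failed'; then
    echo "password-change-failed"
  else
    echo "unknown"
  fi
}

# Forced unbind, then bind into a dedicated OU (the fix the poster landed on).
# Arguments are placeholders: domain, OU distinguished name, computer, admin.
# dsconfigad prompts for the admin password when -password is omitted.
bind_to_ou() {
  domain="$1"; ou="$2"; computer="$3"; admin="$4"
  validate_computer_name "$computer" || { echo "bad computer name: $computer" >&2; return 1; }
  dsconfigad -remove -force -username "$admin" 2>/dev/null
  dsconfigad -add "$domain" -computer "$computer" -ou "$ou" -username "$admin"
}

# Example invocation (placeholders):
# bind_to_ou corp.mydomain.com "OU=Macs,DC=corp,DC=mydomain,DC=com" bpage-imac adbinder
```

Run `dsconfigad -show | dsconfigad_account` on the Mac to get the account name for comparison, and feed the opendirectoryd excerpt to `classify_bind_log` to confirm you are looking at the same failure as this thread.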