Need help troubleshooting Active Directory issue...

bppage
New Contributor II

All of a sudden, I am having a very strange issue and cannot bind my Mac computers to my Active Directory. Windows machines bind perfectly fine.

I am getting the following error:

/Active Directory, Module: ActiveDirectory - krb5.dylib - set password using MS set password returned: 0 result_code 3
2017-05-15 14:03:55.372321 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for 'bpage-imac$@CORP.MYDOMAIN.COM' with error '' (3)
2017-05-15 14:03:55.372328 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - failed to change computer password deleting record - 'cn=bpage-imac,CN=Computers,DC=corp,DC=mydomain,DC=com'

It is driving me crazy. DNS looks fine. Time and date are set to the domain controller.

I have tried:
shortening the computer name
creating a record in AD first
using a different account to bind
using a different OU to add the machine to
preferring one of my DCs over another

Any ideas?

1 ACCEPTED SOLUTION

bppage
New Contributor II

So, via the Mac Admins Slack channel, I found a fix.

I needed to create the record in AD first...but create it in a different OU than the standard Computers container. Once I create the record and bind to a different OU, in my case OU=Macs ... the machines started to bind just fine.


8 REPLIES

thoule
Valued Contributor II

Have you looked at your /etc/krb5.conf file?

bppage
New Contributor II

I don't seem to have a krb5.conf file located in /etc ... only krb5.keytab & krb5.keytab~orig

kerouak
Valued Contributor

Try running dsconfigad -show and make sure that the computer account matches what you see in ADU&C on your Windows Server. If your Mac had spaces in the name (e.g., My Cool Mac), your AD server might not be interpreting it correctly. Also make sure your advanced Administrative options are not in conflict.
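An added helper for the check described above (example code, not from the thread): it validates the name a Mac would use as its AD computer account (NetBIOS limit of 15 characters, no spaces) and compares it with the account shown by dsconfigad -show. It assumes dsconfigad -show prints a line of the form "Computer Account = name$"; the sample output in the comments is constructed.

```shell
#!/bin/sh
# Usage on a Mac: dsconfigad -show | ad_name_check "$(hostname -s)"

# Returns 0 if NAME is a usable AD computer name: 1-15 characters,
# letters, digits and hyphens only, no spaces, no leading/trailing hyphen.
valid_ad_computer_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ ${#name} -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
        -*|*-) return 1 ;;
    esac
    return 0
}

# Reads dsconfigad -show output on stdin and prints the Computer Account
# value without its trailing '$' (assumed format, e.g. a constructed line
# "  Computer Account = bpage-imac$"). Prints nothing if the line is absent.
bound_computer_account() {
    sed -n 's/^[[:space:]]*Computer Account[[:space:]]*=[[:space:]]*//p' |
        sed 's/\$$//'
}

# Compares the expected local name (argument) with the bound account (stdin).
# Exit status: 0 match, 1 unusable name, 2 no account line (not bound?),
# 3 the Mac's name and the AD computer account differ.
ad_name_check() {
    expected=$1
    if ! valid_ad_computer_name "$expected"; then
        echo "invalid computer name: '$expected'" >&2
        return 1
    fi
    bound=$(bound_computer_account)
    if [ -z "$bound" ]; then
        echo "no Computer Account line in dsconfigad output" >&2
        return 2
    fi
    # sAMAccountNames are case-insensitive, so compare lowercased.
    e=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$bound" | tr 'A-Z' 'a-z')
    if [ "$e" != "$b" ]; then
        echo "mismatch: local '$expected' vs AD '$bound'" >&2
        return 3
    fi
    echo "ok: $bound"
    return 0
}
```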

kerouak
Valued Contributor

Try using the -force option of dsconfigad to remove it from the domain. Then try adding it back to AD without the -force option. If that fails, try again WITH -force.

blackholemac
Valued Contributor III

I have sometimes seen instances where the binder account cannot re-add a machine to the domain. I'm guessing that is not the case here, but I always check for that.

kerouak
Valued Contributor

I did have similar issues; however, binding via Terminal was successful.

cheers
