Solved

Need help troubleshooting Active Directory issue...

  • May 15, 2017
  • 7 replies
  • 36 views


All of a sudden, I am having a very strange issue and cannot bind my Mac computers to my Active Directory. Windows machines bind perfectly fine.

I am getting the following error:

/Active Directory, Module: ActiveDirectory - krb5.dylib - set password using MS set password returned: 0 result_code 3
2017-05-15 14:03:55.372321 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for 'bpage-imac$@CORP.MYDOMAIN.COM' with error '' (3)
2017-05-15 14:03:55.372328 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - failed to change computer password deleting record - 'cn=bpage-imac,CN=Computers,DC=corp,DC=mydomain,DC=com'

It is driving me crazy. DNS looks fine. Time and date are set to the domain controller.

I have tried:

  • shortening the computer name
  • creating a record in AD first
  • using a different account to bind
  • using a different OU to add the machine to
  • preferring one of my DCs over another

Any ideas?

Best answer by bppage

7 replies

  • Contributor
  • May 15, 2017

Have you looked at your /etc/krb5.conf file?


  • Author
  • New Contributor
  • May 15, 2017

I don't seem to have a krb5.conf file located in /etc ... only krb5.keytab & krb5.keytab~orig


  • Valued Contributor
  • May 16, 2017

Try running dsconfigad -show and make sure that the computer account matches what you see in ADU&C on your Windows Server. If your Mac had spaces in the name (e.g., My Cool Mac), your AD server might not be interpreting it correctly. Also make sure your advanced Administrative options are not in conflict.


  • Valued Contributor
  • May 16, 2017

Try using the -force option of dsconfigad to remove it from the domain. Then try adding it back to AD without the -force option. If that fails, try again WITH force.


  • Valued Contributor
  • May 16, 2017

I have sometimes seen instances where the binder account cannot re-add a machine to the domain. I'm guessing that is not the case here, but I always check for that.


  • Valued Contributor
  • May 16, 2017

I did have similar issues; however, binding via Terminal was successful.

cheers


  • Author
  • New Contributor
  • Answer
  • May 16, 2017

So, via the Mac Admins Slack channel, I found a fix.

I needed to create the record in AD first...but create it in a different OU than the standard Computers container. Once I create the record and bind to a different OU, in my case OU=Macs ... the machines started to bind just fine.
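
An added example, not part of the thread or of any poster's own tooling: a shell triage of the failure log quoted in the question. It extracts the computer record that was deleted after the password set failed and, if that record sat in the default Computers container, prints a dsconfigad bind command aimed at another OU. It assumes the record has already been created in that OU as the answer describes; BINDER_ACCOUNT is a placeholder, and the sample log is the pair of lines from the question.

```sh
#!/bin/sh
# Added example, not from the thread: triage the bind failure quoted in the question.

# Constructed sample: the two failure lines from the question's log.
sample_log() {
cat <<'EOF'
2017-05-15 14:03:55.372321 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for 'bpage-imac$@CORP.MYDOMAIN.COM' with error '' (3)
2017-05-15 14:03:55.372328 EDT - AID: 0x0000000000000000 - 74357.1515673, Node: /Active Directory, Module: ActiveDirectory - failed to change computer password deleting record - 'cn=bpage-imac,CN=Computers,DC=corp,DC=mydomain,DC=com'
EOF
}

# Print the DN of the computer record deleted after the password set failed.
failed_record_dn() {
  sed -n "s/.*failed to change computer password deleting record - '\([^']*\)'.*/\1/p" | tail -n 1
}

# "cn=host,CN=Computers,DC=corp,DC=example" -> "corp.example"
dn_domain() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[Dd][Cc]=//p' | paste -sd. -
}

# First RDN value, i.e. the computer name (assumes no escaped commas in it).
dn_name() {
  first=${1%%,*}
  printf '%s\n' "${first#*=}"
}

# If the failed record sat in the default Computers container, print a bind
# command that targets another OU instead. BINDER_ACCOUNT is a placeholder;
# without -password, dsconfigad prompts for it.
suggest_bind() {
  dn=$1; ou_rdn=$2
  container=${dn#*,}
  case $container in
    [Cc][Nn]=Computers,*) ;;
    *) echo "record was not in the default Computers container" >&2; return 1 ;;
  esac
  base=${container#*,}
  printf 'dsconfigad -add %s -computer %s -username BINDER_ACCOUNT -ou "%s,%s"\n' \
    "$(dn_domain "$dn")" "$(dn_name "$dn")" "$ou_rdn" "$base"
}

record=$(sample_log | failed_record_dn)
if [ -n "$record" ]; then suggest_bind "$record" "OU=Macs"; fi
```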