Posted on 04-25-2013 05:27 AM
Any suggestions?
I can manually bind a MacBook to Active Directory using the Join... button in the Accounts Preferences. (Without any errors)
When I create a policy that calls the default directory binding from casper admin in JSS, I keep getting the error, even though I am using the Domain Administrator account:
Executing Policy Bind to AD...
Binding to domain.com...
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 1)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 2)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 3)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 4)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.
Posted on 04-25-2013 06:48 AM
Is your domain admin account actually located within that domain? If not, you may need to specify a domain before the username, e.g. otherdomain\administrator
Posted on 04-25-2013 01:05 PM
Do you have multiple DC's?
Saw this error a while ago when the service account for binding had not synced properly to some DC's.
Binding has been inconsistent at best so we use a script in first run similar to the following:
#!/bin/sh
# Give networking and DNS a minute to settle after first boot before talking to AD.
sleep 60
# The short hostname becomes the AD computer account name (NetBIOS 15-character limit applies).
HOSTNAME=$(/bin/hostname -s)
# Bind credentials and target. They sit here in clear text, which is why the log is removed at the end.
USER='user'
PASS='password'
DOMAIN='your.domain.com'
# Distinguished name of the container the computer object should land in.
OU='YOUR_OU'
# -f forces the bind even if a computer record already exists; -a is the computer name.
/usr/sbin/dsconfigad -f -a "$HOSTNAME" -u "$USER" -p "$PASS" -ou "$OU" -domain "$DOMAIN"
# AD plugin options: mobile accounts without the confirmation dialog, local home folders,
# ignore the UNC home path, bash as the login shell, no preferred DC, admin groups, and
# authenticate against this domain only rather than the whole forest.
/usr/sbin/dsconfigad -mobile enable
/usr/sbin/dsconfigad -mobileconfirm disable
/usr/sbin/dsconfigad -localhome enable
/usr/sbin/dsconfigad -useuncpath disable
/usr/sbin/dsconfigad -shell '/bin/bash'
/usr/sbin/dsconfigad -nopreferred
/usr/sbin/dsconfigad -groups "groups, you, want"
/usr/sbin/dsconfigad -alldomains disable
# Site-specific: pin the authentication search path to one AD node instead of "All Domains".
/usr/bin/dscl /Search -append / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
/usr/bin/dscl /Search -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
# Remove the log that would otherwise hold the bind password in clear text.
/bin/rm /var/log/secure.log
Posted on 04-26-2013 12:34 AM
I have tried adding the domain\administrator and administrator@domain but neither seems to work; we don't have multiple domain names.
I am getting the same error if I use the jamf bind command from the command line. We are using Windows Server 2012, but I had it running perfectly before on a Windows 2012 test domain.
I will try to use a script. We still have a couple of 10.6.8 clients; will there be a different script for 10.6 and 10.8?
Posted on 04-26-2013 12:31 PM
You can check on the link below that the dsconfigad options you want to use are available for each OS version.
Posted on 04-26-2013 12:40 PM
I should provide some extra explanation for the script.
You may not need the following lines:
/usr/bin/dscl /Search -append / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
/usr/bin/dscl /Search -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
These lines were specific to this location to ensure the Authentication search path was not using "All Domains", and explicitly listed the required path.
The deletion of the secure.log file is so the service account password is not left behind in clear text.
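Deleting secure.log does remove the clear-text password, but it also throws away everything else that log recorded on the Mac. As an added example, not part of this post or of the script above, the function below removes only the known secret, in place, so the rest of the audit trail survives. The password is handed to awk through the environment rather than as a regex, so characters such as $ or * in it are matched literally. The log lines it runs on are constructed for the example and are not real secure.log content; the path and secret are placeholders.

```shell
#!/bin/sh
# Added example: redact a known secret from a log file in place instead of
# deleting the whole file. Sample data below is constructed, not a real log.

# redact_secret FILE SECRET
# Replaces every literal occurrence of SECRET in FILE with [REDACTED].
# The file is rewritten through its existing inode so a daemon that holds
# it open (syslogd) keeps writing to the same file.
redact_secret() {
    file=$1
    secret=$2
    [ -n "$secret" ] || { echo "refusing to redact an empty secret" >&2; return 2; }
    tmp="$file.redact.$$"
    SECRET="$secret" awk '
        BEGIN { s = ENVIRON["SECRET"]; n = length(s) }
        {
            line = $0; out = ""
            while ((i = index(line, s)) > 0) {
                out = out substr(line, 1, i - 1) "[REDACTED]"
                line = substr(line, i + n)
            }
            print out line
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# lines_with_secret FILE SECRET
# Prints how many lines still contain SECRET (0 after a successful redaction).
lines_with_secret() {
    grep -cF -- "$2" "$1" || true
}

# Constructed sample (not a real secure.log excerpt) so the script runs offline.
demo() {
    sample=$(mktemp)
    printf '%s\n' \
        'Oct 24 14:01:02 mac01 bind.sh[412]: dsconfigad -u svc_bind -p Sup3r$ecret! -domain domain.com' \
        'Oct 24 14:01:03 mac01 sudo[413]: admin : TTY=ttys000 ; COMMAND=/usr/sbin/dsconfigad' \
        > "$sample"
    echo "lines holding the secret before: $(lines_with_secret "$sample" 'Sup3r$ecret!')"
    redact_secret "$sample" 'Sup3r$ecret!'
    echo "lines holding the secret after:  $(lines_with_secret "$sample" 'Sup3r$ecret!')"
    cat "$sample"
    rm -f "$sample"
}

demo
```

In a first-run script you would call redact_secret /var/log/secure.log "$PASS" right after the dsconfigad line, then verify with lines_with_secret before moving on; the script itself still contains the password, so it should be removed from the Mac once the bind has succeeded.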
Posted on 10-24-2014 01:26 PM
Sorry to bring up an old thread, but this randomly started happening in our environment this week (while I, the only Casper Admin at my org, was at the JNUC of course). Was there a fix for this?
Posted on 10-24-2014 01:27 PM
Well actually, it keeps telling me the password is wrong even though it's right, and the same AD account is able to let privileged users log into the JSS and Casper apps… so something weird is going on. I've tried it on multiple IP ranges at our building to make sure it wasn't a scoping issue, but that hasn't helped.
Posted on 10-24-2014 01:30 PM
@emilykausalik I've had problems binding myself, and each time a restart of the machine has fixed it. Crazy, I know, but for some reason that's all it has taken for it to work. This is on 10.9 machines binding to a Win 2008 AD server, although we are still running a 2003 AD.
Posted on 10-24-2014 01:31 PM
We've tried imaging with 10.9.5 and 10.10.0, same thing. Multiple times. Reboots, the whole shebang.
Posted on 10-24-2014 01:38 PM
Hey @emilykausalik are you able to bind manually using that account?
Posted on 10-24-2014 01:57 PM
Manual binding isn't working either, I get "Authentication server encountered an error while attempting the requested operation." Finally roped a Windows Software Architect into checking the domain controllers for me to see if something is up.
Posted on 10-24-2014 02:01 PM
I think I was getting this error when all the ports weren't open. Try verifying that LDAP and Kerberos are still open and talking to AD.
Posted on 10-24-2014 02:03 PM
I'm sure you checked this already but thought I would mention this. Does the time and date on the Mac match the time and date on your domain controller? I have run into issues like that before.
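The two checks suggested in the last two posts (ports open, clocks in step) are what you would want to script before letting a policy retry the bind five times, because dsconfigad reports DNS, firewall and clock problems as credential errors. As an added example that is not from any post in this thread, the script below reads the domain controllers from the domain's _ldap._tcp.dc._msdcs SRV record, probes the Kerberos, LDAP, SMB, kpasswd and LDAPS ports with nc, and compares the Mac's clock with each DC's rootDSE currentTime (an anonymous LDAP read) against the five-minute Kerberos tolerance. The domain name is supplied on the command line; the hostnames in the comments are placeholders.

```shell
#!/bin/sh
# Added example: preflight checks a Mac should pass before dsconfigad runs.
# Usage: sh ad-preflight.sh domain.com   (the domain is whatever you bind to)

MAX_SKEW=300                 # Kerberos default clock tolerance, in seconds
PORTS="88 389 445 464 636"   # Kerberos, LDAP, SMB, kpasswd, LDAPS

# Turn 'dig +short SRV' output ("0 100 389 dc01.domain.com.") into bare DC
# hostnames, one per line.
dcs_from_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# AD rootDSE currentTime ("20141024190000.0Z") -> epoch seconds. Tries BSD
# date (macOS) first, then GNU/busybox date.
ad_time_to_epoch() {
    ts=$(printf '%s' "$1" | cut -c1-14)
    date -j -u -f '%Y%m%d%H%M%S' "$ts" +%s 2>/dev/null ||
        date -u -d "$(printf '%s' "$ts" |
            sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')" +%s
}

# Returns 0 when |local - remote| <= MAX_SKEW (both epoch seconds), else 1.
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}

# TCP reachability with the nc that ships with macOS; 0 = port open.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

preflight() {
    domain=$1
    rc=0
    dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | dcs_from_srv)
    if [ -z "$dcs" ]; then
        echo "no DC SRV records for $domain: this Mac is not using AD-integrated DNS" >&2
        return 1
    fi
    now=$(date -u +%s)
    for dc in $dcs; do
        for p in $PORTS; do
            port_open "$dc" "$p" || { echo "$dc tcp/$p unreachable" >&2; rc=1; }
        done
        # rootDSE attributes are readable anonymously on AD, so no bind credentials are needed.
        adtime=$(ldapsearch -x -LLL -H "ldap://$dc" -s base -b '' currentTime 2>/dev/null |
                 awk '/^currentTime:/ { print $2 }')
        if [ -z "$adtime" ]; then
            echo "$dc: could not read rootDSE currentTime" >&2; rc=1
        elif skew_ok "$now" "$(ad_time_to_epoch "$adtime")"; then
            echo "$dc: clock within ${MAX_SKEW}s"
        else
            echo "$dc: clock skew over ${MAX_SKEW}s; fix NTP before binding" >&2; rc=1
        fi
    done
    return $rc
}

# Only run the network checks when a domain is given, so the functions above
# can also be sourced and reused.
if [ $# -ge 1 ]; then
    preflight "$1"
fi
```

An empty SRV answer means the Mac's resolvers are not the AD DNS servers, which by itself produces the "authentication server encountered an error" message; a skew failure on every DC points at the Mac's NTP, while a failure on a single DC points at that DC's time source.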
Posted on 10-24-2014 02:25 PM
I think you're onto something @asegura, I think our firewall may be blocking the Apple time servers. Is there a way to find out what that IP address is?
Posted on 10-24-2014 02:27 PM
http://www.somebits.com/weblog/tech/appleNTP.html Looks like this might have your answers.
Posted on 10-24-2014 02:28 PM
Using dig from the Terminal:
; <<>> DiG 9.8.3-P1 <<>> time.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3851
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;time.apple.com. IN A
;; ANSWER SECTION:
time.apple.com. 49 IN A 17.151.16.34
time.apple.com. 49 IN A 17.151.16.21
time.apple.com. 49 IN A 17.151.16.23
time.apple.com. 49 IN A 17.171.4.33
time.apple.com. 49 IN A 17.171.4.34
time.apple.com. 49 IN A 17.171.4.37
time.apple.com. 49 IN A 17.171.4.35
time.apple.com. 49 IN A 17.171.4.36
time.apple.com. 49 IN A 17.151.16.38
time.apple.com. 49 IN A 17.171.4.14
time.apple.com. 49 IN A 17.151.16.14
time.apple.com. 49 IN A 17.171.4.15
time.apple.com. 49 IN A 17.151.16.12
time.apple.com. 49 IN A 17.171.4.13
time.apple.com. 49 IN A 17.151.16.22
time.apple.com. 49 IN A 17.151.16.20
;; Query time: 3 msec
;; MSG SIZE rcvd: 288
Posted on 10-24-2014 02:29 PM
Hate when I hit "Post It" too soon....
You can try setting the time server for the Mac to be your AD server. That way you know that you're getting the proper time for the domain.
Posted on 10-24-2014 02:35 PM
I use a script that uses our internal domain controller for setting the time on our Macs. Our helpdesk was getting a lot of calls due to the time being off a couple of minutes. Since adopting that process those issues have gone away. Ask your Windows guys if they have an internal time server. For the purpose of testing, can you manually set the time on that Mac to match your domain controller and then try to bind?
Posted on 10-24-2014 02:51 PM
Here is the script I use to add our internal time server to our Macs. Hope this helps anyone that has this issue.
#!/bin/sh
# Primary time server for company Macs: the internal NTP source (a DC, or
# whatever the DCs sync from). Must be filled in before use.
TimeServer1=
# Secondary time server, used when the Mac is off the corporate network.
TimeServer2=time.apple.com
if [ -z "$TimeServer1" ]; then
    echo "TimeServer1 is not set" >&2
    exit 1
fi
# systemsetup -setnetworktimeserver rewrites /etc/ntp.conf with the primary
# server as its only entry.
/usr/sbin/systemsetup -setnetworktimeserver "$TimeServer1"
# Add the secondary server as the second line; the grep keeps reruns of this
# script from appending duplicates.
grep -q "^server $TimeServer2\$" /etc/ntp.conf || echo "server $TimeServer2" >> /etc/ntp.conf
# Turn network time on so ntpd picks up the new configuration.
/usr/sbin/systemsetup -setusingnetworktime on
# NetworkTime is a 10.4/10.5 startup item; on 10.6 and later this line is a no-op.
/sbin/SystemStarter restart "NetworkTime"
# Redraw the menu bar clock. The script already runs as root, so no sudo is needed.
killall SystemUIServer
Posted on 10-24-2014 03:00 PM
So! My sneaking suspicion was to blame my networking team. And I was right! One of our external routers was turning away traffic from time.apple.com. They didn't want to poke a hole in it so I'm testing it with our domain NTP.
Hooray…
Posted on 10-24-2014 03:05 PM
Awesome. BTW enjoyed your session at JNUC. To be honest with you that was one of the major selling points for my company to send me. Also I found the patch on a windows server that houses the images. I can work with you on providing the details to make those changes on a server running windows.
Posted on 10-24-2014 03:24 PM
I would be super happy to get with you on that, @asegura! I've been debating installing a test JSS on a Windows VM so I can see what that whole workflow is like.
Posted on 10-25-2014 06:01 AM
Hi all,
I have a number of posts on NTP with Macs & AD.
Before changing your Macs' NTP, please verify that you're serving time from your DCs & what the source is. Usually a single DC will pull its time from an external source, then all other DCs etc. will sync with that DC.
You can find that out by following: https://macmule.com/2013/12/14/how-to-check-your-active-directory-domains-time/
Once you have the details of that external NTP, I would advise you to see if your Macs can get time from that NTP & not your DCs. Why? Well, that way they can sync their time when off-WAN & still have the correct time set. (Especially pertinent with MacBooks when the battery dies.)
That post also links to scripts that advise on how to set & sync Macs to an NTP.