Unable to bind via Casper Admin directory binding

hhorn
New Contributor III

Any suggestions?
I can manually bind a MacBook to Active Directory using the Join... button in the Accounts Preferences. (Without any errors)
When I create a policy that calls the default directory binding from casper admin in JSS, I keep getting the error, even though I am using the Domain Administrator account:
Executing Policy Bind to AD... Binding  to domain.com... The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 1) The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 2) The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 3) The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 4) The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 5) Error: Giving up on Active Directory binding after 5 attempts.


mbrady
New Contributor

Is your domain admin account actually located within that domain? If not, you may need to specify a domain before the username, i.e. otherdomain\administrator

lisacherie
Contributor II

Do you have multiple DC's?
Saw this error a while ago when the service account for binding had not synced properly to some DC's.
Binding has been inconsistent at best so we use a script in first run similar to the following:

#!/bin/sh

# Give networking and directory services time to settle after first boot.
sleep 60

# The short host name (first DNS label) becomes the computer account name in AD.
HOSTNAME=`/bin/hostname | /usr/bin/cut -d "." -f 1`
USER='user'               # account allowed to join computers to the domain
PASS='password'           # stored in clear text here and visible in ps(1) while dsconfigad runs
DOMAIN='your.domain.com'
OU='YOUR_OU'              # LDAP DN of the OU that should hold the computer object

# Force (-f) the bind, creating the computer account in the given OU.
/usr/sbin/dsconfigad -f -a "$HOSTNAME" -u "$USER" -p "$PASS" -ou "$OU" -domain "$DOMAIN"

# Mobile accounts without the confirmation prompt, local home folders, no UNC path, bash as shell.
/usr/sbin/dsconfigad -mobile enable
/usr/sbin/dsconfigad -mobileconfirm disable
/usr/sbin/dsconfigad -localhome enable
/usr/sbin/dsconfigad -useuncpath disable
/usr/sbin/dsconfigad -shell '/bin/bash'

# Do not pin a preferred DC, grant admin rights to the listed AD groups, search only this domain.
/usr/sbin/dsconfigad -nopreferred
/usr/sbin/dsconfigad -groups "groups, you, want"
/usr/sbin/dsconfigad -alldomains disable

# Site-specific: set the authentication search path explicitly instead of "All Domains".
/usr/bin/dscl /Search -append / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
/usr/bin/dscl /Search -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/...."

# Remove the log that recorded the bind command line, including the service account password.
/bin/rm -f /var/log/secure.log

hhorn
New Contributor III

I have tried adding the domain\administrator and administrator@domain but neither seem to work; we don't have multiple domain names.
I am getting the same error if I use the jamf bind command from the command line. We are using Windows Server 2012, but I had it running perfectly before on a Windows 2012 test domain.
I will try to use a script. We still have a couple of 10.6.8 clients; will there be a different script for 10.6 and 10.8?

lisacherie
Contributor II

You can check on the link below that the dsconfigad options you want to use are available for each OS version.

https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.h...

lisacherie
Contributor II

I should provide some extra explanation for the script..

You may not need the following lines:

/usr/bin/dscl /Search -append / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
/usr/bin/dscl /Search -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/...."

These lines were specific to this location to ensure the Authentication search path was not using "All Domains", and explicitly listed the required path.

The deletion of the secure.log file is so the service account password is not left behind in clear text.

emily
Valued Contributor III

Sorry to bring up an old thread, but this randomly started happening in our environment this week (while I, the only Casper Admin at my org, was at the JNUC of course). Was there a fix for this?

emily
Valued Contributor III

Well actually, it keeps telling me the password is wrong even though it's right, and the same AD account is able to let privileged users log into the JSS and Casper apps… so something weird is going on. I've tried it on multiple IP ranges at our building to make sure it wasn't a scoping issue, but that hasn't helped.

stevewood
Honored Contributor II

@emilykausalik I've had problems binding myself, and each time a restart of the machine has fixed it. Crazy, I know, but for some reason that's all it has taken for it to work. This is on 10.9 machines binding to a Win 2008 AD server, although we are still running a 2003 AD.

emily
Valued Contributor III

We've tried imaging with 10.9.5 and 10.10.0, same thing. Multiple times. Reboots, the whole shebang.

asegura
Contributor

Hey @emilykausalik are you able to bind manually using that account?

emily
Valued Contributor III

Manual binding isn't working either, I get "Authentication server encountered an error while attempting the requested operation." Finally roped a Windows Software Architect into checking the domain controllers for me to see if something is up.

slapaglia
New Contributor

I think I was getting this error when all the ports weren't open. Try verifying that LDAP and Kerberos are still open and talking to AD.

asegura
Contributor

I'm sure you checked this already but thought I would mention this. Does the time and date on the Mac match the time and date on your domain controller? I have run into issues like that before.
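The two checks suggested in the last replies (LDAP/Kerberos ports reachable, and clock skew between the Mac and the DC, which Kerberos rejects beyond 5 minutes by default) can be scripted and run before the bind policy. The script below is an added example for this thread, not code from any of the posters. It assumes the AD domain name is passed as the first argument, that the DCs are discoverable through the domain's `_ldap._tcp.dc._msdcs` SRV record, and that the stock macOS `dig`, `nc`, `date` and Heimdal `kinit`/`klist` are available; the SRV parser and skew calculation take their input as stdin/arguments so they can be exercised without a network.

```shell
#!/bin/sh
# Pre-flight checks before "jamf bind" / dsconfigad.
# Added example for this thread; not code from any poster above.
# Assumed tools (stock macOS): dig, nc, date, Heimdal kinit/klist.

DOMAIN="${1:-domain.com}"   # assumption: DNS name of the AD domain, given as $1
REALM=$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')

# Parse "dig +short SRV" output ("prio weight port host.") into bare host names.
# Reads stdin so it can be tested offline with captured dig output.
srv_hosts() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Absolute clock skew in seconds between two epoch timestamps,
# e.g. "$(date +%s)" on the Mac versus the DC's time.
clock_skew() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then
        skew=$(( -skew ))
    fi
    echo "$skew"
}

# Succeeds when the skew is within the Kerberos default of 300 seconds.
skew_ok() {
    [ "$(clock_skew "$1" "$2")" -le 300 ]
}

# TCP reachability of the ports a bind needs on one DC:
# 88 Kerberos, 389 LDAP, 445 SMB, 464 kpasswd, 636 LDAPS.
check_ports() {
    host=$1
    for port in 88 389 445 464 636; do
        if nc -z -w 3 "$host" "$port" >/dev/null 2>&1; then
            echo "ok    $host:$port"
        else
            echo "FAIL  $host:$port"
        fi
    done
}

# Ask the KDC for a TGT with the bind account. One call proves the credentials,
# DNS, port 88 and clock skew together ("Clock skew too great" is the skew error).
# Assumption: Heimdal kinit, which reads the password from stdin with
# --password-file=STDIN, so the password never appears in argv.
kdc_ticket_ok() {
    printf '%s\n' "$2" | kinit --password-file=STDIN "$1@$REALM" 2>&1 && klist >/dev/null
}

# Only hit the network when a domain was given on the command line.
if [ -n "$1" ]; then
    for dc in $(dig +short SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | srv_hosts); do
        check_ports "$dc"
    done
fi
```

Run it as `sh preflight.sh domain.com` to list port results per DC; call `kdc_ticket_ok bindaccount 'password'` separately, because a failing TGT request with the bind account is the same failure dsconfigad hides behind its "does not have the privileges" message.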

emily
Valued Contributor III

I think you're onto something @asegura, I think our Firewall may be blocking the Apple time servers. Is there a way to find out what that IP address is?

slapaglia
New Contributor

http://www.somebits.com/weblog/tech/appleNTP.html Looks like this might have your answers.

stevewood
Honored Contributor II

Using dig from the Terminal:

; <<>> DiG 9.8.3-P1 <<>> time.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3851
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;time.apple.com.            IN  A

;; ANSWER SECTION:
time.apple.com.     49  IN  A   17.151.16.34
time.apple.com.     49  IN  A   17.151.16.21
time.apple.com.     49  IN  A   17.151.16.23
time.apple.com.     49  IN  A   17.171.4.33
time.apple.com.     49  IN  A   17.171.4.34
time.apple.com.     49  IN  A   17.171.4.37
time.apple.com.     49  IN  A   17.171.4.35
time.apple.com.     49  IN  A   17.171.4.36
time.apple.com.     49  IN  A   17.151.16.38
time.apple.com.     49  IN  A   17.171.4.14
time.apple.com.     49  IN  A   17.151.16.14
time.apple.com.     49  IN  A   17.171.4.15
time.apple.com.     49  IN  A   17.151.16.12
time.apple.com.     49  IN  A   17.171.4.13
time.apple.com.     49  IN  A   17.151.16.22
time.apple.com.     49  IN  A   17.151.16.20

;; Query time: 3 msec

;; MSG SIZE  rcvd: 288

stevewood
Honored Contributor II

Hate when I hit "Post It" too soon....

You can try setting the time server for the Mac to be your AD server. That way you know that you're getting the proper time for the domain.

asegura
Contributor

I use a script that uses our internal domain controller for setting the time on our Macs. Our helpdesk was getting a lot of calls due to the time being off a couple of minutes. Since adopting that process those issues have gone away. Ask your Windows guys if they have an internal time server. For the purpose of testing, can you manually set the time on that Mac to match your domain controller and then try to bind?

asegura
Contributor

Here is the script I use to add our internal time server to our Macs. Hope this helps anyone that has this issue.

#!/bin/sh

# Primary time server for company Macs (internal server; value left blank by the poster)
TimeServer1=
# Secondary time server for company Macs
TimeServer2=time.apple.com

# Refuse to run with an empty primary, otherwise systemsetup is handed no server at all.
if [ -z "$TimeServer1" ]; then
    echo "TimeServer1 is not set" >&2
    exit 1
fi

# Set the primary network server with systemsetup -setnetworktimeserver
# Using this command will clear /etc/ntp.conf of existing entries and
# add the primary time server as the first line.
/usr/sbin/systemsetup -setnetworktimeserver "$TimeServer1"

# Add the secondary time server as the second line in /etc/ntp.conf
echo "server $TimeServer2" >> /etc/ntp.conf

# Turn network time on and restart the time service so the new servers take effect
# (the NetworkTime startup item belongs to older OS X releases). The script already
# runs as root under the policy, so sudo is not needed.
/usr/sbin/systemsetup -setusingnetworktime on
/sbin/SystemStarter restart "NetworkTime"
killall SystemUIServer
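A script like the one above appends a `server` line to /etc/ntp.conf on every run, so each policy execution leaves another duplicate, and nothing stops a malformed server value from landing in the file. As an added example (not asegura's script), the functions below build the file from a validated server list and replace it in one step; the hostnames are placeholders, and the `systemsetup` calls are the same ones used above.

```shell
#!/bin/sh
# Idempotent NTP configuration for Macs: primary (internal) server first,
# public fallback second. Added example, not code from the thread.

# Accept only a plain host name or IPv4 address, so a bad value cannot smuggle
# a second directive (e.g. "restrict") into ntp.conf.
valid_server() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Emit one "server" line per argument, in order. Fails (exit 1) on any
# invalid name before emitting anything.
build_ntp_conf() {
    for s in "$@"; do
        valid_server "$s" || { echo "invalid server name: $s" >&2; return 1; }
    done
    for s in "$@"; do
        echo "server $s"
    done
}

# Point the OS at the primary server (this rewrites /etc/ntp.conf with a single
# entry), then replace the file with the full list in one mv, so a rerun never
# leaves duplicates or a half-written file.
install_ntp_conf() {
    tmp=$(mktemp /tmp/ntp.conf.XXXXXX) || return 1
    if ! build_ntp_conf "$@" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    /usr/sbin/systemsetup -setnetworktimeserver "$1" >/dev/null
    /usr/sbin/systemsetup -setusingnetworktime on >/dev/null
    chmod 644 "$tmp"
    mv "$tmp" /etc/ntp.conf
}

# Only touch the system when run as root with servers on the command line,
# e.g.: sh set-ntp.sh ntp.corp.example time.apple.com   (placeholder names)
if [ "$#" -ge 1 ] && [ "$(id -u)" -eq 0 ]; then
    install_ntp_conf "$@"
fi
```

Because the file is regenerated from the argument list rather than appended to, running the policy again simply produces the same two lines; a server name containing whitespace or a semicolon is rejected before anything is written.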

emily
Valued Contributor III

So! My sneaking suspicion was to blame my networking team. And I was right! One of our external routers was turning away traffic from time.apple.com. They didn't want to poke a hole in it so I'm testing it with our domain NTP.

Hooray…

asegura
Contributor

Awesome. BTW, enjoyed your session at JNUC. To be honest with you, that was one of the major selling points for my company to send me. Also, I found the patch on a Windows server that houses the images. I can work with you on providing the details to make those changes on a server running Windows.

emily
Valued Contributor III

I would be super happy to get with you on that, @asegura! I've been debating installing a test JSS on a Windows VM so I can see what that whole workflow is like.

bentoms
Release Candidate Programs Tester

Hi all,

I have a number of posts on NTP with Macs & AD.

Before changing your Macs' NTP, please verify that you're serving time from your DCs & what the source is. Usually a single DC will pull its time from an external source, then all other DCs etc. will sync with that DC.

You can find that out by following: https://macmule.com/2013/12/14/how-to-check-your-active-directory-domains-time/

Once you have the details of that external NTP, I would advise you see if your Macs can get time from that NTP & not your DCs. Why? Well, that way they can sync their time when off-WAN & still have the correct time set. (Especially pertinent with MacBooks when the battery dies.)

That post also links to scripts that advise on how to set & sync Macs to an NTP.