Question

Unable to bind via Casper Admin directory binding


  • Contributor
  • 26 replies

Any suggestions?
I can manually bind a MacBook to Active Directory using the Join... button in the Accounts Preferences. (Without any errors)
When I create a policy that calls the default directory binding from casper admin in JSS, I keep getting the error, even though I am using the Domain Administrator account:
Executing Policy Bind to AD...
Binding to domain.com...
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 1)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 2)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 3)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 4)
The username (Administrator) and password provided for the domain (domain.com) does not have the privileges to join a computer to the domain. (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.

23 replies

  • New Contributor
  • 6 replies
  • April 25, 2013

Is your domain admin account actually located within that domain? If not, you may need to specify the domain before the username, i.e. otherdomain\administrator


  • Valued Contributor
  • 184 replies
  • April 25, 2013

Do you have multiple DCs?
Saw this error a while ago when the service account for binding had not synced properly to some DCs.
Binding has been inconsistent at best, so we use a script in first run similar to the following:

#!/bin/sh

# Give networking and directory services time to settle after first boot.
sleep 60

# The short host name becomes the AD computer account name.
HOSTNAME=`/bin/hostname | /usr/bin/cut -d "." -f 1`
USER='user'
PASS='password'
DOMAIN='your.domain.com'
OU='YOUR_OU'

# Bind as the service account into the given OU, forcing over any stale binding.
/usr/sbin/dsconfigad -f -a "$HOSTNAME" -u "$USER" -p "$PASS" -ou "$OU" -domain "$DOMAIN"

# Mobile accounts without the confirmation dialog, local home folders, bash shell.
/usr/sbin/dsconfigad -mobile enable
/usr/sbin/dsconfigad -mobileconfirm disable
/usr/sbin/dsconfigad -localhome enable
/usr/sbin/dsconfigad -useuncpath disable
/usr/sbin/dsconfigad -shell '/bin/bash'

# No preferred DC, AD groups granted local admin, only this domain in the search path.
/usr/sbin/dsconfigad -nopreferred
/usr/sbin/dsconfigad -groups "groups, you, want"
/usr/sbin/dsconfigad -alldomains disable

# Put the explicit domain node in the authentication search path and drop the generic one.
/usr/bin/dscl /Search -append / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
/usr/bin/dscl /Search -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/.…."

# secure.log records the bind command line, including the password.
/bin/rm /var/log/secure.log
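The bind error at the top of the thread is the same one dsconfigad gives when DNS or a firewall is the real problem, as later replies about LDAP and Kerberos ports point out. The script below is an added example, not code from the thread or from Jamf: it resolves the domain's DC SRV records, checks that every DC answers on Kerberos (88) and LDAP (389), binds with the same short-form dsconfigad flags the script above uses, and confirms the binding from `dsconfigad -show` instead of trusting the exit status. The domain and OU values, the BIND_USER/BIND_PASS variables, the `--run` switch and the assumed layout of `dsconfigad -show` output are all placeholders for illustration.

```shell
#!/bin/bash
# Added example, not from the thread: check DNS and ports before calling dsconfigad,
# then bind with retries and confirm the binding with `dsconfigad -show`.
# Assumed placeholders: DOMAIN, OU (as a DN), and the BIND_USER/BIND_PASS variables.
set -u

DOMAIN="${DOMAIN:-your.domain.com}"
OU="${OU:-OU=Macs,DC=your,DC=domain,DC=com}"

# Turn `dig +short SRV` output ("priority weight port target.") into a list of
# DC host names, lowest priority value (most preferred) first.
srv_targets() {
  sort -n | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# 0 if TCP port $2 on host $1 accepts a connection within 3 seconds.
port_open() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Print the domain named in `dsconfigad -show` output, lowercased (assumed line layout:
# "  Active Directory Domain          = your.domain.com"); prints nothing if unbound.
bound_domain() {
  awk -F' = ' '/Active Directory Domain[ \t]*=/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print tolower($2) }'
}

# Every DC listed in DNS must answer Kerberos (88) and LDAP (389), otherwise the
# bind fails with a misleading "does not have the privileges" error.
preflight() {
  local domain="$1" dcs dc ok=0
  dcs=$(dig +short SRV "_ldap._tcp.dc._msdcs.${domain}" | srv_targets)
  if [ -z "$dcs" ]; then
    echo "no DC SRV records for ${domain}: check DNS servers and search domains" >&2
    return 1
  fi
  for dc in $dcs; do
    if port_open "$dc" 88 && port_open "$dc" 389; then
      echo "DC ${dc}: Kerberos and LDAP reachable"
      ok=1
    else
      echo "DC ${dc}: Kerberos (88) or LDAP (389) blocked" >&2
    fi
  done
  [ "$ok" -eq 1 ]
}

# Bind with the short-form flags the thread's script uses (they work on 10.6 and 10.8),
# retry a few times, and verify the result rather than trusting the exit status.
bind_to_ad() {
  local user="$1" pass="$2" host attempt want
  host=$(/bin/hostname | /usr/bin/cut -d . -f 1)
  want=$(printf '%s' "$DOMAIN" | tr 'A-Z' 'a-z')
  for attempt in 1 2 3; do
    /usr/sbin/dsconfigad -f -a "$host" -u "$user" -p "$pass" -ou "$OU" -domain "$DOMAIN"
    if [ "$(/usr/sbin/dsconfigad -show | bound_domain)" = "$want" ]; then
      echo "bound to ${DOMAIN} as ${host} (attempt ${attempt})"
      return 0
    fi
    sleep 15
  done
  echo "giving up on binding to ${DOMAIN} after 3 attempts" >&2
  return 1
}

# Runs only when invoked with --run, e.g. from a Casper policy script:
#   BIND_USER=svc_bind BIND_PASS='...' ./bind-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  preflight "$DOMAIN" || exit 1
  bind_to_ad "${BIND_USER:?set BIND_USER}" "${BIND_PASS:?set BIND_PASS}"
fi
```

The credentials are taken from the environment so they do not live in the script body, but `dsconfigad -p` still exposes the password to `ps` for the duration of the bind and, as the reply above notes, to secure.log; treat the bind account as a low-privilege account that can only join computers to the target OU.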

  • Author
  • Contributor
  • 26 replies
  • April 26, 2013

I have tried adding the domain\administrator and administrator@domain, but neither seems to work; we don't have multiple domain names.
I am getting the same error if I use the jamf bind command from the command line. We are using Windows Server 2012, but I had it running perfectly before on a Windows 2012 test domain.
I will try to use a script. We still have a couple of 10.6.8 clients; will there be a different script for 10.6 and 10.8?


  • Valued Contributor
  • 184 replies
  • April 26, 2013

You can check on the link below that the dsconfigad options you want to use are available for each OS version.

https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.html


  • Valued Contributor
  • 184 replies
  • April 26, 2013

I should provide some extra explanation for the script.

You may not need the following lines:

/usr/bin/dscl /Search -append / CSPSearchPath "/Active Directory/YOURDOMAIN/...."
/usr/bin/dscl /Search -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/.…."

These lines were specific to this location, to ensure the authentication search path was not using "All Domains" and explicitly listed the required path.

The deletion of the secure.log file is so the service account password is not left behind in clear text.


emily
  • Employee
  • 871 replies
  • October 24, 2014

Sorry to bring up an old thread, but this randomly started happening in our environment this week (while I, the only Casper Admin at my org, was at the JNUC of course). Was there a fix for this?


emily
  • Employee
  • 871 replies
  • October 24, 2014

Well actually, it keeps telling me the password is wrong even though it's right, and the same AD account is able to let privileged users log into the JSS and Casper apps… so something weird is going on. I've tried it on multiple IP ranges at our building to make sure it wasn't a scoping issue, but that hasn't helped.


stevewood
  • Employee
  • 1797 replies
  • October 24, 2014

@emilykausalik I've had problems binding myself, and each time a restart of the machine has fixed it. Crazy, I know, but for some reason that's all it has taken for it to work. This is on 10.9 machines binding to a Win 2008 AD server, although we are still running a 2003 AD.


emily
  • Employee
  • 871 replies
  • October 24, 2014

We've tried imaging with 10.9.5 and 10.10.0, same thing. Multiple times. Reboots, the whole shebang.


  • Contributor
  • 56 replies
  • October 24, 2014

Hey @emilykausalik are you able to bind manually using that account?


emily
  • Employee
  • 871 replies
  • October 24, 2014

Manual binding isn't working either, I get "Authentication server encountered an error while attempting the requested operation." Finally roped a Windows Software Architect into checking the domain controllers for me to see if something is up.


  • New Contributor
  • 9 replies
  • October 24, 2014

I think I was getting this error when all the ports weren't open. Try verifying that LDAP and Kerberos are still open and talking to AD.


  • Contributor
  • 56 replies
  • October 24, 2014

I'm sure you checked this already, but thought I would mention this. Does the time and date on the Mac match the time and date on your domain controller? I have run into issues like that before.


emily
  • Employee
  • 871 replies
  • October 24, 2014

I think you're onto something @asegura, I think our Firewall may be blocking the Apple time servers. Is there a way to find out what that IP address is?


  • New Contributor
  • 9 replies
  • October 24, 2014

http://www.somebits.com/weblog/tech/appleNTP.html Looks like this might have your answers.


stevewood
  • Employee
  • 1797 replies
  • October 24, 2014

Using dig from the Terminal:

; <<>> DiG 9.8.3-P1 <<>> time.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3851
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;time.apple.com.            IN  A

;; ANSWER SECTION:
time.apple.com.     49  IN  A   17.151.16.34
time.apple.com.     49  IN  A   17.151.16.21
time.apple.com.     49  IN  A   17.151.16.23
time.apple.com.     49  IN  A   17.171.4.33
time.apple.com.     49  IN  A   17.171.4.34
time.apple.com.     49  IN  A   17.171.4.37
time.apple.com.     49  IN  A   17.171.4.35
time.apple.com.     49  IN  A   17.171.4.36
time.apple.com.     49  IN  A   17.151.16.38
time.apple.com.     49  IN  A   17.171.4.14
time.apple.com.     49  IN  A   17.151.16.14
time.apple.com.     49  IN  A   17.171.4.15
time.apple.com.     49  IN  A   17.151.16.12
time.apple.com.     49  IN  A   17.171.4.13
time.apple.com.     49  IN  A   17.151.16.22
time.apple.com.     49  IN  A   17.151.16.20

;; Query time: 3 msec

;; MSG SIZE  rcvd: 288

stevewood
  • Employee
  • 1797 replies
  • October 24, 2014

Hate when I hit "Post It" too soon....

You can try setting the time server for the Mac to be your AD server. That way you know that you're getting the proper time for the domain.


Forum|alt.badge.img+8
  • Contributor
  • 56 replies
  • October 24, 2014

I use a script that uses our internal domain controller for setting the time on our Macs. Our helpdesk was getting a lot of calls due to the time being off by a couple of minutes. Since adopting that process those issues have gone away. Ask your Windows guys if they have an internal time server. For the purpose of testing, can you manually set the time on that Mac to match your domain controller and then try to bind?


Forum|alt.badge.img+8
  • Contributor
  • 56 replies
  • October 24, 2014

Here is the script I use to add our internal time server to our Macs. Hope this helps anyone that has this issue.

#!/bin/sh

#Primary Time server for Company Macs
TimeServer1=
#Secondary Time server for Company Macs
TimeServer2=time.apple.com

# Refuse to run until the primary server has been filled in; systemsetup
# would otherwise be handed an empty name.
if [ -z "$TimeServer1" ]; then
    echo "TimeServer1 is not set" >&2
    exit 1
fi

# Set the primary network server with systemsetup -setnetworktimeserver
# Using this command will clear /etc/ntp.conf of existing entries and
# add the primary time server as the first line.
/usr/sbin/systemsetup -setnetworktimeserver "$TimeServer1"

# Add the secondary time server as the second line in /etc/ntp.conf
echo "server $TimeServer2" >> /etc/ntp.conf

# Turn network time on and restart the NTP client so the new servers are used
/usr/sbin/systemsetup -setusingnetworktime on
/sbin/SystemStarter restart "NetworkTime"
# Refresh the menu bar clock (the script already runs as root, so no sudo needed)
killall SystemUIServer


emily
  • Employee
  • 871 replies
  • October 24, 2014

So! My sneaking suspicion was to blame my networking team. And I was right! One of our external routers was turning away traffic from time.apple.com. They didn't want to poke a hole in it so I'm testing it with our domain NTP.

Hooray…


Forum|alt.badge.img+8
  • Contributor
  • 56 replies
  • October 24, 2014

Awesome. BTW, enjoyed your session at JNUC. To be honest with you, that was one of the major selling points for my company to send me. Also I found the patch on a Windows server that houses the images. I can work with you on providing the details to make those changes on a server running Windows.


emily
  • Employee
  • 871 replies
  • October 24, 2014

I would be super happy to get with you on that, @asegura! I've been debating installing a test JSS on a Windows VM so I can see what that whole workflow is like.


bentoms
  • Legendary Contributor
  • 4331 replies
  • October 25, 2014

Hi all,

I have a number of posts on NTP with Macs & AD.

Before changing your Macs' NTP, please verify that you're serving time from your DCs and what the source is. Usually a single DC will pull its time from an external source, then all other DCs etc. will sync with that DC.

You can find that out by following: https://macmule.com/2013/12/14/how-to-check-your-active-directory-domains-time/

Once you have the details of that external NTP, I would advise you see if your Macs can get time from that NTP and not your DCs. Why? Well, that way they can sync their time when off-WAN and still have the correct time set. (Especially pertinent with MacBooks when the battery dies.)

That post also links to scripts that advise on how to set & sync Macs to an NTP.
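The time replies above turn on one fact: Kerberos rejects requests when the client clock is more than five minutes (the default 300 second clock skew) away from the KDC, and a Mac whose NTP traffic is blocked drifts past that without any visible error until the bind fails. The script below is an added example, not from the thread or from any of the posters, that measures the offset between the Mac and each DC (or the external NTP source bentoms suggests checking) before you bind. It assumes the `sntp` that ships with ntp 4.2.8 on macOS 10.9 and later and the one-line reply format shown in the comment; the host names and the MAX_SKEW variable are placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: report the clock offset between this Mac and
# each NTP source given on the command line, failing on any that is unreachable or
# further than MAX_SKEW seconds away (300 s is the Kerberos default clock skew).
# Assumed: the one-line reply format of sntp from ntp 4.2.8 (macOS 10.9 and later).
set -u

MAX_SKEW="${MAX_SKEW:-300}"

# Pull the offset (seconds; positive means this Mac is behind) out of an sntp line like:
#   2014-10-24 13:05:01.123456 (+0000) -0.012345 +/- 0.001234 dc1.your.domain.com 10.0.0.5 s2 no-leap
# Prints nothing when the line is not an sntp reply (e.g. an error message).
sntp_offset() {
  awk '$3 ~ /^\(/ && $4 ~ /^[+-]?[0-9]/ { print $4; exit }'
}

# 0 when |offset| <= max; awk does the floating-point comparison the shell cannot.
skew_ok() {
  awk -v off="$1" -v max="$2" 'BEGIN { if (off < 0) off = -off; if (off <= max) exit 0; exit 1 }'
}

# Query each host, print its offset, and return non-zero if any host is missing or too far off.
check_time_sources() {
  local host reply off rc=0
  for host in "$@"; do
    reply=$(sntp "$host" 2>/dev/null | tail -n 1)   # query only; -s (set the clock) needs root
    off=$(printf '%s\n' "$reply" | sntp_offset)
    if [ -z "$off" ]; then
      echo "${host}: no NTP reply (UDP 123 blocked or host not serving time)" >&2
      rc=1
    elif skew_ok "$off" "$MAX_SKEW"; then
      echo "${host}: offset ${off}s, within ${MAX_SKEW}s"
    else
      echo "${host}: offset ${off}s exceeds ${MAX_SKEW}s; Kerberos will reject the bind" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./check-time.sh dc1.your.domain.com dc2.your.domain.com
if [ "$#" -gt 0 ]; then
  echo "configured time server: $(/usr/sbin/systemsetup -getnetworktimeserver 2>/dev/null)"
  check_time_sources "$@"
fi
```

Run it against every DC returned for `_ldap._tcp.dc._msdcs.your.domain.com` as well as the NTP source the DCs themselves use; if the DCs agree with each other but the Mac is off from all of them, the Mac's NTP path is blocked, as it was in this thread, and if one DC disagrees with the rest, that DC is the one to hand to the Windows team.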

