Posted on 04-21-2020 11:20 AM
Hi folks.
I struggle so hard with AD binding these days. All of a sudden, all scripts and policies related to AD binding seem to have stopped working, from one day to another, and I cannot find a pattern in these errors and failures. Any help HIGHLY appreciated!
This is the script I originally used for binding a Mac. It used to work fine:
```bash
#!/bin/bash
apiurl="https://jss.mycompany.lan"
apistring="(API user credentials)"      # placeholder: user:password for the Jamf Pro API
adstring="(Domain Admin credentials)"   # placeholder: -u <user> -p <password> for dsconfigad
# get Mac's serial number
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "This Mac has serial number: $serial"
# download the computer record from Jamf Pro and extract the site name out of it
# (-k disables TLS certificate checking for the API call)
# echo curl -ku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml"
siteName=$( curl -sku "$apistring" "$apiurl/JSSResource/computers/serialnumber/$serial/subset/general" -X GET -H "Accept: application/xml" | xpath '/computer/general/site/name/text()' )
#echo "$siteName"
# siteName=$( /usr/bin/curl --header "Accept: application/xml" --silent --user "$apistring" "$apiurl/JSSResource/computers/serialnumber/$serial/subset/general" --insecure | /usr/bin/xpath '/computer/general/site/name[1]/text()' 2>/dev/null )
echo "This Mac is assigned to Site: $siteName"
# (disabled) unbind first if the Mac is already bound to the domain
# adstatus=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
# echo $adstatus
#if [ "$adstatus" = "mycompany.lan" ]
#then
# dsconfigad -remove -force $adstring
# dscl /Search -delete / CSPSearchPath "/Active Directory/All Domains"
# dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/All Domains"
# echo "This Mac has been previously bound to AD and got unbound now."
#fi
# add to the AD container matching the site
case "$siteName" in
Site1)
    targetOU="OU=Site1,DC=mycompany,DC=lan"
    ;;
Site2)
    targetOU="OU=Site2,DC=mycompany,DC=lan"
    ;;
# (many more sites to come)
*)
    targetOU="OU=Macintosh,OU=Computer,DC=mycompany,DC=lan"
    ;;
esac
# the && / || branches must continue the dsconfigad line (a line starting with && is a syntax error),
# so each line is joined with a trailing backslash
dsconfigad -add "mycompany.lan" $adstring -force -computer "$serial" -mobile enable -mobileconfirm disable -localhome enable -useuncpath disable -shell /bin/bash -ou "$targetOU" -groups "" -passinterval 0 \
    && echo "Mac added to AD $targetOU" \
    || echo "Error adding Mac to OU $targetOU: $?"
```
Now that brings up in the JSS logs an error like this:
```
dsconfigad[15938:276778] -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007...
```
Even if I keep the script as simple as possible:
```sh
#!/bin/sh
adstring="(domain admin credentials)"   # placeholder: -u <user> -p <password>
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
dsconfigad -add "mycompany.lan" $adstring -force -computer "$serial" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "(defined OU)" -groups "" -passinterval 0
```
...it brings up the same error.
If I run the same dsconfigad command in the Mac's Terminal directly, at least binding works like a charm. It looks nice in System Preferences and Directory Utility, and even on the AD side it has been nicely added and put in the right OU.
However, if I log out and log in as AD user afterwards, it brings up a secure token prompt for secure token holder credentials (which is odd as well, as I disabled the Security and FileVault Config Profile for the sake of troubleshooting), and after that, it says:
[screenshot of the error message; image not captured in this extraction]
Now, I tried out the createmobileaccount on local admin account:
```sh
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n (adusername)
```
...and this brought this result:
```
admin@admin'sMacBook ~ % sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n apple.dep
SecureToken admin user name [optional]: admin
SecureToken admin user password [optional]:
2020-04-21 15:52:39.041 createmobileaccount[14138:274286] ### authenticateUsingAuthorizationSync error:Error Domain=com.apple.systemadministration Code=-60007 "(null)"
2020-04-21 15:52:41.615 createmobileaccount[14138:274325] ### authenticateUsingAuthorizationSync error:Error Domain=com.apple.systemadministration Code=-60007 "(null)"
2020-04-21 15:52:41.642 createmobileaccount[14138:274285] AOSKit INFO: Disabling BTMM for user, no zone found for uid=1592850885, usersToZones: (null)
2020-04-21 15:52:46.646 createmobileaccount[14138:274285] ### Notify CFPreferences of impending user deletion timed out (5 seconds)
2020-04-21 15:52:47.687 createmobileaccount[14138:274503] ### Error: setMachineArray:( { date = "2020-04-21 13:52:47 +0000"; "dsAttrTypeStandard:RealName" = "Apple DEP"; "dsAttrTypeStandard:UniqueID" = 1592850885; name = "apple.dep"; } ) forKey:deletedUsers inDomain:com.apple.preferences.accounts
* mobile account could not be created: -6304 (MCXCCreateMobileAccount(): [newUser createHomeDirectory] failed)
```
I tried to play around with the "Useuncpath disable" option in dsconfigad, but still no joy.
I also tried adding directory binding via a configuration profile, but nothing happens at all (at least no binding is visible in System Preferences).
I did also try to use a policy with the directory binding payload, but this brings exactly the same error as at the very beginning when I tried it script based:
```
dsconfigad[15938:276778] -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007...
```
I am running out of ideas, as I have ruled out Endpoint Protection and FileVault (at least I thought so), and I am not aware of any changes on our side that could have messed up the whole procedure.
Any ideas? It's driving me totally nuts!
Best regards
Christian
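The site-to-OU bind procedure from the post above, as an added example that is not the poster's script: it parses the Jamf Pro XML without xpath, maps the site to an OU, and makes the policy log carry the real dsconfigad exit code instead of a bare "Error adding". DSCONFIGAD and the sample XML are assumptions of this example, so the helper can be exercised with a stub in place of the real binary.

```bash
#!/bin/bash
# Added example (not the original poster's script). DSCONFIGAD is an assumed
# variable so a dry run can substitute a stub for the real binary.
DSCONFIGAD="${DSCONFIGAD:-dsconfigad}"
DOMAIN="mycompany.lan"

# Constructed sample of /JSSResource/computers/serialnumber/<serial>/subset/general
SAMPLE_XML='<?xml version="1.0"?><computer><general><id>42</id><name>MBP-001</name><site><id>3</id><name>Site2</name></site></general></computer>'

# Read the XML on stdin (e.g. piped from curl) and print the site name.
# Flattening to one line keeps the match independent of line breaks;
# prints nothing when there is no <site> element.
site_from_xml() {
    tr -d '\n' | sed -n 's#.*<site>.*<name>\([^<]*\)</name>.*</site>.*#\1#p'
}

# Map a site to its OU. An empty site, or the "None" Jamf Pro reports for
# unassigned computers, falls through to the default container.
ou_for_site() {
    case "$1" in
        Site1) echo "OU=Site1,DC=mycompany,DC=lan" ;;
        Site2) echo "OU=Site2,DC=mycompany,DC=lan" ;;
        *)     echo "OU=Macintosh,OU=Computer,DC=mycompany,DC=lan" ;;
    esac
}

# bind_mac <serial> <ou> <join-user> <join-password>
# Credentials are passed in rather than hard-coded; the join account only needs
# rights to create computer objects in the target OU, so it need not be a
# Domain Admin. -passinterval 0 stops the computer password from rotating
# (the default is every 14 days).
bind_mac() {
    if "$DSCONFIGAD" -add "$DOMAIN" -username "$3" -password "$4" -force \
            -computer "$1" -ou "$2" -mobile enable -mobileconfirm disable \
            -localhome enable -useuncpath disable -shell /bin/bash \
            -groups "" -passinterval 0; then
        echo "Mac $1 added to AD $2"
        return 0
    else
        rc=$?
        # The -60007 in the poster's log is errAuthorizationInteractionNotAllowed
        # from Authorization.h; the exit code here shows which step failed.
        echo "Error adding Mac $1 to OU $2: dsconfigad exited $rc" >&2
        return "$rc"
    fi
}

# Typical use on a Mac, with $apiurl, $apistring and $serial set as in the post:
#   site=$(curl -s -u "$apistring" "$apiurl/JSSResource/computers/serialnumber/$serial/subset/general" -H "Accept: application/xml" | site_from_xml)
#   bind_mac "$serial" "$(ou_for_site "$site")" "$joinuser" "$joinpass"
```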
Posted on 04-22-2020 12:04 PM
@mucgyver I'm no expert at AD binding myself. In my JSS everything was set up before I took the reins. However, in our policy we are using the Directory Bindings payload for AD binding - see screenshot 1. You just need to make sure you have Directory Binding set up in All Settings > Computer Management > Directory Bindings. There's an option in there to create a mobile account at login - see screenshot 2. Hopefully this helps!
Posted on 04-22-2020 10:27 PM
@bcbackes Thank you very much. :-)