Unable to create mobile account, issues with AD binding

mucgyver-old
New Contributor III

Hi folks.

I struggle so hard with AD binding these days. All of a sudden, all scripts and policies related to AD binding seem to have stopped working, from one day to another, and I cannot find a pattern in these errors and failures. Any help HIGHLY appreciated!

This script I used originally for binding a Mac. It used to work fine:

#!/bin/bash

apiurl="https://jss.mycompany.lan"
apistring=(API user credentials)
adstring=(Domain Admin credentials)

# get Mac's serial number
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "This Mac has serial number: $serial"

# download some xml stuff from Jamf Pro and extract site name out of it
# echo curl -ku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml"
siteName=$( curl -sku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml"  | xpath '/computer/general/site/name/text()' )
#echo "$siteName"
# siteName=$( /usr/bin/curl --header "Accept: application/xml" --silent --user "$apistring" "$apiurl/JSSResource/computers/serialnumber/$serial/subset/general" --insecure | /usr/bin/xpath '/computer/general/site/name[1]/text()' 2>/dev/null )

echo "This Mac is assigned to Site: $siteName"

# adstatus=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
# echo $adstatus

#if [ "$adstatus" = "mycompany.lan" ]
#then
#   dsconfigad -remove -force $adstring
#   dscl /Search -delete / CSPSearchPath "/Active Directory/All Domains"
#   dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/All Domains"
#   echo "This Mac has been previously bound to AD and got unbound now."
#fi

# add to AD container matching to site

case $siteName in
        Site1)     
                    targetOU="OU=Site1,DC=mycompany,DC=lan"
                    ;;
        Site2)
                    targetOU="OU=Site2,DC=mycompany,DC=lan"
                    ;; 
(many more to come)
                    ;;
        *)
                    targetOU="OU=Macintosh,OU=Computer,DC=mycompany,DC=lan"
                    ;;
esac

dsconfigad -add "mycompany.lan" $adstring -force -computer $serial -mobile enable -mobileconfirm disable -localhome enable -useuncpath disable -shell /bin/bash -ou "$targetOU" -groups "" -passinterval 0 
        && echo "Mac added to AD $targetOU" 
        || echo "Error adding Mac to OU $targetOU: $?"

Now that brings up in the JSS logs an error like this:

dsconfigad[15938:276778] -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007...

Even if I keep the script simple as possible

#!/bin/sh
dsconfigad -add "mycompany.lan" (domain admin credentials) -force -computer $serial -mobile enable -mobileconfirm disable -localhome -shell /bin/bash -ou "(defined OU" -groups "" -passinterval 0

...it brings up the same error.

If I run the same dsconfig command in the Mac's terminal directly, at least binding works like a charm. It looks nice in System Preferences and Directory Utility, and even on the AD side it has been nicely added and put in the right OU.

However, if I log out and log in as AD user afterwards, it brings up a secure token prompt for secure token holder credentials (which is odd as well, as I disabled the Security and FileVault Config Profile for the sake of troubleshooting), and after that, it says:

!(
b6d6c2cf04a44e6481f4215492f30e34
)

Now, I tried out the createmobileaccount on local admin account:

/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n (adusername)

...and this brought this result:

admin@admin'sMacBook ~ % sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n apple.dep SecureToken admin user name [optional]: admin SecureToken admin user password [optional]: 2020-04-21 15:52:39.041 createmobileaccount[14138:274286] ### authenticateUsingAuthorizationSync error:Error Domain=com.apple.systemadministration Code=-60007 "(null)" 2020-04-21 15:52:41.615 createmobileaccount[14138:274325] ### authenticateUsingAuthorizationSync error:Error Domain=com.apple.systemadministration Code=-60007 "(null)" 2020-04-21 15:52:41.642 createmobileaccount[14138:274285] AOSKit INFO: Disabling BTMM for user, no zone found for uid=1592850885, usersToZones: (null) 2020-04-21 15:52:46.646 createmobileaccount[14138:274285] ### Notify CFPreferences of impending user deletion timed out (5 seconds) 2020-04-21 15:52:47.687 createmobileaccount[14138:274503] ### Error: setMachineArray:( { date = "2020-04-21 13:52:47 +0000"; "dsAttrTypeStandard:RealName" = "Apple DEP"; "dsAttrTypeStandard:UniqueID" = 1592850885; name = "apple.dep"; } ) forKey:deletedUsers inDomain:com.apple.preferences.accounts * mobile account could not be created: -6304 (MCXCCreateMobileAccount(): [newUser createHomeDirectory] failed)

I tried to play around with the "Useuncpath disable" option in dsconfigad, but still no joy.

I also tried adding directory binding via configuration profile, nothing happening at all (at least no binding visible in System Preferences).

I did also try to use a policy with the directory binding payload, but this brings exactly the same error as at the very beginning when I tried it script based:

dsconfigad[15938:276778] -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007...

I am running out of ideas, as I have ruled out Endpoint Protection, FileVault (at least I thought like that) and I am not aware of any changes on our side that could have messed up the whole procedure.

Any ideas? It's driving me totally nuts!

Best regards
Christian

2 REPLIES 2

bcbackes
Contributor

@mucgyver I'm no expert at AD binding myself. In my JSS everything was setup before I took the reins. However, in our policy we are using the Directory Bindings payload for AD Binding - see screenshot 1. You just need to make sure you have Directory Binding setup in All Settings>Computer Management>Directory Bindings. There's an option in there to create a mobile account at login - see screenshot 2. Hopefully this helps!
788156420b4a4ce9b30e3c8025978ce2

2766b43c5278484499199eae2d1e74a9

mucgyver-old
New Contributor III

@bcbackes Thank you very much. πŸ™‚