Unable to login when uidNumber and gidNumber AD attributes are set

mark_mahabir
Valued Contributor

Not strictly Casper-related but posting here in the hope someone has seen this issue before...

We use the native AD plugin (bound via custom scripts) and have mapping to two AD attributes (uidNumber and gidNumber). After an initial image of Mavericks using Casper Imaging, I am able to log in to a test Mac just fine. However, since reimaging that test Mac, I’ve not been able to log in - entering my AD password has no effect. I get a spinny circle for a few seconds and am then prompted to re-enter it. If those attributes are not set, I can log in fine and a random 9-digit uid is generated.

Our AD runs on Windows Server 2008 R2, and I know those attributes are populated correctly in the AD user accounts. A computer account was generated in the correct OU for our test Mac, and we've tried removing and recreating it. We have a green orb alongside our Network Account Server in the Users & Groups pane of System Preferences.

I’m trying this over wired ethernet as we haven’t yet configured wireless provision.

Any ideas most welcome!

1 ACCEPTED SOLUTION

mark_mahabir
Valued Contributor

The issue turned out to be the Primary Group ID (gidNumber) field not being populated (as I thought it had) in AD. Yes, this should have been one of the first things I checked :-)

Thanks all for your suggestions!
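A pre-flight check for exactly the failure described above, added here as an example and not part of the original thread: it reads the two mapped POSIX attributes for an AD user as dscl reports them and refuses the account if either is empty or non-numeric. The directory node name "/Active Directory/COMPANY/All Domains" and the user names in the constructed sample records are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): verify that an AD user record exposes
# both mapped POSIX attributes (uidNumber -> UniqueID, gidNumber -> PrimaryGroupID)
# before relying on it for login. An unpopulated gidNumber is exactly the
# condition that produced the "error: 13" login failure above.

# Constructed sample records in the layout dscl prints for:
#   dscl "<node>" -read "/Users/<user>" UniqueID PrimaryGroupID
CONSTRUCTED_GOOD_RECORD='UniqueID: 10542
PrimaryGroupID: 10000'
# Same user with gidNumber left empty in AD: no PrimaryGroupID line at all.
CONSTRUCTED_BAD_RECORD='UniqueID: 10542'

# Read a dscl record on stdin. Return 0 when UniqueID and PrimaryGroupID are
# both present and numeric; otherwise print what is wrong and return 1.
check_posix_ids() {
    posix_uid=""; posix_gid=""
    while IFS= read -r line; do
        case "$line" in
            UniqueID:*)       posix_uid=$(printf '%s' "${line#UniqueID:}" | tr -d ' ') ;;
            PrimaryGroupID:*) posix_gid=$(printf '%s' "${line#PrimaryGroupID:}" | tr -d ' ') ;;
        esac
    done
    status=0
    case "$posix_uid" in
        ''|*[!0-9]*) echo "UniqueID (uidNumber) missing or non-numeric: '$posix_uid'"; status=1 ;;
    esac
    case "$posix_gid" in
        ''|*[!0-9]*) echo "PrimaryGroupID (gidNumber) missing or non-numeric: '$posix_gid'"; status=1 ;;
    esac
    return $status
}

# Live wrapper for a bound Mac: check_ad_user <username> [<directory node>].
# The default node name is an assumption; adjust it to your own domain.
check_ad_user() {
    node="${2:-/Active Directory/COMPANY/All Domains}"
    dscl "$node" -read "/Users/$1" UniqueID PrimaryGroupID 2>/dev/null | check_posix_ids
}
```

Run the wrapper against each test account after binding; a non-zero exit tells you which attribute the domain controller failed to return before anyone sits at the login window.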



alexjdale
Valued Contributor III

We have the same setup, native AD bind and mapping those same two attributes. I have not seen this issue before. Can you share your dsconfigad command and arguments that you are using in your scripts?

mark_mahabir
Valued Contributor

Thanks for your reply - here's the bind script that I am currently using.

I'm currently imaging our test Mac with Yosemite to see whether the issue is Mavericks-specific, so will post some dsconfigad output next week if the issue is still present.

#!/bin/bash

# Created by Mark M, last edited 09/07/2015

set -o nounset

# Stuff for switching off IPV6 later: split the service list on newlines only,
# since service names such as "Thunderbolt Ethernet" contain spaces
IFS=$'\n'
net=`networksetup -listallnetworkservices | grep -v asterisk`

# 1) fully qualified DNS name of Active Directory Domain. 
domain="company.com"

# 2) username of a privileged network user.
udn="redacted"

# 3) password of a privileged network user.
password="redacted"

# 4) Distinguished name of container for the computer
ou="OU=osx10,ou=staffpcs,ou=workstations,dc=company,dc=com"

# 5) 'enable' or 'disable' automatic multi-domain authentication
alldomains="enable"

### End of configuration

# Set DNS Servers
/usr/sbin/networksetup -setdnsservers "Built-in Ethernet" 144.200.11.132 144.200.11.133
/usr/sbin/networksetup -setdnsservers "Ethernet" 144.200.11.132 144.200.11.133
/usr/sbin/networksetup -setdnsservers "USB Ethernet" 144.200.11.132 144.200.11.133
/usr/sbin/networksetup -setdnsservers "Thunderbolt Ethernet" 144.200.11.132 144.200.11.133 

# Set DNS Search Domains - set for anything with Ethernet in the name?
#networksetup -listallnetworkservices
/usr/sbin/networksetup -setsearchdomains "Ethernet" company.com
/usr/sbin/networksetup -setsearchdomains "Thunderbolt Ethernet" company.com
/usr/sbin/networksetup -setsearchdomains "USB Ethernet" company.com
/usr/sbin/networksetup -setsearchdomains "Built-in Ethernet" company.com

# Switch IPV6 off
for i in $net
do
    /usr/sbin/networksetup -setv6off "$i"
done

#echo $net | while read line
#do
#  /usr/sbin/networksetup -setv6off "$line"
#done

#exit 0

# Set Time Zone
/usr/sbin/systemsetup -settimezone Europe/London

if [ $? -ne 0 ] ; then
  echo "systemsetup failed" 1>&2
  exit 1
fi

# Set Time Server (UoL Time Servers get added later on with JSS policy)
/usr/sbin/systemsetup -setnetworktimeserver time.euro.apple.com
/usr/sbin/systemsetup -setusingnetworktime on

# Get the local computer's name.
computerid=`/usr/sbin/scutil --get LocalHostName`

# Activate the AD plugin, just to be sure
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

# Unbind from AD
dsconfigad -force -remove -username "$udn" -password "$password"

# Bind to AD (variables quoted so a hostname or domain with unusual characters
# still arrives as a single argument)
dsconfigad -force -add "$domain" -computer "$computerid" -username "$udn" -password "$password" -ou "$ou"
dsconfigad -mobile enable -mobileconfirm disable
dsconfigad -packetencrypt allow -packetsign allow -alldomains "$alldomains"
dsconfigad -useuncpath disable
dsconfigad -passinterval 0
dsconfigad -uid uidNumber -gid gidNumber

#Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
csp="/Active Directory/All Domains"
else
csp="/Active Directory/$domain"
fi

dscl /Search -append / CSPSearchPath "$csp"
dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath "$csp"
dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

# Restart Directory Service (on 10.7 and later the directory daemon is
# opendirectoryd; the DirectoryService name dates from earlier releases)
killall DirectoryService
sleep 2

exit 0

gachowski
Valued Contributor II

Hey Mark, one thing you can try is to use the Casper binary to get the AD code, then run it when you want... that is what we do... We configure the AD binding in build and then during the 1st reboot we force the machine into target mode and copy the code, then we remove it from the build.

...it looks like this

Bind to AD from jamf

/usr/sbin/jamf bind -type ad -domain 'XXXX.net' -username "xusernamex" -passhash "XXXXXX" -ou "CN=Computers,DC=XXXX,DC=net" -mountStyle smb -uid "uidNumber" -cache -multipleDomains -localHomes -useUNCPath -shell none

C

alexjdale
Valued Contributor III

You have a heck of a lot going on there. Have you tried testing with an alternate script that simply binds the system without the other components to narrow things down? We also just run one dsconfigad command with all the arguments:

dsconfigad -add $targetDomain -computer $adName -ou $bindOU -username $inputUsername -password $inputPassword -force -uid uidNumber -gid gidNumber -mobile enable -mobileconfirm disable -useuncpath disable

mark_mahabir
Valued Contributor

The problem exists in 10.10.4 too. As you suggested, I also tried a minimal script containing just the relevant dsconfigad commands.

Here's the output of dsconfigad --show:

Active Directory Forest          = company.com
Active Directory Domain          = company.com
Computer Account                 = sa-ua-132$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Disabled
  Use Windows UNC path for home  = Disabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = uidNumber
  Mapping user GID to attribute  = gidNumber
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Enabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 0
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

We're unable to make use of the JAMF binary or the built-in AD Binding component of the JSS as we need to set packetencrypt and packetsign options.

bentoms
Release Candidate Programs Tester

@mark.mahabir The jamf binary does not seem to contain the needed switches:

mac:~ person$ sudo jamf -help bind
Usage (Active Directory built into Mac OS X):
jamf bind -type ad -domain <domain> [-computerID <computerID>] -username <username> -password <password> -ou <Computer OU> [-cache] [-requireConfirmation] [-localHomes] [-useUNCPath] [-mountStyle <afp | smb>] [-defaultShell <shell>] [-uid <user id>] [-userGID <user group id>] [-gid <group id>] [-preferredServer <server>] [-adminGroups <list of groups>] [-multipleDomains]

mark_mahabir
Valued Contributor

@bentoms Thanks, I did try binding using the jamf bind command with the intention of setting the packetsign and packetencrypt options later with dsconfigad, but got this output instead:

Binding -username to company.com...
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 1)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 2)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 3)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 4)
An error occurred binding to Active Directory: dsconfigad: Container does not exist. (Attempt 5)
Error: Giving up on Active Directory binding after 5 attempts.

ZachB
New Contributor

@mark.mahabir Have you set the attributes that you are mapping to replicate to the global catalog in your AD? I have found, in my own environment, that if these attributes (uidNumber, gidNumber) are not set to replicate to the global catalog it can cause issues when authenticating, as the authentication payload returned to OS X by AD does not contain the attributes requested.

mark_mahabir
Valued Contributor

@ZachB Yes, we've verified that. The annoying thing is everything was fine on the first image - imaging on subsequent occasions means network users cannot log in :-(

ZachB
New Contributor

@mark.mahabir Just to verify, in order of sequence post imaging, you are setting your hostname first, DNS servers next and once all of your hostname/network attributes are set joining to AD is your last step, correct?

mark_mahabir
Valued Contributor

@ZachB That's correct, the actual bind commands (dsconfigad) are towards the bottom of the script. The AD search policy runs as the very last thing.

I've also tried binding using just the options in the System Preferences GUI, but I get the same result.

mark_mahabir
Valued Contributor

Here's the relevant portion of the system.log:

Jul 31 15:39:00 IT-Admin-133 SecurityAgent[1398]: User info context values set for rcn3 
Jul 31 15:39:04 IT-Admin-133 authorizationhost[1405]: Failed to authenticate user <rcn3> (error: 13).

Has anyone seen anything similar?
