Posted on 09-28-2017 09:52 AM
I've been working on a script that validates whether a Mac's binding to AD is still active or not. This is an issue that seems to be caused when the computer is off the corporate network at the time of Kerberos key cycling, typically set to 14 days (see dsconfigad -show; setting it to 0 will stop this cycling, which I am currently testing to see if it stops bindings from breaking).
This has been working fairly well, except that we are getting some false failure reports when using the id command.
Has anyone had to do this and found a more consistent way to see if a device binding is working or broken using the id, dscl or other commands?
#!/bin/bash
# bash rather than sh: the script relies on [[ ]] and &> below
adserver="directory.contoso.com"
testuser="_MacComputer"
pass="AD Binding OK"
fail="AD Binding Failed"
offline="Not in range of DC"
notbound="The Mac is not bound to contoso.com"

# Check if we can ping the AD Domain Controller; if the ping was successful, check if we can query a UPN
if ping -c 3 "$adserver" &> /dev/null; then
    # Check the domain returned with dsconfigad
    domain=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
    # If the domain is correct
    if [[ "$domain" == "contoso.com" ]]; then
        # Check for the id of a user
        if id -u "$testuser" &> /dev/null; then
            # If the check was successful...
            echo "<result>$pass</result>"
        else
            # If the check failed
            echo "<result>$fail</result>"
        fi
    else
        # If the domain returned did not match our expectations
        echo "<result>$notbound</result>"
    fi
else
    # We can't see the DCs, so no way to properly check
    echo "<result>$offline</result>"
fi
Original source: https://www.jamf.com/jamf-nation/discussions/7039/how-to-check-if-a-computer-is-actually-bound-to-the-ad
Posted on 01-31-2018 10:43 AM
In case anyone stumbles on this, I was able to get some assistance back in October that has been running fairly well since then. There are still some false positives, but this appears to be due to the directory services hanging and is usually resolved by a restart. Thanks to @doggles for the assist on this one.
#!/bin/bash
# Lower-case true/false: this variable is executed as a command below. "TRUE" only
# worked because macOS's case-insensitive filesystem resolves it to /usr/bin/true.
SECURE_LDAP=true
log="/private/tmp/$(date "+%F__%H-%M-%S")-adcheck.log"
domain="contoso.com"
dc="adserver.$domain"
ldap_user="_testaccount"
pass="AD Binding OK"
fail="AD Binding Failed"
offline="Not in range of DC"
notbound="The Mac is not bound to contoso.com"

if $SECURE_LDAP
then port=636
else port=389
fi

main()
{
    # Can we reach the DC on the LDAP port?
    if nc -z "$dc" "$port"; then
        # Line 2, field 5 of dsconfigad -show is the value of "Active Directory Domain"
        if [[ $domain = $(dsconfigad -show | awk 'NR==2{print $5}') ]]; then
            # Resolve a known AD account through the directory
            if id -u "$ldap_user"; then
                result=$pass
            else
                result=$fail
            fi
        else
            result=$notbound
        fi
    else
        result=$offline
    fi
    echo "<result>$result</result>"
}

main 2>&1 | tee -a "$log"
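As an added example that is not part of the thread (my code, not the posted script): a version of the check that matches the dsconfigad key instead of line 2, field 5, and that bounds and retries the id lookup so a stalled opendirectoryd is reported as a timeout rather than as a broken binding. The domain, DC hostname and _testaccount name are placeholders carried over from the posted script.

```bash
#!/bin/bash
# Added example, not from the thread. Placeholders: contoso.com, adserver.contoso.com, _testaccount.
# Run a command with a wall-clock limit in seconds (macOS ships no `timeout`).
# Returns the command's own exit status, or 124 if it had to be killed.
run_with_limit() {
  local limit=$1 pid waited=0; shift
  "$@" & pid=$!
  while kill -0 "$pid" 2>/dev/null; do
    if [ "$waited" -ge "$limit" ]; then
      kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null; return 124
    fi
    sleep 1; waited=$((waited + 1))
  done
  wait "$pid"
}

# Print the bound domain from `dsconfigad -show` output on stdin. Matching the key
# survives reordered or extra lines (unlike NR==2/$5); prints nothing when not bound.
ad_domain_from_show() {
  awk -F'=' '$1 ~ /Active Directory Domain/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# Resolve the test account with `id`, retrying so a transient opendirectoryd stall
# is reported as "timeout" rather than as a broken binding. Prints ok, fail or timeout.
lookup_user() {
  local user=$1 attempts=${2:-3} limit=${3:-10} rc=1 i=1
  while [ "$i" -le "$attempts" ]; do
    rc=0; run_with_limit "$limit" id -u "$user" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] && { echo ok; return 0; }
    [ "$i" -lt "$attempts" ] && sleep 2
    i=$((i + 1))
  done
  [ "$rc" -eq 124 ] && echo timeout || echo fail
  return 1
}

# Assemble the single <result> line a Jamf extension attribute expects.
ad_binding_status() {
  local expected=$1 dc=$2 port=$3 user=$4 bound
  run_with_limit 5 nc -z "$dc" "$port" >/dev/null 2>&1 || { echo "<result>Not in range of DC</result>"; return 0; }
  bound=$(dsconfigad -show 2>/dev/null | ad_domain_from_show)
  [ "$bound" = "$expected" ] || { echo "<result>The Mac is not bound to $expected</result>"; return 0; }
  case $(lookup_user "$user") in
    ok)      echo "<result>AD Binding OK</result>" ;;
    timeout) echo "<result>AD lookup timed out; directory service may be stalled</result>" ;;
    *)       echo "<result>AD Binding Failed</result>" ;;
  esac
}

[ "${1:-}" = "--run" ] && ad_binding_status "contoso.com" "adserver.contoso.com" 636 "_testaccount"
```

Run with `--run` as an extension attribute; a "timed out" result points at a hung directory service (the false positives the thread mentions) rather than at a lost binding.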
Posted on 09-28-2017 01:10 PM
https://www.jamf.com/jamf-nation/discussions/12776/apple-macs-losing-ad-binding#responseChild74510
The thread above has a post by @mm2270 with a great script to validate AD binding.
Posted on 09-28-2017 03:02 PM
Thanks @thoule - it looks like that's a slightly messier (more nested ifs) version of the same thing, but it uses the dscl binary instead of the id binary and breaks the <result> tag out into a single run. I wonder if they are also seeing false positives, but I will try a version that uses a single <result> call.
dscl hasn't been playing nice with me, but I'll keep poking.
Posted on 01-31-2018 11:58 AM
We have a few different domains (4 to be exact) and wanted to see if anyone has run into people switching between different domains in AD. Example: a user goes from the US to Europe, and the Mac would bind to the European domain upon arrival.