
Hi folks.



I struggle so hard with AD binding these days. All of a sudden, all scripts and policies related to AD binding seem to have stopped working from one day to the next, and I cannot find a pattern in these errors and failures. Any help HIGHLY appreciated!



This is the script I originally used for binding a Mac. It used to work fine:



#!/bin/bash

apiurl="https://jss.mycompany.lan"
apistring=(API user credentials)
adstring=(Domain Admin credentials)

# get Mac's serial number
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "This Mac has serial number: $serial"

# download some xml stuff from Jamf Pro and extract site name out of it
# echo curl -ku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml"
siteName=$( curl -sku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml" | xpath '/computer/general/site/name/text()' )
#echo "$siteName"
# siteName=$( /usr/bin/curl --header "Accept: application/xml" --silent --user "$apistring" "$apiurl/JSSResource/computers/serialnumber/$serial/subset/general" --insecure | /usr/bin/xpath '/computer/general/site/name[1]/text()' 2>/dev/null )

echo "This Mac is assigned to Site: $siteName"

# adstatus=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
# echo $adstatus

#if [ "$adstatus" = "mycompany.lan" ]
#then
# dsconfigad -remove -force $adstring
# dscl /Search -delete / CSPSearchPath "/Active Directory/All Domains"
# dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/All Domains"
# echo "This Mac has been previously bound to AD and got unbound now."
#fi

# add to AD container matching to site

case $siteName in
Site1)
targetOU="OU=Site1,DC=mycompany,DC=lan"
;;
Site2)
targetOU="OU=Site2,DC=mycompany,DC=lan"
;;
# (many more to come)
*)
targetOU="OU=Macintosh,OU=Computer,DC=mycompany,DC=lan"
;;
esac

# the trailing backslashes keep the && / || on the same command as dsconfigad
dsconfigad -add "mycompany.lan" $adstring -force -computer "$serial" -mobile enable -mobileconfirm disable -localhome enable -useuncpath disable -shell /bin/bash -ou "$targetOU" -groups "" -passinterval 0 \
&& echo "Mac added to AD $targetOU" \
|| echo "Error adding Mac to OU $targetOU: $?"


Now this brings up an error like this in the JSS logs:



dsconfigad[15938:276778] -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007...


Even if I keep the script as simple as possible:



#!/bin/sh
# get Mac's serial number for the computer account name
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
dsconfigad -add "mycompany.lan" (domain admin credentials) -force -computer "$serial" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "(defined OU)" -groups "" -passinterval 0


...it brings up the same error.



If I run the same dsconfigad command in the Mac's terminal directly, at least binding works like a charm. It looks nice in System Preferences and Directory Utility, and even on the AD side it has been nicely added and put in the right OU.



However, if I log out and log in as AD user afterwards, it brings up a secure token prompt for secure token holder credentials (which is odd as well, as I disabled the Security and FileVault Config Profile for the sake of troubleshooting), and after that, it says:






Now, I tried out createmobileaccount on the local admin account:



/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n (adusername)


...and this brought up this result:



admin@admin'sMacBook ~ % sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n apple.dep
SecureToken admin user name [optional]: admin
SecureToken admin user password [optional]:
2020-04-21 15:52:39.041 createmobileaccount[14138:274286] ### authenticateUsingAuthorizationSync error:Error Domain=com.apple.systemadministration Code=-60007 "(null)"
2020-04-21 15:52:41.615 createmobileaccount[14138:274325] ### authenticateUsingAuthorizationSync error:Error Domain=com.apple.systemadministration Code=-60007 "(null)"
2020-04-21 15:52:41.642 createmobileaccount[14138:274285] AOSKit INFO: Disabling BTMM for user, no zone found for uid=1592850885, usersToZones: (null)
2020-04-21 15:52:46.646 createmobileaccount[14138:274285] ### Notify CFPreferences of impending user deletion timed out (5 seconds)
2020-04-21 15:52:47.687 createmobileaccount[14138:274503] ### Error: setMachineArray:(
{
date = "2020-04-21 13:52:47 +0000";
"dsAttrTypeStandard:RealName" = "Apple DEP";
"dsAttrTypeStandard:UniqueID" = 1592850885;
name = "apple.dep";
}
) forKey:deletedUsers inDomain:com.apple.preferences.accounts
* mobile account could not be created: -6304 (MCXCCreateMobileAccount(): [newUser createHomeDirectory] failed)


I tried to play around with the "Useuncpath disable" option in dsconfigad, but still no joy.



I also tried adding directory binding via a configuration profile, but nothing happened at all (at least no binding visible in System Preferences).



I also tried to use a policy with the directory binding payload, but this brings exactly the same error as at the very beginning when I tried it script-based:



dsconfigad[15938:276778] -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007...


I am running out of ideas, as I have ruled out Endpoint Protection and FileVault (at least I thought so), and I am not aware of any changes on our side that could have messed up the whole procedure.



Any ideas? It's driving me totally nuts!



Best regards
Christian
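An added example (not Christian's script, and not code from Jamf or Apple) that keeps the site-to-OU mapping from the post but wraps the bind step so a policy log explains a -60007 instead of only printing the exit status. Site names, the credentials passed through, and the sample `dsconfigad -show` output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script. Wraps the bind step so a Jamf policy
# log states why dsconfigad failed instead of only echoing "$?". Domain and OU
# names follow the post; site names are placeholders.

# Map a Jamf site name to its AD container; unknown sites fall back to the
# default OU, exactly as the poster's case statement does.
site_to_ou() {
  case "$1" in
    Site1) echo "OU=Site1,DC=mycompany,DC=lan" ;;
    Site2) echo "OU=Site2,DC=mycompany,DC=lan" ;;
    *)     echo "OU=Macintosh,OU=Computer,DC=mycompany,DC=lan" ;;
  esac
}

# Translate dsconfigad's stderr into an actionable message. -60007 is
# errAuthorizationInteractionNotAllowed (Security.framework, Authorization.h):
# the tool needed a right it could only obtain by prompting a user, and there
# was no login session to prompt in, which is how a management agent runs it.
classify_bind_error() {
  case "$1" in
    *"Code=-60007"*) echo "authorization needs an interactive prompt that is not available in this context" ;;
    "")              echo "no error output" ;;
    *)               echo "unrecognised dsconfigad failure" ;;
  esac
}

# Pull the bound domain out of `dsconfigad -show` output (empty if unbound);
# the field layout is the one the poster's own awk relies on.
bound_domain() {
  printf '%s\n' "$1" | awk '/Active Directory Domain/ {print $NF}'
}

# Constructed sample of `dsconfigad -show` output for offline checks.
SAMPLE_SHOW='Active Directory Forest          = mycompany.lan
Active Directory Domain          = mycompany.lan
Computer Account                 = c02example$'

# bind_to_ad DOMAIN OU [further dsconfigad options, e.g. -u USER -p PASS -computer SERIAL]
# Returns dsconfigad's exit status and re-checks the result with -show.
bind_to_ad() {
  domain="$1"; ou="$2"; shift 2
  command -v dsconfigad >/dev/null 2>&1 || { echo "dsconfigad not found (macOS only)"; return 127; }
  err=$(dsconfigad -add "$domain" -force -ou "$ou" "$@" 2>&1 >/dev/null); rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "bind to $ou failed (exit $rc): $(classify_bind_error "$err")"; return "$rc"
  fi
  if [ "$(bound_domain "$(dsconfigad -show)")" = "$domain" ]; then echo "bound to $domain in $ou"; else echo "dsconfigad returned 0 but -show does not list $domain"; return 1; fi
}
```

In a policy you would call `bind_to_ad mycompany.lan "$(site_to_ou "$siteName")" -u "$aduser" -p "$adpass" -computer "$serial"` after the site lookup, so the log line distinguishes a missing user session from a genuine credential or OU problem.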

@mucgyver I'm no expert at AD binding myself. In my JSS everything was set up before I took the reins. However, in our policy we are using the Directory Bindings payload for AD binding - see screenshot 1. You just need to make sure you have Directory Binding set up in All Settings > Computer Management > Directory Bindings. There's an option in there to create a mobile account at login - see screenshot 2. Hopefully this helps!




@bcbackes Thank you very much. :-)

