Built-in AD Bind Losing its connection

DBrowning
Valued Contributor II

I have some laptops that bind to AD using the built-in AD bind that work fine to start. After an unknown amount of time (days? weeks?), if I run `id username` the connection to the domain is not found, as I get a "no such user" response. Has anyone else seen this or know of a way to stop this from happening? It will become a huge issue when users are up to change their AD password and the computer is "disconnected" from the domain.
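Added example, not part of the thread: a small health check a practitioner would run on a Mac when the symptom in this post appears. It parses `dsconfigad -show` (the status output of the built-in AD plug-in) to confirm the Mac still believes it is bound and to report the machine-password rotation interval, then checks whether `id` can resolve a domain user. Assumptions: the domain, computer account and user names are placeholders, and the `dsconfigad -show` layout is the one printed by OS X 10.9 through 10.11; off a Mac it runs against a constructed sample of that output.

```shell
#!/bin/sh
# Added example (not from the thread): health check for a Mac bound with the
# built-in AD plug-in. Parses `dsconfigad -show`, then tests user resolution
# with `id`, which is the symptom described in the opening post.
# Assumptions: ad.example.com, mac-lab-01$ and the user name are placeholders;
# the `dsconfigad -show` layout is the one used by OS X 10.9-10.11.

# ad_field TEXT NAME: value of the "NAME = value" line in dsconfigad -show output.
ad_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*= *//p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# ad_bound TEXT: success when the output names a domain (the client thinks it is bound).
ad_bound() {
    [ -n "$(ad_field "$1" 'Active Directory Domain')" ]
}

# user_resolves TEXT: success when `id USER` output contains a uid, i.e. the
# directory node answered. "no such user" means the node did not.
user_resolves() {
    case "$1" in
        *uid=*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample of `dsconfigad -show` output, used when not run on a bound Mac.
SAMPLE_SHOW='You are bound to Active Directory:
   Active Directory Forest          = example.com
   Active Directory Domain          = ad.example.com
   Computer Account                 = mac-lab-01$

Advanced Options - Administrative
   Preferred Domain controller      = not set
   Password change interval         = 14
   Namespace mode                   = domain'

# report SHOW_TEXT ID_TEXT: human-readable verdict from the two command outputs.
report() {
    if ad_bound "$1"; then
        echo "bound to: $(ad_field "$1" 'Active Directory Domain')"
        echo "computer account: $(ad_field "$1" 'Computer Account')"
        echo "machine password rotates every $(ad_field "$1" 'Password change interval') days"
    else
        echo "NOT bound (dsconfigad -show reports no domain)"
    fi
    if user_resolves "$2"; then
        echo "user lookup OK: $2"
    else
        echo "user lookup FAILED: $2"
    fi
}

if command -v dsconfigad >/dev/null 2>&1; then
    # On a Mac: use the real plug-in status and resolve the user given as $1.
    user="${1:-someuser}"
    report "$(dsconfigad -show 2>&1)" "$(id "$user" 2>&1)"
else
    # Off a Mac: exercise the parser against the constructed sample.
    report "$SAMPLE_SHOW" "id: jdoe: no such user"
fi
```

Run it on the affected Mac as `sh adcheck.sh someuser`. A `NOT bound` verdict points at the AD side (the computer object disabled, moved or deleted, as later replies describe); bound plus a failed user lookup points at the client side (DNS, clock skew, or a machine password that no longer matches the one AD holds). Setting `dsconfigad -passinterval 0`, as one reply suggests, removes the rotation failure mode but also means the computer account secret never changes.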

30 REPLIES

nessts
Valued Contributor II

Read this discussion, it should help.

TreviñoL
Contributor

We solved all the issues with Macs binding to AD by purchasing a new application that Apple Professional Services has for the Enterprise. It is called Apple Enterprise Connect and can be customized to your AD environment. It requires a two-day onsite Apple PS engagement.

TreviñoL
Contributor

[attachment: screenshot of the Enterprise Connect document]

jrserapio
Contributor

This can't be for real.

nessts
Valued Contributor II

why? I can do it on Linux

wdpickle
Contributor

You may also want to check in with your AD folks to see what the AD timeout is. I have a 60-day (edit) window to connect to the domain or the machine loses its binding (Windows or Mac). This was done by design and is a setting in AD. Some AD admins only want a week or two for machines to be "off the grid" before they are no longer trusted by the domain. Just a thought.

scottb
Honored Contributor

What @wdpickle said. We have an OU "archive" that drops Macs/PCs into it when they are not on the system for 60 days. Search Active Roles for those Macs and see if they're in the correct OU or even deleted.

I'd like to know more about this "Enterprise Connect" though...

alexjdale
Valued Contributor III

Enterprise Connect looks interesting. I wonder how we would provision certificates for those computers for wireless (handled via config profiles right now)?

mm2270
Legendary Contributor III

Is it just me or does the Apple Enterprise Connect screenshot posted above look a little fishy? The font spacing and formatting are a little weird and seem to be all over the map, and there are some typos in the document - not like Apple to put out something unpolished like that. Hopefully it's the real deal, and I guess it is since I've seen more than one person mention it on the boards here. Just strange that they would publish something that looks like it was not reviewed by anyone.

CGundersen
Contributor III

Definitely looks iffy ... I'm asking around so hope to find out more. However, I've been hearing the labeling "Enterprise Connect" around as well as "Connected" which is likely just the Apple/Edu synergistic something. I did recently bring this generalized (AD service) theme up with Apple reps and was told it was for enterprise/corp and not edu. We'll see.

scottb
Honored Contributor

I sent an email to "consultingservices@apple.com" including that graphic to ask just that...
It looks off maybe because it's a png which may skew things, but I'm curious.

wdpickle
Contributor

From our Apple rep:
So, the Enterprise Connect solution is actually a real solution from our Enterprise Professional Service group. I have never seen that PDF before - but I agree, that totally doesn't look like something we would produce. But, the email address (consultingservices@apple.com) is correct. I've not had any of my customers look into it yet - so I don't know a ton about it. Are you interested in looking into it? From my understanding, it's a tool for enterprise SSO. The tool handles a few different issues and allows local users to use AD credentials with Kerberos for network resources. If you decide to contact them - please keep me in the loop, so that I have a good feel for what it does, how it works, and the cost - and if you guys see it as something valuable that you could leverage.

gachowski
Valued Contributor II

I reached out to our Apple rep and they are working on setting up a call with their PS group.. so it's on the up and up...

C

jrserapio
Contributor

@nessts I meant the Apple Enterprise Connect cant be for real, not your post :)

nessts
Valued Contributor II

Going to sit in on a WebEx presentation about it in a few minutes here. I am guessing it's doing auth similar to sssd in Linux and configuring Kerberos for you without binding to AD. People that need AD certificates for WiFi and such are probably still going to need to bind, would be my guess.

mpermann
Valued Contributor II

@nessts I'm interested in hearing your impressions of the product. If you don't mind posting them sometime after your presentation I would appreciate it.

nessts
Valued Contributor II

I think the Professional Services guys see a lot of the same problems we see, and they have written a tool that takes care of a lot of those issues. Stuff I have done and would like to get around to doing, like checking when the network changes and mounting drives if on the internal network and they are not already mounted, refreshing your Kerberos ticket etc. The biggest difference is they do it in Swift or Obj-C and I do it in Perl.

You just have to buy a $5500 professional services contract and they will come out for 2 days and help you get it set up. Not a bad deal, I think. Especially if they are contemplating adding anything else to it as time goes by and requests come in. I did not write all the things it does down, but I thought of a few more they could easily do to make it more robust. From a service provider standpoint, I would love to be able to deploy it, or get my tools to do a few of the things they have and I do not have at this point, and I would like to use their tool since I would not have to maintain it :) And I am sure they can get access to better ways to do things than we can as we reverse engineer stuff. But, what I see as being really important for setup and management by the end of the year is that everybody who wants to configure machines with the new SIP thing coming is really going to want to be on the MDM/DEP path, or you are going to wind up beating your head against the wall.

donmontalvo
Esteemed Contributor III

We're just catching wind of Apple Enterprise Connect, and it would be great to have some info to peruse before sitting through a WebEx session with Apple. I trust our Apple SE(s) but still would like to come to a WebEx prepared. Anyone have a link to more info?

--
https://donmontalvo.com

nessts
Valued Contributor II

@donmontalvo Enterprise Connect is a collection of tools and a consulting visit from Apple. Essentially what they are doing is configuring your machine to use Kerberos, and authenticating with LDAP/AD without binding the machine.

I have a PDF explaining it, if you want to email me at todd.ness at hpe.com I will be happy to send it to you, or your SE could probably send you the same doc. I sat through the WebEx and thought it to be a useful tool.

corbinmharris
Contributor

We just renewed our support contract for Centrify, so may want to look into this in 2016.

Perhaps this will become an option with Casper next year.

Corbin

donmontalvo
Esteemed Contributor III

@nessts thanks, we have a WebEx with our Apple SE this week.

@corbin3ci we tested third party plugins (Quest, Likewise, Centrify, and Thursby) in the past at other large companies, but never moved on them because of concerns about support and patch turnaround time. Has it gotten better these past few years?

--
https://donmontalvo.com

corbinmharris
Contributor

@donmontalvo, we have ongoing issues with Centrify. Mostly having to rebind, and almost weekly someone is not able to log in. This seems to be related to FileVault 2, since I have to disable FV2, rebind and then re-enable FV2.

It would be great to have the option for LDAP/AD authentication without the hassle of binding. It would be even better if Apple would bake this option into 10.11/12, but I'm sure there needs to be config work on the AD side of the equation.

PeterClarke
Contributor II

Since no one has mentioned it already..

I would suggest checking the clock setting - to see if you are using the same "time-server" as your AD..

( ntp - if not then the two systems can progressively go out of sync.. )

As someone else said, a clock skew of more than 5 minutes will stop your AD connections from working..

-- Hopefully the solution to your issue is that simple
-- Otherwise.. it gets more complicated..

nessts
Valued Contributor II

Another good practice I have started is to set your time server to your AD domain, so if your domain is ourad.awesomecompany.com set your time server to that, as all domain controllers also have time services running on them and then you are bound to get the proper time for authentication...
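Added example, not from the thread, for the two replies above about clock skew and pointing NTP at the domain. It measures the clock offset against the domain name with `sntp`, applies the 5-minute Kerberos tolerance, and on a Mac sets the domain as the network time server with `systemsetup`. Assumptions: `ourad.awesomecompany.com` is the placeholder domain from the reply; the `sntp` output line is the ntp.org 4.2.8 format shipped with OS X 10.11 (`... +0.018521 +/- 0.004210 host addr ...`), so the parser is written for that; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check clock skew against the AD domain
# and, on a Mac, make the domain the time source, as the replies above suggest.
# Assumptions: ourad.awesomecompany.com is the placeholder domain from the reply;
# sntp prints the ntp.org 4.2.8 line ("... +0.018521 +/- 0.004210 host addr ...");
# Kerberos' default tolerance is 300 seconds.

MAX_SKEW=300

# offset_seconds LINE: signed offset (seconds) from an sntp result line, or empty.
offset_seconds() {
    printf '%s\n' "$1" \
        | sed -n 's/.*[[:space:]]\([-+][0-9][0-9]*\.[0-9]*\) +\/- .*/\1/p' | head -n 1
}

# within_tolerance OFFSET: success when |OFFSET| < MAX_SKEW (awk does the float math).
within_tolerance() {
    awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { o = o + 0; if (o < 0) o = -o; exit !(o < max) }'
}

# check_skew LINE: print a verdict; success only if Kerberos would accept tickets.
check_skew() {
    off=$(offset_seconds "$1")
    if [ -z "$off" ]; then
        echo "could not parse an offset from: $1"
        return 2
    fi
    if within_tolerance "$off"; then
        echo "offset ${off}s: within ${MAX_SKEW}s, Kerberos will accept tickets"
    else
        echo "offset ${off}s: exceeds ${MAX_SKEW}s, AD logins will fail until the clock is fixed"
        return 1
    fi
}

# Constructed sntp result lines: one healthy, one skewed by almost 7 minutes.
SAMPLE_SNTP='2015-11-04 09:12:33.123456 (-0600) +0.018521 +/- 0.004210 ourad.awesomecompany.com 10.20.30.40 s2 no-leap'
SAMPLE_SKEWED='2015-11-04 09:12:33.123456 (-0600) -412.309871 +/- 0.004210 ourad.awesomecompany.com 10.20.30.40 s2 no-leap'

DOMAIN="${1:-ourad.awesomecompany.com}"
if command -v sntp >/dev/null 2>&1 && command -v systemsetup >/dev/null 2>&1; then
    # On a Mac: query the domain name (DNS hands back any DC, all of which serve
    # time) and, if skewed, make that domain the system's NTP server.
    check_skew "$(sntp "$DOMAIN" 2>&1 | tail -n 1)" || {
        sudo systemsetup -setnetworktimeserver "$DOMAIN"
        sudo systemsetup -setusingnetworktime on
    }
else
    # Off a Mac: run the verdict over the constructed samples.
    check_skew "$SAMPLE_SNTP" || true
    check_skew "$SAMPLE_SKEWED" || true
fi
```

The threshold is the Kerberos clockskew default, which is why the 5-minute figure keeps coming up in this thread; a Mac whose `date` has drifted past it gets `KRB5KRB_AP_ERR_SKEW` from the DC and the AD plug-in stops resolving users until the clock is corrected.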

ramos1053
New Contributor

We've been using this for a little while now. It replaces other handy tools like ADPassmon, which can have its problems. A nice thing about this for the end user is the visual cue with colors to show the status of connections to the network. It allows password changes and also allows the user to define mounts to connect when on the network. You could script that for shared folders, but giving the end user some ability to define mounts is helpful.

There is also a statistics tab which will tell you about the policy you have, 30, 60, 90 days (whatever) and how many days are left.. It's fairly lightweight and easy to deploy. It's a nice tool to have from Apple, but really this needs to be a part of the system in my opinion.

brock_walters
Contributor

Hello to all - I obviously don't speak for Apple in any way but Enterprise Connect is for real. I was given that same document by an Apple SE & was told by them that it was ok to distribute it & to tell our customers to contact their Apple SE if they had questions about it. Hope that clears this up a bit. Thanks.

brock_walters
Contributor

Sorry, one last thing, I meant to post this link as well:

OS X: Verifying DNS consistency for Active Directory binding

https://support.apple.com/en-us/HT201885

easyedc
Valued Contributor II

I'll +1 the Enterprise Connect. We took delivery of this last week and I've been playing with it since. We purchased it for the ability to script out some drive mappings, and the EC's mount/remount upon network detection. It also does some kerberos management that could have been done other ways, but it was handy to wrap them into one app.

We do bind to AD, and Apple seems to be pushing to use this with local accounts and not bind (I guess as a nod to their issues with AD), but that wasn't an option for us. Another +1 is the fact that AppleCare Support does support this as best they can. We can't use the built-in password manager in EC, due to an internal complication (we use a 3rd party password manager which then communicates to AD and every other system), but the notifications are good, too.

For me, the EC took only a few hours, and to get 2 days of professional services for a nominal cost was a win.

CCNapier
Contributor

Can't see it mentioned already, maybe I have the wrong end of the stick..

This will disable the password reset on the Mac computer object in AD, which was causing an issue with us. There are potential security risks, I suppose.

On client:

sudo dsconfigad -passinterval 0

tnielsen
Valued Contributor

Since when did the forums become a means to push 3rd party software and not solve the problem? AD bind dropping shouldn't be happening for the OP. It doesn't happen for me, and I don't use Enterprise Connect and we rely on the AD binding to work.