Posted on 06-23-2015 05:39 AM
I have some laptops that bind to AD using the built-in AD bind that work fine to start. After an unknown amount of time (days? weeks?), if I run id username the connection to the domain is not found, as I get a "no such user" response. Has anyone else seen this or know of a way to stop this from happening? It will become a huge issue when users are up to change their AD password and the computer is "disconnected" from the domain.
Posted on 06-23-2015 05:47 AM
Posted on 06-23-2015 10:13 AM
We solved all the issues with Macs binding to AD by purchasing a new application that Apple Professional Services has for the Enterprise. It is called Apple Enterprise Connect and can be customized to your AD environment. It requires a two-day onsite Apple PS engagement.
Posted on 06-23-2015 10:23 AM
Posted on 06-23-2015 04:03 PM
This can't be for real.
Posted on 06-23-2015 04:19 PM
Why? I can do it on Linux.
Posted on 06-23-2015 04:54 PM
You may also want to check in with your AD folks to see what the AD timeout is. I have a 60-day (edit) window to connect to the domain or the machine loses its binding (Windows or Mac). This was done by design and is a setting in AD. Some AD admins only want a week or two for machines to be "off the grid" before they are no longer trusted by the domain. Just a thought.
Posted on 06-23-2015 05:01 PM
What @wdpickle said. We have an OU "archive" that drops Macs/PCs into it when they are not on the system for 60 days. Search Active Roles for those Macs and see if they're in the correct OU or even deleted.
I'd like to know more about this "Enterprise Connect" though...
Posted on 06-24-2015 08:06 AM
Enterprise Connect looks interesting. I wonder how we would provision certificates for those computers for wireless (handled via config profiles right now)?
Posted on 06-24-2015 08:17 AM
Is it just me or does the Apple Enterprise Connect screenshot posted above look a little fishy? The font spacing and formatting are a little weird and seem to be all over the map, and there are some typos in the document - not like Apple to put out something unpolished like that. Hopefully it's the real deal, and I guess it is since I've seen more than one person mention it on the boards here. Just strange that they would publish something that looks like it was not reviewed by anyone.
Posted on 06-24-2015 08:27 AM
Definitely looks iffy ... I'm asking around so hope to find out more. However, I've been hearing the labeling "Enterprise Connect" around as well as "Connected" which is likely just the Apple/Edu synergistic something. I did recently bring this generalized (AD service) theme up with Apple reps and was told it was for enterprise/corp and not edu. We'll see.
Posted on 06-24-2015 08:44 AM
I sent an email to "email@example.com" including that graphic to ask just that...
It looks off maybe because it's a png which may skew things, but I'm curious.
Posted on 06-24-2015 08:53 AM
From our Apple rep:
So, the Enterprise Connect solution is actually a real solution from our Enterprise Professional Service group. I have never seen that PDF before - but I agree, that totally doesn't look like something we would produce. But, the email address (firstname.lastname@example.org) is correct. I've not had any of my customers look into it yet - so I don't know a ton about it. Are you interested in looking into it? From my understanding, it's a tool for enterprise SSO. The tool handles a few different issues and allows local users to use AD credentials with Kerberos for network resources. If you decide to contact them - please keep me in the loop, so that I have a good feel for what it does, how it works, and the cost - and if you guys see it as something valuable that you could leverage.
Posted on 06-24-2015 08:54 AM
I reached out to our Apple rep and they are working on setting up a call with their PS group... so it's on the up and up...
Posted on 06-24-2015 10:51 AM
Posted on 06-24-2015 10:53 AM
Going to sit in on a WebEx presentation about it in a few minutes here. I am guessing it's doing auth similar to sssd in Linux and configuring Kerberos for you without binding to AD. People that need AD certificates for WiFi and such are probably still going to need to bind, would be my guess.
Posted on 06-24-2015 12:04 PM
@nessts I'm interested in hearing your impressions of the product. If you don't mind posting them sometime after your presentation I would appreciate it.
Posted on 06-24-2015 12:42 PM
I think the Professional Services guys see a lot of the same problems we see, and they have written a tool that takes care of a lot of those issues. Stuff I have done and would like to get around to doing, like checking when the network changes and mounting drives if on the internal network and they are not already mounted, refreshing your Kerberos ticket, etc. The biggest difference is they do it in Swift or Obj-C and I do it in Perl.
You just have to buy a $5500 professional services contract and they will come out for 2 days and help you get it set up. Not a bad deal I think. Especially if they are contemplating adding anything else to it as time goes by and requests come in. I did not write all the things it does down, but I thought of a few more they could easily do to make it more robust. From a service provider standpoint, I would love to be able to deploy it, or get my tools to do a few of what they have and I do not have at this point, and I would like to use their tool since I would not have to maintain it :) And I am sure they can get access to better ways to do things than we can as we reverse engineer stuff. But, what I see as being really important for setup and management by the end of the year is that everybody who wants to configure machines with the new SIP thing coming is really going to want to be on the MDM/DEP path, or you are going to wind up beating your head against the wall.
Posted on 09-08-2015 07:49 PM
We're just catching wind of Apple Enterprise Connect, and it would be great to have some info to peruse before sitting through a WebEx session with Apple. I trust our Apple SE(s) but still would like to come to a WebEx prepared. Anyone have a link to more info?
Posted on 09-09-2015 07:55 AM
@donmontalvo Enterprise Connect is a collection of tools and a consulting visit from Apple. Essentially what they are doing is configuring your machine to use Kerberos, and authenticating with LDAP/AD without binding the machine.
I have a PDF explaining it, if you want to email me at todd.ness at hpe.com I will be happy to send it to you, or your SE could probably send you the same doc. I sat through the WebEx and thought it to be a useful tool.
Posted on 09-09-2015 08:21 AM
We just renewed our support contract for Centrify, so may want to look into this in 2016.
Perhaps this will become an option with Casper next year.
Posted on 09-09-2015 09:21 AM
@nessts thanks, we have a WebEx with our Apple SE this week.
@corbin3ci we tested third party plugins (Quest, Likewise, Centrify, and Thursby) in the past at other large companies, but never moved on them because of concerns about support and patch turnaround time. Has it gotten better these past few years?
Posted on 09-09-2015 01:38 PM
@donmontalvo, we have ongoing issues with Centrify. Mostly having to rebind, and almost weekly someone is not able to log in. This seems to be related to FileVault2, since I have to disable FV2, rebind and then reenable FV2.
It would be great to have the option for LDAP/AD authentication without the hassle of binding. It would be even better if Apple would bake this option into 10.11/12, but I'm sure there needs to be config work on the AD side of the equation.
Posted on 09-09-2015 02:05 PM
Since no one has mentioned it already...
I would suggest checking the clock setting, to see if you are using the same "time server" as your AD...
(NTP - if not, then the two systems can progressively go out of sync...)
As someone else said, a clock skew of more than 5 mins will stop your AD connections from working...
-- Hopefully the solution to your issue is that simple.
-- Otherwise... it gets more complicated...
Posted on 09-09-2015 07:17 PM
Another good practice I have started is to set your time server to your AD domain. So if your domain is ourad.awesomecompany.com, set your time server to that, as all domain controllers also have time services running on them, and then you are bound to get the proper time for authentication...
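As an added example (not code from any poster in this thread), here is the clock-skew check the two posts above describe: query the domain's time service over SNTP and compare it with the local clock against the 5-minute limit that Kerberos applies. The domain name ourad.awesomecompany.com is the one used above as an illustration; the server reply in build_sample_response is constructed so the parsing can be exercised offline.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KERBEROS_MAX_SKEW = 300        # Kerberos default clock skew tolerance: 5 minutes

def ntp_request_packet() -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 in the first byte, rest zero."""
    return b"\x1b" + b"\x00" * 47

def parse_transmit_timestamp(packet: bytes) -> float:
    """Server's Transmit Timestamp (bytes 40-47) converted to Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def skew_seconds(local_unix: float, server_unix: float) -> float:
    """Absolute difference between the local clock and the server clock."""
    return abs(local_unix - server_unix)

def kerberos_skew_ok(local_unix: float, server_unix: float,
                     max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    """True if the skew is within what a Kerberos KDC will accept."""
    return skew_seconds(local_unix, server_unix) <= max_skew

def query_ntp(server: str, timeout: float = 3.0) -> float:
    """Send one SNTP query to UDP/123 on the domain (DCs run the time service) and return its clock."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(ntp_request_packet(), (server, 123))
        data, _ = sock.recvfrom(48)
    return parse_transmit_timestamp(data)

def build_sample_response(unix_seconds: float) -> bytes:
    """Constructed server reply (Mode=4) for offline testing; not captured from a real DC."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * 2**32)
    return b"\x1c" + b"\x00" * 39 + struct.pack("!II", whole + NTP_EPOCH_OFFSET, frac)

def check_domain_time(domain: str = "ourad.awesomecompany.com") -> bool:
    """Compare the local clock with the domain's time service; False means Kerberos auth will fail."""
    server_time = query_ntp(domain)
    ok = kerberos_skew_ok(time.time(), server_time)
    print(f"{domain}: skew {skew_seconds(time.time(), server_time):.1f}s, kerberos ok={ok}")
    return ok
```

Run check_domain_time("your.ad.domain") on the Mac; a False result points at the clock before anything else in the bind.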
Posted on 09-17-2015 07:44 AM
We've been using this for a little while now. It replaces other handy tools like ADPassMon, which can have its problems. The nice thing about this for the end user is the visual cue with colors to show the status of connections to the network. It allows password changes and also allows the user to define mounts to connect when on the network. You could script that for shared folders, but giving the end user some ability to define mounts is helpful.
There is also a statistics tab which will tell you about the policy you have, 30, 60, 90 days (whatever) and how many days are left. It's fairly lightweight and easy to deploy. It's a nice tool to have from Apple, but really this needs to be a part of the system in my opinion.
Posted on 09-17-2015 09:57 AM
Hello to all - I obviously don't speak for Apple in any way but Enterprise Connect is for real. I was given that same document by an Apple SE & was told by them that it was ok to distribute it & to tell our customers to contact their Apple SE if they had questions about it. Hope that clears this up a bit. Thanks.
Posted on 09-17-2015 10:00 AM
Sorry, one last thing: I meant to post this link as well:
OS X: Verifying DNS consistency for Active Directory binding
Posted on 11-10-2015 08:51 AM
I'll +1 the Enterprise Connect. We took delivery of this last week and I've been playing with it since. We purchased it for the ability to script out some drive mappings, and the EC's mount/remount upon network detection. It also does some Kerberos management that could have been done other ways, but it was handy to wrap them into one app.
We do bind to AD, and Apple seems to be pushing to use this with local accounts and not bind (I guess as a nod to their issues with AD), but that wasn't an option for us. Another +1 is the fact that AppleCare Support does support this as best they can. We can't use the built-in password manager in EC, due to an internal complication (we use a 3rd party password manager which then communicates to AD and every other system), but the notifications are good, too.
For me, the EC took only a few hours, and to get 2 days of professional services for a nominal cost was a win.
Posted on 11-10-2015 09:02 AM
Can't see it mentioned already, maybe I have the wrong end of the stick...
This will disable the password reset on Mac Computer Object in AD, which was causing an issue with us. There are potential security risks I suppose.
sudo dsconfigad -passinterval 0
Posted on 11-10-2015 10:03 AM
Since when did the forums become a means to push 3rd party software and not solve the problem? AD bind dropping shouldn't be happening for OP. It doesn't happen for me and I don't use enterprise connect and we rely on the AD binding to work.