Macs Lose Active Directory Binding

We run 10.5.8 and use Deploy Studio 1.0.rc12 for imaging. We run several Mac labs here all with basically the same image. Lately, they have been un-binding themselves from our Active Directory and we can't get them to stay reattached. We try manually and have flushed the DS Cache etc. Removed the Server Policy and so forth. Nothing has worked to date. I do see over the internet that there are many problems of this sort, but none of those fixes have worked for us. Any suggestions would be greatly appreciated.
Thanks
Chris

Hi
You don't have to do it if you don't want to but it would be helpful if you posted the solution. That way others looking to fix similar problems can find it more readily.
Tony

Similar Messages

Os x server loses active directory binding

I am running an open directory/active directory network. Authentication is from the Windows server 2003 active directory. It has worked fine until the last month. Now clients stop authenticating & when I check the AD plugin it says network accounts are not available. I can force the server to unbind, then renew the binding & everything works great.
Is there any work around or fix for this other than upgrading the windows server to 2008?
Thanks

Yes. You are likely experiencing one of two common issues. 1: You time skew is too large (although an unbind/bind will not solve this) or 2: you are failing to properly set the random machine password.
Try this command on the server:
sudo dsconfigad -passinterval 0
Then:
sudo dsconfigad -show
to confirm the setting. This will prevent the machine from refeshing its machine password with the domain every 14 days (default setting). The issue is that Apple's plugin does not properly catch an exception. What happens is the plugin detects that it should re-randomize the machine password so it creates a new one, records it to the config file, and THEN tries to write it to the domain. When the write to the domain fails, the system then sends the new password already recorded in the config file and now they mismatch. This is a common AD integration issue and is likely associated with your binding rights in AD.
As for time, make sure you are pointing all your Macs to the DC for time info or to a mutually agreed upon external server.
Hope this helps. Easy to fix.

Snow Leopard and Windows 2003 Active Directory Binding Issues

Ok I have a new imac 27" with snow leopard (completely patched).
I am attempting to join it to an active directory domain.
First the prequel:
* I have opened full traffic to and from the machine and our domain controllers
* I have enabled full logging on the firewall and there are no blocked packets
* I have used wireshark to watch the traffic on the mac and there appear to be no anomalies (packets being sent out but not getting a response, dns requests that aren't answered, etc)
* I have enabled full KDC logging on the domain controller in question and there are no errors in any of the event logs on either domain controller.
* The domain admin account in question has Enterprise, Schema and Domain Admin rights
* I have tried it both with and without an existing computer account and with every conceivable combination of caps and no caps on domain name, user and computer names.
I am getting the following error at the very end of the process:
"Unable to add server. Credential operation failed because an invalid parameter was provided (5102)"
I enabled debugging on Directory Services and will post a log in a reply.
Anyone have any ideas? I have been banging my head on this for a week with no luck.

Here is the log with the Active Directory: entries grepped... the full log is far too large to reply to here, if you think you need it let me know and I can email it to you it is 548kb
obviously machine names, usernames and ip addresses have been munged.
2011-02-09 12:13:32 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:36 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:41 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:46 EST - T\[0x0000000100404000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 1 - Searching for Forest/Domain information
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 2 - Finding nearest Domain controllers
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 3 - Verifying credentials
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: DomainConfiguration reachabilityNotification - Node: subdomain.domain.tld - resolves - enabled
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Attempting Replica connect to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: CheckWithSelect - good socket to host dc3.subdomain.domain.tld. from poll and verified LDAP
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: FindSuitableReplica - Node subdomain.domain.tld - Established connection to dc3.subdomain.domain.tld.
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:vyvyIt4
2011-02-09 12:13:47 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:vyvyIt4
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Processing Site Search with found IP
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: No site name available
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Start checking servers for site "any"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc3.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Adding Server - "dc1.subdomain.domain.tld"
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: subdomain.domain.tld - Finished checking servers for domain
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating Mappings from inSchema.........
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated schema for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Configuration naming context = cn=Partitions,CN=Configuration,DC=subdomain,DC=domain,DC=tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Top domain set as <cn=subdomain,cn=partitions,cn=configuration,dc=subdomain,dc=domain,dc=tld>
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating domain hierarchy cache
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updating policies from domain subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Updated policies for node name subdomain.domain.tld
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - Searching for existing computer
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:48 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:zXpbfEi
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing Computer search for Ethernet address - 10:9a:dd:56:1b:1d
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 4 - no mapping for Ethernet MAC address
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:vyvyIt4 user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:zXpbfEi user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Bind Step 5 - Bind/Join computer to domain
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Password verify for [email protected] succeeded - cache MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Looking for existing Record of machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Doing DN search for account - machinename
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: EstablishConnectionUsingReplica - Node subdomain.domain.tld - New connection requested
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: watchReachability watching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: VerifiedServerConnection - Verified server connectivity - dc3.subdomain.domain.tld.
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: establishConnectionUsingReplica - Node subdomain.domain.tld - Previous replica = dc3.subdomain.domain.tld. responded
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: kadmEntry port is nil, will use default 464
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: populateKerberosToDomain - Bailing no domain cache for
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Switching active cache to MEMORY:10xG6op
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Secure BIND Session Success with server dc3.subdomain.domain.tld.:389 using cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: KerberosID Found for account CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld - MACHINENAME$
2011-02-09 12:13:49 EST - T\[0x0000000102481000\] - Active Directory: Existing record found @ CN=MACHINENAME,CN=Computers,DC=subdomain,DC=domain,DC=tld with [email protected].
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Setting Computer Password FAILED for existing record......
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Computer password change date is 2011-02-04 18:21:01 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Schtldled computer password change every 1209600 seconds - starting 2011-02-09 12:13:50 -0500
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Closing All Connections
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 21, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: stopWatching socket = 18, xxx.xxx.164.71 -> xxx.xxx.174.77
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: LDAP connection closed - dc3.subdomain.domain.tld.:389 - cache MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: Destroying cache name MEMORY:10xG6op user [email protected]
2011-02-09 12:13:50 EST - T\[0x00000001026AA000\] - Active Directory: Failed to changed computer password in Active Directory domain
2011-02-09 12:13:50 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
2011-02-09 12:13:51 EST - T\[0x0000000102481000\] - Active Directory: copyNodeInfo called for /Active Directory
Message was edited by: aelana

OS X Server loses Active Directory Credentials

I'm running Yosemite on a Mac Mini with OS X Server version 4.0.3. The server is bound to an Active Directory forest running Windows Server 2012 R2
In order for the iPad enrollments to work correctly (as well as other server services) I must have the login credentials from AD. However for no apparent reason the OS X Server loses ALL AD credentials. The only way I've found to get them back is to reboot the OS X Server, sometimes it takes several reboots, but eventually I get reconnected with the AD server.
There doesn't seem to be any particular pattern or time when I loose credentials, though I have suspicion it may be related to server load on the AD servers.
Is there anyone out there that can give me some help regarding this issue, a log file, a setting or maybe some setting on the AD servers I might be over looking?

Yes. You are likely experiencing one of two common issues. 1: You time skew is too large (although an unbind/bind will not solve this) or 2: you are failing to properly set the random machine password.
Try this command on the server:
sudo dsconfigad -passinterval 0
Then:
sudo dsconfigad -show
to confirm the setting. This will prevent the machine from refeshing its machine password with the domain every 14 days (default setting). The issue is that Apple's plugin does not properly catch an exception. What happens is the plugin detects that it should re-randomize the machine password so it creates a new one, records it to the config file, and THEN tries to write it to the domain. When the write to the domain fails, the system then sends the new password already recorded in the config file and now they mismatch. This is a common AD integration issue and is likely associated with your binding rights in AD.
As for time, make sure you are pointing all your Macs to the DC for time info or to a mutually agreed upon external server.
Hope this helps. Easy to fix.

Active Directory Binding Problems

Hi all,
I'm trying to bind to Active Directory but keep on getting the "unknown error occurred" at step 5.
I captured the adplugin debug log, the only error I can see is the following:
2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
Has anyone had the same problem? If so any ideas how to overcome it?
See Complete debug log below.
2006-03-30 15:33:07 BST - ADPlugin: PeriodicTask Called.......
2006-03-30 15:33:07 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:07 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:35 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:35 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:35 BST - ADPlugin: Doing CheckServerRecords......
2006-03-30 15:33:35 BST - ADPlugin: student.hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:35 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 1, kPasswd - 1
2006-03-30 15:33:35 BST - ADPlugin: No matching _kerberos records for server - "napier.student.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: student.hastings.ac.uk - Finished checking servers for domain
2006-03-30 15:33:36 BST - ADPlugin: Got rootDSE for server rutherford.student.hastings.ac.uk to determine forest
2006-03-30 15:33:36 BST - ADPlugin: Determined Forest of hastings.ac.uk from Domain Controller rutherford.student.hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: Found Default Domain student.hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: Global Catalogs - Start checking servers for site "any"
2006-03-30 15:33:36 BST - ADPlugin: Total Servers "any" LDAP - 3, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Server #2 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Found Forest Domain GC hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:36 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Server #2 picked - "galileo.hastings.ac.uk"
2006-03-30 15:33:36 BST - ADPlugin: Found Forest Domain hastings.ac.uk
2006-03-30 15:33:36 BST - ADPlugin: Something wrong, unable to determine domain information from Config container......
2006-03-30 15:33:36 BST - ADPlugin: Finished CheckServerRecords......
2006-03-30 15:33:36 BST - ADPlugin: Created KerberosClient record Generation ID 165422016
2006-03-30 15:33:36 BST - ADPlugin: Rebuilt Kerberos File
2006-03-30 15:33:36 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:36 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:36 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:36 BST - ADPlugin: Doing CheckServerRecords......
2006-03-30 15:33:37 BST - ADPlugin: PeriodicTask Called.......
2006-03-30 15:33:41 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:41 BST - ADPlugin: No existing connection in connection mgr for [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:41 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
2006-03-30 15:33:41 BST - ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:41 BST - ADPlugin: Processing Site Search with found IP
2006-03-30 15:33:41 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:41 BST - ADPlugin: student.hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:41 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 1, kPasswd - 1
2006-03-30 15:33:41 BST - ADPlugin: No matching _kerberos records for server - "napier.student.hastings.ac.uk"
2006-03-30 15:33:41 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:41 BST - ADPlugin: student.hastings.ac.uk - Finished checking servers for domain
2006-03-30 15:33:42 BST - ADPlugin: Got rootDSE for server rutherford.student.hastings.ac.uk to determine forest
2006-03-30 15:33:42 BST - ADPlugin: Determined Forest of hastings.ac.uk from Domain Controller rutherford.student.hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: Found Default Domain student.hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: Global Catalogs - Start checking servers for site "any"
2006-03-30 15:33:42 BST - ADPlugin: Total Servers "any" LDAP - 3, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:42 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Server #2 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Found Forest Domain GC hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: hastings.ac.uk - Start checking servers for site "any"
2006-03-30 15:33:42 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
2006-03-30 15:33:42 BST - ADPlugin: Server #1 picked - "kepler.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Server #2 picked - "galileo.hastings.ac.uk"
2006-03-30 15:33:42 BST - ADPlugin: Found Forest Domain hastings.ac.uk
2006-03-30 15:33:42 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:42 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:42 BST - ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:42 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:42 BST - ADPlugin: Finished CheckServerRecords......
2006-03-30 15:33:42 BST - ADPlugin: Created KerberosClient record Generation ID 165422022
2006-03-30 15:33:42 BST - ADPlugin: Rebuilt Kerberos File
2006-03-30 15:33:42 BST - ADPlugin: Closing All Connections - Connection Manager
2006-03-30 15:33:42 BST - ADPlugin: Closing Connection - [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:42 BST - ADPlugin: Closing All Connections - Connection Manager Completed
2006-03-30 15:33:42 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:42 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:42 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:42 BST - ADPlugin: Verify called for [email protected]
2006-03-30 15:33:43 BST - ADPlugin: Verify successful for [email protected]
2006-03-30 15:33:43 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:43 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:43 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:43 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:43 BST - ADPlugin: No existing connection in connection mgr for [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:43 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
2006-03-30 15:33:43 BST - ADPlugin: Read Context information from server for schemaNamingContext of CN=Schema,CN=Configuration,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:47 BST - ADPlugin: Updating Mappings from Schema..........
2006-03-30 15:33:47 BST - ADPlugin: Doing Computer search for Ethernet address - 00:0a:95:e4:05:84
2006-03-30 15:33:47 BST - ADPlugin: Doing DN search for account - testibook
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus -14136.
2006-03-30 15:33:47 BST - ADPlugin: Calling CloseDirNode
2006-03-30 15:33:47 BST - ADPlugin: Calling OpenDirNode
2006-03-30 15:33:47 BST - ADPlugin: Calling CustomCall
2006-03-30 15:33:47 BST - ADPlugin: Looking for existing Record of testibook
2006-03-30 15:33:47 BST - ADPlugin: Doing DN search for account - testibook
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus -14136.
2006-03-30 15:33:47 BST - ADPlugin: Attempting Add Record......
2006-03-30 15:33:47 BST - ADPlugin: Adding in OU = CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Added record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:33:47 BST - ADPlugin: Setting Computer Password......
2006-03-30 15:33:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:35:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:37:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:39:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:41:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:43:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:45:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:47:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:49:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:51:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:53:48 BST - ADPlugin: Good credentials for [email protected]
2006-03-30 15:53:48 BST - ADPlugin: Existing connection too old in connection mgr [email protected]@student.hastings.ac.uk:389
2006-03-30 15:53:48 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
2006-03-30 15:53:48 BST - ADPlugin: Deleting Record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk...
2006-03-30 15:53:48 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
2006-03-30 15:53:48 BST - ADPlugin: Updating Local Admin Group
2006-03-30 15:53:49 BST - ADPlugin: Cleaning Previous Additions to Local Admin Group
2006-03-30 15:53:49 BST - ADPlugin: Sending lookupd flushcache at request!
2006-03-30 15:53:49 BST - ADPlugin: Resetting memberd cache also!
2006-03-30 15:53:49 BST - ADPlugin: Closing All Connections - Connection Manager
2006-03-30 15:53:49 BST - ADPlugin: Closing Connection - [email protected]@student.hastings.ac.uk:389
2006-03-30 15:53:49 BST - ADPlugin: Closing All Connections - Connection Manager Completed
2006-03-30 15:53:49 BST - ADPlugin: Bind/Join failed - Launching kerberosautoconfig -u
2006-03-30 15:53:49 BST - ADPlugin: Calling CloseDirNode
Many Thanks
Paul

Hi Paul!
I've personally never seen this error message, but a quick search on Google (which you may have already done as well) for "Setting Computer Password FAILED Deleted Record" found someone else who had the same problem. His issue was firewall related and was fixed by opening some ports for AD. He also provides a link to a Microsoft KB article about this.
Hope this helps and good luck! bill
1 GHz Powerbook G4 Mac OS X (10.4.5)

Active Directory Binding Issues

I am having difficulties trying to rejoin a Mac Pro back to the domain.
It is currently running Lion 10.7.4 - some reason it dropped out of the domain
and now I can not rejoin it to the domain.
Every time I go thru Directory Utility to join it I get "unable to connect to server" or
I get "invalid credentials supplied for binding to the server" - I've gone thru terminal and also tried to
force the bind. Still nothing.
I've also done repair permissions and then try to rebind and nothing.
It's odd cuz I can ping the server from the Mac Pro - and when I launch Safari it wants proxy authentication
so it seems like it's on the domain but it isn't.
I go into Active Directory on Windows Server and can not find it in any OU's.
Pretty much at my witt's end.
Is there a way to remove all previous Active Directory Bindings and computer names from the Mac Pro and
then restart from scratch.

I am having difficulties trying to rejoin a Mac Pro back to the domain.
It is currently running Lion 10.7.4 - some reason it dropped out of the domain
and now I can not rejoin it to the domain.
Every time I go thru Directory Utility to join it I get "unable to connect to server" or
I get "invalid credentials supplied for binding to the server" - I've gone thru terminal and also tried to
force the bind. Still nothing.
I've also done repair permissions and then try to rebind and nothing.
It's odd cuz I can ping the server from the Mac Pro - and when I launch Safari it wants proxy authentication
so it seems like it's on the domain but it isn't.
I go into Active Directory on Windows Server and can not find it in any OU's.
Pretty much at my witt's end.
Is there a way to remove all previous Active Directory Bindings and computer names from the Mac Pro and
then restart from scratch.

Active Directory Binding

When binding a computer to Active Directory the plug-in asks for the AD forest, AD domain and computer ID. My assumption is that the computer ID is the Active Directory user ID and it needs to be unique for every computer you bind to AD. Is this correct?

OK, here's the deal.
"After I click on bind, I have to enter a nettworkadministrator name and password"
Yes, your Windows admin, has to make your AD ID a "Domain Admin (adding machines into AD), if he will and knows how to. When you input your AD name and password, it will work.
Now, you could also do this with the Win Admin in front of you, when he is in front of his PC, controlling the Win 2003 / AD server, or in front of the actual server.
My guess is he has not created the "container / object name", just ask him to do it just as he would for a Win PC being added to the AD domain, what is he using to name the PC's, they should not be "User names", but Unique ID's, like Asset tag info, as long as they are unique.
Now I also suspect, the Fully Qualified Domain Name, FQDN. It must be used in the Active Directory (Directory Access) app. Don't worry about forest, it is automatic. The admin or someone, must know the FQDN, ours is something like, LA.AD.'companyname'.ORG
Once you know this and are sure it is correct, go to a PC and do Start, RUN, CMD, to get a dos / command line:
and do: ping 'your FQDN here'
if the DNS in AD is working properly, it will return an actual IP address, if this happens, then we know the FQDN is correct and the name is being resolved by DNS in AD and that it won't be an issue with OS X Directory Access.
Also, take anything out that you might have in OS X "Network" prefs pane on DNS, even if it is right , not needed to bind, but if it is wrong, won't find the AD server.
And the network time must be right, AD is picky about this, if your Mac is even minutes off, it will not Bind, but it will also give you a Message saying your Mac time is off.
In Sys Prefs, Date/Time, I input the internal AD server, FQDN, not the Apple's time server (since I think the Win Admins are blocking NTP outgoing), plus you want your time synced, internally anyhow.
Just some tips that got AD working for us.
E-mail me if you have any further questions, I am sure we can get you bound to your AD server, I can email you some screen shots if needed.
[email protected]
Power Mac G5 Dual 2.0 Mac OS X (10.4.7)
Power Mac G5 Dual 2.0 Mac OS X (10.4.7)
Power Mac G5 Dual 2.0 Mac OS X (10.4.7)
Power Mac G5 Dual 2.0 Mac OS X (10.4.7)
Power Mac G5 Dual 2.0 Mac OS X (10.4.7)

10.5.3 and Active Directory Binding

Hi gang!
Ever since I updated to 10.5.3, I am having all sorts of issues with AD binding to our domain now.
I'll try to keep it short...
It started with a Kerberos prompt from Entourage 2008. I was prompted with an update Kerberos window to enter my password. Entered my password but got an error that my password was invalid.
Navigated and opened the kerberos.app and noticed no ticket. Tried to create a new ticket. I was prompted with my account does not exist.
Opened directory utility and saw that my AD domain was red and my server was not responding.
Tried to unbind, got an error that the account and every other account I tried was invalid, again. Could not unbind even after restarting a few times.
So I decided to reset everything by deleting the DirectoryService directory from Library/Preferences and restarted.
Re-entered all my company information to now get an INVALID ERROR!
I cannot bind now no matter what information I enter.
And if it does pass all the steps and bind, the forest information and domain administration is not entered or received. Red dot server not responding.
I even reinstalled 10.5.3.
Still cannot bind.
Anyone know what gives?

Ok here is what I did to fix our AD/OD issues.
Login in as root.
Unbind both AD/OD and delete them.
On the Mac Server remove all three entries pertaining to machine in OD.
machine$, machine.local, LKDC......
from a terminal you can type with no quotes "dscl . -read /Users/Admin AuthenticationAuthority" to get the Hash value.
On AD delete the machine record for the computer your trying to bind (if it exists)
Delete contents of /Library/Preferences/DirectoryService (not the folder!)
Delete system keychain /Library/Keychain/System.keychain
Empty Trash
Open up Terminal Go > Utilities > Terminal
type with no quotes: "sudo rm -fr /var/db/krb5kdc"
Then type with no quotes: "sudo /usr/libexec/configureLocalKDC"
this will recreate the Hash value for the machine.
Reboot (Important)
Login as root.
Open directory Services.
Bind to OD, then to AD.
Under services make sure your "/Active Directory/All Domains" is higher than your OD record if you want authentication from AD.
Open up your Date & Time preferences and sync clock with your AD server.
Reboot.
Login. (It did take awhile before I could login, about 5-15 minutes)
I hope this helps.

Active Directory binding not working

Hi
I'm trying to bind to my active directory at work.
On tiger I used the following settings
serverdomain.ad
the servers name is machine
Which worked fine.
On leopard when I use either serverdomain.ad or machine.serverdomain.ad I get the following error message
(loosely translated from swedish)
An unknown combination of domain and treecollection was used. You should use a complete DNS-name for the domain and tree collection (i.e something.company.se)
Does anyone know what I should use..the FQDN is machine.serverdomain.ad - shouldnt that work?

The answer was dns.. my client was using the correct nameserver.
The binding worked after that..although I'm not sure its autenticating as it should

How to set permissions on a file for a Mac without active Directory

We don't have our Macs in the Active Directory, we are looking to share an external hard drive to only Macs and not the Windows PC's on the network with out using active directory. I have tested sharing the external hard drive from a PC to everyone and both the PC's and Macs can access this, but we only want the Macs to see this and access this and not everyone. There is no selection for sharing with the computer name in the Share permissions so the only way to do this is to share it to everyone. The Mac accounts are local to the Macs and the PC's are on Active Directory so what i need to do is have a way to share this folder with only Macs and not all the windows PC's. Any solutions, any ideas will help
Thanks

hi
good
go through these links
http://help.sap.com/saphelp_nw2004s/helpdata/en/b9/b4de3f68d48f15e10000000a155106/content.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/be/0de03f41b9eb06e10000000a1550b0/content.htm
thanks
mrutyun

Failed JNDI - Active Directory binding

Hello everyone,
First off, forgive me if I'm posting to the wrong place and please let me know where I should post.
I have a very simple Java application (more or less copied from the Sun tutorial on JNDI) and am trying to connect to a Win 2003 R2 domain controller with active directory configured and populated.
No matter what I try I get
Problem searching directory: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'RootDSE'
I can bind using any of the standard win32 programs including ldp.exe. I can also bind and browse using Softerra LDAP Administrator without problems. I'm obviously missing something, but I can't see what. Please help.
There is no authentication info in the code because I'm hoping that's not needed as long as I'm logged into the windows machine I'm running this on.
Here's the code:
package printerfinder00;
import java.util.Hashtable;
import java.util.jar.Attributes;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
public class Main {
public static void main(String[] args) {
Hashtable env = new Hashtable();
String ldapURL = "ldap://dc01.hr.local:389/";
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapURL);
try {
DirContext ctx = new InitialLdapContext(env, null);
SearchControls searchCtls = new SearchControls();
String returnedAtts[] = {"sn", "givenName", "mail"};
searchCtls.setReturningAttributes(returnedAtts);
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = "(&(objectClass=user)(mail=*))";
String searchBase = "RootDSE";
int totalResults = 0;
NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult) answer.next();
totalResults++;
System.out.println(">>>" + sr.getName());
Attributes attrs = (Attributes) sr.getAttributes();
if (attrs != null) {
try {
System.out.println(" surname: " + attrs.get("sn").get());
System.out.println(" firstname: " + attrs.get("givenName").get());
System.out.println(" mail: " + attrs.get("mail").get());
} catch (NullPointerException e) {
System.out.println("Errors listing attributes: " + e);
System.out.println("Total results: " + totalResults);
ctx.close();
} catch (NamingException e) {
System.err.println("Problem searching directory: " + e);
}

I think the error message is quite descriptive !
Problem searching directory: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'RootDSE'
Firstly you have not supplied any credentials or configured an authentication mechanism, hence you cannot perfom a search.
For simple authentication, it would be something of the form: String adminName = "FOOBAR\\administrator";
String adminPassword = "xxxxxxx";
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);Secondly, your search base is incorrect (although you haven't got to the stage where this will generate an error)
BTW, The search base will be a distinguished name of the form:"dc=foobar,dc=com"If you are perfoming this from a Windows client, and want to utilise single sign-on, then you will want to refer to the post titled "JNDI, Active Directory and Authentication (Part 1) (Kerberos)" available at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
Good luck...

Active Directory Binding Post 10.5.2 (Domain authentication that works!)

Main points: Be sure your local time is being updated by a time server on your network, be sure that all devices are syncing with the same NTP server.
Pre add your computer you want to bind in your domain.
Key: in Directory Utility, choose to authenticate against a known server. So under the Administrative tab choose "prefer this domain server" and enter in the DNS name of a DC in your domain. Also uncheck authentication with any DC in the forest.
Now bind and click Ok.
Now in Directory Utility, click on Search Policy, and add servers in the Authentication tab by choosing Custom Path. Click the + and you should see your domain or multiple domains in your forrest listed. Add them appropriately. In some configurations, you may want to do this for "Contacts".
You can now go back into the Active Directory plugin, and choose to authenticate from any DC in the forest, and remove the selection that allows only authenticating against one server.
Sorry for the lack of deep explanation, but if you are at the point where the AD and DNS is working fine, then this should be pretty straightforward and to the point.

alex.est wrote:
miscategorized and inaccurate this post is from 2004 and has no relevance to 10.5.2
What? I wrote this the day that it says I did. And, yeah this solved issues with 10.5.2's AD binding issues.

Connecting Mac to Active Directory Domain

I understand there is an AD Plug-in available? Where can I find this and is there a good article or can somebody point me in the right direction to having my powerbook join our corporate active directory domain for authentication.
Thanks in advance
Mike

Mac OS 10.4 supports active directory out of the box. Open up /Applications/Utilities/Directory Access and click active directory and configure. Enter the name of the forest and domain you want to join and your computer id then click bind. You will be prompted for an admin password to join the domain. When you have joined click OK to go back to Directory Access and click on authentication. Make sure /Actuve Directory/All Domains is listed. If not add it. You should now be able to log onto your machine with your AD user account.

How do I create Local Network Home Folders for Users from an Active Directory binding?

My situation is this... I run an iMac lab at my school. I have a server set up to manage the network user accounts in the lab. Currently, I can sucessfully create Local Network Users and log in to them from any of the iMacs. My school has an Active Directory set up for all the students on campus. What I'd like to be able to do is configure the server to allow the students to use their user names and passwords from their school accounts to log in to the iMacs and have it automatically build a network user folder on the server for them to use during the lab.
So far, I have been able to configure access for the Active Directory accounts to use the services on the server, mainly File Sharing, but I cannot figure out how to allow them to log into a user account on the client's machines using their same Active Directory credentials. I have even attempted to allow the user accounts to create mobile accounts, but that's not working out either. Entering indivual network user accounts into the server for every student every semester will be a nightmare. I'm sure there's a way to do it automatically using the exisitng Active Directory structure.
The live server is running 10.8.5 Server still, but I've also got a clone running OS X Server in case it matters. Please help!

ok reinstalled everything dns seems to be working have done sudo changeip -checkhostname and it says that both names match but then i started open directory and can't seem to get Kerberos started, i've tried changing it to stand alone then back again but it does nothing. I'm wondering why this would happen? i've tried adding a kerberos record but it doesn't do it just does nothing so i don't know what i'm doing wrong. I wondered if it might be a problem with the two network cards and dns as on ethernet one it is getting the dns name xserve.xxxx.ac.uk (which matches what the college server wants to call us) but on ethernet 2 gets xserve-2.local because it tells me that it already exists on ethernet one and renames it to this. I need to set up NAT so have ethernet coming in on port one and out again on port two. I wonder if my dns is backwards as its got the 192. address the NAT uses but its linked to the ethernet port one dns maybe this is the problem. would this cause open directory not to start kerberos?

Lion 10.7.3 and Active Directory Bind

Hi Group!
I've searched high and low for this with no luck.
Hope someone can help.
After installing 10.7.3, we've noticed a new problem with joining the Macs to AD and creating mobile accounts now.
After the AD bind is successful, the check in 'Require confirmation before creating a mobile account' is there.
And we can't turn it off! It's almost like it's FORCED upon us.
Is there a way to turn this off permanently?!?
Beside just going into Directory Utility and unchecking it?
Because even when you do that, it comes right back on.
Half my folks here have no clue what to do with this prompt at login.

Whats up guys! Thanks for the response and sorry for the delay!
I tried that, Strontium90, no good! I was able to disable mobileconfirm using your command line, but we're still prompted with the same message when a new user logs in. See screenshots:
Thoughts?

Macs Lose Active Directory Binding

Similar Messages

Maybe you are looking for