Trying to 'Bind' in Active Directory

When I click BIND, it asks for a user name and password and the 'admin' password is not working:
It reads...
Leave the advanced options alone for now and enter the name of your Active Directory domain. The computer’s account in AD will reflect the Computer ID in this window—make sure it reads correctly before proceeding. Click Bind.
Enter the user name and password of a user who has permission to bind clients to the Computer OU that you specify. This does not need to be an “admin” user—you may assign the privilege to any user. Click OK. <<
What do they mean by the Computer OU and how do I assign the privilege to a user?
Thanks,
Steve

Ok.... I got past that and it gave me an alert to go here What is Kerberos?(MIT):
http://homepage.mac.com/enggass/Kerberos.jpg
What info is it looking for?
User
Pass
Realm?
DNS (does it want the DNS number here?)
I just want the Windows machines on our network to see and access the server.
Obviously this is all new to me.
Steve

Similar Messages

  • Ldap  error when trying to bind with Active directory

    Hi,
    I'm using the Oracle doc to integrate AD with OID and getting the following error.
    Doc URL : http://www.oracle.com/technology/obe/obe_AS_10g/im/configssl/configssl.htm
    Creating a Wallet for SSL Connectivity Between OID and AD: wallet certificate status is ready and I have imported the user, admin and MS root certificates.
    E:\Oracle\Product\Orainfra\BIN>ldapbind -p 636 -h AD_SERVER -U 2 -P password 1 -W file:E:\Oracle\Product\Orainfra\Wallet
    sgslufread: Hard error on read, OS error = 10053
    sgslufread: Hard error on read, OS error = 10053
    UnKnown Error Encountered
    best regards,

    Hi,
    I resolved it and the solution is: once we have installed the MS Certificate Authority on AD, we need to reboot/start the domain controllers in order to propagate the changes, and after the restart ldapbind was successful.
    Thanks

  • Binding to Active Directory Problem. I am a Newb! probably something stupid

    Hey All,
    Trying to get my Apple Xserve to join our Windows domain. I got it to bind and the user accounts show up on the machine, but then it asks me to join it to the Active Directory Kerberos realm. I am confused.
    What I am trying to do is join it to the Windows domain for my admin account on the actual server and then set up local user accounts on the machine, so when my Mac users log in they authenticate using the local Mac account and not the Windows domain account. Does this make sense? From what I read, Macs authenticate using the local account before going to the Windows account, which is what I want. I am a total newb to this so forgive me for the stupid questions.
    cheers all,
    jess

    Hi
    set up the xserve as an Open directory Master
    will it play nice on the network
    with the rest of the windows servers that we have.
    There should be no problem in doing this. All you need to do is decide whether you want your Mac Server to run its own DNS Service or to use the existing DNS service being provided by the AD Server. Open Directory Master requires DNS Services running somewhere.
    i just want to have a mac studio of about 35 people be
    kind of an island within a sea of windows users. If
    there can be cross over there then fine.. but really
    i want the mac to work well with the apple server and
    if i can get the windows clients hooked up also then
    fine.
    There should be no problem with this.
    When you say studio do you mean a graphics design studio? Or are you talking about a video production studio? If the answer is yes to either one or both then perhaps a simple file server would do. An Open Directory Master is OK in this environment but your network needs to be up to the job. Ideally gigabit Ethernet, certainly for video production and also if your studio are heavy Photoshop users. You could get away with 100Base-T but with 35 heavy users editing files stored on the server as well as Home folders it may be a bit too much. If this is the situation in your studio you would be better placed working locally and saving the files back to the server at the end of the day. You would set up your users with names and passwords in the OD directory node. Your studio can use those account details to log on to the server to access share points but still work locally if they need to. If you start Windows services on the Mac server then there should be no reason for Windows clients to access share points on the Mac server as well. Be careful how you configure Windows services as you already have existing PC servers on the network.
    As you have already stated your aim is to keep the Macs completely separate from the PCs, consider connecting all your Macs to a separate switch and have them running off a different IP address range and subnet mask. You could then use an intervening router to handle traffic between the two networks; this way you control cross-platform access to shared resources. If you understand networks, routers etc. then you should be able to accomplish this without too much trouble. Again, searching the Server forums should give you plenty of ideas and advice on the best way to achieve what you want. As ever, defining and deciding what you want the server to do is half the problem.

  • Binding to Active Directory - strongauthrequired

    I am trying to bind a 10.4.3 machine to a Windows 2000 Active Directory, but experiencing problems.
    The Active Directory plugin hits step 5 then displays "Unable to access domain controller: This computer is unable to access the domain controller for an unknown reason".
    A look at the contents of ./Library/Preferences/edu.mit.Kerberos shows that the machine has got the correct Domain Controllers for the domain (albeit rather odd choices, on sites that are some distance away).
    I've captured the traffic using TCPDump and analysed on a WinXP box using Ethereal, and it seems that the Bind request is being answered by:
    'Bind Result, StrongAuthRequired'
    with further info in the packet:
    'The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v893'
    I've analysed the traffic of an XP machine binding as well, and it seems that at exactly the same point it receives a 'bind success' packet. The only obvious difference I can see is that the OS X box shows the SASL mechanism as GSSAPI, and the XP machine shows it as GSS-SPNEGO.
    They are both using port 389 (which certainly doesn't imply the use of SSL).
    I've investigated the frequently mentioned 'Digitally sign client communication' Domain Security Policy settings, and have replicated them in my test network (which has been tested with default settings and the machine binds successfully), and that still results in a successful bind so I'm not convinced they are related.
    If anyone else has any other suggestions they'd be greatly appreciated!
    iBook   Mac OS X (10.4.3)  

    We've now got to the bottom of this problem, it's due to a particular policy which demands all clients sign their LDAP communications.
    This setting doesn't appear in the Windows Domain Policy unless you're using a 2003 MMC snap-in, which certainly added to the time it took me to diagnose the problem (Apple's phone support simply said "we don't support the AD module").
    In case anyone else has the same issue, the registry key in question is:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
    When the key exists and is set to '2' (I'm unsure what '1' would do at present) OS X clients will receive the following sequence of packets when binding:
    Mac: Bind Request
    Domain: SASLBindinprogress
    Mac: ACK
    Domain: SASLBindinprogress
    Mac: ACK
    Domain: Bind Result = Fail; StrongAuthRequired
    I'd be interested to hear the official line on this, as it appears that we are now in a situation where we need to reduce our domain security level if we want Macs to be able to bind.
    iBook   Mac OS X (10.4.3)  
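
The packet sequence reported in this thread can be read straight from the BindResponse messages. This is an added example, not part of the original posts: it decodes LDAP BindResponse PDUs per RFC 4511 and separates a signing-policy refusal (result code 8) from bad credentials (49). The sample bytes are constructed with placeholder SASL tokens; only the diagnostic text comes from the post, and the function names are made up for this example.

```python
"""Decode LDAP BindResponse messages (RFC 4511) taken from a capture."""

# Result codes from RFC 4511; older dissectors print 8 as StrongAuthRequired.
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired",
                14: "saslBindInProgress", 49: "invalidCredentials"}

TAG_SEQUENCE = 0x30       # LDAPMessage
TAG_INTEGER = 0x02        # messageID
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_ENUMERATED = 0x0A     # resultCode
TAG_OCTET_STRING = 0x04   # matchedDN, diagnosticMessage
TAG_SASL_CREDS = 0x87     # [7] serverSaslCreds, primitive

def read_tlv(buf, pos, want=None):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low bits give octet count
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("BER value runs past the end of the buffer")
    if want is not None and tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return tag, buf[pos:pos + length], pos + length

def decode_bind_response(pdu):
    """Decode one LDAPMessage that carries a BindResponse."""
    _, message, _ = read_tlv(pdu, 0, TAG_SEQUENCE)
    _, msg_id, pos = read_tlv(message, 0, TAG_INTEGER)
    _, op, _ = read_tlv(message, pos, TAG_BIND_RESPONSE)
    _, code, pos = read_tlv(op, 0, TAG_ENUMERATED)
    _, matched_dn, pos = read_tlv(op, pos, TAG_OCTET_STRING)
    _, diagnostic, pos = read_tlv(op, pos, TAG_OCTET_STRING)
    sasl_creds = None
    while pos < len(op):               # optional referral / serverSaslCreds
        tag, value, pos = read_tlv(op, pos)
        if tag == TAG_SASL_CREDS:
            sasl_creds = value
    code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": code,
        "result_name": RESULT_NAMES.get(code, f"other({code})"),
        "matched_dn": matched_dn.decode("utf-8", "replace"),
        "diagnostic": diagnostic.decode("utf-8", "replace"),
        "sasl_creds": sasl_creds,
    }

def classify_exchange(pdus):
    """Name the outcome of a bind from its ordered BindResponse PDUs."""
    final = decode_bind_response(pdus[-1])
    if final["result_code"] == 0:
        return "bound"
    if final["result_code"] == 49:
        return "bad-credentials"
    if final["result_code"] == 8 and "integrity" in final["diagnostic"]:
        return "signing-required"      # policy refusal, not a password problem
    return final["result_name"]

# --- Constructed sample data below; these are not the poster's packets. ---
def encode_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + value

def build_bind_response(msg_id, code, diagnostic=b"", sasl_creds=None):
    op = (encode_tlv(TAG_ENUMERATED, bytes([code]))
          + encode_tlv(TAG_OCTET_STRING, b"")          # empty matchedDN
          + encode_tlv(TAG_OCTET_STRING, diagnostic))
    if sasl_creds is not None:
        op += encode_tlv(TAG_SASL_CREDS, sasl_creds)
    return encode_tlv(TAG_SEQUENCE, encode_tlv(TAG_INTEGER, bytes([msg_id]))
                      + encode_tlv(TAG_BIND_RESPONSE, op))

# Diagnostic text as quoted in the post.
DIAGNOSTIC = (b"The server requires binds to turn on integrity checking if "
              b"SSL\\TLS are not already active on the connection, data 0, v893")
SAMPLE_EXCHANGE = [
    build_bind_response(1, 14, sasl_creds=b"\x00" * 8),  # placeholder token
    build_bind_response(2, 14, sasl_creds=b"\x00" * 8),
    build_bind_response(3, 8, diagnostic=DIAGNOSTIC),
]

if __name__ == "__main__":
    for pdu in SAMPLE_EXCHANGE:
        print(decode_bind_response(pdu)["result_name"])
    print("outcome:", classify_exchange(SAMPLE_EXCHANGE))
```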

  • OS 10.5.4 will not bind to Active Directory.

    Long story short, our macs (for the graphic designers) using Leopard that were able to login to the computer via active directory server without any problems for months, no longer can and we have no idea why. They worked in the morning yesterday, and suddenly their email (entourage) was disconnected, and when restarting, their domain user accounts no longer work when logging in on the macs. Only local admin account can log in. Can't even log in with network system user.
    Nothing was changed on the local machines or the server either.
    You can, however, log in to the server using a local user account and Apple+K into the server and log in with the user names and passes that were previously used as domain login without a problem.
    Any particular cause for this? The system clocks are not off, no settings have changed, I re-joined the macs to the domain and active directory and now it won't even allow me to do that anymore. I get this exact error - "Unable to add domain. Error Type -14910 (eServerError)"
    Very odd, IMO.
    However, our ONE mac that is still on 10.4 works perfectly.
    Any insight?
    Message was edited by: RudeMood

    We've stuck with 10.5.2 because of the bug in 10.5.3 that caused file corruption with CS3 documents saved over the network. 10.5.4 seems to have broken AD binding (maybe it was 10.5.3, wouldn't know since we passed on it). Apple is aware of the issue and is working on a fix. I wouldn't be surprised if it hasn't already been fixed in the 10.5.5 forthcoming release (just a guess).
    Don

  • Can't see Users after binding with Active Directory

    Hi,
    I have a clean install of Mountain Lion Server and I have bound it with Windows 2003 Server's Active Directory. All is working, but I can't see the AD users in Server app, so I can't edit them.
    I can see them only in Directory Utility.
    Can anybody help me so that I can see the AD users in Server app and edit them?
    And does anybody know how to change the AD users' home folder so that I can have it on my Mountain Lion server?

    Try the following user tip:
    Troubleshooting issues with iTunes for Windows updates

  • WGM error while trying to connect to Active Directory

    Hello I'm trying to insert AD groups into OD groups so I can create automounts to a users specific network folder. When attempting to connect to AD from within WGM I get an unexpected error. It states:
    Error of Type eDSOpenNodeFailed (-14002) on line 4125 of /SourceCache/WorkGroupManager/WorkGroupManager-361.3.1/PMMUGMainView.mm
    I tried googling the whole error and parts of the wording but haven't found anything relevant. It used to work.
    Same error using Macmini 10.6.4 and Xserve 10.6.4. Recently the district office did change the way my domain syncs with theirs, as I was having sync errors with groups. I have a 2000 domain structure and the D.O. has a 2003 structure. I will be migrating the DC roles over to my 2003 Server this Thanksgiving, but for now I have to deal with what I have.
    Thanks in advance...Art

    All checked out fine from the Server except host -t SRV _gc....it relayed a host not found: 3(NXDomain) Is this a Global Catalog error relayed from the Windows domain?
    Yes
    ... I wonder how this would affect the Xserve, all AD users can log into the machines, my only problem is in pulling AD groups into OD. The Xserve OD DNS structure is separate from AD, but I do have the Xserve bound to AD. I have unbound and rebound my macmini before I made the post to see if that would change anything but it did not, I think I will try the Xserve next.
    Why is DNS independent? Not that it is related, but maintaining two DNS identities is going to lead to confusion at best and disaster at worst. If the primary domain is AD, you should be using only the AD DNS. In a normal AD promotion all the SRV records get created by default. While it is possible to create the service records for AD on OS X, it is usually not recommended. Too much management. My gut is to track down the absence of the GC service record. If you truly have independent DNS hosted on OS X and that is the primary resolver for the machine (assuming same domain), then try creating the SRV record on OS X for the GC. Seems a bit odd but if you are at odds with the Windows admins, this might be your only way of proving that this is the issue.
    You mention that users can log into machines. This is from the workstation. Have you tried dscl from the server or the workstation to see if you are able to browse the groups?

  • Binding to Active Directory with Leopard 10.5

    I'm not in the process of testing Leopard and so far I have it installed and have it bound to Windows AD, and with the Directory Utility it gives me the green light that "This Server is responding normally", but as soon as I head to the login screen it does not work for logging in. I have un-bound, changed settings, restarted and have had no luck. I have been working with OS X & AD for about 3-4 years now and it's always worked for me. So far it seems like something in Leopard is not working right with Windows AD.
    Any idea.
    Thanks

    Ok, not sure what has changed now, but after installing on a second computer, running the same setup, it still did not work; then after running around the building for a bit with other tasks, I came back and now it works.
    I must say, works well for connecting to a AD user home mapping. Actually works for the home drive mapping over Tiger.
    Thanks,
    Carter

  • Active Directory Binding Problems

    Hi all,
    I'm trying to bind to Active Directory but keep on getting the "unknown error occurred" at step 5.
    I captured the adplugin debug log, the only error I can see is the following:
    2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
    Has anyone had the same problem? If so any ideas how to overcome it?
    See Complete debug log below.
    2006-03-30 15:33:07 BST - ADPlugin: PeriodicTask Called.......
    2006-03-30 15:33:07 BST - ADPlugin: Calling OpenDirNode
    2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:07 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:07 BST - ADPlugin: Calling CloseDirNode
    2006-03-30 15:33:35 BST - ADPlugin: Calling OpenDirNode
    2006-03-30 15:33:35 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:35 BST - ADPlugin: Doing CheckServerRecords......
    2006-03-30 15:33:35 BST - ADPlugin: student.hastings.ac.uk - Start checking servers for site "any"
    2006-03-30 15:33:35 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 1, kPasswd - 1
    2006-03-30 15:33:35 BST - ADPlugin: No matching _kerberos records for server - "napier.student.hastings.ac.uk"
    2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
    2006-03-30 15:33:36 BST - ADPlugin: student.hastings.ac.uk - Finished checking servers for domain
    2006-03-30 15:33:36 BST - ADPlugin: Got rootDSE for server rutherford.student.hastings.ac.uk to determine forest
    2006-03-30 15:33:36 BST - ADPlugin: Determined Forest of hastings.ac.uk from Domain Controller rutherford.student.hastings.ac.uk
    2006-03-30 15:33:36 BST - ADPlugin: Found Default Domain student.hastings.ac.uk
    2006-03-30 15:33:36 BST - ADPlugin: Global Catalogs - Start checking servers for site "any"
    2006-03-30 15:33:36 BST - ADPlugin: Total Servers "any" LDAP - 3, Kerberos - 2, kPasswd - 2
    2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
    2006-03-30 15:33:36 BST - ADPlugin: Server #2 picked - "kepler.hastings.ac.uk"
    2006-03-30 15:33:36 BST - ADPlugin: Found Forest Domain GC hastings.ac.uk
    2006-03-30 15:33:36 BST - ADPlugin: hastings.ac.uk - Start checking servers for site "any"
    2006-03-30 15:33:36 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2006-03-30 15:33:36 BST - ADPlugin: Server #1 picked - "kepler.hastings.ac.uk"
    2006-03-30 15:33:36 BST - ADPlugin: Server #2 picked - "galileo.hastings.ac.uk"
    2006-03-30 15:33:36 BST - ADPlugin: Found Forest Domain hastings.ac.uk
    2006-03-30 15:33:36 BST - ADPlugin: Something wrong, unable to determine domain information from Config container......
    2006-03-30 15:33:36 BST - ADPlugin: Finished CheckServerRecords......
    2006-03-30 15:33:36 BST - ADPlugin: Created KerberosClient record Generation ID 165422016
    2006-03-30 15:33:36 BST - ADPlugin: Rebuilt Kerberos File
    2006-03-30 15:33:36 BST - ADPlugin: Calling CloseDirNode
    2006-03-30 15:33:36 BST - ADPlugin: Calling OpenDirNode
    2006-03-30 15:33:36 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:36 BST - ADPlugin: Doing CheckServerRecords......
    2006-03-30 15:33:37 BST - ADPlugin: PeriodicTask Called.......
    2006-03-30 15:33:41 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:33:41 BST - ADPlugin: No existing connection in connection mgr for [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:41 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
    2006-03-30 15:33:41 BST - ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=hastings,DC=ac,DC=uk
    2006-03-30 15:33:41 BST - ADPlugin: Processing Site Search with found IP
    2006-03-30 15:33:41 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
    2006-03-30 15:33:41 BST - ADPlugin: student.hastings.ac.uk - Start checking servers for site "any"
    2006-03-30 15:33:41 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 1, kPasswd - 1
    2006-03-30 15:33:41 BST - ADPlugin: No matching _kerberos records for server - "napier.student.hastings.ac.uk"
    2006-03-30 15:33:41 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
    2006-03-30 15:33:41 BST - ADPlugin: student.hastings.ac.uk - Finished checking servers for domain
    2006-03-30 15:33:42 BST - ADPlugin: Got rootDSE for server rutherford.student.hastings.ac.uk to determine forest
    2006-03-30 15:33:42 BST - ADPlugin: Determined Forest of hastings.ac.uk from Domain Controller rutherford.student.hastings.ac.uk
    2006-03-30 15:33:42 BST - ADPlugin: Found Default Domain student.hastings.ac.uk
    2006-03-30 15:33:42 BST - ADPlugin: Global Catalogs - Start checking servers for site "any"
    2006-03-30 15:33:42 BST - ADPlugin: Total Servers "any" LDAP - 3, Kerberos - 2, kPasswd - 2
    2006-03-30 15:33:42 BST - ADPlugin: Server #1 picked - "rutherford.student.hastings.ac.uk"
    2006-03-30 15:33:42 BST - ADPlugin: Server #2 picked - "kepler.hastings.ac.uk"
    2006-03-30 15:33:42 BST - ADPlugin: Found Forest Domain GC hastings.ac.uk
    2006-03-30 15:33:42 BST - ADPlugin: hastings.ac.uk - Start checking servers for site "any"
    2006-03-30 15:33:42 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 2, kPasswd - 2
    2006-03-30 15:33:42 BST - ADPlugin: Server #1 picked - "kepler.hastings.ac.uk"
    2006-03-30 15:33:42 BST - ADPlugin: Server #2 picked - "galileo.hastings.ac.uk"
    2006-03-30 15:33:42 BST - ADPlugin: Found Forest Domain hastings.ac.uk
    2006-03-30 15:33:42 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:33:42 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:42 BST - ADPlugin: Read Context information from server for configurationNamingContext of CN=Configuration,DC=hastings,DC=ac,DC=uk
    2006-03-30 15:33:42 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
    2006-03-30 15:33:42 BST - ADPlugin: Finished CheckServerRecords......
    2006-03-30 15:33:42 BST - ADPlugin: Created KerberosClient record Generation ID 165422022
    2006-03-30 15:33:42 BST - ADPlugin: Rebuilt Kerberos File
    2006-03-30 15:33:42 BST - ADPlugin: Closing All Connections - Connection Manager
    2006-03-30 15:33:42 BST - ADPlugin: Closing Connection - [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:42 BST - ADPlugin: Closing All Connections - Connection Manager Completed
    2006-03-30 15:33:42 BST - ADPlugin: Calling CloseDirNode
    2006-03-30 15:33:42 BST - ADPlugin: Calling OpenDirNode
    2006-03-30 15:33:42 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:42 BST - ADPlugin: Verify called for [email protected]
    2006-03-30 15:33:43 BST - ADPlugin: Verify successful for [email protected]
    2006-03-30 15:33:43 BST - ADPlugin: Calling CloseDirNode
    2006-03-30 15:33:43 BST - ADPlugin: Calling OpenDirNode
    2006-03-30 15:33:43 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:43 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:33:43 BST - ADPlugin: No existing connection in connection mgr for [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:43 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
    2006-03-30 15:33:43 BST - ADPlugin: Read Context information from server for schemaNamingContext of CN=Schema,CN=Configuration,DC=hastings,DC=ac,DC=uk
    2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
    2006-03-30 15:33:47 BST - ADPlugin: Updating Mappings from Schema..........
    2006-03-30 15:33:47 BST - ADPlugin: Doing Computer search for Ethernet address - 00:0a:95:e4:05:84
    2006-03-30 15:33:47 BST - ADPlugin: Doing DN search for account - testibook
    2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus -14136.
    2006-03-30 15:33:47 BST - ADPlugin: Calling CloseDirNode
    2006-03-30 15:33:47 BST - ADPlugin: Calling OpenDirNode
    2006-03-30 15:33:47 BST - ADPlugin: Calling CustomCall
    2006-03-30 15:33:47 BST - ADPlugin: Looking for existing Record of testibook
    2006-03-30 15:33:47 BST - ADPlugin: Doing DN search for account - testibook
    2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus -14136.
    2006-03-30 15:33:47 BST - ADPlugin: Attempting Add Record......
    2006-03-30 15:33:47 BST - ADPlugin: Adding in OU = CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
    2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
    2006-03-30 15:33:47 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:33:47 BST - ADPlugin: Retrieved existing connection from connection mgr [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:33:47 BST - ADPlugin: Added record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
    2006-03-30 15:33:47 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
    2006-03-30 15:33:47 BST - ADPlugin: Setting Computer Password......
    2006-03-30 15:33:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:35:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:37:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:39:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:41:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:43:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:45:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:47:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:49:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:51:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
    2006-03-30 15:53:48 BST - ADPlugin: Good credentials for [email protected]
    2006-03-30 15:53:48 BST - ADPlugin: Existing connection too old in connection mgr [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:53:48 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
    2006-03-30 15:53:48 BST - ADPlugin: Deleting Record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk...
    2006-03-30 15:53:48 BST - ADPlugin: Returning connection to pool for domain student.hastings.ac.uk with dsStatus 0.
    2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
    2006-03-30 15:53:48 BST - ADPlugin: Updating Local Admin Group
    2006-03-30 15:53:49 BST - ADPlugin: Cleaning Previous Additions to Local Admin Group
    2006-03-30 15:53:49 BST - ADPlugin: Sending lookupd flushcache at request!
    2006-03-30 15:53:49 BST - ADPlugin: Resetting memberd cache also!
    2006-03-30 15:53:49 BST - ADPlugin: Closing All Connections - Connection Manager
    2006-03-30 15:53:49 BST - ADPlugin: Closing Connection - [email protected]@student.hastings.ac.uk:389
    2006-03-30 15:53:49 BST - ADPlugin: Closing All Connections - Connection Manager Completed
    2006-03-30 15:53:49 BST - ADPlugin: Bind/Join failed - Launching kerberosautoconfig -u
    2006-03-30 15:53:49 BST - ADPlugin: Calling CloseDirNode
    Many Thanks
    Paul

    Hi Paul!
    I've personally never seen this error message, but a quick search on Google (which you may have already done as well) for "Setting Computer Password FAILED Deleted Record" found someone else who had the same problem. His issue was firewall related and was fixed by opening some ports for AD. He also provides a link to a Microsoft KB article about this.
    Hope this helps and good luck! bill
    1 GHz Powerbook G4   Mac OS X (10.4.5)  
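
A triage pass over the ADPlugin debug log from this thread, as an added example that is not part of the original posts: it counts the password-change retries, measures how long the step stalled, and records that the LDAP bind and computer record creation had already succeeded before the failure. The function names and verdict labels are made up for this example; the sample lines are abridged from the log quoted in the post.

```python
"""Triage an ADPlugin debug log for a failed computer-password step."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ - ADPlugin: (.*)$")

# Abridged from the log quoted in the post. Account names are masked on the
# page and are kept here exactly as the page shows them.
SAMPLE_LOG = """\
2006-03-30 15:33:41 BST - ADPlugin: Total Servers "any" LDAP - 2, Kerberos - 1, kPasswd - 1
2006-03-30 15:33:41 BST - ADPlugin: No matching _kerberos records for server - "napier.student.hastings.ac.uk"
2006-03-30 15:33:43 BST - ADPlugin: Secure BIND Session with server rutherford.student.hastings.ac.uk:389
2006-03-30 15:33:47 BST - ADPlugin: Added record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk
2006-03-30 15:33:47 BST - ADPlugin: Setting Computer Password......
2006-03-30 15:33:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:35:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:37:47 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:39:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:41:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:43:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:45:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:47:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:49:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:51:48 BST - ADPlugin: Changing Password for User [email protected] as [email protected]
2006-03-30 15:53:48 BST - ADPlugin: Deleting Record CN=testibook,CN=Computers,DC=student,DC=hastings,DC=ac,DC=uk...
2006-03-30 15:53:48 BST - ADPlugin: Setting Computer Password FAILED Deleted Record......
"""


def parse_events(text):
    """Return (timestamp, message) pairs for every ADPlugin log line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # anything that is not an ADPlugin line is skipped
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((stamp, m.group(2)))
    return events


def verdict(report):
    if not report["password_failed"]:
        return "no-password-failure"
    if (report["ldap_bind_servers"] and report["record_added"]
            and report["password_attempts"] > 1):
        # LDAP on 389 worked and the computer object was created, yet the
        # password change was retried until the plugin gave up: check that the
        # Kerberos/kPasswd services are reachable, as the reply suggests.
        return "password-change-timed-out"
    return "password-failure-other"


def triage(text):
    report = {"ldap_bind_servers": [], "servers_without_kerberos_srv": [],
              "record_added": None, "record_deleted": False,
              "password_attempts": 0, "retry_gaps_seconds": [],
              "stall_seconds": None, "password_failed": False}
    first_attempt = last_attempt = None
    for stamp, msg in parse_events(text):
        if msg.startswith("Secure BIND Session with server "):
            server = msg.rsplit(" ", 1)[1]
            if server not in report["ldap_bind_servers"]:
                report["ldap_bind_servers"].append(server)
        elif msg.startswith("No matching _kerberos records for server"):
            name = re.search(r'"([^"]+)"', msg)
            if name and name.group(1) not in report["servers_without_kerberos_srv"]:
                report["servers_without_kerberos_srv"].append(name.group(1))
        elif msg.startswith("Added record "):
            report["record_added"] = msg[len("Added record "):]
        elif msg.startswith("Deleting Record "):
            report["record_deleted"] = True  # the plugin rolls the join back
        elif msg.startswith("Changing Password for User "):
            report["password_attempts"] += 1
            if last_attempt is not None:
                gap = int((stamp - last_attempt).total_seconds())
                report["retry_gaps_seconds"].append(gap)
            first_attempt = first_attempt or stamp
            last_attempt = stamp
        elif msg.startswith("Setting Computer Password FAILED"):
            report["password_failed"] = True
            if first_attempt is not None:
                stall = int((stamp - first_attempt).total_seconds())
                report["stall_seconds"] = stall
    report["verdict"] = verdict(report)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```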

  • Trying to delete Active Directory but getting errors

    Hi There, 
    I am trying to delete an Active Directory that I have. I have removed all subscriptions from this Active Directory but now I get the message:
    Directory contains one or more applications that were added by a user or administrator.
    Under the Active Directory, I have no applications (it used to have applications and I have since removed them).
    I don't have any other subscriptions tied to this Active Directory. It could have been used for an Office 365 trial quite a few years ago.
    How can I remove this? Tried almost everything.
    Thanks

    Hello,
    A Global Administrator can delete an Azure AD directory from the Azure Management Portal. When a directory is deleted, all resources contained in the directory are also deleted; so you should be sure you don’t need the directory before you delete it.
    ERROR:  Directory has one or more applications
    If you get this error message you may have applications associated with the directory, in order to proceed with the deletion of the directory you must ensure these are removed.
    If you select the Applications pane within Azure Active Directory, check the applications, and if they are not required then proceed with deleting them. If no applications are visible then you may find that you have ‘hidden’ applications that are not yet exposed via the UI.
    In order to delete these, you will need to use the Azure Active Directory PowerShell module. You can download this (Manage Azure AD using Windows PowerShell).
    Once you have downloaded the required components and successfully installed them, go ahead and launch a PowerShell console:
    Connect-MsolService
    Enter your global admin credentials {example: [email protected]}
    It is important to note here that you won't be able to log in using a Microsoft Account aka Live ID, and so if this is the only identity you have, create a work account aka organizational account in the directory first to perform this action, which you can delete once finished.
    Get-MsolServicePrincipal | Select DisplayName
    This will then show you what applications you have listed, some of which are required and won’t be able to be removed. If you don’t need any of the applications listed you can go ahead and remove them:
    Get-MsolServicePrincipal | Remove-MsolServicePrincipal
    NOTE:
    You will find that some errors are displayed (red text); ignore them. Those are service-side service principals, but they are white-listed and the deletion will work with them present.
    If this then fails, take a look at the PowerShell MSONLINE log files, and if you still need further guidance, be sure to attach them to the support incident as they are super helpful to the support engineering teams when investigating the problem you're having.
    These files can be found in “C:\Users\%username%\AppData\Local\Microsoft\Office365\Powershell\”
    Regards,
    Neelesh.

  • Binding MAC 9.X workstations to Windows 2003 Active Directory

    Hello all,
    Has anyone achieved success with adding/binding Mac 9.X workstations to Microsoft 2003 Active Directory? We have 25 iMAC 9.2.2 workstations (we cannot upgrade to MAC OS 10.X because of hardware limitations) on a Windows 2003 SP2 network. I know that it can work with MAC OS 10.X but I am looking for an OS 9.X solution.
    I want to be able to apply security, printer scripts for the MAC computers using the 2003 Active Directory.
    Thanks
    17" Powerbook G4   Mac OS X (10.4.4)   2 gb ram

    You don't need to do anything in AD other than create the user you want to log onto your Mac.
    http://www.makemacwork.com/bind-to-active-directory.htm

  • Active directory connection problem

    Hi all,
    I try to connect to an Active Directory using JNDI but I'm not successful. I always get the same error saying that my credentials are not valid. It seems that I have to use a UPN to connect, but I don't know how to use it. The usual parameters don't work. The UPN should be [email protected] where xxx is the domain. I'm going crazy, I've tried several things but unsuccessfully.
    Here is my initial config file:
    <config-file>
         <ldap>
              <initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
              <providerUrl>ldap://luinternal.xxxxx.xxxxx:389/</providerUrl>
              <securityAuthentication>simple</securityAuthentication>
              <securityPrincipal>
                   <user>webtemp</user>
              </securityPrincipal>
              <securityCredentials>Password0123456789</securityCredentials>
              <ldapVersion>3</ldapVersion>
         </ldap>
    </config-file>
    This does not work, I get an error 49.
    I've tried to change webtemp to webtemp@[email protected] but this does not work as well.
    I'm also using ldap browser v2.8.2, a Java client, to test my connections.
    Hope you can help me.
    Cheers :)

    I have no idea what application is using this configuration, nor how it uses the credentials to bind to Active Directory.
    However from a pure LDAP perspective, you can use three forms of user name to perform a simple bind.
    1. Distinguished Name
    cn=John Smith, OU=Scientists,DC=Antipodes,DC=Com
    2. NT style domain name
    ANTIPODES\jsmith
    3. User Principal Name
    [email protected]
    In your example, if you wanted to use the userPrincipalName, I can only guess that it will be [email protected]
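
The answer's three name forms, plus a decoder for the sub-code Active Directory appends after `data` in an error 49 message, as an added example that is not part of the original posts. The account, the domain `corp.example.com`, the NetBIOS name `CORP` and the sample messages are constructed; the sketch assumes the UPN is `sAMAccountName@dnsDomain` and that the CN contains no characters needing DN escaping.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdBindDiagnostics {
    // Sub-codes Active Directory puts after "data" in an LDAP error 49 message.
    private static final Map<String, String> SUBCODES = new LinkedHashMap<>();
    static {
        SUBCODES.put("525", "user not found");
        SUBCODES.put("52e", "invalid credentials");
        SUBCODES.put("530", "logon not permitted at this time");
        SUBCODES.put("531", "logon not permitted from this workstation");
        SUBCODES.put("532", "password expired");
        SUBCODES.put("533", "account disabled");
        SUBCODES.put("701", "account expired");
        SUBCODES.put("773", "user must reset password");
        SUBCODES.put("775", "account locked out");
    }
    private static final Pattern ERR49 =
            Pattern.compile("error code 49\\b.*?\\bdata\\s+([0-9a-fA-F]+)");

    // Turns the message of a javax.naming.AuthenticationException into a readable cause.
    static String explain(String message) {
        Matcher m = ERR49.matcher(String.valueOf(message));
        if (!m.find()) {
            return "no AD sub-code found";
        }
        String code = m.group(1).toLowerCase();
        return code + " = " + SUBCODES.getOrDefault(code, "sub-code not in this table");
    }

    // "corp.example.com" -> "DC=corp,DC=example,DC=com"
    static String baseDn(String dnsDomain) {
        StringBuilder sb = new StringBuilder();
        for (String label : dnsDomain.split("\\.")) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append("DC=").append(label);
        }
        return sb.toString();
    }

    // The three simple-bind name forms for one account.
    static Map<String, String> principalForms(String cn, String container, String sam,
                                              String dnsDomain, String netbiosDomain) {
        Map<String, String> forms = new LinkedHashMap<>();
        forms.put("distinguished name", "CN=" + cn + "," + container + "," + baseDn(dnsDomain));
        forms.put("NT-style name", netbiosDomain + "\\" + sam);
        forms.put("user principal name", sam + "@" + dnsDomain);
        return forms;
    }

    public static void main(String[] args) {
        // Constructed account and domain values.
        principalForms("John Smith", "OU=Scientists", "jsmith", "corp.example.com", "CORP")
                .forEach((kind, value) -> System.out.println(kind + ": " + value));
        // Constructed messages in the shape AD returns for a rejected bind.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                + "comment: AcceptSecurityContext error, data 52e, vece]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                + "comment: AcceptSecurityContext error, data 775, vece]"
        };
        for (String s : samples) {
            System.out.println(explain(s));
        }
    }
}
```

Logging the decoded sub-code separates a wrong name form (525) from a rejected password (52e) and from a lockout (775), which a bare "error 49" does not.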

  • Need Help creating new user in Active Directory

    I am trying to create a new user in active directory via a java application. I have included the code that I am using. I am able to successfully bind to Active Directory. I have been able to change passwords, and delete users, but I have not been able to create a user.
    ldapHost : "mta101.DOM101.CEL.ACC.AF.MIL"
    domainName: "dc=dom101,dc=cel,dc=acc,dc=af,dc=mil"
    existing account: CN=Brett K. Humpherys,OU=Users,OU=CEL
    I get the following error on the createSubcontext statement:
    javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - 00000057: LdapErr: DSID-0C09098B, comment: Error in attribute conversion operation, data 0, v893 ; remaining name 'CN=test1,OU=Users,OU=CEL'
    I have commented out the password portion and change the ObjectCategory to a 32 and get the same error.
    public GblStatus createAccount7(DbaDb dbConn,
                                    String jsrcName,
                                    String personName,
                                    String username,
                                    String password)
    {
      Hashtable ldapEnv = new Hashtable(11);
      ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
      ldapEnv.put(Context.PROVIDER_URL, "ldap://" + this.ldapHost + ":636");
      ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
      ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
      ldapEnv.put(Context.REFERRAL, "ignore");
      ldapEnv.put(Context.SECURITY_PRINCIPAL,"cn=" + this.adminAcct + ",cn=users," + this.domainName);
      ldapEnv.put(Context.SECURITY_CREDENTIALS, this.adminPwd);
      try
      {
        // Create the initial context
        DirContext ctx = new InitialDirContext(ldapEnv);
        BasicAttributes attrs = new BasicAttributes();
        BasicAttribute ocs = new BasicAttribute("objectclass");
        ocs.add("top");
        ocs.add("person");
        ocs.add("organizationalPerson");
        ocs.add("user");
        attrs.put(ocs);
        BasicAttribute gn = new BasicAttribute("givenName", "test1");
        attrs.put(gn);
        BasicAttribute sn = new BasicAttribute("sn", "");
        attrs.put(sn);
        BasicAttribute cn = new BasicAttribute("cn", "test1");
        attrs.put(cn);
        BasicAttribute uac = new BasicAttribute("userAccountControl", "66048");
        attrs.put(uac);
        BasicAttribute sam = new BasicAttribute("sAMAccountName", "test1");
        attrs.put(sam);
        BasicAttribute disName = new BasicAttribute("displayName", "test1");
        attrs.put(disName);
        BasicAttribute userPrincipalName = new BasicAttribute
                                      ("userPrincipalName", "[email protected]");
        attrs.put(userPrincipalName);
        BasicAttribute instanceType = new BasicAttribute("instanceType", "4");
        attrs.put(instanceType);
        BasicAttribute objectCategory = new BasicAttribute
                  ("objectCategory","CN=User,CN=Schema,CN=Configuration," + domainName);
        attrs.put(objectCategory);
        // Password attribute: quoted string, encoded, first two bytes dropped
        String newVal = new String("\"password\"");
        byte _bytes[] = newVal.getBytes("Unicode");
        byte bytes[] = new byte[_bytes.length - 2];
        System.arraycopy(_bytes, 2, bytes, 0, _bytes.length - 2);
        BasicAttribute attribute = new BasicAttribute("unicodePwd");
        attribute.add((byte[]) bytes);
        attrs.put(attribute);
        ctx.createSubcontext("CN=test1,OU=Users,OU=CEL", attrs);
        ctx.close();
      }
      catch (NameAlreadyBoundException nex)
      {
        System.out.println("User ID is already in use, please select a different user ID ...");
      }
      catch (Exception ex)
      {
        System.out.println("Failed to create user account... Please verify the user information...");
        ex.printStackTrace();
      }
      return new GblStatus();
    }
    Any help would be much appreciated.

    Hi,
    I too ran into the same problem. Can anyone help me?
    Someone please help me to create attributes in AD using LDAP.
    package LDAPpack;
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    import java.util.Hashtable;
    class CreateAttrs {
        public static void main(String[] args) {
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://10.242.6.166:389/");
            env.put(Context.SECURITY_AUTHENTICATION,"simple");
            env.put(Context.SECURITY_PRINCIPAL, "CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org");
            env.put(Context.SECURITY_CREDENTIALS, "password-1");
            LdapContext ctx = null;
            try {
                //ctx = new InitialLdapContext(env,null);
                try {
                    ctx = new InitialLdapContext(env,null);
                }
                catch(NamingException e) {
                    System.out.println("Login failed");
                    System.exit(0);
                }
                if(ctx!=null){
                    System.out.println("Login Successful");
                    byte[] buf = new byte[] {0, 1, 2, 3, 4, 5, 6, 7}; // same data
                    // Create a multivalued attribute with 4 String values
                    BasicAttribute oc = new BasicAttribute("objectClassNew", "topNew");
                    oc.add("personNew");
                    oc.add("organizationalPersonNew");
                    // Create an attribute with a byte array
                    BasicAttribute photo = new BasicAttribute("jpegPhotoNew", buf);
                    // Create attribute set
                    BasicAttributes attrs = new BasicAttributes(true);
                    attrs.put(oc);
                    attrs.put(photo);
                    Attributes attrs1 = ctx.getAttributes("CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org");
                    System.out.println(attrs1);
                    Context result = ctx.createSubcontext("CN=cname,OU=Users,OU=Dealer,OU=Community,DC=test2,DC=org", attrs);
                    // I got the error here; I attach the error below.
                    ctx.close();
                    System.out.println("close");
                }
            }
            catch(NamingException e){
                e.printStackTrace();
            }
        }
    }
    ERROR:
    Login Successful
    javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090B38, comment: Error in attribute conversion operation, data 0, vece
    ANYONE HELP ME PLS.
    Edited by: vencer on Jun 19, 2008 12:38 AM
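
The `unicodePwd` value in the first post is built by encoding the quoted password with a byte order mark and dropping the first two bytes; Active Directory expects the quoted password as little-endian UTF-16 without a byte order mark, written over an encrypted connection. The following added example (not code from either poster, and independent of the error 21 reported above) prints both encodings for a constructed password and builds the attribute set a user add would carry; the account names, the UPN and the choice to send the password in the same add are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

public class AdNewUserAttributes {
    // unicodePwd value: the password in double quotes, UTF-16LE, no byte order mark.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // For comparison: Java's UTF-16 encoder writes FE FF and then big-endian code
    // units, so dropping the first two bytes leaves UTF-16BE, not little-endian.
    static byte[] utf16WithoutBom(String password) {
        byte[] withBom = ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16);
        return Arrays.copyOfRange(withBom, 2, withBom.length);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b & 0xff));
        }
        return sb.toString().trim();
    }

    // Attribute set for a new user entry. instanceType and objectCategory are
    // left out so the domain controller fills them in.
    static Attributes newUser(String cn, String sam, String upn, String password) {
        Attributes attrs = new BasicAttributes(true);   // case-insensitive attribute IDs
        BasicAttribute oc = new BasicAttribute("objectClass");
        oc.add("top");
        oc.add("person");
        oc.add("organizationalPerson");
        oc.add("user");
        attrs.put(oc);
        attrs.put("cn", cn);
        attrs.put("sAMAccountName", sam);
        attrs.put("userPrincipalName", upn);
        // 512 = NORMAL_ACCOUNT; the post's 66048 adds DONT_EXPIRE_PASSWORD (65536).
        attrs.put("userAccountControl", "512");
        attrs.put(new BasicAttribute("unicodePwd", encodeUnicodePwd(password)));
        return attrs;
    }

    public static void main(String[] args) {
        String password = "Constructed-Pw1";   // constructed sample value
        System.out.println("UTF-16LE           : " + hex(encodeUnicodePwd(password)));
        System.out.println("UTF-16 minus 2 byte: " + hex(utf16WithoutBom(password)));
        Attributes attrs = newUser("test1", "test1", "test1@corp.example.com", password);
        System.out.println("attributes: " + Collections.list(attrs.getIDs()));
    }
}
```

The two hex lines differ only in byte order within each pair (`22 00` versus `00 22` for the opening quote), which is why the mistake is easy to miss when reading the code.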

  • Active Directory account lockout from OS X Server

    I'm looking for assistance in tracking down why our 10.9 Mac server is constantly trying to use my Active Directory account. I changed my password a week ago and have been getting locked out constantly, and it appears the lockouts are coming from invalid password attempts from this OS X server. However, I don't know why the server would be using my AD credentials since I login to the Mac with an admin account and not my own. The only thing I can think of that may have used my AD credentials is connecting to a network file share at some point in the past, but I wouldn't have saved the credentials and it shouldn't be auto-mapping the share. The Mac itself is bound to Active Directory too.
    I checked the Login Items and there is nothing there. I also reset the keychain to defaults and that didn't help. Does anyone else have any ideas for me to try to narrow down what the OS X server may be trying to use my credentials for?

    So I'm going to guess I'm the only one that's ever had this issue...
    Further digging with Wireshark shows that the OS X server is indeed issuing bind requests using my old AD account credentials multiple times per minute. I tried unbinding and rebinding, but that didn't help. The requests also start right away after a reboot, so whatever is using my credentials is doing so prior to any user logins on the server. Now I'm trying to track down what is actually issuing these requests on the server.
    In a span of a few seconds the machine issues three bind requests. The first is
    bindRequest (1) "[email protected]" simple
    Followed by
    bindRequest (1) "<ROOT>" sasl
    then
    bindRequest (2) "<ROOT>" sasl
    Anyone have an idea for me as to how to track down where my user account comes into play? It wasn't used to bind the machine to AD, I didn't see it anywhere in the keychain, and I only have a few apps running on the server, none of which use AD authentication or would request binding.

  • Accessing ACTIVE DIRECTORY FROM JAVA CODE

    I am trying to access the Active Directory user through Java code.
    Kindly let me know the steps, apart from creating the user in ADS, to be followed so that the following Java code may work.
    Presently it is giving the following error:
    problem searching the directory
    //package com.axa;
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    public class AdHelper
    {
        public static void main(String args[])
        {
            System.out.println("1");
            Hashtable env = new Hashtable();
            String adminName = "CN=user,CN=Users,DC=BDC4AXA.CO.IN";
            String adminPassword = "user";
            String ldapURL = "ldap://10.1.242.51:636";
            System.out.println("2");
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION,"simple");
            env.put(Context.SECURITY_PRINCIPAL,adminName);
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            env.put(Context.PROVIDER_URL,ldapURL);
            System.out.println("3");
            try {
                // Create the initial directory context
                DirContext ctx = new InitialLdapContext(env,null);
                System.out.println("4");
                SearchControls searchCtls = new SearchControls();
                System.out.println("5");
                //Specify the attributes to return
                String returnedAtts[]={"sn","givenName","mail"};
                searchCtls.setReturningAttributes(returnedAtts);
                //Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                //specify the LDAP search filter
                String searchFilter = "(&(objectClass=user)(mail=*))";
                System.out.println("6");
                //Specify the Base for the search
                String searchBase = "DC=ANTIPODES,DC=COM";
                System.out.println("7");
                //initialize counter to total the results
                int totalResults = 0;
                // Search for objects using the filter
                NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                System.out.println("8");
                //Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult)answer.next();
                    totalResults++;
                    System.out.println("9");
                    System.out.println(">>>" + sr.getName());
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println(" surname: " + attrs.get("sn").get());
                            System.out.println(" firstname: " + attrs.get("givenName").get());
                            System.out.println(" mail: " + attrs.get("mail").get());
                        }
                        catch (NullPointerException e) {
                            System.out.println("Errors listing attributes: " + e);
                        }
                    }
                }
                System.out.println("Total results: " + totalResults);
                ctx.close();
            }
            catch (NamingException e) {
                System.err.println("Problem searching directory: " + e);
            }
            catch(Exception e)
            {
                System.out.println("Unhandled Exception: " + e);
            }
        }
    }

    This is what I have for my LDAP connection.
    public Hashtable<String, String> env = null;
    public LdapContext ldapContext = null;
    public Control[] connCtls = null;
    Context ctx;
    DirContext dirContext;

    public LDAPAuth(String ldapurl) {
        ldapurl = "ldap://" + serverIP + ":389";
        try {
            env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.PROVIDER_URL, ldapurl);
            env.put(Context.SECURITY_PRINCIPAL, "cn=username,cn=users" + baseName);
            env.put(Context.SECURITY_CREDENTIALS, "password" + baseName);
            env.put(Context.SECURITY_PROTOCOL, "ssl");
            ctx = new InitialContext(env);
        } catch (Exception e) {
            System.out.println(" bind error: " + e);
            e.printStackTrace();
        }
        try {
            ldapContext = new InitialLdapContext(env, connCtls);
        } catch (AuthenticationException e) {
            System.out.println("Authentication exception " + e);
        } catch (NamingException e) {
            System.out.println("Naming exception " + e);
        }
    }

    public Attributes fetch(String username) throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        Attributes attributes = ctx.getAttributes(username);
        try {
            System.out.println("fetching: " + username);
            Object obj = ctx.lookup("cn=" + username
                    + baseName);
            System.out.println("cn=" + username + baseName + "is bound to: " + obj);
            //attributes = obj.getAttributes("");
            for (NamingEnumeration<?> ae = attributes.getAll(); ae
                    .hasMoreElements();) {
                Attribute attr = (Attribute) ae.next();
                String attrId = attr.getID();
                for (NamingEnumeration<?> vals = attr.getAll(); vals.hasMore();) {
                    String value = vals.next().toString();
                    System.out.println(attrId + ": " + value);
                }
            }
        } catch (NamingException e) {
            System.out.println(" Problem looking up " + username + baseName + ". " + e);
        }
        return attributes;
    }
    Now, I'm sure it has something to do with how I'm passing in the username and the groups. But I want to have ANY user log in, not just this test. I may be a little confused on how this works, but if anyone could explain to me why what I am trying to do doesn't work, I would greatly appreciate it.
    Thanks in advance,
    Tetsuya.
    Edited by: tetsuyamasamune on Sep 8, 2008 3:55 PM
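
For the "any user can log in" case raised in the reply above, a common pattern is search-then-bind: a service account looks up the user's DN, then a second bind with that DN and the supplied password decides the login. This is an added example, not the posters' code; the class name, the environment variable names and the command-line layout are hypothetical, and it assumes the domain controller is reachable over `ldaps://` with a certificate the JVM trusts.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdSearchThenBind {
    static DirContext bind(String ldapsUrl, String principal, String password)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);   // ldaps:// so the simple bind is encrypted
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Returns the user's DN, or null when no entry matches.
    static String findUserDn(DirContext ctx, String baseDn, String loginName)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // only the DN is needed
        // The {0} form lets JNDI escape filter metacharacters in loginName.
        NamingEnumeration<SearchResult> hits = ctx.search(baseDn,
                "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))",
                new Object[] { loginName }, sc);
        try {
            return hits.hasMore() ? hits.next().getNameInNamespace() : null;
        } catch (PartialResultException e) {
            return null;   // only referrals to other partitions came back
        } finally {
            hits.close();
        }
    }

    static boolean authenticate(String ldapsUrl, String serviceDn, String servicePassword,
                                String baseDn, String loginName, String password)
            throws NamingException {
        // With an empty password, JNDI downgrades a simple bind to an anonymous
        // one, which can succeed without proving anything about the user.
        if (loginName == null || loginName.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        String userDn;
        DirContext service = bind(ldapsUrl, serviceDn, servicePassword);
        try {
            userDn = findUserDn(service, baseDn, loginName);
        } finally {
            service.close();
        }
        if (userDn == null) {
            return false;
        }
        try {
            bind(ldapsUrl, userDn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false;   // wrong password, locked, disabled, expired
        }
    }

    public static void main(String[] args) throws NamingException {
        String servicePw = System.getenv("AD_SERVICE_PW");   // hypothetical variable names
        String userPw = System.getenv("AD_USER_PW");
        if (args.length != 4 || servicePw == null || userPw == null) {
            System.err.println("usage: AdSearchThenBind <ldaps-url> <service-dn> <base-dn> <login>");
            return;
        }
        System.out.println(authenticate(args[0], args[1], servicePw, args[2], args[3], userPw));
    }
}
```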
