10.7.3 AD binding still an issue?

12429 Views 22 Replies Latest reply: May 9, 2012 8:41 AM by kenetic111
Sinerg1 Level 1 Level 1 (0 points)
Feb 7, 2012 3:51 AM

I was wondering how everyone is getting on since the new update has been released in terms of the on-going saga of binding to AD?

So far it has been working great for us until this morning when two users could not log in/authenticate!  I was able to log in with the hidden admin, remove the AD domain and re-attach it.  This worked fine but not ideal!  A few hours later the user calls back to suggest that they rebooted their machine and cannot log in again...

 

Anyone else having a similar experience or anything out of the ordinary?

Configuration, Mac OS X (10.7.3)
  • Strontium90 Level 4 Level 4 (2,895 points)
    Feb 7, 2012 5:48 AM (in response to Sinerg1)

    Does your AD domain end in .local?

  • Strontium90 Level 4 Level 4 (2,895 points)
    Feb 7, 2012 4:55 PM (in response to Sinerg1)

    Are you using cached credentials?  Is the user waiting for the system to find the domain?  When the condition occurs, have you examined the DirectoryService debug log?  Are you synchronizing time to the DC?

  • Pope7 Level 1 Level 1 (10 points)
    Feb 7, 2012 5:24 PM (in response to Sinerg1)

    Where I work we can tell no improvements in AD binding, and all previous issues we have encountered still exist.

  • Antonio Rocco Level 6 Level 6 (10,100 points)
    Feb 8, 2012 5:03 AM (in response to Pope7)

    Hi

     

    Apple have been releasing updates that 'improve' integration into AD Domains that use .local for years now. I recall a 10.5 point update supposedly resolving similar issues as well as a 10.6 point update. Neither of them really 'fixed' anything TBH. You have to remember that Apple 'test' their updates with their test AD Domain which is never going to be the same as yours or anyone else's.

     

    Whether this 'helps' you or not is debatable but what I've noticed and depending on the AD Domain, the update only rarely 'fixes' things. There are further changes you can make which might help - altering the mdns value sometimes helps, there are others but ultimately the only real 'fix' is to change the domain. Yes I know this is not a trivial thing to do but it does make sense in the long run.

     

    FWIW and in my experience there are far more AD Domains that don't use .local and in all the years I've been doing this I've never seen any issues integrating into non .local domains and always issues integrating into .local ones.

     

    My 2p.

     

    HTH?

     

    Tony

  • Strontium90 Level 4 Level 4 (2,895 points)
    Feb 8, 2012 5:55 PM (in response to Sinerg1)

    Good start in looking at the content.  As for how to look at the items, first cached credentials. 

     

    Check your AD bind configuration in Directory Utility.  Do you have this box checked?

     

    Screen Shot 2012-02-08 at 8.46.34 PM.png

     

    If so, then you are likely creating a cache account for offline use.  That is a good thing in most cases.

     

    Next, testing how long it takes to acquire the domain.  Do this.

     

    1:  From the admin account go in to System Preferences > Accounts > Login Options and set the "Display login window as:" to list of users.

    2:  Reboot the machine

    3:  Time how long it takes to see the "Other" option appear on the login window

     

    Now if it never appears, then we have another issue to worry about.

     

    Next, Directory Services on the system supports a number of levels of debugging.  Use the odutil command to change the level of logging. 

     

    sudo odutil set log info

     

    Hint, you will want to change this back to

     

    sudo odutil set log default

     

    when you are done.  Otherwise you will be making some huge log files.

     

    Next, some other things to try.  Use the id command while logged in as the local admin.  Have the system ID known domain users.  For example, say you have a user in the domain named jdoe.  Use this command to get truncated results of the user's account:

     

    id jdoe

     

    Next, use dscl to try and talk to the domain.  See if you can reach the users container and query the domain.

     

    Hey Tony, been a long time.  How's it going on the other side of the pond?  Hope all is well.
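As an added example (not code from this thread, Apple, or either poster): a small shell script that wraps the checks Reid lists above, reading bind state and the mobile-account setting from dsconfigad -show, the configured time server, whether id can resolve a domain user, and whether dscl can read the users container, and flagging a .local domain name. The dsconfigad output embedded here is a constructed sample for offline use, the dscl node name is discovered rather than assumed, and the live commands only exist on a bound Mac.

```shell
#!/bin/sh
# Added example, not from the thread. Live checks assume the 10.7-era tools
# dsconfigad, dscl, systemsetup and odutil; the pure helpers run anywhere.

# Constructed sample of `dsconfigad -show` output, used for offline testing.
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
                 Active Directory Forest          = corp.local
                 Active Directory Domain          = corp.local
                 Computer Account                 = mac01$
Advanced Options - User Experience
                 Create mobile account at login   = Enabled'

# 0 if the domain uses the .local TLD (which OS X also treats as the Bonjour/mDNS domain).
domain_is_dot_local() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.local) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the value of one "Key = Value" line from dsconfigad -show text on stdin.
dsconfigad_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*= *//p" | head -n 1
}

# 0 if the directory stack can resolve the account (id(1) exits non-zero when it cannot).
id_resolves() {
    id "$1" >/dev/null 2>&1
}

# Live report; run as the local admin on an affected Mac:  ad_bind_report jdoe
ad_bind_report() {
    user="$1"
    show=$(dsconfigad -show 2>/dev/null) || { echo "FAIL: machine is not bound"; return 1; }
    domain=$(printf '%s\n' "$show" | dsconfigad_field 'Active Directory Domain')
    echo "domain: $domain"
    domain_is_dot_local "$domain" && echo "WARN: .local domain, expect slow or failed lookups"
    echo "mobile (cached) account: $(printf '%s\n' "$show" | dsconfigad_field 'Create mobile account at login')"
    echo "time server: $(systemsetup -getnetworktimeserver 2>/dev/null)"
    if id_resolves "$user"; then echo "id: $user resolves"; else echo "FAIL: id cannot resolve $user"; fi
    # The dscl node is named after the NetBIOS domain; discover it rather than hard-code it.
    node=$(dscl localhost -list '/Active Directory' 2>/dev/null | head -n 1)
    if dscl "/Active Directory/$node/All Domains" -read "/Users/$user" RecordName >/dev/null 2>&1; then
        echo "dscl: users container reachable via /Active Directory/$node/All Domains"
    else
        echo "FAIL: dscl cannot read /Users/$user"
    fi
    echo "more detail: sudo odutil set log info   (revert with: sudo odutil set log default)"
}
```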

  • Antonio Rocco Level 6 Level 6 (10,100 points)
    Feb 9, 2012 3:46 AM (in response to Sinerg1)

    Hi

     

    On affected clients and assuming these are wired workstations issue this command:

     

    networksetup -setV6off "Ethernet"

     

    If you have ARD you can send the command to multiple workstations simultaneously. How long does it take now for client workstations to read the GC List and 'discover' the AD Domain? This is an old fix but you could also try adding the DC's IP address and hostname to /etc/hosts on mac workstations.

     

    HTH?

     

    Tony

  • Antonio Rocco Level 6 Level 6 (10,100 points)
    Feb 9, 2012 5:19 AM (in response to Sinerg1)

    Hi

     

    The symptoms you're describing are pretty much what I've seen to a greater or lesser degree with .local domains since 10.4 and this is regardless of however many updates Apple releases that supposedly 'fixes' the problem.

     

    However yours does seem particularly bad which - to me - indicates something fundamental with your AD? Beyond what I've already offered I don't think I'm of any real help to you.

     

    Perhaps Strontium90 may be able to help further?

     

    @Strontium90

     

    Hello Reid! I trust all is well with you too? My side of the pond is in a bit of a freeze at the moment - we English love discussing the weather - but otherwise it's same old same old. What's the odds on your side of the water of 10.7 Server being the last recognisable 'server' Apple will ever make?

     

    Tony

  • Pope7 Level 1 Level 1 (10 points)
    Feb 9, 2012 9:44 AM (in response to Sinerg1)

    I posted on this thread earlier, and it is pretty apparent that the issues I've encountered are pretty different from Sinerg1's. Instead of hijacking this, I've opened a new thread for our specific experiences at: https://discussions.apple.com/thread/3723558.

     

    There are some great minds in this thread, and I'd love any feedback or suggestions.
