22 Replies. Latest reply: May 9, 2012 8:41 AM by kenetic111
Sinerg1 Level 1 Level 1 (0 points)

I was wondering how everyone is getting on since the new update has been released, in terms of the ongoing saga of binding to AD?

 

So far it has been working great for us until this morning, when two users could not login/authenticate!  I was able to login with the hidden admin, remove the AD domain and re-attach it.  This worked fine but is not ideal!  A few hours later the user calls back to suggest that they rebooted their machine and cannot login again...

 

Anyone else having a similar experience or anything out of the ordinary?


Configuration: Mac OS X (10.7.3)
  • 1. Re: 10.7.3 AD binding still an issue?
    Strontium90 Level 4 Level 4 (3,140 points)

    Does your AD domain end in .local?

  • 2. Re: 10.7.3 AD binding still an issue?
    Sinerg1 Level 1 Level 1 (0 points)

    Nope, the domain ends with ac.uk

  • 3. Re: 10.7.3 AD binding still an issue?
    Strontium90 Level 4 Level 4 (3,140 points)

    Are you using cached credentials?  Is the user waiting for the system to find the domain?  When the condition occurs, have you examined the DirectoryService debug log?  Are you synchronizing time to the DC?

  • 4. Re: 10.7.3 AD binding still an issue?
    Pope7 Level 1 Level 1 (10 points)

    Where I work we can tell no improvements in AD binding, and all previous issues we have encountered still exist.

  • 5. Re: 10.7.3 AD binding still an issue?
    Sinerg1 Level 1 Level 1 (0 points)

    I would never have known to check for these, Strontium, thanks!  Can I ask how I would check for all these?

  • 6. Re: 10.7.3 AD binding still an issue?
    Antonio Rocco Level 6 Level 6 (10,180 points)

    Hi

     

    Apple have been releasing updates that 'improve' integration into AD Domains that use .local for years now. I recall a 10.5 point update supposedly resolving similar issues, as well as a 10.6 point update. Neither of them really 'fixed' anything TBH. You have to remember that Apple 'test' their updates with their test AD Domain, which is never going to be the same as yours or anyone else's.

     

    Whether this 'helps' you or not is debatable, but what I've noticed is that, depending on the AD Domain, the update only rarely 'fixes' things. There are further changes you can make which might help - altering the mdns value sometimes helps, there are others - but ultimately the only real 'fix' is to change the domain. Yes, I know this is not a trivial thing to do, but it does make sense in the long run.

     

    FWIW and in my experience there are far more AD Domains that don't use .local and in all the years I've been doing this I've never seen any issues integrating into non .local domains and always issues integrating into .local ones.

     

    My 2p.

     

    HTH?

     

    Tony

  • 7. Re: 10.7.3 AD binding still an issue?
    Sinerg1 Level 1 Level 1 (0 points)

    After checking the console from one of the users' machines I noticed the message:

     

    "Could not get user record from Open Directory"

     

    I don't actually know why it is trying to search through this db when we don't use this?

  • 8. Re: 10.7.3 AD binding still an issue?
    Strontium90 Level 4 Level 4 (3,140 points)

    Good start in looking at the content.  As for how to look at the items, first cached credentials. 

     

    Check your AD bind configuration in Directory Utility.  Do you have this box checked?

     

    [Screenshot attached to the original post: Screen Shot 2012-02-08 at 8.46.34 PM.png]

     

    If so, then you are likely creating a cache account for offline use.  That is a good thing in most cases.

     

    Next, testing how long it takes to acquire the domain.  Do this.

     

    1:  From the admin account go in to System Preferences > Accounts > Login Options and set the "Display login window as:" to list of users.

    2:  Reboot the machine

    3:  Time how long it takes to see the "Other" option appear on the login window

     

    Now if it never appears, then we have another issue to worry about.

     

    Next, Directory Services on the system supports a number of levels of debugging.  Use the odutil command to change the level of logging. 

     

    sudo odutil set log info

     

    Hint, you will want to change this back to

     

    sudo odutil set log default

     

    when you are done.  Otherwise you will be making some huge log files.

     

    Next, some other things to try.  Use the id command while logged in as the local admin.  Have the system ID known domain users.  For example, say you have a user in the domain named jdoe.  Use this command to get truncated results of the user's account:

     

    id jdoe

     

    Next, use dscl to try and talk to the domain.  See if you can reach the users container and query the domain.

     

    Hey Tony, been a long time.  How's it going on the other side of the pond?  Hope all is well.

  • 9. Re: 10.7.3 AD binding still an issue?
    Sinerg1 Level 1 Level 1 (0 points)

    Thanks for the help so far Strontium90!

     

    When I bind to AD with the domain address and then click on User Experience in the advanced options, it somehow lists Multiple next to ‘Network Account Server’, as read here - http://support.apple.com/kb/TS4176

     

    Currently I would use dsconfigad through terminal once I added the domain.

     

    By default, “Force local home directory on startup disk” (dsconfigad -localhome disable) and “Create mobile account” are kept disabled/unchecked.

     

    [Testing how long it takes to acquire the domain]

    The 'Other' appeared eventually but took a long 2-3 minutes, although if you read below it did not appear for other machines until I re-attached the AD Domain.

     

    I currently have 3 machines with 10.7.3 (testing) and the one I am using never gets shut down; if I do a restart, then I can log straight back in (except for the odd occasion that requires me to re-bind).  It doesn't happen as frequently as on the other two machines, possibly because this one never gets shut down...

     

    • This morning I dropped by the two machines and tried logging in with no success
    • Logged in with local admin and reattached the AD domain
    • Logged in with AD account and it all worked fine
    • Logged out and tried with another AD account and this also worked fine
    • I left both machines at login window

     

    Some 30 mins later, when the users came into work, both could not login using their AD credentials, nor could the logins I had previously used!

     

    I checked the console logs and there was some difference between them:

     

    User 1
    09/02/2012 09:20:08.119 SecurityAgent            User info context values set for emsammler
    09/02/2012 09:20:08.119 SecurityAgent            User info context values set for emsammler
    09/02/2012 09:20:08.178 authorizationhost      Failed to authenticate user <emsammler> (error: 9).
    09/02/2012 09:20:12.242 SecurityAgent            User info context values set for emsammler
    09/02/2012 09:20:12.242 SecurityAgent            User info context values set for emsammler
    09/02/2012 09:20:12.283 authorizationhost      Failed to authenticate user <emsammler> (error: 9).

    User 2
    09/02/2012 09:17:02.891 SecurityAgent            User info context values set for lsatriano
    09/02/2012 09:17:02.892 SecurityAgent            User info context values set for lsatriano
    09/02/2012 09:17:02.949 authorizationhost      Failed to authenticate user <lsatriano> (error: 9).
    09/02/2012 09:17:44.663 SecurityAgent            User info context values set for lsatriano
    09/02/2012 09:17:44.663 SecurityAgent            User info context values set for lsatriano
    09/02/2012 09:17:44.746 rpcsvchost      sandbox_init: com.apple.msrpc.netlogon.sb succeeded
    09/02/2012 09:17:45.104 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /Library/Managed Preferences
    09/02/2012 09:17:45.107 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root
    09/02/2012 09:17:45.108 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root
    09/02/2012 09:17:45.110 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root
    09/02/2012 09:17:45.112 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist
    09/02/2012 09:17:45.113 sandboxd       ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist
    09/02/2012 09:17:45.114 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root
    09/02/2012 09:17:45.116 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/.GlobalPreferences.plist
    09/02/2012 09:17:45.117 sandboxd       ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/.GlobalPreferences.plist
    09/02/2012 09:17:45.120 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist
    09/02/2012 09:17:45.121 sandboxd       ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist
    09/02/2012 09:17:45.122 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/.GlobalPreferences.plist
    09/02/2012 09:17:45.123 sandboxd       ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/.GlobalPreferences.plist
    09/02/2012 09:17:45.152 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /
    09/02/2012 09:17:45.154 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /Library
    09/02/2012 09:17:45.156 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /Library
    09/02/2012 09:17:45.158 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /Library
    09/02/2012 09:17:45.159 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /Library
    09/02/2012 09:17:45.161 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /Library
    09/02/2012 09:17:45.162 sandboxd       ([448]) rpcsvchost(448) deny file-read-metadata /private/var/run/systemkeychaincheck.done
    09/02/2012 09:17:45.164 sandboxd       ([448]) rpcsvchost(448) deny network-outbound /private/var/run/systemkeychaincheck.socket
    09/02/2012 09:17:45.164 rpcsvchost      Can not connect to /var/run/systemkeychaincheck.socket: Operation not permitted
    09/02/2012 09:17:45.181 rpcsvchost      failed to create secure channel: STATUS_ACCESS_DENIED (0xC0000022)
    09/02/2012 09:17:45.182 authorizationhost      Failed to authenticate user <lsatriano> (error: 9).
    09/02/2012 09:25:29.028 netbiosd         name servers down?

     

    Cheers,

    Si

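An added shell example, not written by any poster in this thread, that triages a Console excerpt like the two posted above (and the kind of output Strontium90's log-level and id/dscl checks produce): it counts the authorizationhost "error: 9" failures per user and flags the rpcsvchost secure-channel failure, which separates the case that only cleared after re-attaching AD from a plain credential problem. The sample lines are constructed from the post; the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: triage a Console/system.log excerpt for the
# two signatures seen in the posted logs. Sample lines are constructed from the post.

# User 2's pattern: netlogon secure channel to the DC rejected, then the logon fails.
SAMPLE_CHANNEL_LOG='09/02/2012 09:17:02.949 authorizationhost Failed to authenticate user <lsatriano> (error: 9).
09/02/2012 09:17:45.164 rpcsvchost Can not connect to /var/run/systemkeychaincheck.socket: Operation not permitted
09/02/2012 09:17:45.181 rpcsvchost failed to create secure channel: STATUS_ACCESS_DENIED (0xC0000022)
09/02/2012 09:17:45.182 authorizationhost Failed to authenticate user <lsatriano> (error: 9).
09/02/2012 09:20:08.178 authorizationhost Failed to authenticate user <emsammler> (error: 9).
09/02/2012 09:25:29.028 netbiosd name servers down?'

# User 1's pattern: repeated error: 9 failures only, no secure-channel line.
SAMPLE_USER_LOG='09/02/2012 09:20:08.178 authorizationhost Failed to authenticate user <emsammler> (error: 9).
09/02/2012 09:20:12.283 authorizationhost Failed to authenticate user <emsammler> (error: 9).'

# Print "user count" for each account with authorizationhost error: 9 failures.
auth_failures_by_user() {
    printf '%s\n' "$1" | awk '
        /authorizationhost.*Failed to authenticate user </ {
            u = $0; sub(/.*user </, "", u); sub(/>.*/, "", u); n[u]++
        }
        END { for (u in n) print u, n[u] }' | sort
}

# True when rpcsvchost could not establish the secure channel to the DC.
secure_channel_failed() {
    printf '%s\n' "$1" | grep -q 'rpcsvchost.*failed to create secure channel'
}

# One-word verdict a helpdesk script could act on (labels are this example's own).
triage() {
    if secure_channel_failed "$1"; then
        echo "REBIND_NEEDED"      # the machine-side symptom that cleared after re-attaching AD
    elif [ -n "$(auth_failures_by_user "$1")" ]; then
        echo "USER_AUTH_FAILURES" # look at credentials, clock skew and DC reachability
    else
        echo "NO_AUTH_FAILURES"
    fi
}

# Stand-alone run: triage both samples and list failures per user.
triage "$SAMPLE_CHANNEL_LOG"
auth_failures_by_user "$SAMPLE_CHANNEL_LOG"
triage "$SAMPLE_USER_LOG"
```

To triage a live machine, feed the contents of /var/log/system.log to triage instead of the sample variables.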
  • 10. Re: 10.7.3 AD binding still an issue?
    Antonio Rocco Level 6 Level 6 (10,180 points)

    Hi

     

    On affected clients and assuming these are wired workstations issue this command:

     

    networksetup -setV6off "Ethernet"

     

    If you have ARD you can send the command to multiple workstations simultaneously. How long does it take now for client workstations to read the GC List and 'discover' the AD Domain? This is an old fix but you could also try adding the DC's IP address and hostname to /etc/hosts on mac workstations.

     

    HTH?

     

    Tony

  • 11. Re: 10.7.3 AD binding still an issue?
    Sinerg1 Level 1 Level 1 (0 points)

    In a sense I don't actually mind how long it takes to read and discover the domain (currently), the issue seems to be - once I attach the AD domain, it will read successfully and then suddenly, which so far happens randomly, it appears it can't read/discover?!

     

    The unfortunate and tiresome scenario is completely random as well, which sees me only being able to test first thing in the morning: once I bind a machine with AD it performs fine, I can restart the machine multiple times without an issue, and then a random restart/log off may result in me having to rebind.

     

    Si

  • 12. Re: 10.7.3 AD binding still an issue?
    Antonio Rocco Level 6 Level 6 (10,180 points)

    Hi

     

    The symptoms you're describing are pretty much what I've seen to a greater or lesser degree with .local domains since 10.4, and this is regardless of however many updates Apple releases that supposedly 'fix' the problem.

     

    However yours does seem particularly bad which - to me - indicates something fundamental with your AD? Beyond what I've already offered I don't think I'm of any real help to you.

     

    Perhaps Strontium90 may be able to help further?

     

    @Strontium90

     

    Hello Reid! I trust all is well with you too? My side of the pond is in a bit of a freeze at the moment - we English love discussing the weather - but otherwise it's same old same old. What are the odds on your side of the water of 10.7 Server being the last recognisable 'server' Apple will ever make?

     

    Tony

  • 13. Re: 10.7.3 AD binding still an issue?
    Pope7 Level 1 Level 1 (10 points)

    I posted on this thread earlier, and it is pretty apparent that the issues I've encountered are pretty different from Sinerg1's. Instead of hijacking this, I've opened a new thread for our specific experiences at: https://discussions.apple.com/thread/3723558.

     

    There are some great minds in this thread, and I'd love any feedback or suggestions.

  • 14. Re: 10.7.3 AD binding still an issue?
    Sinerg1 Level 1 Level 1 (0 points)

    No problem Tony, and thanks for taking time out to respond.  I am just out of ideas as to why AD proves it works but won't retain the connection, almost...

     

    @Pope7 ya hijacker! :-P  Good luck mate, and I'll keep an eye on your post too.

     

    Si
