Feb 9, 2012 3:02 PM (in response to Antonio Rocco)
So start with the basics. AD binds are all about DNS and time. If you don't have these guys in place, then everything falls apart.
In the log file you posted, there are a lot of permission denied issues also and the most interesting is the final one that suggests your name servers are down. About those permission issues. Have you run a diskutil repairPermissions? Worth a shot. You should not be seeing all those events in the log.
09/02/2012 09:17:45.181 rpcsvchost failed to create secure channel: STATUS_ACCESS_DENIED (0xC0000022)
09/02/2012 09:17:45.182 authorizationhost Failed to authenticate user <lsatriano> (error: 9).
09/02/2012 09:25:29.028 netbiosd name servers down?
So, let's try this. On your Mac, run these commands and make sure you are getting results from your DNS server. Replace the domain with your actual domain.
# LDAP port 389
host -t SRV _ldap._tcp.domain.ac.uk
# Kerberos port 88 TCP
host -t SRV _kerberos._tcp.domain.ac.uk
# Kerberos port 88 UDP
host -t SRV _kerberos._udp.domain.ac.uk
# Kpasswd port 464 TCP
host -t SRV _kpasswd._tcp.domain.ac.uk
# Kpasswd port 464 UDP
host -t SRV _kpasswd._udp.domain.ac.uk
# gc (AD Global Catalog) port 3268
host -t SRV _gc._tcp.domain.ac.uk
If you do not get the DC as a result of any of these, contact your DNS admin to correct.
Next, are you using round robin DNS? I've seen issues where OS X will get really annoyed when multiple DNS servers keep responding.
@Tony, freezing over here also. Snow, ice, the usual NJ junk for Feb.
And yes, I am still crying in my beer over the OS X Server/Final Cut/Final Cut Server/Xsan/Xserve/etc announcements. Has changed our business dramatically and we've lost just about every pro video shop back to Avid on PCs. I've grown to accept Lion server since I was doing most everything command line anyway. But the anemic hardware choices have chased us out of corporate data centers. It is the worst part of my week (and it is happening each week) to tell a group of designers that their data is moving to Windows servers and we need to rename everything, cause everything to relink, and no longer be able to search reliably.
Ah, but Angry Birds now works on the desktop. I am so excited!
Feb 10, 2012 1:59 AM (in response to Strontium90)
Same issue this morning although 2/3 of the machines logged straight into AD (all machine settings are the same!).
I checked the dates on the machines and all are configured ‘Set date and time automatically – ntp.domain.ac.uk’
On all the machines I ran repairPermissions although all of these machines are brand new except of our Image that we have used.
I ran the commands you suggested on all of the machines – I had to login with the local admin account to run on the machine that would not bind to AD;-
computer:~ sinerg1$ host -t SRV _ldap._tcp. ad.domain.ac.uk
_ldap._tcp.domain.ac.uk has SRV record 0 100 389 dc1.ad. domain.ac.uk.
_ldap._tcp.ad. domain.ac.uk has SRV record 0 100 389 dc2.ad. domain.ac.uk.
_ldap._tcp.ad.domain.ac.uk has SRV record 0 100 389 dc0.ad. domain.ac.uk.
computer:~ sinerg1$ host -t SRV _kerberos._tcp.ad.domain.ac.uk
_kerberos._tcp.ad.domain.ac.uk has SRV record 0 100 88 dc0.ad.domain.ac.uk.
_kerberos._tcp.ad.domain.ac.uk has SRV record 0 100 88 dc1.ad.domain.ac.uk.
_kerberos._tcp.ad.domain.ac.uk has SRV record 0 100 88 dc2.ad.domain.ac.uk.
computer:~ sinerg1$ host -t SRV _kerberos._udp.ad.domain.ac.uk
_kerberos._udp.ad.domain.ac.uk has SRV record 0 100 88 dc0.ad.domain.ac.uk.
_kerberos._udp.ad.domain.ac.uk has SRV record 0 100 88 dc1.ad.domain.ac.uk.
_kerberos._udp.ad.domain.ac.uk has SRV record 0 100 88 dc2.ad.domain.ac.uk.
computer:~ sinerg1$ host -t SRV _kpasswd._tcp.ad.domain.ac.uk
_kpasswd._tcp.ad.domain.ac.uk has SRV record 0 100 464 dc0.ad.domain.ac.uk.
_kpasswd._tcp.ad.domain.ac.uk has SRV record 0 100 464 dc1.ad.domain.ac.uk.
_kpasswd._tcp.ad.domain.ac.uk has SRV record 0 100 464 dc2.ad.domain.ac.uk.
computer:~ sinerg1$ host -t SRV _kpasswd._udp.ad.domain.ac.uk
_kpasswd._udp.ad.domain.ac.uk has SRV record 0 100 464 dc0.ad.domain.ac.uk.
_kpasswd._udp.ad.domain.ac.uk has SRV record 0 100 464 dc1.ad.domain.ac.uk.
_kpasswd._udp.ad.domain.ac.uk has SRV record 0 100 464 dc2.ad.domain.ac.uk.
computer:~ sinerg1$ host -t SRV _gc._tcp.ad.domain.ac.uk
_gc._tcp.ad.domain.ac.uk has SRV record 0 100 3268 dc0.ad.domain.ac.uk.
_gc._tcp.ad.domain.ac.uk has SRV record 0 100 3268 dc1.ad.domain.ac.uk.
_gc._tcp.ad.domain.ac.uk has SRV record 0 100 3268 dc2.ad.domain.ac.uk.
The other machines run the same DNS except the order of which comes first is different.
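The SRV lookups suggested earlier in the thread, and output like that posted above, can be checked with a script instead of by eye. This is an added example, not code from any poster in the thread; the function names, the example.test sample and the rule that every record set should list the same DCs are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): validate `host -t SRV` answers.

# Ports as listed with the lookup commands earlier in the thread.
expected_port() {
    case "$1" in
        _ldap._tcp)                    echo 389 ;;
        _kerberos._tcp|_kerberos._udp) echo 88 ;;
        _kpasswd._tcp|_kpasswd._udp)   echo 464 ;;
        _gc._tcp)                      echo 3268 ;;
        *) return 2 ;;
    esac
}

# srv_targets SERVICE: read `host -t SRV` output on stdin and print the
# sorted, lower-cased targets. Fails if there is no SRV record for SERVICE
# or if any record carries a port other than the expected one.
srv_targets() {
    port=$(expected_port "$1") || return 2
    out=$(awk -v svc="$1" -v port="$port" '
        index($1, svc ".") == 1 && $3 == "SRV" {
            # name has SRV record <priority> <weight> <port> <target>
            if ($7 != port) bad = 1
            t = tolower($8); sub(/\.$/, "", t); print t; n++
        }
        END { exit ((n == 0 || bad) ? 1 : 0) }') && rc=0 || rc=$?
    if [ -n "$out" ]; then printf '%s\n' "$out" | sort -u; fi
    return "$rc"
}

# check_domain DOMAIN: live check (needs `host` and network access).
# Assumption: every record set should list the same DCs as _ldap._tcp.
check_domain() {
    ref="" status=0
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp \
               _kpasswd._tcp _kpasswd._udp _gc._tcp; do
        if ! got=$(host -t SRV "$svc.$1" 2>/dev/null | srv_targets "$svc"); then
            echo "FAIL $svc.$1: no SRV record or unexpected port"; status=1
            continue
        fi
        [ -n "$ref" ] || ref=$got
        [ "$got" = "$ref" ] || { echo "WARN $svc.$1: DC list differs"; status=1; }
    done
    return "$status"
}

# Constructed sample output, for running srv_targets offline.
SAMPLE_LDAP='_ldap._tcp.ad.example.test has SRV record 0 100 389 dc1.ad.example.test.
_ldap._tcp.ad.example.test has SRV record 0 100 389 DC0.ad.example.test.'
```

Run `check_domain` with the AD domain on both a machine that binds and one that does not, and compare the output of the two.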
Feb 11, 2012 6:28 AM (in response to Strontium90)
Also I forgot to mention that the UID appears to have a different/extended digits to what my actual UID should be.
When I type ID into terminal it appears as uid=428013780 when it should be 5 digits - we tried mapping the uid, gid and ggid but on login it could not find the group gid.
Although this is another issue and had no problems compared to the main authentication issues we are having, I am wondering if they're combined?
Apr 9, 2012 6:50 AM (in response to Sinerg1)
I'm having the exact same issue. I'm testing a 10.7.3 machine in one of our labs. I can bind it to AD without an issue and logins are working fine. But when I come in the next day, network users can't login without restarting the machine.
Any movement on this? If this isn't fixed by Summer, I'm leaving all of our multi-user, lab machines, on 10.6.8.
May 2, 2012 9:21 AM (in response to Sinerg1)
I am having trouble binding my Lion 10.7.3 to the AD, every time that I try to contact the AD I have either:
"Authentication server could not be contacted" or "The daemon encountered an error processing request." and it appears that in the logs you can see:
com.apple.launchd (com.apple.opendirectoryd): Job appears to have crashed: Segmentation fault: 11
Every time I am trying to bind.
I checked all the DNS requests that you wrote and everything is answering perfectly.
Anyone having the same issue and solved it?