34 Replies Latest reply: Jan 9, 2014 12:37 PM by atperseghin
  • 30. Re: Directory Binding Script (Active and Open Directory)
    ptrondsen Level 1 (0 points)

    I take that back, now nothing is working.

    I bind with the script above, make sure the Search Paths are set, and nothing.

    I need to get machines out the door, does anyone have a solution?

  • 31. Re: Directory Binding Script (Active and Open Directory)
    ptrondsen Level 1 (0 points)

    Not sure if you saw my last reply, but it's been extremely difficult. I am able to log in once, but after reboot, I cannot. So, it made me think that maybe this is a Kerberos issue. I imaged the Mac with DeployStudio, and apparently DeployStudio writes a duplicate LocalKDC. So, the following is what I did to allow me to consistently log in.

    1) In the Utilities folder, open Keychain Access. In the System keychain, find and delete the three com.apple.kerberos.kdc entries - a certificate and a public/private key pair generated from that certificate.

    This worked, but now Kerberos was no longer working and I was getting Single Sign-ons.

    So, the next step is to:

    2) In Terminal, run 'sudo rm -fr /var/db/krb5kdc' - this will destroy the local KDC database.
    3) In Terminal, run 'sudo /usr/libexec/configureLocalKDC' - this will regenerate the local KDC database, including a new certificate and SHA1 hash.

    I have not tested 2 and 3; I will report back.

  • 32. Re: Directory Binding Script (Active and Open Directory)
    ptrondsen Level 1 (0 points)

    Hi All, I figured out my issue.

    The issue was with the Lion Open Directory Server trying to provide a Kerberos login at the same time as the AD Server. Once I deleted the Open Directory Server from Directory Utility, I was able to log in with my AD Credentials. So, unlike Snow Leopard Server, in Lion Server, you have to completely remove Kerberos with the following command:

    sudo sso_util remove -k -a username -p password -r NAME.OF.KERBEROSREALM

    (use the OD diradmin and PW)

    This was done after setting up the Lion Server as an Open Directory Master, running -enablesso, and kerberizing it in a standard way.

  • 33. Re: Directory Binding Script (Active and Open Directory)
    dmare Level 1 (30 points)

    I see there hasn't been any activity on this thread for over two months.

    Just wondering what the latest is on this script? Any newer versions?

  • 34. Re: Directory Binding Script (Active and Open Directory)
    atperseghin Level 1 (0 points)

    I have a new simple version of a join to AD script.


    It's pretty simple. It prompts for a computer name, then applies that computer name and saves it as a string. Then it runs dsconfigad with the settings provided. This version prompts for the domain admin password, but it can be put into the script for more automation. (See https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/dsconfigad.8.html for additional dsconfigad configuration settings.)


    Join to AD Script


    #begin script

    #!/bin/bash
    echo "Enter Computer Name:"
    read computername
    echo "The Computer Name is $computername"
    # Quote the variable so a name with a space is passed as one argument
    scutil --set ComputerName "$computername"
    scutil --set LocalHostName "$computername"
    # The options after -username were shown in [brackets] in the post to mark them as optional;
    # the brackets are not dsconfigad syntax, so drop any option you do not need rather than keeping them
    dsconfigad -add your.domain.com -username domainadmin -computerid "$computername" -ou "CN=Computers,DC=your,DC=domain,DC=com" -mobile enable -mobileconfirm disable -useuncpath disable -shell /bin/bash

    #end script


    I would run this (on 10.8 and 10.9) and it would give me an error saying "Invalid credentials supplied for binding to the server" (It worked fine on 10.7). After some research I found that I needed to run the script as root user. To automate this a little more I wrote a script to run the original script as root user.


    Run as Root Script


    #begin script


    sudo /Path/To/Your/Script/JoinAD.sh


    #end script


    I then made the root script executable by opening terminal and running:

    chmod 755 /Path/To/Your/Script/RunAsRoot.sh


    Then I changed the extension to .command. (RunAsRoot.command)


    Where I use this, we have a network drive that both of these are stored on. I can just mount the drive and double click the RunAsRoot.command and fill in the required info. After that my machine will be joined to AD!
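A hardened version of the same prompt-then-dsconfigad flow, added here as an example (this is not atperseghin's script): it validates the computer name before handing it to scutil and dsconfigad, refuses to run unless it is root (the 10.8/10.9 "Invalid credentials" symptom above), leaves the password to dsconfigad's own prompt instead of storing it in a file on the network share, and confirms the bind with dsconfigad -show. The domain, account and OU values are placeholders.

```shell
#!/bin/bash
# Added example, not the script from the post. your.domain.com, domainadmin
# and the OU below are placeholders; replace them before use.
set -eu

AD_DOMAIN="your.domain.com"
AD_USER="domainadmin"
AD_OU="CN=Computers,DC=your,DC=domain,DC=com"

# The AD computer account uses the NetBIOS name, which is at most 15 characters.
# Restricting to letters, digits and hyphens keeps the same string valid as the
# DNS label scutil sets for LocalHostName and rejects shell metacharacters.
valid_computer_name() {
  name=$1
  case "$name" in
    '') return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;   # spaces, dots, underscores, ';', '$' ...
    -*|*-) return 1 ;;             # leading or trailing hyphen
  esac
  [ "${#name}" -le 15 ]
}

# dsconfigad -add has to run as root on 10.8/10.9, otherwise it reports
# "Invalid credentials supplied for binding to the server".
require_root() {
  [ "$(id -u)" -eq 0 ]
}

join_ad() {
  computername=$1
  valid_computer_name "$computername" || { echo "invalid computer name: $computername" >&2; return 1; }
  require_root || { echo "run this with sudo" >&2; return 1; }
  scutil --set ComputerName "$computername"
  scutil --set LocalHostName "$computername"
  # No -password here: dsconfigad prompts for it, so the secret is never written
  # into the script file or shown in the process list.
  dsconfigad -add "$AD_DOMAIN" -username "$AD_USER" -computerid "$computername" \
    -ou "$AD_OU" -mobile enable -mobileconfirm disable -useuncpath disable -shell /bin/bash
  # Confirm the bind took: -show prints an "Active Directory Domain" line once bound.
  dsconfigad -show | grep -q 'Active Directory Domain'
}

# Only perform the join when invoked as: sudo ./JoinAD.sh --join
if [ "${1-}" = "--join" ]; then
  printf 'Enter Computer Name: '
  read -r computername
  join_ad "$computername"
fi
```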
