PrairieHeart

Q: Can't bind 10.9 clients to OSX Server 3.0.1

I recently updated my Apple Server (10.8 running Server 2.2.2) to Mavericks (10.9 with Server 3.0.1).

After updating, I was unable to join clients. No big deal, I knew after the update that some of the settings wouldn't match from my previous configuration. I rebuilt my DNS settings and verified them through sudo changeip -checkhostname. I even had to recreate my Open Directory (not a big deal, I only had a couple of clients attached).

After performing those steps, I started to rebind clients to my server. The problem that I am experiencing relates specifically to Mavericks (10.9) clients. For some reason, they never bind. They communicate, they pull the certificate and they request credentials (I require authorization to bind to my server). After I pass the proper credentials, I ALWAYS get an error from 10.9 clients: "Unable to add server. Authentication server refused operation because the current credentials are not authorized for the requested operation. (5101)" The credentials that I am using are the same as I use to bind every other client (diradmin account).

When I do not require authentication for binding, the 10.9 clients will bind, but then don't show up in Workgroup Manager. Either way, I want to require binding for all clients. Anyone else experience issues similar to this?

Any help is appreciated.

Mac mini, OS X Mavericks (10.9), Server 3.0.1

Posted on Dec 13, 2013 9:18 AM


  • by LEn_NL, Solved answer

    LEn_NL Dec 16, 2013 10:19 AM in response to PrairieHeart
    Level 1 (10 points)

    Did you find a solution yet?


    Here's what to do.

    On the local machine, change the DNS to the server's IP if DNS is enabled.

    Then try to bind again.


    Or refer to this article.

    https://discussions.apple.com/message/23849911#23849911

    I had the same problem but this did the trick for me!

  • by PrairieHeart

    PrairieHeart Dec 16, 2013 10:30 AM in response to PrairieHeart
    Level 1 (0 points)

    Thank you LEn_NL, that solved my binding issue. Seems there is a problem with my DNS or something. All of my pre-Mavericks clients can see my Apple Server (which only runs DNS locally) without having to specify the Apple Server as a DNS server (using my infrastructure's DNS). However, my Mavericks clients seem to need the Apple Server's DNS entry in order to stay connected.

  • by PrairieHeart, Helpful

    PrairieHeart Dec 18, 2013 12:43 PM in response to PrairieHeart
    Level 1 (0 points)

    An update just in case some of this might help anyone else.

    While LEn_NL's answer proved helpful and allowed me to bind 10.9 clients, after a reboot those clients found the Apple server to be unresponsive (while the server running AD was just fine). This would prevent network logins from occurring. I found in my Apple server's console that the 10.9 clients were sending ticket granting tickets to /LOCAL@appleserver.mydomain as opposed to utilizing LDAP. I performed the steps located here:

    http://support.apple.com/kb/TS5289

    And was able to stay connected to the Apple server from then on without having to resort to explicitly pointing clients to the Apple Server's DNS.

  • by b-avery

    b-avery Jan 15, 2014 4:14 PM in response to PrairieHeart
    Level 1 (0 points)

    Well, this was great advice, but mine was resolved by checking the certificate and the like; it was stating a different name than the machine's. So I ensured that all DNS and certs lined up to the correct machine's name and presto...
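
The replies above come down to the server's DNS records and its certificate agreeing on one name. The script below is an added example, not part of the original thread: it compares the forward record, the PTR record and the certificate CN for a server. The hostname `server.example.com`, the LDAPS port 636 and all function names are assumptions.

```shell
#!/bin/sh
# Added example: do forward DNS, reverse DNS and the certificate CN agree?
# server.example.com and port 636 (LDAPS) are assumptions, not from the thread.

# Lower-case a name and drop the trailing dot that dig prints on PTR answers.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# Read an "openssl x509 -noout -subject" line on stdin and print the CN.
# Handles both "subject= /C=US/CN=host" and "subject=C = US, CN = host".
cert_cn() { sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# names_align FQDN PTR CERT_CN: print each mismatch, return 1 if any.
names_align() {
    want=$(norm "$1"); ptr=$(norm "$2"); cn=$(norm "$3"); rc=0
    if [ "$ptr" != "$want" ]; then
        echo "PTR mismatch: expected $want, got ${ptr:-<none>}"; rc=1
    fi
    if [ "$cn" != "$want" ]; then
        echo "certificate CN mismatch: expected $want, got ${cn:-<none>}"; rc=1
    fi
    return $rc
}

# check_host FQDN [PORT]: gather the three names live, then compare them.
check_host() {
    host=$1; port=${2:-636}
    ip=$(dig +short A "$host" | grep -E '^[0-9.]+$' | head -n 1)
    [ -n "$ip" ] || { echo "no A record for $host"; return 1; }
    ptr_name=$(dig +short -x "$ip" | head -n 1)
    subject=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
              openssl x509 -noout -subject 2>/dev/null)
    names_align "$host" "$ptr_name" "$(printf '%s\n' "$subject" | cert_cn)"
}

# Run only when a hostname is given, e.g.: sh check.sh server.example.com
if [ "$#" -ge 1 ]; then check_host "$@"; fi
```

Only the subject CN is compared; subjectAltName entries are not inspected. Run it on a client using the same resolver the client uses, since the thread shows the answer can differ between the infrastructure DNS and the Apple Server's own DNS.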