This discussion is archived

Binding to Active Directory Fails - Authentication Errors

49581 Views 63 Replies Latest reply: Feb 10, 2009 9:18 AM by Erik Black
  • Bruce Carillon1 Level 1 (105 points)
    Hi Joe, the problem for us now is that Macs randomly "un-bind" themselves from AD. This is a major pain as it creates a lot of extra work we don't need. I know this is straying from topic but have you any idea what would cause this?

    Thanks
    iMac 2 GHZ Intel Core Duo, Mac OS X (10.5.5)
  • xambrosi
    Hi,

    I'm trying to bind my iMac 10.5.6 to an Active Directory domain hosted by a Linux server running Samba + Kerberos.
    The bind failed at step 3 with an authentication error.
    In the log file of my Kerberos server I can find:

    Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): preauth (timestamp) verify failure: No matching key in entry
    Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): AS_REQ (3 etypes {23 1 3}) 172.16.0.2: PREAUTH_FAILED: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Preauthentication failed

    My edu.mit.Kerberos file contains:

    # WARNING This file is automatically created by Active Directory
    # do not make changes to this file;
    # autogenerated from : /Active Directory/PASSRL.LOCAL
    # generation_id : 0
    [domain_realm]
    .passrl.local = PASSRL.LOCAL

    [libdefaults]
    default_realm = "PASSRL.LOCAL"
    dns_fallback = "yes"
    dnslookupkdc = "true"
    forwardable = "true"
    noaddresses = "true"

    When I use kinit from my iMac it works and I get the ticket. The Kerberos server log file contains:

    Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: NEEDED_PREAUTH: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Additional pre-authentication required
    Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: ISSUE: authtime 1232390488, etypes {rep=16 tkt=16 ses=16}, xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL


    I don't understand why with the same edu.mit.Kerberos file it works with kinit and not with Directory Utility.

    Any idea?

    Thank you in advance for your help
    Xavier
    iMac Intel, Mac OS X (10.5.6)
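The two KDC log excerpts in the post above differ in the encryption types the client offered. As an added example (not part of the original post, and not a confirmed diagnosis), this Python script parses the krb5kdc AS_REQ lines quoted there, decodes the etype numbers using the IANA-assigned Kerberos encryption type names, and reports which etype the KDC issued to the principal that the failed request never offered. The function names are chosen here for illustration.

```python
import re

# IANA-assigned Kerberos encryption type numbers.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

AS_REQ = re.compile(r"AS_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\) "
                    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)")
ISSUED = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")
PRINCIPAL = re.compile(r"(\S+@\S+) for ")

# KDC log lines quoted from the post above.
LOG = """\
Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): preauth (timestamp) verify failure: No matching key in entry
Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): AS_REQ (3 etypes {23 1 3}) 172.16.0.2: PREAUTH_FAILED: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Preauthentication failed
Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: NEEDED_PREAUTH: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Additional pre-authentication required
Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: ISSUE: authtime 1232390488, etypes {rep=16 tkt=16 ses=16}, xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL
""".splitlines()

def parse_as_req(line):
    """Parse one krb5kdc AS_REQ line into a dict; None for any other line."""
    m = AS_REQ.search(line)
    if not m:
        return None
    issued = ISSUED.search(m["rest"])
    princ = PRINCIPAL.search(m["rest"])
    return {"client": m["client"], "status": m["status"],
            "offered": [int(n) for n in m["offered"].split()],
            "issued": int(issued.group(1)) if issued else None,
            "principal": princ.group(1) if princ else None}

def compare_failures(lines):
    """For each PREAUTH_FAILED request, name the etypes it offered and any
    etype the KDC issued to the same principal that it did not offer."""
    reqs = [r for r in map(parse_as_req, lines) if r]
    issued = {}
    for r in reqs:
        if r["status"] == "ISSUE":
            issued.setdefault(r["principal"], set()).add(r["issued"])
    name = lambda n: ETYPES.get(n, str(n))
    return [(r["principal"], [name(n) for n in r["offered"]],
             [name(n) for n in sorted(issued.get(r["principal"], set()) - set(r["offered"]))])
            for r in reqs if r["status"] == "PREAUTH_FAILED"]

if __name__ == "__main__":
    for principal, offered, missing in compare_failures(LOG):
        print(principal, "offered", offered, "; issued elsewhere but not offered:", missing)
```

On these lines the failed request offered rc4-hmac and two DES types, while the ticket obtained through kinit used des3-cbc-sha1, which the failed request did not offer.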
  • pmj135 Level 1 (0 points)
    Unfortunately, none of the tips have worked for me. The incorrect user/password error itself is ambiguous since my login works on any other machine. I've specified a DC IP, can ping it, added the computer account in AD making sure my account has permissions to add (Domain admins which I am in the group). I thought it might be worthwhile to re-install the AD client plug-in--does anyone know how to do this?

    edit: also the directory folders mentioned do not exist on this workstation.

    Thanks in advance
    Paul

    Message was edited by: pmj135
    eMac, Mac OS X (10.5.6)
  • Erik Black
    This was great! We've had probably 20-30 machines do this around our organization over the past six months. The only thing I hadn't tried was deleting the /var/db/dslocal/nodes/Default/config directory, so a file or files there must have been causing the problem. I'm hopeful that this will continue to fix the problems when they pop up.