
Binding to Active Directory Fails - Authentication Errors

I've done two clean installs of 10.5 on two separate 1st gen MacBooks, and Active Directory binding to a 2000 or 2003 Server fails with "Invalid Username/Password" when it asks you for the network administrator's credentials. I am the network administrator, so I know that the username and password are correct. My system is seeing the correct DNS server and my system time is exactly the same as my domain controllers'. Has anyone had this problem? AD binding worked fine with the AD 1.5.6 plugin that came with 10.4. The AD 1.6 plugin in Directory Services seems broken to me.

Macbook 2Ghz Core Duo, Mac OS X (10.5), 2GB RAM, 100GB HDD

Posted on Oct 31, 2007 5:39 PM

63 replies

Jan 19, 2009 12:22 PM in response to Bruce Carillon1

Hi,

I'm trying to bind my iMac 10.5.6 to an Active Directory domain hosted by a Linux server running Samba + Kerberos.
The bind failed at step 3 with an authentication error.
In the log file of my Kerberos server I can find:

Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): preauth (timestamp) verify failure: No matching key in entry
Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): AS_REQ (3 etypes {23 1 3}) 172.16.0.2: PREAUTH_FAILED: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Preauthentication failed

My edu.mit.Kerberos file contains:

# WARNING This file is automatically created by Active Directory
# do not make changes to this file;
# autogenerated from : /Active Directory/PASSRL.LOCAL
# generation_id : 0
[domain_realm]
.passrl.local = PASSRL.LOCAL

[libdefaults]
default_realm = "PASSRL.LOCAL"
dns_fallback = "yes"
dns lookupkdc = "true"
forwardable = "true"
noaddresses = "true"

When I use kinit from my iMac it works and I get the ticket. The Kerberos server's log file contains:

Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: NEEDED_PREAUTH: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Additional pre-authentication required
Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: ISSUE: authtime 1232390488, etypes {rep=16 tkt=16 ses=16}, xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL


I don't understand why with the same edu.mit.Kerberos file it works with kinit and not with Directory Utility.

Any idea?

Thank you in advance for your help
Xavier
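
An added example, not part of the thread: a Python sketch that parses the krb5kdc AS_REQ lines quoted in the post above and compares the enctypes offered in the failing Directory Utility request with the enctype the KDC issued for the kinit request. The function names are this example's own, and the etype names are the standard Kerberos number assignments.

```python
import re

# Kerberos encryption type numbers (standard IANA assignments) seen in the logs.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

# The AS_REQ log lines quoted in the post above.
LOG = """\
Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): AS_REQ (3 etypes {23 1 3}) 172.16.0.2: PREAUTH_FAILED: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Preauthentication failed
Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: NEEDED_PREAUTH: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Additional pre-authentication required
Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 172.16.0.2: ISSUE: authtime 1232390488, etypes {rep=16 tkt=16 ses=16}, xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL
"""

AS_REQ = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\) (\S+): (\w+): (.*)")

def parse_as_req(line):
    """Return a dict for one krb5kdc AS_REQ log line, or None for other lines."""
    m = AS_REQ.search(line)
    if not m:
        return None
    offered, client, status, rest = m.groups()
    who = re.search(r"(\S+@\S+) for ", rest)
    issued = re.search(r"etypes \{rep=(\d+) tkt=\d+ ses=\d+\}", rest)
    return {
        "client": client,
        "status": status,
        "principal": who.group(1) if who else None,
        "offered": [int(e) for e in offered.split()],  # client's etype list
        "issued": int(issued.group(1)) if issued else None,  # reply etype
    }

def diagnose(log_text):
    """For each PREAUTH_FAILED request, report the enctype the KDC issued
    to the same principal elsewhere in the log and whether it was offered."""
    events = [e for e in map(parse_as_req, log_text.splitlines()) if e]
    issued = {e["principal"]: e["issued"] for e in events if e["status"] == "ISSUE"}
    findings = []
    for e in (x for x in events if x["status"] == "PREAUTH_FAILED"):
        good = issued.get(e["principal"])
        findings.append({
            "principal": e["principal"],
            "offered": [ETYPE_NAMES.get(n, str(n)) for n in e["offered"]],
            "issued_elsewhere": ETYPE_NAMES.get(good, good),
            "issued_was_offered": good in e["offered"],
        })
    return findings
```

On these lines `diagnose(LOG)` reports that the failing request offered only etypes 23, 1 and 3, while the ticket issued for kinit used etype 16, which the failing request did not offer.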

Feb 6, 2009 12:03 PM in response to themonkman

Unfortunately all tips haven't worked for me. The incorrect user/password error itself is ambiguous since my login works on any other machine. I've specified a DC IP, can ping it, added the computer account in AD making sure my account has permissions to add (Domain Admins which I am in the group). I thought it might be worthwhile to re-install the AD client plug-in--does anyone know how to do this?

edit: also the directory folders mentioned do not exist on this workstation.

Thanks in advance
Paul

Message was edited by: pmj135

Feb 10, 2009 9:18 AM in response to PetarM

This was great! We've had probably 20-30 machines do this around our organization over the past six months. The only thing I hadn't tried was deleting the /var/db/dslocal/nodes/Default/config directory, so a file or files there must have been causing the problem. I'm hopeful that this will continue to fix the problems when they pop up.
