63 Replies. Latest reply: Feb 10, 2009 9:18 AM by Erik Black
  • Bruce Carillon1 Level 1 (105 points)
    Hi Joe, the problem for us now is that Macs randomly "un-bind" themselves from AD. This is a major pain as it creates a lot of extra work we don't need. I know this is straying from topic but have you any idea what would cause this?

  • xambrosi Level 1 (0 points)

    I'm trying to bind my iMac 10.5.6 to an Active Directory domain hosted by a Linux server running Samba + Kerberos.
    The bind failed at step 3 with an authentication error.
    In the log file of my kerberos server I can find:

    Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): preauth (timestamp) verify failure: No matching key in entry
    Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): AS_REQ (3 etypes {23 1 3}) PREAUTH_FAILED: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Preauthentication failed

    My file contains:

    # WARNING This file is automatically created by Active Directory
    # do not make changes to this file;
    # autogenerated from : /Active Directory/PASSRL.LOCAL
    # generation_id : 0
    .passrl.local = PASSRL.LOCAL

    default_realm = "PASSRL.LOCAL"
    dns_fallback = "yes"
    dnslookupkdc = "true"
    forwardable = "true"
    noaddresses = "true"

    When I use kinit from my iMac it works and I get the ticket. The Kerberos server log file contains:

    Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) NEEDED_PREAUTH: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Additional pre-authentication required
    Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) ISSUE: authtime 1232390488, etypes {rep=16 tkt=16 ses=16}, xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL

    I don't understand why with the same file it works with kinit and not with Directory Utility.

    Any idea?

    Thank you in advance for your help
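
Added example, not part of xambrosi's post: a short Python parser for the krb5kdc AS_REQ lines quoted above, comparing the etype list each failing request offered with the etype the KDC used when it did issue a ticket to the same principal. The function names and the etype name table (MIT krb5 names) are choices made for this example; the log lines are copied from the post.

```python
import re

# Kerberos encryption type numbers that appear in the quoted KDC log.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>\d+) tkt=\d+ ses=\d+\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)")

def parse_as_req(line):
    """Return the fields of one AS_REQ log line, or None for other lines."""
    m = AS_REQ.search(line)
    if not m:
        return None
    return {"offered": [int(n) for n in m["offered"].split()],
            "status": m["status"],
            "rep": int(m["rep"]) if m["rep"] else None,
            "client": m["client"]}

def unoffered_key_types(lines):
    """For each PREAUTH_FAILED request, name the etypes the KDC has used in an
    ISSUE reply for that principal but that the failing request did not offer."""
    events = [e for e in map(parse_as_req, lines) if e]
    issued = {}
    for e in events:
        if e["status"] == "ISSUE" and e["rep"] is not None:
            issued.setdefault(e["client"], set()).add(e["rep"])
    findings = []
    for e in events:
        if e["status"] == "PREAUTH_FAILED":
            gap = sorted(issued.get(e["client"], set()) - set(e["offered"]))
            findings.append((e["client"], e["offered"],
                             [ETYPES.get(n, str(n)) for n in gap]))
    return findings

# The four krb5kdc lines from the post above (Directory Utility bind, then kinit).
LOG = [
    "Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): preauth (timestamp) verify failure: No matching key in entry",
    "Jan 19 19:51:32 passrlsrv krb5kdc[6457](info): AS_REQ (3 etypes {23 1 3}) PREAUTH_FAILED: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Preauthentication failed",
    "Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) NEEDED_PREAUTH: xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL, Additional pre-authentication required",
    "Jan 19 19:41:28 passrlsrv krb5kdc[6457](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) ISSUE: authtime 1232390488, etypes {rep=16 tkt=16 ses=16}, xambrosi@PASSRL.LOCAL for krbtgt/PASSRL.LOCAL@PASSRL.LOCAL",
]

if __name__ == "__main__":
    for client, offered, gap in unoffered_key_types(LOG):
        print(f"{client}: offered {offered}, issued-but-not-offered {gap}")
```

On the quoted lines this reports that the failing request offered etypes 23, 1 and 3, while the successful kinit request was answered with etype 16, which the failing request did not offer.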
  • pmj135 Level 1 (0 points)
    Unfortunately, none of the tips have worked for me. The incorrect user/password error itself is ambiguous since my login works on any other machine. I've specified a DC IP, can ping it, and added the computer account in AD, making sure my account has permissions to add (Domain Admins, a group I am in). I thought it might be worthwhile to re-install the AD client plug-in. Does anyone know how to do this?

    edit: also the directory folders mentioned do not exist on this workstation.

    Thanks in advance

    Message was edited by: pmj135
  • Erik Black Level 1 (0 points)
    This was great! We've had probably 20-30 machines do this around our organization over the past six months. The only thing I hadn't tried was deleting the /var/db/dslocal/nodes/Default/config directory, so a file or files there must have been causing the problem. I'm hopeful that this will continue to fix the problems when they pop up.