I am trying to bind Lion mac using the Directory Utility. It never gets past "getting AD domain info" and eventually fails with "authentication server coud not be contacted." Anyone else having problems joining Lion mac to AD?
Intel Dual-Core, Mac OS X (10.7)
At the moment whatever I do I never get the "Allow network users to login at login window" checkbox back.
Much as I love Apple products I think I'm just going to have to tell our corporate customeres that it's not ready for deployment in the enterprise as yet 😟
Come on Apple, I'm not willing to format machines just to get the sodding things to log on...
Oh, and any more than an additional two second delay on bootup isn't acceptable. Two minutes? Jog on...
10.7.2 (11C73) only fix auth problem, but do not fix speed problem.
Stil very-very-very slow login as AD user and slooooooooooow connect to shares on other computers.
Incidentally the same thing happens in 10.6.8, but everything was working fast in 10.6.7
I am an apple systems engineer in so cal. (used to work at Apple as a QA engineer).
We have 200 macs, rest PCs in a 5000 user environment. Active Directory 2003 (upgrading to AD 2008 soon).
It's been long known that Apple's own AD plugin over the years has been shaky. All one has to do is use Centrify's own plug-in and AD bind / auth works just great. This has been true probably since 10.5 Leopard.
I have rolled out 10.4, 10.5, 10.6, and now 10.7 and AD binding / authentication functionality always comes up.
In beta testing of these GM version of these OS's, in every case, AD would not work on the shipping GM version. We have had to wait for the x.2 or x.3 release, etc.
And typically when a brand new OS X was coming, say 10.4 to 10.5, 10.5 to 10.6, etc. Previously functioning AD binding / authentication was now broken. This is once again the case going from 10.6 to 10.7
So needless to say we are not rolling out Lion until Apple fixes AD in 10.7.2, 10.7.3 etc. Of course there is nothing stopping anyone from using the now free Centrfiy Express, which works great.
I can say in our environment 10.7.2 Does Fix AD Binding (but the actual Binding part worked in 10.7 / 10.7.1), but now one can actually login (authenticate), and have OS X create a local user account (folder), using AD / Kerb authentication, and cache those credentials locally, meaning if you are off / away from your AD network, you can still login.
(Apple has yet to fix the red / green ball inidcators totall, kind of work, I see no green ball)
I can login in 2-5 seconds, and copyig to SMB volumes is pretty fast.
One has to take into account one's network topology and architecture. We have a brand new Foundry Gig E wired and Aruba wireless 802.11n network, brand new NetApp NAS's, Infoblox DNS, AD 2003 (going to 2008).
And as I say AD login and SMB is working and working fast in 10.7.2
I am not saying that the AD plugin in 10.7.2 is perfect or totally fixed, I am still testing. I am sure Apple has more work to do.
Apple can not know everyones unique network topology, impossible.
As someone did above, take a fresh 10.7 / 10.7.1 install and then update with 10.7.2, if after this AD bind / auth is still not working, there is something going on relative to your network topology and / or the 10.7.2 AD plugin.
As I say this 10.7.2 AD plugin is working fine in our rather extensive and sophistacted network, so Apple has done something correctly with regards to fixing the code in the 10.7.2 AD plugin (maybe not totally or fully).
A suggestion for AD would be to, once logged in (if taking a long time to log in), run tcpdump. There may even be an AD debug tool / log that can be run from the CL (dsconfigad or some other tool). Apple has a such a tool in Lion, for Open Directory, odutil (man odutil).
Since this happens at login, one might be able to grab a stackshot, when the issue occurs. (How to below).
Stackshot will be especially helpful and telling in the case of SMB slowness, spinning BB's, etc.
Point is yes of course it is frustrating, but in my experience Apple needs actual data from various user's network environments, in order to have any idea what may be the potiential or actual issue.
This is exactly what I did when Lion 10.7 shipped (bug was already filed in beta and GM versions).
Took a lot of back and forth, but I am pretty sure the data I captured was helpful in getting this fix (at least that I am seeing) in 10.7.2.
--------
Stackshot Instructions:
1. Enable stackshot by typing the following command at the prompt in the Terminal application (Terminal.app can be found in /Applications/Utilities):
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.stackshot.plist
2. When the problem occurs, press the following keyboard keys simultaneously:
Control + Option + Command + Shift + . (Period)
3. Wait for a minute or two for the stackshot files to be written to disk.
4. Check /Library/Logs/stackshot.log and /Library/Logs/stackshot-syms.log files.
Apple Bug Reporting
https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/wa/signIn
I concur with several items posted by john above. For lack of a technical explanation, suffice to say that AD binding was tricky but functional in 10.4, totally broken in 10.5 (up until 10.5.3 I think?), worked fine in 10.6, and broke again in 10.7.
For my domain, 10.7.2 AD binding works the same way as 10.6. The binding process is almost the same as 10.6, with some slight modifications. I have a step-by-step "new user" checklist that I've created and my "How to Bind in 10.7.2" section is only slightly different than the same section in my 10.6 documents.
My Lion checklist is as follows, and again, this is specific to my domain, where I have both an AD domain and an Open Directory domain running on a OSX Leopard Server. Therefore, I need to join both, but I want authentication to happen by AD.
Create the computer account in AD FIRST. Do not assume that the AD binding process will create the computer account for you, like it does in the Windows world.
Open the actual directory utility for AD binding tasks. Don't use the initial prompt that appears when you click the Join.. button
AD Administrator and Password: <use an account with admin privs on the domain>
Accept whatever the next prompt is - usually empty fields.
Verify that Active Directory is above LDAP (it should be)
Again, the above steps may not work for your situation, it's what works for mine, and the above 10 steps have been more or less the same since 10.4. The above steps did NOT work with 10.7.0 or 10.7.1, and if I remember correctly, they didn't work in 10.5.0 - 10.5.3.
Yes, very good point.
I assumed users would already know some of the protocol for adding Objects to AD, and proper computer name, and time and date, etc. (AD loves to have the proper time and date and could cause issues if not correct).
- In Sys Prefs > Sharing, take that computer name, copy it
- In terminal run: scutil --set Hostname <paste name you just copied>
This will ensure the OS X client has the proper computer name, even after reboots, etc. In other words this name will stick, always.
- In ADUC (Active Directory Users and Comps), create the "Object" of the Mac you are going to be binding, the same exact name as in the step above, and in the proper OU that the AD admin has setup. We have a specific OU in AD called: "MAC". All Mac Objects (computers) go there.
- When one uses Directory Utility, when it is asking for info, I always delete the CN=Computers, and insert, OU=Mac, dc=x, dc=x, dc=x, etc. This ensures that OS X will see the "Existing Object" you just created, and you get the "Join Existing" message.
- We use Infoblox for our DNS, DHCP, and date and time server, so I just have a 10.6 / 10.7 image with that IP address of the server.
Also, we do not use an Open Directory server, nor rely on one, or use the "OD / AD Triangle setup" which is a long and deep discussion.
I have a few Xserver, but we do not use Open Directory at all, after much work on this. There is no need. I don't even have these servers in AD, although they are in the DNS.
So we are using the AD plugin in 10.7.2 entirely, there is no entry for LDAPv3/OD at all.
(On the topic of OD /AD, I'll chime in, after much work and research on OD in AD, to me there was little to no upside, all that one gets is "Managed Prefs", and to me Managed Prefs abilities are extremely limited and usually applied globally. Nothing like MS's Group Policy with a lot of granularity.
The other thing is you have to have dual binding one to AD and one to the OD server (in AD), if something goes whacky with either one of those bindings, no login).
I think someday we may use Centriy, if we want that power.
With regards to time in a corporate environment wouldn't it make sense to be able to configure an ntp time source in the Date & Time GUI?
If you can easily configure a local known time source it removes a potential Kerberos problem when it comes to authenticating.
This is getting silly now. I've flattened my MBP and reinstalled to 10.7.2 on a formatted drive. I can bind to my hearts content but at no point do I now get the option to allow network users to log on.
What could possibly cause this? I've enabled mobile services but whatever I do I don't get the checkbox to allow them to logon.
I'll be going back to Vista (spit) at this rate...
I've got the same problem, I've managed to bind to the Active Directory Server, Network Account Server: Green but can't login to AD on startup, only had the red dot until I clicked Allow Network User to Log on which made the red dot turm amber. I've gone back to the System Preferences > User & Groups but this option has now disappear and I can't work out how to get it back. Any ideas anyone?
I was able to add the OSX Lion 10.7.2 through CLI and it works perfectly fine.
dsconfigad -f -a COMPUTERNAME -domain <domainname>-u <username> -p ‘<password>’
dsconfigad -preferred <server.domain> -multidomain disable
dscl /Search -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search -append / CSPSearchPath "/Active Directory/<domain name>"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/<domain name>"
the above two commands may not work. You may identify the Active directory path sing the below commands and put same in the <domain name> field for above two commands
root# dscl (used dscl to check the Active Directory path)
> cd Active\ Directory/
/Active Directory > ls
[ADS domain]
/Active Directory > cd [ADS domain]
[there's a few seconds of wait time here...]
/Active Directory/[ADS domain] > ls
CertificateAuthorities
Computers
FileMakerServers
Groups
Mounts
People
Printers
Users
/Active Directory/[ADS domain] > exit
then activate the create mobile user at logon from the Login Account configuration
Are there procedures/instructions anywhere on the web that will help an old Windows guy like me learn how to bind a new iMac sitting on our LAN w/Windows Server 2011 to Active Directory? I think this is the Mac terminology for what is referred to in the Windows world as "joining to a domain". This is unexplored territory for me and so it is a little disconcerting that I may be learning on the job with a flawed OS. But I have to start somewhere!
Marty
email me, I can guide you thru it.
Although as has been stated previously (binding a 10.7x Mac has been a bit troublesome) and I am not sure about 2011 AD Server, we are on 2008.
One important thing is MAKE SURE YOU ARE UPDATED TO 10.7.2. If you are not at 10.7.2 your best efforts will not work. AD only became useable once 10.7.2 was installed.
A definitive guide that works consistently would be very useful.
For Windows, any AD requirements and DNS server settings
For the MAC, not just from a clean boot but how to change the domain menbership etc.
I'd like to know what Apple produced in the lab and signed off so I can reproduce it in the field.
Hi folks
Centrify have managed to come up with a workaround. You don't need to use their plug-in, it also works with Lion's own AD plug-in. Also no need to mess around with search paths etc. I did this workaround on a suite of brand new Lion machines and it works a treat:
https://discussions.apple.com/thread/3198558?answerId=16688216022#16688216022
Apple have finally acknowledged the problem as a bug.
For my test results regarding NickWatt's posted workaround go here
https://discussions.apple.com/thread/3198558?answerId=16695095022#16695095022
It finally works folks!
I am trying to bind a Lion 10.7 mac to Active Directory
