10.7.2 & Active Directory

Question

Level 2

475 points

10.7.2 & Active Directory

I know that Lion first two releases has issues with Active directory.. but Im using 10.7.2 now and I was able to bind my Mac to the main domain but not with the child domain..

main domain: domain.com

child domain: test.domain.com

I'm able to bind 10.5 & 10.6 with the child domain just fine.. but not 10.7, and when i try to bind 10.7.2 it goes through the process and then dsplay an error message: Authentication server failed to complete the requested operation.

Any idea ?

Posted on Nov 16, 2011 9:58 AM

Reply

Answer 1

Nov 29, 2011 2:09 PM in response to ivaldiz

I have exacly the same problem. Its a clean mac install and when i trying to join the domain i get Authentication server failed to complete the requested operation.

Time is exact as the domain server.

No idea what this is jet.. also having problems with 10.7.2

Reply

Answer 2

ivaldiz Author

Level 2

475 points

Nov 30, 2011 6:37 AM in response to bogdanfromfraneker

I was able to fix this, when you bind to the active directory and when it asks you for username and password, for the username type this: administrator@ad-domain.com

HTH

Reply

Answer 3

Nov 30, 2011 8:30 AM in response to ivaldiz

That also didn't work for me 😟, anyone other suggestions?

Reply

Answer 4

ivaldiz Author

Level 2

475 points

Nov 30, 2011 8:38 AM in response to bogdanfromfraneker

another thing i tried, I used to authenticate the client macs with sub-admin not the main administrator.. try authenticating with the main AD administrator

Reply

Answer 5

Feb 6, 2012 8:15 AM in response to ivaldiz

I was having the same issue and it seemed to stem from a mis configuration in Kerberos. I nuked the local KDC and the bind worked as expected.

Destroy Local KDC:

sudo rm -rf /var/db/krb5kdc
sudo rm -rf /etc/krb5.keytab
sudo rm -rf /Library/Preferences/edu.mit.Kerberos
Bind the Server to Active Directory.

Also - and I'm not sure if this had any effect, but in our Domain our Admin accounts are in a different forest than the computer accounts and standard user accounts, this is usually not an issue, but just to be safe, instead of allowing the AD plugin to create the computer object I created it in the correct OU first and made sure that my standard user which lives in the same forest had permission to join that object.

Reply

Answer 6

Mar 13, 2012 2:13 PM in response to Jason Bracy

Thank you, thank you, thank you Jason!

I've been screwing around for a week now to get a new Mac Mini to join my domain, after the EXACT SAME image on a 21.5" iMac joined flawlessly. Resetting the Kerberos configs let it find the ADC and join right up.

Reply

Answer 7

Mar 13, 2012 2:45 PM in response to mmaskalans

Glad I could help

Reply

Answer 8

Apr 19, 2012 12:43 AM in response to ivaldiz

For those who have firewalls in place make sure that you have a rule in that allows port UDP&TCP 464 between the client mac and the DC.

Reply

Answer 9

TEWCO

Level 1

0 points

May 17, 2012 3:11 PM in response to Jason Bracy

This fixed my problem, after I removed these files I was able to correctly join the domain. Thank you Jason.

Reply

Answer 10

Jul 13, 2012 9:02 AM in response to ivaldiz

Another reason you might be seeing this error is if the name of the macine is over 15 characters long. NetBIOS doesn't support more chartacters and even though AD will allow you to create names with more characters when you try to bind to the AD domain you can end up with

"authentication server failed to complete the requested operation"

messages and a lot of frustration. 15 or less characters may well remove your problem.

Cameron,

xxx.

Reply

Answer 11

Aug 3, 2012 9:58 AM in response to ivaldiz

if you have a .local (abcCompany.local) domain, you need to make a hosts file entry with:

abcCompany.local x.x.x.x

dc01.abcCompany.local x.x.x.x

dc01 x.x.x.x

dc01.abcCompany x.x.x.x

This has worked for me every time, using dc01 or abcCompany in the quickjoin box.

Reply