
10.7.3 AD binding still an issue?

I was wondering how everyone is getting on since the new update has been released in terms of the on-going saga of binding to AD?


So far it has been working great for us until this morning when two users could not login/authenticate! I was able to login with the hidden admin, remove the AD domain and re-attach it. This worked fine but not ideal! A few hours later the user calls back to suggest that they rebooted their machine and cannot login again...


Anyone else having a similar experience or anything out of the ordinary?

Configuration-OTHER, Mac OS X (10.7.3)

Posted on Feb 7, 2012 3:51 AM


Feb 8, 2012 5:03 AM in response to Pope7

Hi


Apple have been releasing updates that 'improve' integration into AD Domains that use .local for years now. I recall a 10.5 point update supposedly resolving similar issues as well as a 10.6 point update. Neither of them really 'fixed' anything TBH. You have to remember that Apple 'test' their updates with their test AD Domain which is never going to be the same as yours or anyone else's.


Whether this 'helps' you or not is debatable but what I've noticed and depending on the AD Domain, the update only rarely 'fixes' things. There are further changes you can make which might help - altering the mdns value sometimes helps, there are others but ultimately the only real 'fix' is to change the domain. Yes I know this is not a trivial thing to do but it does make sense in the long run.


FWIW and in my experience there are far more AD Domains that don't use .local and in all the years I've been doing this I've never seen any issues integrating into non .local domains and always issues integrating into .local ones.


My 2p.


HTH?


Tony

Feb 8, 2012 5:55 PM in response to Sinerg1

Good start in looking at the content. As for how to look at the items, first cached credentials.


Check your AD bind configuration in Directory Utility. Do you have this box checked?


[User uploaded file]


If so, then you are likely creating a cache account for offline use. That is a good thing in most cases.


Next, testing how long it takes to acquire the domain. Do this.


1: From the admin account go in to System Preferences > Accounts > Login Options and set the "Display login window as:" to list of users.

2: Reboot the machine

3: Time how long it takes to see the "Other" option appear on the login window


Now if it never appears, then we have another issue to worry about.


Next, Directory Services on the system supports a number of levels of debugging. Use the odutil command to change the level of logging.


sudo odutil set log info


Hint, you will want to change this back to


sudo odutil set log default


When you are done. Otherwise you will be making some huge log files.


Next, some other things to try. Use the id command while logged in as the local admin. Have the system ID known domain users. For example, say you have a user in the domain named jdoe. Use this command to get truncated results of the user's account:


id jdoe


Next, use dscl to try and talk to the domain. See if you can reach the users container and query the domain.


Hey Tony, been a long time. How's it going on the other side of the pond? Hope all is well.

Feb 9, 2012 3:38 AM in response to Strontium90

Thanks for the help so far Strontium90!


When I bind to AD with the domain address and then click on User Experience in the advanced options, it somehow lists Multiple next to ‘Network Account Server’, as read here - http://support.apple.com/kb/TS4176


Currently I would use dsconfigad through terminal once I added the domain.


By default, “Force local home directory on startup disk” (dsconfigad -localhome disable) and “Create mobile account” are kept disabled/unchecked.


[Testing how long it takes to acquire the domain]

The 'Other' appeared eventually but took a long 2-3 minutes, although if you read below it did not appear for other machines until I re-attached the AD Domain.


I currently have 3 machines with 10.7.3 (testing) and the one I am using never gets shut down; if I do a restart, then I can log straight back in (except for the odd occasion that requires me to re-bind). It doesn't happen as frequently as on the other two machines, possibly because this one never gets shut down...


  • This morning I dropped by the two machines and tried logging in with no success
  • Logged in with local admin and reattached the AD domain
  • Logged in with AD account and it all worked fine
  • Logged out and tried with another AD account and this also worked fine
  • I left both machines at login window


And 30 mins later when the users came into work, both could not login using their AD credentials, as well as the logins I had previously used!


I checked the console logs and there was some difference between them:


User 1

09/02/2012 09:20:08.119 SecurityAgent User info context values set for emsammler

09/02/2012 09:20:08.119 SecurityAgent User info context values set for emsammler

09/02/2012 09:20:08.178 authorizationhost Failed to authenticate user <emsammler> (error: 9).

09/02/2012 09:20:12.242 SecurityAgent User info context values set for emsammler

09/02/2012 09:20:12.242 SecurityAgent User info context values set for emsammler

09/02/2012 09:20:12.283 authorizationhost Failed to authenticate user <emsammler> (error: 9).

User 2

09/02/2012 09:17:02.891 SecurityAgent User info context values set for lsatriano

09/02/2012 09:17:02.892 SecurityAgent User info context values set for lsatriano

09/02/2012 09:17:02.949 authorizationhost Failed to authenticate user <lsatriano> (error: 9).

09/02/2012 09:17:44.663 SecurityAgent User info context values set for lsatriano

09/02/2012 09:17:44.663 SecurityAgent User info context values set for lsatriano

09/02/2012 09:17:44.746 rpcsvchost sandbox_init: com.apple.msrpc.netlogon.sb succeeded

09/02/2012 09:17:45.104 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /Library/Managed Preferences

09/02/2012 09:17:45.107 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root

09/02/2012 09:17:45.108 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root

09/02/2012 09:17:45.110 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root

09/02/2012 09:17:45.112 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist

09/02/2012 09:17:45.113 sandboxd ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist

09/02/2012 09:17:45.114 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root

09/02/2012 09:17:45.116 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/.GlobalPreferences.plist

09/02/2012 09:17:45.117 sandboxd ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/.GlobalPreferences.plist

09/02/2012 09:17:45.120 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist

09/02/2012 09:17:45.121 sandboxd ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/ByHost/.GlobalPreferences.122CEF5A-E83D-5094-9456-30C89D628061.plist

09/02/2012 09:17:45.122 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/root/Library/Preferences/.GlobalPreferences.plist

09/02/2012 09:17:45.123 sandboxd ([448]) rpcsvchost(448) deny file-read-data /private/var/root/Library/Preferences/.GlobalPreferences.plist

09/02/2012 09:17:45.152 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /

09/02/2012 09:17:45.154 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /Library

09/02/2012 09:17:45.156 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /Library

09/02/2012 09:17:45.158 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /Library

09/02/2012 09:17:45.159 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /Library

09/02/2012 09:17:45.161 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /Library

09/02/2012 09:17:45.162 sandboxd ([448]) rpcsvchost(448) deny file-read-metadata /private/var/run/systemkeychaincheck.done

09/02/2012 09:17:45.164 sandboxd ([448]) rpcsvchost(448) deny network-outbound /private/var/run/systemkeychaincheck.socket

09/02/2012 09:17:45.164 rpcsvchost Can not connect to /var/run/systemkeychaincheck.socket: Operation not permitted

09/02/2012 09:17:45.181 rpcsvchost failed to create secure channel: STATUS_ACCESS_DENIED (0xC0000022)

09/02/2012 09:17:45.182 authorizationhost Failed to authenticate user <lsatriano> (error: 9).

09/02/2012 09:25:29.028 netbiosd name servers down?


Cheers,

Si
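The two Console excerpts above show the same "error: 9" outcome for both users, but only the second one is preceded by rpcsvchost failing to set up a secure channel to the DC (STATUS_ACCESS_DENIED) and netbiosd asking whether the name servers are down. As an added example that is not part of the thread, the Python script below parses lines in that Console format and, for each authorizationhost failure, reports whether a secure-channel failure was logged shortly before it and whether the systemkeychaincheck socket was blocked by the sandbox, plus a DNS flag from netbiosd. The sample lines are constructed to match the shape of the quoted log, and the 5-second correlation window is an assumption for triage, not an Apple-documented relationship.

```python
"""Triage macOS Console lines from failed AD logins (constructed example)."""
import re
from datetime import datetime

# Constructed sample: same shape as the Console lines quoted in the thread.
SAMPLE_LOG = """\
09/02/2012 09:17:02.891 SecurityAgent User info context values set for lsatriano
09/02/2012 09:17:02.949 authorizationhost Failed to authenticate user <lsatriano> (error: 9).
09/02/2012 09:17:45.164 sandboxd ([448]) rpcsvchost(448) deny network-outbound /private/var/run/systemkeychaincheck.socket
09/02/2012 09:17:45.181 rpcsvchost failed to create secure channel: STATUS_ACCESS_DENIED (0xC0000022)
09/02/2012 09:17:45.182 authorizationhost Failed to authenticate user <lsatriano> (error: 9).
09/02/2012 09:25:29.028 netbiosd name servers down?
"""

LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+) (.*)$")
AUTH_FAIL_RE = re.compile(r"Failed to authenticate user <([^>]+)> \(error: (\d+)\)")
CHANNEL_FAIL_RE = re.compile(r"failed to create secure channel: (\S+)")
KEYCHAIN_DENY = "deny network-outbound /private/var/run/systemkeychaincheck.socket"
TS_FMT = "%d/%m/%Y %H:%M:%S.%f"  # the quoted Console output uses day/month/year


def parse_log(text):
    """Turn Console text into (timestamp, process, message) tuples; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return events


def triage(text, window_secs=5.0):
    """Return one finding per authorizationhost failure plus a DNS warning flag.

    cause is 'secure_channel' when rpcsvchost reported a failed secure channel
    to the DC within window_secs before the failure (an assumed correlation:
    the machine trust, not the user's password, is then the thing to look at),
    and 'unexplained' otherwise.
    """
    events = parse_log(text)
    dns_warning = any(proc == "netbiosd" and "name servers down" in msg
                      for _, proc, msg in events)
    findings = []
    for i, (ts, proc, msg) in enumerate(events):
        fail = AUTH_FAIL_RE.search(msg)
        if proc != "authorizationhost" or not fail:
            continue
        cause, status, keychain_blocked = "unexplained", None, False
        for pts, pproc, pmsg in events[:i]:          # only earlier events
            if (ts - pts).total_seconds() > window_secs:
                continue
            chan = CHANNEL_FAIL_RE.search(pmsg)
            if pproc == "rpcsvchost" and chan:
                cause, status = "secure_channel", chan.group(1)
            if pproc == "sandboxd" and KEYCHAIN_DENY in pmsg:
                keychain_blocked = True
        findings.append({
            "time": ts.strftime("%H:%M:%S.%f")[:-3],
            "user": fail.group(1),
            "error": int(fail.group(2)),
            "cause": cause,
            "status": status,
            "keychain_socket_blocked": keychain_blocked,
        })
    return {"findings": findings, "dns_warning": dns_warning}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a saved Console export instead of SAMPLE_LOG to see at a glance which failed logins coincided with the Mac losing its secure channel to the domain, as opposed to a user simply mistyping a password.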

Feb 9, 2012 3:46 AM in response to Sinerg1

Hi


On affected clients and assuming these are wired workstations issue this command:


networksetup -setV6off "Ethernet"


If you have ARD you can send the command to multiple workstations simultaneously. How long does it take now for client workstations to read the GC List and 'discover' the AD Domain? This is an old fix but you could also try adding the DC's IP address and hostname to /etc/hosts on mac workstations.


HTH?


Tony

Feb 9, 2012 4:13 AM in response to Antonio Rocco

In a sense I don't actually mind how long it takes to read and discover the domain (currently), the issue seems to be - once I attach the AD domain, it will read successfully and then suddenly, which so far happens randomly, it appears it can't read/discover?!


The unfortunate and tiresome scenario is completely random as well, which sees me only being able to test first thing in the morning: once I bind a machine with AD it performs fine, I can restart the machine multiple times without an issue and then a random restart/log off may result in me having to rebind.


Si

Feb 9, 2012 5:19 AM in response to Sinerg1

Hi


The symptoms you're describing are pretty much what I've seen to a greater or lesser degree with .local domains since 10.4 and this is regardless of however many updates Apple releases that supposedly 'fixes' the problem.


However yours does seem particularly bad which - to me - indicates something fundamental with your AD? Beyond what I've already offered I don't think I'm of any real help to you.


Perhaps Strontium90 may be able to help further?


@Strontium90


Hello Reid! I trust all is well with you too? My side of the pond is in a bit of a freeze at the moment - we English love discussing the weather - but otherwise it's same old same old. What's the odds on your side of the water of 10.7 Server being the last recognisable 'server' Apple will ever make?


Tony

Feb 9, 2012 3:02 PM in response to Antonio Rocco

So start with the basics. AD binds are all about DNS and time. If you don't have these guys in place, then everything falls apart.


In the log file you posted, there are a lot of permission denied issues also and the most interesting is the final one that suggests your name servers are down. About those permission issues. Have you run a diskutil repairPermissions? Worth a shot. You should not be seeing all those events in the log.



09/02/2012 09:17:45.181 rpcsvchost failed to create secure channel: STATUS_ACCESS_DENIED (0xC0000022)

09/02/2012 09:17:45.182 authorizationhost Failed to authenticate user <lsatriano> (error: 9).

09/02/2012 09:25:29.028 netbiosd name servers down?


So, let's try this. On your Mac, run these commands and make sure you are getting results from your DNS server. Replace the domain with your actual domain.


# LDAP port 389

host -t SRV _ldap._tcp.domain.ac.uk


# Kerberos port 88 TCP

host -t SRV _kerberos._tcp.domain.ac.uk

# Kerberos port 88 UDP

host -t SRV _kerberos._udp.domain.ac.uk


# Kpasswd port 464 TCP

host -t SRV _kpasswd._tcp.domain.ac.uk

# Kpasswd port 464 UDP

host -t SRV _kpasswd._udp.domain.ac.uk


# gc (AD Global Catalog) port 3268

host -t SRV _gc._tcp.domain.ac.uk


If you do not get the DC as a result of any of these, contact your DNS admin to correct.


Next, are you using round robin DNS? I've seen issues where OS X will get really annoyed when multiple DNS servers keep responding.


@Tony, freezing over here also. Snow, ice, the usual NJ junk for Feb.


And yes, I am still crying in my beer over the OS X Server/Final Cut/Final Cut Server/Xsan/Xserve/etc announcements. Has changed our business dramatically and we've lost just about every pro video shop back to Avid on PCs. I've grown to accept Lion server since I was doing most everything command line anyway. But the anemic hardware choices have chased us out of corporate data centers. It is the worst part of my week (and it is happening each week) to tell a group of designers that their data is moving to Windows servers and we need to rename everything, cause everything to relink, and no longer be able to search reliably.


Ah, but Angry Birds now works on the desktop. I am so excited!
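The six SRV lookups in the post above are the DNS half of "AD binds are all about DNS and time". As an added example that is not part of the thread, the Python script below wraps those `host -t SRV` queries, parses the answer lines BIND's `host` prints ("... has SRV record priority weight port target."), and reports per service whether the record is missing, advertises the wrong port, or points at a host that is not one of your DCs. The domain name `domain.ac.uk` is the thread's own placeholder; the DC names and the sample `host` output used for the offline run are constructed.

```python
"""Check that the AD SRV records a Mac needs to bind actually resolve (added example)."""
import re
import subprocess
import sys

# Service, transport and the port each record should advertise (the thread's list).
REQUIRED_SRV = [
    ("_ldap", "_tcp", 389),
    ("_kerberos", "_tcp", 88),
    ("_kerberos", "_udp", 88),
    ("_kpasswd", "_tcp", 464),
    ("_kpasswd", "_udp", 464),
    ("_gc", "_tcp", 3268),
]

# BIND `host -t SRV` prints one line per record:
#   _ldap._tcp.domain.ac.uk has SRV record 0 100 389 dc1.domain.ac.uk.
SRV_LINE_RE = re.compile(r"has SRV record (\d+) (\d+) (\d+) (\S+)$")


def parse_srv_output(text):
    """Return (priority, weight, port, target) tuples parsed from `host` output."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE_RE.search(line.strip())
        if m:
            prio, weight, port, target = m.groups()
            records.append((int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return records


def query_srv(service, proto, domain):
    """Live lookup via the same `host -t SRV` command the thread uses (needs network)."""
    name = f"{service}.{proto}.{domain}"
    out = subprocess.run(["host", "-t", "SRV", name], capture_output=True, text=True)
    return out.stdout


def check_domain(domain, expected_dcs, lookup=query_srv):
    """Map each required SRV name to 'ok', 'missing', or a description of what is wrong."""
    expected = {dc.lower() for dc in expected_dcs}
    report = {}
    for service, proto, port in REQUIRED_SRV:
        name = f"{service}.{proto}.{domain}"
        recs = parse_srv_output(lookup(service, proto, domain))
        if not recs:
            report[name] = "missing"
            continue
        problems = []
        for _, _, rport, target in recs:
            if rport != port:
                problems.append(f"port {rport} != {port}")
            if target not in expected:
                problems.append(f"unexpected target {target}")
        report[name] = "ok" if not problems else "; ".join(problems)
    return report


# Constructed sample answers standing in for real `host` output when offline:
# kpasswd over UDP advertises the wrong port and the Global Catalog record is absent.
SAMPLE_ANSWERS = {
    "_ldap._tcp.domain.ac.uk": ("_ldap._tcp.domain.ac.uk has SRV record 0 100 389 dc1.domain.ac.uk.\n"
                                "_ldap._tcp.domain.ac.uk has SRV record 0 100 389 dc2.domain.ac.uk.\n"),
    "_kerberos._tcp.domain.ac.uk": "_kerberos._tcp.domain.ac.uk has SRV record 0 100 88 dc1.domain.ac.uk.\n",
    "_kerberos._udp.domain.ac.uk": "_kerberos._udp.domain.ac.uk has SRV record 0 100 88 dc1.domain.ac.uk.\n",
    "_kpasswd._tcp.domain.ac.uk": "_kpasswd._tcp.domain.ac.uk has SRV record 0 100 464 dc1.domain.ac.uk.\n",
    "_kpasswd._udp.domain.ac.uk": "_kpasswd._udp.domain.ac.uk has SRV record 0 100 88 dc1.domain.ac.uk.\n",
    "_gc._tcp.domain.ac.uk": "Host _gc._tcp.domain.ac.uk not found: 3(NXDOMAIN)\n",
}


def sample_lookup(service, proto, domain):
    """Offline stand-in for query_srv that serves the constructed answers above."""
    return SAMPLE_ANSWERS.get(f"{service}.{proto}.{domain}", "")


if __name__ == "__main__":
    # Usage: python srvcheck.py domain.ac.uk dc1.domain.ac.uk dc2.domain.ac.uk
    if len(sys.argv) >= 3:
        result = check_domain(sys.argv[1], sys.argv[2:])
    else:
        result = check_domain("domain.ac.uk", ["dc1.domain.ac.uk", "dc2.domain.ac.uk"], sample_lookup)
    for name, status in result.items():
        print(f"{name:35s} {status}")
```

Anything other than "ok" on a line is what you take to the DNS admin; "missing" on the _gc record in particular would explain a Mac that can bind yet never finishes "discovering" the domain at the login window.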
