Active Directory Issues 10.7.4 & 10.7.5

Question

Level 1

8 points

Active Directory Issues 10.7.4 & 10.7.5

Hi

I'm having problems with all my 10.7.4 & 10.7.5 mac's. They're losing their connection to AD. When I got to unbind I get the follwing error:

Unable to access domain controller

This computer is unable to access the domain controller for an unknown reason. Warning: If you click force unbind you will leave an unused computer account in the directory.

I then get an option to ok or force unbind. If I force unbind if I force unbind I get the following error:

An unknown error occurred

Helpful, I'm sure you'll agree! If I go in to Console I can see the following to errors:

02/10/2012 16:01:25.682 Directory Utility: An instance 0x7f8f02b30f30 of class ODCUnbindFromADAction was deallocated while key value observers were still registered with it. Observation info was leaked, and may even become mistakenly attached to some other object. Set a breakpoint on NSKVODeallocateBreak to stop here in the debugger. Here's the current observation info:

<NSKeyValueObservationInfo 0x7f8f02b56970> (

<NSKeyValueObservance 0x7f8f02b568c0: Observer: 0x7f8f01cea980, Key path: progressStatus, Options: <New: NO, Old: NO, Prior: NO> Context: 0x0, Property: 0x7f8f02b569a0>

)

and...

02/10/2012 16:03:32.463 Directory Utility: -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007 "The operation couldn’t be completed. (OSStatus error -60007.)" (The authorization was denied since no user interaction was possible. )

When users are curently logged in they lose access to SSH sessions, and network drives etc... they have had issues with saving work and subsiqently losing it!

When I go in to opendirectyd.log I see the following:

2012-10-02 15:37:42.208 BST - opendirectoryd (build 172.17) launched...

2012-10-02 15:37:42.265 BST - Logging level limit changed to 'error'

2012-10-02 15:37:42.902 BST - Initialize trigger support

2012-10-02 15:37:42.904 BST - Registered node with name '/Active Directory' as hidden

2012-10-02 15:37:42.904 BST - Registered node with name '/Configure' as hidden

2012-10-02 15:37:42.905 BST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'

2012-10-02 15:37:42.905 BST - Registered node with name '/Contacts'

2012-10-02 15:37:42.906 BST - Registered node with name '/LDAPv3' as hidden

2012-10-02 15:37:42.939 BST - Registered node with name '/Local' as hidden

2012-10-02 15:37:42.964 BST - Registered node with name '/NIS' as hidden

2012-10-02 15:37:42.965 BST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'

2012-10-02 15:37:42.965 BST - Registered node with name '/Search'

2012-10-02 15:37:43.024 BST - Discovered configuration for node name '/Active Directory/NUCA-AD' at path '/Library/Preferences/OpenDirectory/Configurations/Active Directory/NUCA-AD.plist'

2012-10-02 15:37:43.024 BST - Registered subnode with name '/Active Directory/NUCA-AD'

2012-10-02 15:37:43.024 BST - Registered placeholder subnode with name '/Active Directory/NUCA-AD/All Domains'

2012-10-02 15:37:43.040 BST - Discovered configuration for node name '/LDAPv3/nuca-mon1.nuca.ac.uk' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/nuca-mon1.nuca.ac.uk. plist'

2012-10-02 15:37:43.040 BST - Registered subnode with name '/LDAPv3/nuca-mon1.nuca.ac.uk'

2012-10-02 15:37:43.108 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'

2012-10-02 15:37:43.307 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'

2012-10-02 15:37:44.311 BST - '/Search' has registered, loading additional services

2012-10-02 15:37:44.311 BST - Initialize augmentation support

2012-10-02 15:37:44.352 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'

2012-10-02 15:37:44.423 BST - Successfully registered for Kernel identity service requests

2012-10-02 15:37:44.482 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'

2012-10-02 15:37:44.566 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'

2012-10-02 15:37:45.461 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'

2012-10-02 15:37:45.463 BST - Registered subnode with name '/Local/Default'

2012-10-02 15:37:45.556 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'

2012-10-02 15:37:45.600 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'

2012-10-02 15:37:45.645 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'

2012-10-02 15:37:45.654 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/Kerberosv5.bundle'

2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'

2012-10-02 15:37:45.858 BST - Registered subnode with name '/Active Directory/NUCA-AD/nuca.ac.uk' as hidden

2012-10-02 15:37:45.859 BST - Unregistered placeholder node with name '/Active Directory/NUCA-AD/All Domains'

2012-10-02 15:37:45.860 BST - Registered subnode with name '/Active Directory/NUCA-AD/All Domains'

2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden

2012-10-02 15:37:57.468 BST - failed to retrieve password for credential

2012-10-02 15:37:59.051 BST - failed to retrieve password for credential

2012-10-02 15:38:04.052 BST - failed to retrieve password for credential

2012-10-02 15:38:14.054 BST - failed to retrieve password for credential

2012-10-02 15:38:29.056 BST - failed to retrieve password for credential

2012-10-02 15:38:49.076 BST - failed to retrieve password for credential

2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'

2012-10-02 15:39:11.900 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'

Interestingly enough, the problem doesn't seem to effect users runing 10.6.8 or my iMac which is running 10.8.2. I've spoken to network manager and he can't see anything strange going on, on the network.

I've also spoekn to our AD guy and nothing has changed.

This is now the second time it's happend, I've managed to get everyone working (before it happened again) by deleting the AD plist in /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/ then rebinding via a scipt pushed out via ARD

If anyone can offer any assitance I'd be most gratful as I'm about to be shot by our users! as it's the start of our new academic year!

Thanks!

Paul

iMac, Mac OS X (10.7.1)

Posted on Oct 2, 2012 8:19 AM

Reply

Answer 1

Paul_Cossey Author

Level 1

8 points

Oct 2, 2012 8:52 AM in response to Paul_Cossey

I should have added, that all the 10.7.x mac's seem to lose their connection to AD at pretty much the exact same time!

I can also ping our AD Domain and the Domain Controllers no problem.

I'm now going through the prcess of removing and readding the macs to AD so hopefully everyone can use them in the morning, but I have a horrible feeling this is just going to keep happening!

Thanks, Paul.

Reply

Answer 2

Paul_Cossey Author

Level 1

8 points

Oct 3, 2012 2:55 AM in response to Paul_Cossey

We've now also just found out that when the AD users are logged in and it loses connection to AD it also loses connection to the web. When we login as a local user though we can access the internet!

Reply

Answer 3

Oct 10, 2012 12:34 PM in response to Paul_Cossey

I am having this exact same issue. Have you found a resolution?

Reply

Answer 4

Oct 11, 2012 10:14 PM in response to Paul_Cossey

Just jumping in to see if I can help further define this...

So to clarify; users are able to log in using their AD credentials, which means at the login screen the network is available (would have to be to authenticate the login credentials). Then sometime after they have logged in their connection drops and they lose connection to the Domain Controller (and everything else).

Questions:

1. When this happens, can the users see if their Ethernet connection or Wi-Fi if they use that to connect, is yellow or red in the the Network preference pane?

2. What do you use for IP addresses for the machines; manual, DHCP, 802.1x?

Message was edited by: Bruce Stewart

Reply

Answer 5

Paul_Cossey Author

Level 1

8 points

Oct 12, 2012 8:08 AM in response to CougarNet ITS

No - not as yet although I think the problem could lie within our DNS...

Reply

Answer 6

Paul_Cossey Author

Level 1

8 points

Oct 12, 2012 8:24 AM in response to Bruce Stewart

Hi Bruce

Yes that's pretty much correct. Although a user doesn't have to be logged in for the problem to occur on the Mac.

On the few occasions a user has called us with out rebooting, I can ARD on to the Mac so there is network connections, I can ping our domain, servers and the outside world. I can preform NS Look ups, I can browes network shares (but I can't copy and data off). I can't connect to any websites from within a web browser.

All our IP address are dished out via a windows DHCP server (we do have a few mac's that "should" pick up static reservations from our DHCP server)

Our DNS is also a windows server

Strangley we've not had it happen on mass since last week. Although we have had a couple of isolated incidents.

I've also made sure all our Mac clients are fully up to date with the latest patches.

I have a sneaky suspicion that the problem lies with our DNS, we have a problem where by the mac's pick up random DNS names that the IP address has had before. I belive this is quite a common problem and we've had it ever since I've been working here.

Thanks Paul

Reply

Answer 7

Oct 14, 2012 2:27 PM in response to Paul_Cossey

So it sounds like the issue is not that there is no network, just something somewhere not configured correctly.

Okay, we have had similar DNS issues at the University I work at.

Try this if you get a chance:

Do an NSlookup on the domain name (not a particular DC). Does it list all of the DCs?

If so do a forward and then a reverse lookup for everything that the domain query lists.

Are there reverses for everything.

Macs hate names without reverses. Windows clients dont seem to care.

I have my network admins used to me now so they always put them in. If you DNS is configured properly, it will do it automatically, but I have seen our DNS's here fail to put in reverse addresses many times. One they put them in for the server in question data seems to magically flow.

🙂

That would explain why sometimes it works and sometimes it just stops. If you have one Domain Controller that has a bad DNS entry, then whenever a Mac gets pointed to it, it just stops talking to it. No authentication will happen and all the services provided in the domain just stop working, but the other network services would still work.

Hope that is of help.

Reply

Answer 8

Paul_Cossey Author

Level 1

8 points

Oct 29, 2012 2:44 AM in response to Bruce Stewart

It's been a few weeks now, and (touch wood) it's not happended again on mass. We have had a few individual ones, but nothing major.

We still don't quite know exactly what happened, but trouble shooting found the following:

Our time server wasn't working corrctly centrifys ADCheck tool showed it as having a firewall (even though it didn't) our AD guy fixed that problem (sorry not sure exactly what he did)
We checked the AD kerberos ticket from a machine that lost it's connection to AD, on another mac that worked and found that it couldn't connect as the password was wrong. It seems that by default Active Directory ticket wants to change it's password every 14, and when trying to it's failing so I set it to 0
We had tried to set the server the AD plugin see's to a specific DC but this wasnt happening due to subnets not being configured in AD sites and Services
Some of the Mac's did not like being set to GMT in the time zone and the time was an hour out, people where able to login though! So I've now set them to Eurpoe\London and they're now picking up the correct time and even picked up the daylight savings over the weekend.

Our DNS is still not great but we are in the process of sorting out our subnets and when we do the consolodation we'll also asign reservations for all the mac's in the hope that apeases DDNS

Thanks Paul

Reply

Answer 9

kdurrum

Level 1

0 points

Nov 8, 2012 4:33 AM in response to Paul_Cossey

Have you tried to ensure that clocks on the workstations match the clock on the server? Setup a timeserver and ensure that the times stay synced.

Reply

Answer 10

ManEmori

Level 1

4 points

May 4, 2016 3:04 AM in response to Paul_Cossey

thanks to @kdurrum

issue was time synchronization among others so:

-- set the time on your device to be correct with whatever your directory time is,

-- choose and appropriate time zone to sync with if you want the automatic time sync option (you may find you need to manually correct the wrong time if this is the case before you set the apporpriate time zone)

-- Set/add an appropriate dns suffix (you do this from system preferences/network/advanced...)

finally add an appropriate dns ip address if you are not using dhcp and hence you have manual ip configuration.

you may equally - depending on your situation move the active directory option to the top from the users and groups > network Account Server options pane.

Thats all you need and hopefully you will be working again.

Reply