9 Replies Latest reply: Nov 8, 2012 4:33 AM by kdurrum
Paul_Cossey Level 1 (0 points)

Hi

I'm having problems with all my 10.7.4 & 10.7.5 Macs. They're losing their connection to AD. When I go to unbind I get the following error:

Unable to access domain controller

This computer is unable to access the domain controller for an unknown reason. Warning: If you click force unbind you will leave an unused computer account in the directory.

I then get an option to OK or force unbind. If I force unbind I get the following error:

An unknown error occurred

An unknown error occurred

Helpful, I'm sure you'll agree! If I go in to Console I can see the following two errors:

 

02/10/2012 16:01:25.682 Directory Utility: An instance 0x7f8f02b30f30 of class ODCUnbindFromADAction was deallocated while key value observers were still registered with it. Observation info was leaked, and may even become mistakenly attached to some other object. Set a breakpoint on NSKVODeallocateBreak to stop here in the debugger. Here's the current observation info:

<NSKeyValueObservationInfo 0x7f8f02b56970> (

<NSKeyValueObservance 0x7f8f02b568c0: Observer: 0x7f8f01cea980, Key path: progressStatus, Options: <New: NO, Old: NO, Prior: NO> Context: 0x0, Property: 0x7f8f02b569a0>

)

 

and...

 

02/10/2012 16:03:32.463 Directory Utility: -[SFAuthorization obtainWithRights:::::] failed with error Error Domain=NSOSStatusErrorDomain Code=-60007 "The operation couldn’t be completed. (OSStatus error -60007.)" (The authorization was denied since no user interaction was possible. )

 

When users are currently logged in they lose access to SSH sessions, and network drives etc... they have had issues with saving work and subsequently losing it!

When I go in to opendirectoryd.log I see the following:

 

2012-10-02 15:37:42.208 BST - opendirectoryd (build 172.17) launched...

2012-10-02 15:37:42.265 BST - Logging level limit changed to 'error'

2012-10-02 15:37:42.902 BST - Initialize trigger support

2012-10-02 15:37:42.904 BST - Registered node with name '/Active Directory' as hidden

2012-10-02 15:37:42.904 BST - Registered node with name '/Configure' as hidden

2012-10-02 15:37:42.905 BST - Discovered configuration for node name '/Contacts' at path '/Library/Preferences/OpenDirectory/Configurations//Contacts.plist'

2012-10-02 15:37:42.905 BST - Registered node with name '/Contacts'

2012-10-02 15:37:42.906 BST - Registered node with name '/LDAPv3' as hidden

2012-10-02 15:37:42.939 BST - Registered node with name '/Local' as hidden

2012-10-02 15:37:42.964 BST - Registered node with name '/NIS' as hidden

2012-10-02 15:37:42.965 BST - Discovered configuration for node name '/Search' at path '/Library/Preferences/OpenDirectory/Configurations//Search.plist'

2012-10-02 15:37:42.965 BST - Registered node with name '/Search'

2012-10-02 15:37:43.024 BST - Discovered configuration for node name '/Active Directory/NUCA-AD' at path '/Library/Preferences/OpenDirectory/Configurations/Active Directory/NUCA-AD.plist'

2012-10-02 15:37:43.024 BST - Registered subnode with name '/Active Directory/NUCA-AD'

2012-10-02 15:37:43.024 BST - Registered placeholder subnode with name '/Active Directory/NUCA-AD/All Domains'

2012-10-02 15:37:43.040 BST - Discovered configuration for node name '/LDAPv3/nuca-mon1.nuca.ac.uk' at path '/Library/Preferences/OpenDirectory/Configurations/LDAPv3/nuca-mon1.nuca.ac.uk.plist'

2012-10-02 15:37:43.040 BST - Registered subnode with name '/LDAPv3/nuca-mon1.nuca.ac.uk'

2012-10-02 15:37:43.108 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/legacy.bundle'

2012-10-02 15:37:43.307 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/search.bundle'

2012-10-02 15:37:44.311 BST - '/Search' has registered, loading additional services

2012-10-02 15:37:44.311 BST - Initialize augmentation support

2012-10-02 15:37:44.352 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/SystemCache.bundle'

2012-10-02 15:37:44.423 BST - Successfully registered for Kernel identity service requests

2012-10-02 15:37:44.482 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/PlistFile.bundle'

2012-10-02 15:37:44.566 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/FDESupport.bundle'

2012-10-02 15:37:45.461 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ConfigurationProfiles.bundle'

2012-10-02 15:37:45.463 BST - Registered subnode with name '/Local/Default'

2012-10-02 15:37:45.556 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ldap.bundle'

2012-10-02 15:37:45.600 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/AppleODClient.bundle'

2012-10-02 15:37:45.645 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/ActiveDirectory.bundle'

2012-10-02 15:37:45.654 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/Kerberosv5.bundle'

2012-10-02 15:37:45.858 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/NetLogon.bundle'

2012-10-02 15:37:45.858 BST - Registered subnode with name '/Active Directory/NUCA-AD/nuca.ac.uk' as hidden

2012-10-02 15:37:45.859 BST - Unregistered placeholder node with name '/Active Directory/NUCA-AD/All Domains'

2012-10-02 15:37:45.860 BST - Registered subnode with name '/Active Directory/NUCA-AD/All Domains'

2012-10-02 15:37:45.861 BST - Registered subnode with name '/Active Directory/NUCA-AD/Global Catalog' as hidden

2012-10-02 15:37:57.468 BST - failed to retrieve password for credential

2012-10-02 15:37:59.051 BST - failed to retrieve password for credential

2012-10-02 15:38:04.052 BST - failed to retrieve password for credential

2012-10-02 15:38:14.054 BST - failed to retrieve password for credential

2012-10-02 15:38:29.056 BST - failed to retrieve password for credential

2012-10-02 15:38:49.076 BST - failed to retrieve password for credential

2012-10-02 15:39:11.505 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/configure.bundle'

2012-10-02 15:39:11.900 BST - Loaded bundle at path '/System/Library/OpenDirectory/Modules/keychain.bundle'

 

Interestingly enough, the problem doesn't seem to affect users running 10.6.8 or my iMac which is running 10.8.2. I've spoken to our network manager and he can't see anything strange going on, on the network.

I've also spoken to our AD guy and nothing has changed.

This is now the second time it's happened. I've managed to get everyone working (before it happened again) by deleting the AD plist in /Library/Preferences/OpenDirectory/Configurations/Active\ Directory/ then rebinding via a script pushed out via ARD.

If anyone can offer any assistance I'd be most grateful, as I'm about to be shot by our users, as it's the start of our new academic year!

Thanks!

Paul


iMac, Mac OS X (10.7.1)
  • Paul_Cossey Level 1 (0 points)

    I should have added that all the 10.7.x Macs seem to lose their connection to AD at pretty much the exact same time!

    I can also ping our AD domain and the domain controllers no problem.

    I'm now going through the process of removing and re-adding the Macs to AD so hopefully everyone can use them in the morning, but I have a horrible feeling this is just going to keep happening!

    Thanks, Paul.

  • Paul_Cossey Level 1 (0 points)

    We've now also just found out that when the AD users are logged in and it loses connection to AD it also loses connection to the web. When we log in as a local user though we can access the internet!

  • CougarNet ITS Level 1 (0 points)

    I am having this exact same issue. Have you found a resolution?

  • Bruce Stewart Level 1 (20 points)

    Just jumping in to see if I can help further define this...

    So to clarify: users are able to log in using their AD credentials, which means at the login screen the network is available (would have to be to authenticate the login credentials). Then sometime after they have logged in their connection drops and they lose connection to the Domain Controller (and everything else).

    Questions:

    1. When this happens, can the users see if their Ethernet connection, or Wi-Fi if they use that to connect, is yellow or red in the Network preference pane?

    2. What do you use for IP addresses for the machines: manual, DHCP, 802.1x?

  • Paul_Cossey Level 1 (0 points)

    No - not as yet although I think the problem could lie within our DNS...

  • Paul_Cossey Level 1 (0 points)

    Hi Bruce

    Yes, that's pretty much correct. Although a user doesn't have to be logged in for the problem to occur on the Mac.

    On the few occasions a user has called us without rebooting, I can ARD on to the Mac so there is a network connection, I can ping our domain, servers and the outside world. I can perform NS lookups, I can browse network shares (but I can't copy any data off). I can't connect to any websites from within a web browser.

    All our IP addresses are dished out via a Windows DHCP server (we do have a few Macs that "should" pick up static reservations from our DHCP server).

    Our DNS is also a Windows server.

    Strangely, we've not had it happen en masse since last week. Although we have had a couple of isolated incidents.

    I've also made sure all our Mac clients are fully up to date with the latest patches.

    I have a sneaky suspicion that the problem lies with our DNS; we have a problem whereby the Macs pick up random DNS names that the IP address has had before. I believe this is quite a common problem and we've had it ever since I've been working here.

    Thanks, Paul

  • Bruce Stewart Level 1 (20 points)

    So it sounds like the issue is not that there is no network, just something somewhere not configured correctly.

    Okay, we have had similar DNS issues at the University I work at.

    Try this if you get a chance:

    Do an nslookup on the domain name (not a particular DC). Does it list all of the DCs?

    If so, do a forward and then a reverse lookup for everything that the domain query lists.

    Are there reverses for everything?

    Macs hate names without reverses. Windows clients don't seem to care.

    I have my network admins used to me now so they always put them in. If your DNS is configured properly, it will do it automatically, but I have seen our DNS servers here fail to put in reverse addresses many times. Once they put them in for the server in question, data seems to magically flow.

    That would explain why sometimes it works and sometimes it just stops. If you have one Domain Controller that has a bad DNS entry, then whenever a Mac gets pointed to it, it just stops talking to it. No authentication will happen and all the services provided in the domain just stop working, but the other network services would still work.

    Hope that is of help.
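
Added example, not part of Bruce Stewart's post: the forward-then-reverse check he describes, written as a shell function around `dig`. The function and helper names (`check_domain_reverses`, `resolve_a`, `resolve_ptr`) are chosen here for illustration, and `ad.example.test` in the usage comment is a placeholder for your own AD DNS domain.

```shell
#!/bin/sh
# Forward/reverse DNS consistency check for every address an AD domain
# name resolves to. Helper names are illustrative, not from the thread.

resolve_a()   { dig +short A "$1"; }    # name -> IPv4 address(es)
resolve_ptr() { dig +short -x "$1"; }   # IP   -> PTR name(s)

# Prints one line per address:
#   OK <ip> <name>        PTR exists and the name resolves back to the IP
#   NOPTR <ip>            no reverse record at all
#   MISMATCH <ip> <name>  PTR exists but points at a name that does not
#                         resolve back to this IP (stale or wrong record)
# Returns 0 if all addresses are OK, 1 if any are not, 2 if the domain
# name itself returned no addresses.
check_domain_reverses() {
    domain=$1
    bad=0
    # Keep only dotted-quad lines; dig +short can also print CNAME targets.
    ips=$(resolve_a "$domain" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    [ -n "$ips" ] || { echo "NOADDR $domain"; return 2; }
    for ip in $ips; do
        ptr=$(resolve_ptr "$ip" | head -n 1)
        ptr=${ptr%.}                      # drop the trailing root dot
        if [ -z "$ptr" ]; then
            echo "NOPTR $ip"; bad=1
        elif resolve_a "$ptr" | grep -qxF "$ip"; then
            echo "OK $ip $ptr"
        else
            echo "MISMATCH $ip $ptr"; bad=1
        fi
    done
    return $bad
}

# Usage (placeholder domain):
#   check_domain_reverses ad.example.test || echo "fix reverse zone entries"
```

Any `NOPTR` or `MISMATCH` line identifies an address whose reverse record the DNS administrators need to add or correct.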

  • Paul_Cossey Level 1 (0 points)

    It's been a few weeks now, and (touch wood) it's not happened again en masse. We have had a few individual ones, but nothing major.

    We still don't quite know exactly what happened, but troubleshooting found the following:

    • Our time server wasn't working correctly; Centrify's ADCheck tool showed it as having a firewall (even though it didn't). Our AD guy fixed that problem (sorry, not sure exactly what he did).
    • We checked the AD Kerberos ticket from a machine that lost its connection to AD, on another Mac that worked, and found that it couldn't connect as the password was wrong. It seems that by default the Active Directory ticket wants to change its password every 14, and when trying to it's failing, so I set it to 0.
    • We had tried to set the server the AD plugin sees to a specific DC but this wasn't happening due to subnets not being configured in AD Sites and Services.
    • Some of the Macs did not like being set to GMT in the time zone and the time was an hour out; people were able to log in though! So I've now set them to Europe\London and they're now picking up the correct time and even picked up the daylight savings over the weekend.

    Our DNS is still not great but we are in the process of sorting out our subnets, and when we do the consolidation we'll also assign reservations for all the Macs in the hope that appeases DDNS.

    Thanks, Paul

  • kdurrum Level 1 (0 points)

    Have you tried to ensure that clocks on the workstations match the clock on the server? Set up a time server and ensure that the times stay synced.