Cannot Bind To Active Directory

06-13-2006, 02:40 PM
I have tried everything.
-DNS and Active Directory are running on Windows 2003 Server.
-All names resolve in both directions for my domain.
-I have disabled "always sign communications" in the appropriate group policy for the Active Directory domain controller.
I still cannot bind on any of my Macs! It's driving me crazy. Any advice?

06-13-2006, 02:56 PM
Are you getting a particular error? "Cannot bind" doesn't tell us much.

Without binding, can you just use an SMB URL to connect to a share on the server?

06-13-2006, 03:00 PM
The first time I try I get "an unknown error has occurred". The second time I get "user does not have access to add to domain" or something along those lines. I am using the domain administrator account to authenticate.
The strangest part is that it does add the computer to the organizational unit in Active Directory!

06-13-2006, 03:06 PM
Did you try connecting to a share, as I requested?

06-13-2006, 03:08 PM
Yes, I can connect to a share. The problem is, I want the Mac to be a file share authenticating against AD. Also, I am running a mail server on the Mac that needs to be bound to AD to authenticate users.

06-13-2006, 03:11 PM
Check the console and system logs for messages immediately after a binding attempt. If you can connect to shares, that should mean that there aren't any issues with packet signing.

06-13-2006, 03:40 PM
Here is the most recent log entry. I get the message:
Insufficient privileges
The administrator account you specified does not have the appropriate privileges to perform the requested operation. (This is with the domain administrator of the AD.) However, after I reboot the computer and run Directory Services again, it tells me that it sees a computer in the list with the same name and asks if I want to designate this machine. (If the machine does not exist in AD it will create it.) It will then hang for a little while and then, after maybe 5 minutes or so, it will give me "an unknown error has occurred". If I try again I get the insufficient privileges error until the next time I reboot. Here is the log that I just received:

Jun 13 16:31:25 filestore01 DirectoryService[201]: reloading replica list from disk.
Jun 13 16:31:25 filestore01 DirectoryService[201]: saving replica list to file.
Jun 13 16:32:03 filestore01 /System/Library/Frameworks/Kerberos.framework/Servers/CCacheServer.app/Contents/MacOS/CCacheServer: Starting up.
Jun 13 16:32:07 filestore01 DirectoryService[201]: reloading replica list from disk.
Jun 13 16:32:07 filestore01 DirectoryService[201]: saving replica list to file.

That is all that seems to be there.

06-13-2006, 04:01 PM
Hmmm. We need to be sure there isn't a problem with the domain controller. Do you have a PC you can try binding (or unbinding and re-binding)?

06-13-2006, 04:02 PM
All the PCs work with no problems, about 100 of them.

06-13-2006, 04:32 PM
I want to explicitly make sure that there's nothing wrong with the account being used for binding. I'm not an AD admin, but if you're getting errors about the admin account you're using you need to verify that this is a misinterpretation on the Mac's end. The way to do this is to try binding a PC, not just knowing that there are already PCs that have bound successfully.

Beyond that, try binding a clean install of OS X to see if the problem is all Macs, or just that one.

06-13-2006, 09:48 PM
What version of OS X, by the way? There were some issues in 10.3.x with AD. Is the DNS being used by your Mac the same as the AD DNS controller(s)? Is it on the same broadcast domain or across any routers?

Active Directory can be very picky. <Says the guy going on his 9th hour of a recovery job on a blown-up AD domain...>

06-13-2006, 10:18 PM
Both 10.3 and 10.4. I have tried 4 Macs with no luck binding; all are using the AD's DNS.

06-13-2006, 11:53 PM
Do a traceroute from the Mac to the domain controller. Do you get just one single return line or more than one?

06-14-2006, 10:13 AM
May sound silly, but at the login prompt when doing the binding, do you specify the exact path to the OU where the CO for the Mac is located? e.g. OU=Users,OU=Mac,DC=...
I've had instances where I couldn't find out why, but unless I specified the proper OU the computer would not bind and got that unknown error.

06-14-2006, 10:19 AM
I tried the traceroute and it times out on the main domain controller, but finds the second domain controller. All traceroute tests on Windows find both... any reason the Mac would not find it?

Another thought... my domain controller is called company-dc01... could the hyphen cause problems?

06-24-2006, 07:48 AM
Having spent weeks of mental torture attempting to bind our Tiger Macs to our massive global AD, I can sympathise with the OP.

Don't know whether my own experience is entirely relevant here, but it might be worth trying the following (potted version!):

Crucially, before you attempt the bind, first set up LDAP so that you can log in to the Mac at startup using a valid AD user account. You can get an LDAP login without the machine needing to be bound.

Once logged in thus, then attempt the bind to AD. If you're logged in to the Mac itself as Admin, Root, or any other local account when you attempt the bind, it will fail, with "unexpected error occurred" etc. (in my environment at least), even though you've been a good boy and entered a valid AD Domain Admin account when prompted by DA during the bind attempt!

In order to get that LDAP login working in the first place, remember to "Write to server" (in the LDAP Search & Mappings screen) when you've finished setting up the OUs in the search base, mappings, DC server setting etc. I've found I need to use the local Admin account when doing Write to Server, to get the settings to actually take effect. Initially, I was trying to 'Write to Server' with an AD Domain Admin account credentials. The screen seems to encourage you to do that because it includes a Domain box. Worse, there is no feedback whatsoever to tell you whether the settings were written or not (FFS Apple, shake a leg will yer!). Just use Admin and the password and leave the Domain empty.

EDIT> Map the User's UniqueID to uSNCreated in the Search & Mappings screen (i.e. with UniqueID highlighted on the left, replace the value on the right with uSNCreated). uSNCreated is an attribute with a numeric and unique value (which is what OS X wants) that exists in most AD schema in the user's AD account and will suffice for the purpose of getting that one-time LDAP login to work so you can in turn achieve the AD machine bind.

When you now reboot and try to log in as an AD user via LDAP, you'll either succeed (Hoorah!) or get 'the shakes' :( If the latter, log in as Admin and thoroughly check the LDAP settings - OU search paths, AD attributes, enter Distinguished name (CN=*****, OU= blah, DC=blah... ) and password of an authorised AD account in the Security tab ('Use authentication when connecting'). Remember to Write to Server in the search mappings screen after any of these settings are changed else they'll be ignored. And, of course, tell DA to use the LDAP settings (under the Authentication tab, Custom, Add)!

I can now effortlessly bind or unbind any Mac client or server machine properly to our AD. Once you've got the bind to AD working, you can change the DA Authentication to use the AD settings and remove the LDAP settings from the list, and uncheck (disable) LDAP on the main DA screen (ensure the Active Directory box is checked, if not already).

I hope the above helps in some way. Please let me know how you get on.

09-01-2006, 08:27 PM
Just something to try very quickly, on the domain controller(s) determine that all the addresses of the domain controllers are reachable from the Mac, i.e. nslookup mydomain.com
and then ping each and every address record.
I had VMWare installed on my AD server and when the vmnet interfaces were active I could not get past step 5 of binding, disable the vmnet interfaces and presto, all is good. I am guessing this would also happen with an active pppoe interface or any other kind of RRAS interface.

01-08-2008, 09:12 AM
I can't seem to get my OS X Server to log in with LDAP so that I can get an initial bind working. I think all of my settings are correct; does anyone have more info?

06-30-2008, 05:32 PM
Just ran into an unknown error event myself.

Open up Console (Apps > Utilities > Console) before you use Directory Access to configure the AD bind. With some luck you'll get a useful error message in the console when you get "Unknown Error" in the GUI.

I discovered that the Reverse DNS zone for my subnet was missing from DNS. So make sure you do a forward and reverse look up for your computer and that the results agree with each other.

nslookup osxserver.whatever.com
nslookup <ip address of OSX server>
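The two DNS checks suggested in this thread (resolve the domain name to every domain-controller address and confirm each one is reachable, then confirm forward and reverse lookups for the Mac agree) as an added, runnable example. This is not code from the thread or from Apple; it is a small Python script with a built-in, constructed zone (the names `company.example`, `company-dc01`, `filestore01`, `mailhost` and all addresses are made up) so it runs offline, and it uses the live resolver and a TCP connect to port 389 (LDAP) when you pass a real domain and hostname on the command line.

```python
"""Pre-bind DNS sanity check for a Mac joining an AD domain (added example).

Two checks from the thread:
  1. The domain name should resolve to every DC address, and each of those
     addresses should be reachable and have a PTR inside the domain.  A stray
     interface on a DC (e.g. a VMware vmnet adapter) registered in DNS shows up
     here as an unreachable address.
  2. The Mac's own name should resolve to an address whose PTR resolves back
     to the same name; a missing reverse zone shows up as "no PTR record".
All names and addresses in the DEMO_* tables are constructed for illustration.
"""
import socket
import sys
from typing import Callable, Dict, List, Optional

Forward = Callable[[str], List[str]]       # name -> IPv4 addresses ([] if none)
Reverse = Callable[[str], Optional[str]]   # address -> PTR name, or None
Probe = Callable[[str], bool]              # address -> True if LDAP port answers


def system_forward(name: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(addr: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def ldap_probe(addr: str, timeout: float = 2.0) -> bool:
    """Stand-in for 'ping each address': can we open TCP 389 (LDAP) on it?"""
    try:
        with socket.create_connection((addr, 389), timeout=timeout):
            return True
    except OSError:
        return False


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def check_host(name: str, forward: Forward = system_forward,
               reverse: Reverse = system_reverse) -> List[str]:
    """Forward/reverse agreement for one host (the Mac being bound)."""
    name = _norm(name)
    addrs = forward(name)
    if not addrs:
        return [f"{name}: no A record"]
    problems = []
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"{addr}: no PTR record (reverse zone missing?)")
        elif _norm(ptr) != name:
            problems.append(f"{addr}: PTR is {_norm(ptr)}, expected {name}")
    return problems


def check_domain(domain: str, forward: Forward = system_forward,
                 reverse: Reverse = system_reverse, probe: Probe = ldap_probe) -> List[str]:
    """Every address the domain name resolves to should be a reachable DC in that domain."""
    domain = _norm(domain)
    addrs = forward(domain)
    if not addrs:
        return [f"{domain}: no A records; is the Mac using the AD DNS server?"]
    problems = []
    for addr in addrs:
        if not probe(addr):
            problems.append(f"{addr}: LDAP port not reachable (stray DC interface registered in DNS?)")
        ptr = reverse(addr)
        if ptr is None:
            problems.append(f"{addr}: no PTR record")
        elif not _norm(ptr).endswith("." + domain):
            problems.append(f"{addr}: PTR {_norm(ptr)} is outside {domain}")
    return problems


# Constructed demo zone: 192.168.80.1 is a DC's vmnet address that leaked into
# the domain A records; filestore01 has no PTR; mailhost has a stale PTR.
DEMO_A: Dict[str, List[str]] = {
    "company.example": ["192.0.2.10", "192.0.2.11", "192.168.80.1"],
    "company-dc01.company.example": ["192.0.2.10"],
    "company-dc02.company.example": ["192.0.2.11"],
    "filestore01.company.example": ["192.0.2.50"],
    "mailhost.company.example": ["192.0.2.60"],
}
DEMO_PTR: Dict[str, str] = {
    "192.0.2.10": "company-dc01.company.example",
    "192.0.2.11": "company-dc02.company.example",
    "192.0.2.60": "oldname.company.example",
}
DEMO_UP = {"192.0.2.10", "192.0.2.11"}


def demo_forward(name: str) -> List[str]:
    return list(DEMO_A.get(_norm(name), []))


def demo_reverse(addr: str) -> Optional[str]:
    return DEMO_PTR.get(addr)


def demo_probe(addr: str) -> bool:
    return addr in DEMO_UP


if __name__ == "__main__":
    if len(sys.argv) == 3:   # live run: python dnscheck.py <domain> <mac hostname>
        dom, host = sys.argv[1], sys.argv[2]
        report = check_domain(dom) + check_host(host)
    else:                    # offline run against the constructed zone
        report = check_domain("company.example", demo_forward, demo_reverse, demo_probe)
        report += check_host("filestore01.company.example", demo_forward, demo_reverse)
    print("\n".join(report) if report else "DNS looks consistent")
```

Run it with no arguments to see the three failure modes from the thread reported against the constructed zone; run it as `python dnscheck.py mydomain.com osxserver.mydomain.com` from the Mac to exercise the real resolver. Anything it reports is worth fixing before retrying the bind; an empty report does not prove the bind will work, it only rules out the DNS causes discussed here.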

07-09-2008, 12:57 PM
We are running a similar setup (2k3 server with AD authentication). When binding, place it in the same group as the PCs just as a test, so if you have created a specific container for the Macs, scrap it and add the machine to the same group as the Windows machines. Also, make sure to remove any instance of the Mac in AD to ensure you can bind without any issues. Next, in Directory Access/Utility change the search policy to "custom" for both "contacts" and "authentication". Next, bind with an account that you know is able to bind the PCs. (I would manually bind a Windows machine with this account before trying this to ensure that account is functioning correctly.)

You may have tried these steps already, if not give it a try. By the way, have you ever been able to bind a mac to your system??


07-16-2008, 03:23 PM
This may be irrelevant but I had a problem binding to OD on a 10.5.4 machine. It had been bound to the OD before but now it would not bind. Always got the "unspecified error" even though the computer name was added to OD and such.

I know your question is about AD but in my case I simply re-installed OSX on the computer and then was able to bind to OD. My guess is that there was some plist file somewhere that was corrupt.

08-23-2008, 02:08 AM
I try to bind a 10.4.11 eMac to AD and I get an error that it can't find the container. It says it doesn't exist. IT DOES!! I'm using 10.5 server on the Apple side and Win 2003 for AD. I have a MacBook with 10.5 client and the bind works great.

Binding the 10.4.11 eMac works fine in my test environment. The difference I see (and I'm no AD expert) is that the test system has an AD created/configured in a Windows 2003 Mixed functional level and my production AD is in a native functional level. Can this be my problem?

Help please!!!
I need this fixed in a week for my school district.

08-25-2008, 12:52 PM
Problem solved. Permissions issue in AD.

03-24-2009, 03:22 PM
Hi Bob

What did you find in AD that resolved your issues?

Monkey's description of the problem 8 posts ago is exactly what we are experiencing, and we currently do not use LDAP.


03-25-2009, 10:18 AM
We found that you needed to have an AD account with full rights ( a mirror of administrator). We discovered if your server is running in Enhanced mode (as compared to Mixed Mode), an ordinary AD Domain Admin account will not work.