The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Re-bind to AD Fail (http://hintsforums.macworld.com/showthread.php?t=113977)

rickalanpaul 09-23-2010 08:48 AM

Tested removing DS Prefs, tested Timeout extension
 
Deleted the Preferences folder for Directory Services, restarted, created a brand new object in AD (Dir Util discovers it and that way I don't have to tweak the default OU structure) and...
Still was told that I was using a name/password combination that was invalid.
I tried binding using a name that was not yet in AD and same result.

Worked the timeout solution, tried 5 seconds and even 10 seconds for mdns_timeout, no change, and it did not seem to take any longer to time out.
Even changed the pdns_timeout and that didn't help either.

I tried authenticating with DOMAIN\MyAdminName (as opposed to just MyAdminName which is usually what works) and it was no better.

schwartze, not sure what you are referring to with 'cached credentials' - if you mean the local home, that was not affected and my client's keychains are intact. I turned off AD authentication and she logs in to her local user home and the servers authenticate her as she invokes them.
But our setup may be different. Here we can't use guest accounts and must show blank name and password fields.

Rick

LCMTechnician 10-31-2011 08:06 AM

Hi,
I'd like to know if you ever solved this problem?
I am experiencing the same problems throughout my workplace where sometimes it just won't let me rebind to a network.

I'm also having the issue that some users log on and almost instantly get a message saying 'unable to log you on at the moment'. Sometimes restarting helps, sometimes it needs rebinding. What I don't understand is that if a user uses Mac1, can't log on, moves to Mac2, can't log on. I come up, unbind and rebind Mac2, and the user can use both Mac2 and Mac1. Make any sense?

If you can help, I'd be hugely grateful!
Thanks
LCM Technician

kaptagat 12-02-2011 03:59 AM

The 'unable to log you on at the moment' message can be fixed by editing the auto_master file in the /etc folder.
It is caused by the Mac remembering the last user's credentials for their AD "H" drive, so when someone else logs on, the logon fails.
Simply put a # in front of the /Network/Servers line so the file looks like this:

----------------------------------------------------------------------------
#
# Automounter master map
#
+auto_master # Use directory service
/net -hosts -nobrowse,nosuid
/home auto_home -nobrowse
# /Network/Servers -fstab
/- -static

----------------------------------------------------------------------------

Note, you must restart the Macs to make the change effective.

tlarkin 12-05-2011 01:43 PM

I just realized I was wrong: dsconfigldap is for OD only; dsconfigad is for AD. You can use it to script unbinds, binds, whatever.

Code:

bash-3.2# dsconfigad
Usage: dsconfigad -h
Usage: dsconfigad [-f] [-a computerid] -domain fqdn -u username [-p password]
                  [-lu username] [-lp password] [-ou dn] [-status]
Usage: dsconfigad [-f] -r -u username [-p password] [-lu username]
                  [-lp password]
Usage: dsconfigad -show [-lu username] [-lp password]
Usage: dsconfigad [-lu username] [-lp password] [advoptions]

Usage: dsconfigad -staticmap attribute-type attribute-value [-lu username]
                  [-lp password]
  -a computerid      name of computer to add to domain
  -f                force the process (i.e., join/remove the existing account)
  -r                remove computer from domain
  -lu username      username of a privileged local user
  -lp password      password of a privileged local user
  -u username        username of a privileged network user
  -p password        password of a privileged network user
  -ou dn            fully qualified LDAP DN of container for the computer
                        (defaults to CN=Computers)
  -domain fqdn      fully qualified DNS name of Active Directory Domain
  -show              show current configuration for Active Directory

Advanced Options - User Experience:
  -mobile flag        'enable' or 'disable' mobile user accounts for offline use
  -mobileconfirm flag 'enable' or 'disable' warning for mobile account creation
  -localhome flag    'enable' or 'disable' force home directory to local drive
  -useuncpath flag    'enable' or 'disable' use Windows UNC for network home
  -protocol type      'afp' or 'smb' change protocol used when mounting home
  -shell value        'none' for no shell or specify a default shell '/bin/bash'

Advanced Options - Mappings:
  -uid attribute      name of attribute to be used for UNIX uid field
  -nouid              generate the UID from the Active Directory GUID
  -gid attribute      name of attribute to be used for UNIX gid field
  -nogid              generate the GID from the Active Directory information
  -ggid attribute    name of attribute to be used for UNIX group gid field
  -noggid            generate the group GID from the Active Directory GUID

Advanced Options - Administrative:
  -preferred server  fully-qualified domain name of preferred server to query
  -nopreferred        do not use a preferred server for queries
  -groups "1,2,..."  list of groups that are granted Admin privileges on local
                        workstation
  -nogroups          disable the use of groups for granting Admin privileges
  -alldomains flag    'enable' or 'disable' allow authentication from any domain
  -packetsign flag    'disable', 'allow', or 'require' packet signing
  -packetencrypt flag 'disable', 'allow', or 'require' packet encryption
  -namespace flag    'forest' or 'domain', where forest qualifies all usernames
  -passinterval days  how often to change computer trust account password in days
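
The two fixes in this thread (kaptagat's auto_master edit and tlarkin's scripted unbind/rebind with dsconfigad) combined into one helper script. This is an added example, not code posted in the thread; the domain example.local, the OU, the computer and account names and the AD_BIND_PASSWORD variable are placeholders, and the DSCONFIGAD override is a hook of this script, not a dsconfigad feature.

```bash
#!/bin/bash
# Added example, not from the thread: apply the auto_master fix, then
# force-unbind and rebind the Mac with dsconfigad. Run as root.
set -eu

# Comment out the /Network/Servers map in an auto_master file (default
# /etc/auto_master), keeping a .bak copy and doing nothing if already done.
# Succeeds only when no active /Network/Servers line remains afterwards.
disable_network_servers_map() {
    local map="${1:-/etc/auto_master}"
    if grep -Eq '^[[:space:]]*/Network/Servers' "$map"; then
        cp "$map" "$map.bak"
        sed -i.tmp -E 's|^([[:space:]]*)(/Network/Servers)|\1# \2|' "$map"
        rm -f "$map.tmp"
    fi
    ! grep -Eq '^[[:space:]]*/Network/Servers' "$map"
}

# Force-unbind, then bind into the given domain/OU. The network admin password
# comes from $AD_BIND_PASSWORD; dsconfigad still receives it as a -p argument,
# which other local users can see in a process listing, so run this only on
# the machine being bound and unset the variable afterwards.
# DSCONFIGAD (hypothetical hook) can be set to 'echo' to dry-run the commands.
rebind_to_ad() {
    local domain="$1" computer="$2" ou="$3" user="$4"
    local dscmd="${DSCONFIGAD:-dsconfigad}"
    # -f forces removal even when the computer object is already gone from AD,
    # the state the thread describes after a failed rebind; ignore failure.
    "$dscmd" -f -r -u "$user" -p "$AD_BIND_PASSWORD" || true
    "$dscmd" -f -a "$computer" -domain "$domain" -ou "$ou" \
             -u "$user" -p "$AD_BIND_PASSWORD"
    # Hardening while we are here: mobile accounts with local homes, and
    # required signing/encryption on the LDAP channel (see advoptions above).
    "$dscmd" -mobile enable -mobileconfirm disable -localhome enable
    "$dscmd" -packetsign require -packetencrypt require
}

if [ "${1:-}" = "--run" ]; then
    disable_network_servers_map /etc/auto_master
    rebind_to_ad "example.local" "$(scutil --get ComputerName)" \
                 "OU=Macs,DC=example,DC=local" "adbindadmin"
    dsconfigad -show
    echo "Restart to make the auto_master change effective."
fi
```

Invoke with `--run` on the Mac itself after exporting AD_BIND_PASSWORD; without `--run` the file only defines the functions so it can be sourced or dry-run with DSCONFIGAD=echo.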
