Binding Mac to Windows Domain

  • Question

  • My team and I have been working for days trying to get the Mac computers in our environment to join our Windows domain, and we have been failing horribly. I'm hoping to see if anyone else has had experience with the kind of problems I'm seeing. To start off with, I don't believe it to be a client issue, as I stood up a test domain and was able to get the Mac to bind to the test domain network without any issues. As a matter of fact, it would appear in the logs that the Mac is basically bound to the domain for about half a second and then basically removes itself from the domain due to a password change issue (client log file below; only the names and IP have been changed to protect the innocent). If you look at the last three lines of the log, it states that it tries to change the computer password and fails; however, on my test domain it's able to change its computer password with no issue. This is what is causing me to believe that there may be a setting somewhere on my DC that is causing this issue. I would appreciate any help that I can get.


    18:00:59.089194 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - Bind Step 5 - Bind/Join computer to domain - 'domain.com'
    18:00:59.090782 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - resolving 'DC.domain.com'
    18:00:59.091431 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - added socket 29 for host 'DC.domain.com:389' address '192.168.1.1' to kqueue list
    18:00:59.092064 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - Setting kerberos server for 'Kerberos:domain.com' to 'DC.domain.com'
    18:00:59.092119 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x92be135fa87d'
    18:00:59.092125 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - switching GSS to cache 'MEMORY:0x92be135fa87d
    18:00:59.092314 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI allow Confidentiality
    18:00:59.092323 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI allow Integrity (signing)
    18:00:59.092343 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI using hostname 'DC.domain.com'
    18:00:59.092342 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - setting realm 'domain.com' for node '/Active Directory/domain.com'
    18:00:59.092350 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI using initiator credential 'DMaccount@domain.com'
    18:00:59.104970 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - Authenticate to LDAP using Kerberos credential - 0
    18:00:59.104995 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - verified connectivity to '192.168.1.1' with socket 29
    18:00:59.105970 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - locating site using domain domain.com using CLDAP
    18:00:59.106749 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - using site of 'New York' from CLDAP
    18:00:59.111621 MST - AID: 0x0000000000000000 - Module: ActiveDirectory - DC userAccountControl = 0x82000
    18:00:59.111638 MST - AID: 0x0000000000000000 - Module: ActiveDirectory - DC userAccountControl = 0x82000
    18:00:59.111648 MST - AID: 0x0000000000000000 - Module: ActiveDirectory - DC userAccountControl = 0x82000
    18:00:59.111654 MST - AID: 0x0000000000000000 - Module: ActiveDirectory - DC userAccountControl = 0x82000
    18:00:59.111701 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - resolving 'DC.domain.com'
    18:00:59.112666 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - added socket 29 for host 'DC.domain.com:389' address '192.168.1.1' to kqueue list
    18:00:59.113013 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - Setting kerberos server for 'Kerberos:domain.com' to 'DC.domain.com'
    18:00:59.113055 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x92be135fa87d'
    18:00:59.113062 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - switching GSS to cache 'MEMORY:0x92be135fa87d
    18:00:59.113224 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - setting realm 'domain.com' for node '/Active Directory/domain.com'
    18:00:59.113290 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI allow Confidentiality
    18:00:59.113297 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI allow Integrity (signing)
    18:00:59.113317 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI using hostname 'DC.domain.com'
    18:00:59.113325 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - GSSAPI using initiator credential 'DMaccount@domain.com'
    18:00:59.120554 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - Authenticate to LDAP using Kerberos credential - 0
    18:00:59.120577 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - verified connectivity to '192.168.1.1' with socket 29
    18:00:59.121636 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
    18:00:59.123483 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - Adding record 'cn=Mac Computer,cn=Computers,dc=domain,dc=com' in 'domain.com'
    18:00:59.250494 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x92be135fa87d'
    18:00:59.250785 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - Trying to find service kdc for realm domain.com flags 2
    18:00:59.252092 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - submissing new requests to new host
    18:00:59.252148 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - host_create: setting hostname 192.168.1.1
    18:00:59.252180 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - connecting to host: tcp 192.168.1.1:kerberos (192.168.1.1) tid: 00040001
    18:00:59.252300 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - connecting to 28 (in progress): tcp 192.168.1.1:kerberos (192.168.1.1) tid: 00040001
    18:00:59.252657 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - writing packet: tcp 192.168.1.1:kerberos (192.168.1.1) tid: 00040001
    18:00:59.256718 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - reading packet: tcp 192.168.1.1:kerberos (192.168.1.1) tid: 00040001
    18:00:59.256754 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - host completed: tcp 192.168.1.1:kerberos (192.168.1.1) tid: 00040001
    18:00:59.256766 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - krb5_sendto_context domain.com done: 0 hosts 1 packets 1 wc: 0.006005 nr: 0.000001 kh: 0.001290 tid: 00040001
    18:00:59.256848 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - tkt: extract key 18/14F1C3AD
    18:00:59.256946 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - krb5_get_credentials_with_flags: domain.com wc: 0.006431
    18:00:59.256958 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - trying to set password
    18:00:59.256963 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - trying to set password using: MS set password in realm domain.com
    18:00:59.256970 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - using TCP since the ticket is large: 2039
    18:00:59.256987 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - Trying to find service change_password for realm domain.com flags 2
    18:00:59.258168 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - submissing new requests to new host
    18:00:59.258224 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - host_create: setting hostname 192.168.1.1
    18:00:59.258247 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - connecting to host: tcp 192.168.1.1:kpasswd (192.168.1.1) tid: 00050001
    18:00:59.258322 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - connecting to 28 (in progress): tcp 192.168.1.1:kpasswd (192.168.1.1) tid: 00050001
    18:00:59.258988 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - writing packet: tcp 192.168.1.1:kpasswd (192.168.1.1) tid: 00050001
    18:00:59.259918 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - reading packet: tcp 192.168.1.1:kpasswd (192.168.1.1) tid: 00050001
    18:00:59.259952 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - host completed: tcp 192.168.1.1:kpasswd (192.168.1.1) tid: 00050001
    18:00:59.259960 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - krb5_sendto_context domain.com done: 0 hosts 1 packets 1 wc: 0.002982 nr: 0.000000 kh: 0.001158 tid: 00050001
    18:00:59.260011 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - set password using MS set password returned: 0 result_code 3
    18:00:59.260053 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for 'Mac Computer$@domain.com' with error 'server only sent error code' (3)
    18:00:59.260060 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - failed to change computer password deleting record - 'cn=Mac Computer,cn=Computers,dc=domain,dc=com'
    18:00:59.266224 MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

    Wednesday, June 22, 2016 7:27 PM
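A way to triage the posted log mechanically, as an added example that is not part of the original post or of Apple's or Microsoft's tooling: the script below walks Open Directory debug lines of the shape shown above, pulls out the computer record that was added, the kpasswd target, the result_code of the "MS set password" exchange and the principal it failed for, maps that code to its RFC 3244 name (result_code 3 is KRB5_KPASSWD_AUTHERROR), and measures how long the computer record existed before the client deleted it. The sample lines are constructed from the posted log with the same placeholder names and IP; the function names are mine.

```python
"""Triage an Open Directory Active Directory bind log for a kpasswd failure.

Added example, not code from the original post. The sample lines below are
constructed from the shape of the posted log (placeholder names and IP).
"""
import re
from datetime import datetime

# kpasswd result codes from RFC 3244 (shared by change-password and the
# Microsoft set-password protocol that the log calls "MS set password").
KPASSWD_RESULT_CODES = {
    0: "KRB5_KPASSWD_SUCCESS",
    1: "KRB5_KPASSWD_MALFORMED",
    2: "KRB5_KPASSWD_HARDERROR",
    3: "KRB5_KPASSWD_AUTHERROR",
    4: "KRB5_KPASSWD_SOFTERROR",
    5: "KRB5_KPASSWD_ACCESSDENIED",
    6: "KRB5_KPASSWD_BAD_VERSION",
    7: "KRB5_KPASSWD_INITIAL_FLAG_NEEDED",
}

# Constructed sample: the tail of the posted bind log, same placeholders.
_P = ("MST - AID: 0x0000000000000000 - 1372.14395, Node: /Active Directory, "
      "Module: ActiveDirectory - ")
SAMPLE_LOG = "\n".join([
    "18:00:59.121636 " + _P + "Computer account either already exists or DC is already Read/Write",
    "18:00:59.123483 " + _P + "Adding record 'cn=Mac Computer,cn=Computers,dc=domain,dc=com' in 'domain.com'",
    "18:00:59.256963 " + _P + "krb5.dylib - trying to set password using: MS set password in realm domain.com",
    "18:00:59.258247 " + _P + "krb5.dylib - connecting to host: tcp 192.168.1.1:kpasswd (192.168.1.1) tid: 00050001",
    "18:00:59.260011 " + _P + "krb5.dylib - set password using MS set password returned: 0 result_code 3",
    "18:00:59.260053 " + _P + "krb5_credential - Changing password failed for 'Mac Computer$@domain.com' "
                              "with error 'server only sent error code' (3)",
    "18:00:59.260060 " + _P + "failed to change computer password deleting record - "
                              "'cn=Mac Computer,cn=Computers,dc=domain,dc=com'",
    "18:00:59.266224 " + _P + "ODNodeCustomCall failed with error 'Credential operation failed' (5103)",
])

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6})")
PATTERNS = {
    "record_added":   re.compile(r"Adding record '([^']+)'"),
    "record_deleted": re.compile(r"deleting record - '([^']+)'"),
    "kpasswd_target": re.compile(r"connecting to host: (tcp|udp) ([\d.]+):kpasswd"),
    "set_password":   re.compile(r"set password using (.+?) returned: (\d+) result_code (\d+)"),
    "principal":      re.compile(r"Changing password failed for '([^']+)'"),
    "od_error":       re.compile(r"ODNodeCustomCall failed with error '([^']+)' \((\d+)\)"),
}


def _ts(line):
    """Timestamp at the start of a debug line (time only, as in the log)."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%H:%M:%S.%f") if m else None


def analyze_bind_log(text):
    """Walk the log once and summarise where the bind stopped."""
    s = {"record_dn": None, "added_at": None, "deleted_at": None,
         "kpasswd_transport": None, "kpasswd_host": None,
         "set_password_method": None, "krb5_return": None,
         "result_code": None, "result_name": None,
         "principal": None, "od_error": None, "lifetime_ms": None}
    for line in text.splitlines():
        line = line.strip()
        if m := PATTERNS["record_added"].search(line):
            s["record_dn"], s["added_at"] = m.group(1), _ts(line)
        elif m := PATTERNS["record_deleted"].search(line):
            s["deleted_at"] = _ts(line)
        elif m := PATTERNS["kpasswd_target"].search(line):
            s["kpasswd_transport"], s["kpasswd_host"] = m.group(1), m.group(2)
        elif m := PATTERNS["set_password"].search(line):
            s["set_password_method"] = m.group(1)
            s["krb5_return"] = int(m.group(2))      # library return value
            code = int(m.group(3))                  # server's kpasswd result
            s["result_code"] = code
            s["result_name"] = KPASSWD_RESULT_CODES.get(code, f"UNKNOWN({code})")
        elif m := PATTERNS["principal"].search(line):
            s["principal"] = m.group(1)
        elif m := PATTERNS["od_error"].search(line):
            s["od_error"] = (m.group(1), int(m.group(2)))
    if s["added_at"] and s["deleted_at"]:
        s["lifetime_ms"] = (s["deleted_at"] - s["added_at"]).total_seconds() * 1000.0
    return s


def verdict(s):
    """One-line triage, including the case where no kpasswd step was reached."""
    code = s["result_code"]
    if code is None:
        return "no kpasswd exchange logged: bind did not reach the set-password step"
    if code == 0 and s["deleted_at"] is None:
        return "set-password succeeded: bind completed"
    where = (f"{s['kpasswd_transport']} {s['kpasswd_host']}:464 (kpasswd)"
             if s["kpasswd_host"] else "kpasswd service")
    return (f"{s['result_name']} (result_code {code}) from {where} while setting the "
            f"password for {s['principal']}; record {s['record_dn']} was created and "
            f"removed within {s['lifetime_ms']:.0f} ms")


if __name__ == "__main__":
    print(verdict(analyze_bind_log(SAMPLE_LOG)))
```

Run it against a full `odutil`/Directory Utility debug log instead of the constructed sample and the verdict names the exact kpasswd result the DC sent, which is the value to correlate with the DC-side event logs rather than the generic "Credential operation failed (5103)" that Open Directory reports last.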

All replies

  • Hi

     Check this similar case (they could not find a solution either): https://discussions.apple.com/thread/5126488?tstart=0

    and check this for interacting with Windows from a Mac environment: https://technet.microsoft.com/en-us/magazine/2008.12.interacting.aspx

    Also, you can check for related logs from the Event Viewer menu on the domain controller.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    • Proposed as answer by Wendy Jiang Thursday, June 30, 2016 6:04 AM
    • Unproposed as answer by AfterSchock Friday, July 1, 2016 1:04 AM
    Wednesday, June 22, 2016 7:38 PM
  • Hi,
    For the Mac configuration and binding to AD domain, you could refer to following articles and check step by step:
    How to Join a Mac to a Windows Domain
    https://www.pluralsight.com/blog/tutorials/join-mac-to-windows-domain
    Joining a Mac OS X to an Active Directory Domain
    http://sammoffatt.com.au/knowledge-base-mainmenu/5-uncategorized/20-joining-a-mac-os-x-to-an-active-directory-domain
    Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wendy Jiang Thursday, June 30, 2016 6:04 AM
    • Unproposed as answer by AfterSchock Friday, July 1, 2016 1:10 AM
    Monday, June 27, 2016 6:37 AM
  • Thanks for the help everyone, but I have read through all of those and they are currently no help. I don't need to know how to join a Mac to a domain. I have done it many times before and have even joined the same Mac I'm currently working on to my "test" domain with no issue. There is a problem with currently getting this to bind to my production environment. Technically the Mac does join the domain for about half a second, then removes itself because it's not able to change its computer password. So the problem resides somewhere on my domain controller. I'm just seeing if anyone else has had this issue and if I have a setting or service disabled that is preventing this final part from completing.
    Friday, July 1, 2016 1:10 AM
  • Hi,
    Have you checked if some group policies are configured to do that?
    In addition, I would suggest you use the Process Monitor tool or the Network Monitor tool to capture where the failure is. It will help us to detect the setting or service which could be disabled, as you said.
    Regards,
    Wendy

    • Proposed as answer by Wendy Jiang Friday, July 8, 2016 7:27 AM
    • Marked as answer by Wendy Jiang Friday, July 15, 2016 8:39 AM
    • Unmarked as answer by AfterSchock Tuesday, July 19, 2016 1:00 AM
    • Unproposed as answer by AfterSchock Tuesday, July 19, 2016 1:00 AM
    Monday, July 4, 2016 2:17 AM