  1. #1


    Macs and Ubuntu randomly losing trust with Active Directory

    We have approx 60 Macs (mix of eMacs, iMacs, Mac minis) and a G5 Xserve all running Leopard (or Leopard Server in the case of the Xserve). All desktop machines are binded (?!) to Open Directory on the Xserve and Active Directory on the multiple Windows Server 2k3 domain controllers.

    Every week since binding them to AD we get 3 or 4 desktop Macs which appear to have lost their trust with Active Directory. We get the green 'everything's cool' light on both the OD and AD connection in Directory Utility, yet we cannot log in with any domain user. If we unbind the problematic Mac, delete the object from AD and rebind it, systems are all go again. There is no obvious pattern, no specific machines that keep losing trust, no specific models, and we've checked the time, which is spot on.

    We also have an Ubuntu 8.04 file server running Samba which in turn authenticates with AD using Likewise Open (set up to authenticate a month ago). Interestingly, no one could access the shares this morning, so after taking a closer look I found, using the 'ls -l' command in the terminal, that the usually assigned group 'domain^users' had been replaced with a gid number. Logging in directly to the server using a network account also failed. This looked rather familiar, so after unbinding the server, deleting its AD account and then rebinding it, all systems were go again and the gids upon running 'ls -l' had turned back into 'domain^users'. Not really what you want for a file server!

    If it makes any difference, all the Macs and the Ubuntu machine are on static IPs.

    After originally thinking that it must be a Mac issue somewhere, I'm now leaning towards it being Server 2003 not liking something. Does anyone have any ideas, pointers or similar experiences?

    Kev

  2. #2

    Geoff's Avatar
    Are the internal clocks drifting apart? IIRC if you don't run an NTP server (or use a trusted external source) and keep everything in sync then eventually Kerberos will fail. It has a ~5min tolerance.

  3. #3


    sync the clocks

  4. #4

    The clocks are all in sync with our internal time server

  5. #5


    check out other posts on this topic

    The time-out-of-sync thing will cause problems, but let's assume that everyone who manages a network keeps their computers in sync. It was a known problem to do with BST but Apple patched that soon after Boot Camp was released, years ago.

    Check the other posts on this topic, it's a big issue that's been discussed before, no fix yet tho.

  6. #6
    TomH's Avatar
    Sounds like the machines are struggling to update their machine password with AD via kpasswd and as such are locking themselves out of AD; they try to do this by default at 14 days.

    Take a look at /Library/Preferences/DirectoryService/ActiveDirectory.plist to see if the last password change coincides with the failure.

    The thing to remember is that OS X always queries AD using its machine account, and not the user credentials, so if the password it holds is incorrect it cannot read the user details.

    Tom

  7. Thanks to TomH from:

    samba_man (12th July 2010)

  8. #7

    Seems like you were spot on, Tom; we've had no trouble in the last couple of months after setting it to not reset its password.

  9. #8
    TomH's Avatar
    Good news!!

    Feel free to add a thanks ;-)

  10. #9
    Richie1972's Avatar
    How do you set a Mac to not reset its machine password?

  11. #10

    If I remember correctly, the terminal command is:

    sudo dsconfigad -passinterval 0

  12. Thanks to samba_man from:

    dayzd (12th July 2010)
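
TomH's diagnosis in post #6 can be checked by comparing the date the client recorded for its last machine-password change with the `pwdLastSet` attribute AD holds for the computer object. The script below is an added example, not part of the original thread: the function names, the 300-second tolerance, the status labels and all sample values are assumptions constructed for illustration, and the client-side date is read by hand from the plist TomH names and supplied as a Unix timestamp.

```shell
#!/bin/sh
# Added example: compare the machine-account password age AD holds with
# the change date the client recorded. All sample values are constructed.

TOLERANCE=300   # seconds of slack allowed between the two timestamps (assumption)

# AD stores pwdLastSet as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
# Convert it to a Unix epoch so it can be compared with the client's date.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# rotation_status CLIENT_EPOCH AD_EPOCH NOW_EPOCH INTERVAL_DAYS
rotation_status() {
    client=$1 ad=$2 now=$3 interval=$4
    if [ "$client" -gt $(( ad + TOLERANCE )) ]; then
        # Client recorded a change AD never stored: consistent with the
        # failed rotation described in the thread (interpretation, assumption).
        echo "client-ahead"
    elif [ "$ad" -gt $(( client + TOLERANCE )) ]; then
        # AD holds a newer password than the client, e.g. the object was reset.
        echo "ad-ahead"
    elif [ "$interval" -eq 0 ]; then
        # Both sides agree, but rotation is switched off (-passinterval 0).
        echo "rotation-disabled"
    elif [ $(( now - client )) -gt $(( interval * 86400 )) ]; then
        # Both sides agree, but the password is older than the interval.
        echo "overdue"
    else
        echo "in-sync"
    fi
}

# Constructed sample: AD last saw a change on 2010-03-01 00:00 UTC, while the
# client recorded one 14 days later, on 2010-03-15 00:00 UTC.
AD_PWDLASTSET=129118752000000000
CLIENT_CHANGED=1268611200
NOW=1268700000
AD_EPOCH=$(filetime_to_epoch "$AD_PWDLASTSET")
echo "status: $(rotation_status "$CLIENT_CHANGED" "$AD_EPOCH" "$NOW" 14)"
```

A host reporting `rotation-disabled` keeps the same machine-account password until it is rebound, so its age in AD is worth tracking separately.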


