samba_man Posted March 24, 2010

We have approx 60 Macs (mix of eMacs, iMacs, Mac minis) and a G5 Xserve, all running Leopard (or Leopard Server in the case of the Xserve). All desktop machines are bound (?!) to Open Directory on the Xserve and to Active Directory on the multiple Windows Server 2k3 domain controllers. Every week since binding them to AD we get 3 or 4 desktop Macs which appear to have lost their trust with Active Directory. We get the green 'everything's cool' light on both the OD and AD connection in Directory Utility, yet we cannot log in with any domain user. If we unbind the problematic Mac, delete the object from AD and rebind it, systems are all go again. There is no obvious pattern, no specific machines that keep losing trust, no specific models, and we've checked the time, which is spot on.

We also have an Ubuntu 8.04 file server running Samba, which in turn authenticates with AD using Likewise Open (set up to authenticate a month ago). Interestingly, no one could access the shares this morning, so after taking a closer look I found, using the 'ls -l' command in the terminal, that the usually assigned group 'domain^users' had been replaced with a GID number. Logging in directly to the server using a network account also failed. This looked rather familiar, so after unbinding the server, deleting its AD account and then rebinding it, all systems were go again and the GIDs upon running 'ls -l' had turned back into 'domain^users'. Not really what you want for a file server!

If it makes any difference, all the Macs and the Ubuntu machine are on static IPs. After originally thinking that it must be a Mac issue somewhere, I'm now leaning towards it being Server 2003 not liking something. Does anyone have any ideas, pointers or similar experiences?

Kev
Geoff Posted March 24, 2010

Are the internal clocks drifting apart? IIRC, if you don't run an NTP server (or use a trusted external source) and keep everything in sync, then eventually Kerberos will fail. It has a ~5 min tolerance.
samba_man (Author) Posted March 25, 2010

The clocks are all in sync with our internal time server.
BootManager Posted March 25, 2010

The time-out-of-sync thing will cause problems, but let's assume that everyone who manages a network keeps their computers in sync. It was a known problem to do with BST, but Apple patched that soon after Boot Camp was released, years ago. Check the other posts on this topic; it's a big issue that's been discussed before, no fix yet though.
TomH Posted March 25, 2010

Sounds like the machines are struggling to update their machine password with AD via kpasswd and, as such, are locking themselves out of AD; they try to do this by default at 14 days. Take a look at /Library/Preferences/DirectoryService/ActiveDirectory.plist to see if the last password change coincides with the failure. The thing to remember is that OS X always queries AD using its machine account, and not the user credentials, so if the password it holds is incorrect it cannot read the user details.

Tom
samba_man (Author) Posted July 12, 2010

Seems like you were spot on, Tom; we've had no trouble in the last couple of months after setting it to not reset its password.
Richie1972 Posted July 12, 2010

How do you set a Mac to not reset its machine password?
samba_man (Author) Posted July 12, 2010

If I remember correctly, the terminal command is: sudo dsconfigad -passinterval 0
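The check Tom describes (does the last machine-password change in ActiveDirectory.plist line up with the login failures, and is rotation still enabled after dsconfigad -passinterval 0?) can be scripted. This is an added example, not code from the thread or from Apple; the plist key names "AD Advanced Options", "Password Change Interval" and "Password Last Changed" are assumptions and must be matched against the real file on the box, and the plist content is constructed sample data.

```python
import os
import plistlib
from datetime import datetime, timedelta

AD_PLIST = "/Library/Preferences/DirectoryService/ActiveDirectory.plist"

# Constructed sample in the shape of a Leopard ActiveDirectory.plist.
# The key names are assumptions, not taken from the thread.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AD Advanced Options</key>
  <dict>
    <key>Password Change Interval</key>
    <integer>14</integer>
    <key>Password Last Changed</key>
    <date>2010-03-10T02:15:00Z</date>
  </dict>
</dict>
</plist>
"""

def parse_ts(text):
    """Parse an ISO-8601 timestamp (e.g. from a failed-login log line) to a naive UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")

def load_ad_settings(raw):
    """Return (interval_days, last_changed) from raw plist bytes (assumed key names)."""
    adv = plistlib.loads(raw).get("AD Advanced Options", {})
    return adv.get("Password Change Interval"), adv.get("Password Last Changed")

def rotation_status(interval_days, last_changed, now):
    """'disabled' when passinterval is 0/missing, 'ok' before the next due date, else 'overdue'.
    An 'overdue' machine is one whose kpasswd update should already have run; if users can no
    longer log in at that point, the machine account password is the first suspect."""
    if not interval_days:
        return "disabled"
    return "ok" if now < last_changed + timedelta(days=interval_days) else "overdue"

def failure_coincides(last_changed, failure_time, window_hours=24):
    """True if a login failure fell within window_hours of the last machine-password change."""
    return abs(failure_time - last_changed) <= timedelta(hours=window_hours)

if __name__ == "__main__":
    raw = open(AD_PLIST, "rb").read() if os.path.exists(AD_PLIST) else SAMPLE_PLIST
    interval, last = load_ad_settings(raw)
    print("last change:", last, "interval:", interval,
          "status:", rotation_status(interval, last, datetime.utcnow()))
```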