Title: Re: [ActiveDir] krbtgt error when joining OS X client

Hmmm,

    These directions look strangely familiar ; )

Don't forget to set your time server... It is THE most common error.

If you have set the Mac to have a Domain Controller as the time server and you still have errors, then you should check the DNS settings.

Brent


From: <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Date: Thu, 5 Aug 2004 10:39:15 -0400
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] krbtgt error when joining OS X client

See if any of this helps as far as getting an AD computer account:

3. Join the Machine to Active Directory
    • Open the Finder, browse to /Applications/Utilities and open Directory Access.
    • If the lock in the lower left corner is in the locked position, click on it and enter the appropriate credentials.
    • Click Active Directory and click Configure; you should then be able to enter your forest name in the Active Directory Forest box, enter your AD domain in the Active Directory Domain box, and finally the name of the computer account you want to use in the Computer ID box.
    • Click the Hide Advanced Options box and, unless you will absolutely need to authenticate users from multiple domains, clear the checkbox.
    • If the machine is a laptop, make sure to cache local accounts (you may also want to do this for desktop users who do not have network home directories). You can also choose to allow AD groups administrative rights to the Mac. By default this is set to Domain & Enterprise Admins.
    • When finished with all your options, click the Bind button.
    • You will be prompted for an account with permissions to add computers to the domain. When entering your account ID, do not prefix it with the NetBIOS name of your domain; the sAMAccountName alone will bind. The default LDAP computer account location is in the CN=Computers area off the root default domain NC. You can change this by adding a fully distinguished path to the Container or OU of your choice.
    • The machine will go through 5 steps and hopefully bind successfully.
    • Go back to the Directory Access application and click the Authentication tab at the top. Under Search, click Custom Path and click Add. A box will pop up and display the Active Directory connector you just added; click Add, then click Apply.
    • If you have successfully bound and added the AD connector to your authentication path, then you can log off and attempt to log in using the sAMAccountName of an Active Directory user.


Troubleshooting AD Authentication

If you have any issues, enable Remote Login in the Sharing section of System Preferences and use another machine to SSH into the Mac. If you are using a Windows box to SSH, there is a free application called PuTTY that you can use; just Google for it.

After ssh'ing into the box with an admin user account, enter the command:

sudo killall -USR1 DirectoryService

This command puts the lookupd daemon in debug logging mode. Then type:

tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug

This tells your shell to read the tail end of the log file and print any new entries to STDOUT.

Now attempt to log in to the machine, and your SSH session will capture what is going on with the AD Plugin.

Kevin Gent
Pearson Digital Learning

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Wednesday, August 04, 2004 12:10 PM
To: Active Directory List
Subject: [ActiveDir] krbtgt error when joining OS X client

Good morning (at least where I am):

I spent yesterday at a client trying to get some Mac OS X 10.3.4 clients to play nice with the enterprise AD. After trying many combinations of settings during the binding phase, we gave up: the Mac could not bind to the DC.

The Mac's system log showed this for every attempt at binding:

/System/Library/Frameworks/Kerberos.framework/Servers/CCacheServer.app/Contents/MacOS/CCacheServer: Starting up.

Aug  3 15:12:50 localhost DirectoryService[211]: Active Directory DS Plugin: Could not determine site for closest DC!

The DC showed this in the security error log:

"The description for Event ID (675) in Source (Security) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: username, username, krbtgt/AB.bigbiz.NET, 0x0, 0x19, 139.27.76.198."

(names and addresses changed)

I can get more detailed about the configuration we were attempting if you think that would help. I have limited experience in an enterprise of this size (worldwide, with several hundred sites). The forest/domain structure did not seem to use child domains. So, the forest name was mo.largeco.net and the domain was ab.bigbiz.net.

Any thoughts definitely appreciated.

nme
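As an added example (not part of any message in this thread), a small Python helper that decodes the unrendered Event 675 text quoted above into its six inserted strings (User Name, User ID, Service Name, Pre-Authentication Type, Failure Code, Client Address) and names the Kerberos failure code from RFC 4120, so the DC-side entry can be read alongside the Mac's debug log. The sample event with code 0x25 is constructed to show the clock-skew case Brent describes.

```python
import re

# Kerberos error codes (RFC 4120, section 7.5.9) that commonly show up in the
# Failure Code field of Windows Security event 675 "Pre-authentication failed".
KRB_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "client principal not in the KDC database; check the account name"),
    0x07: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "service principal not found; check the realm/domain name"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "account disabled, locked out, or outside logon hours"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "wrong password, or a stale key cached on the client"),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "normal first AS exchange: the KDC asks the client to pre-authenticate"),
    0x25: ("KRB_AP_ERR_SKEW", "clock skew beyond the allowed window; point the client at a DC for time"),
}

FIELD_NAMES = ["user_name", "user_id", "service_name", "preauth_type", "failure_code", "client_address"]


def parse_event_675(text):
    """Split the 'part of the event:' tail of an unrendered Event 675 into named fields."""
    marker = "part of the event:"
    idx = text.find(marker)
    if idx < 0:
        raise ValueError("not an unrendered event description")
    tail = text[idx + len(marker):].strip().rstrip('"').rstrip(".")
    parts = [p.strip() for p in re.split(r",\s*", tail)]
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} inserted strings, got {len(parts)}")
    event = dict(zip(FIELD_NAMES, parts))
    event["preauth_type"] = int(event["preauth_type"], 16)   # e.g. 0x0 = none sent yet
    event["failure_code"] = int(event["failure_code"], 16)   # e.g. 0x19
    return event


def explain(event):
    """One-line reading of the event: who asked what, and what the KDC answered."""
    code = event["failure_code"]
    name, hint = KRB_ERRORS.get(code, (f"unknown code 0x{code:02x}", "look it up in RFC 4120 section 7.5.9"))
    return f"{event['client_address']} -> {event['service_name']}: {name} ({hint})"


# Sample 1 is the event quoted in the original post (names and addresses already changed there).
SAMPLE_FROM_THREAD = ('"The description for Event ID (675) in Source (Security) cannot be found. '
                      'The following information is part of the event: username, username, '
                      'krbtgt/AB.bigbiz.NET, 0x0, 0x19, 139.27.76.198."')
# Sample 2 is constructed: same layout, but the KDC rejected the request for clock skew.
SAMPLE_SKEW = ('The following information is part of the event: macuser, macuser, '
               'krbtgt/AB.bigbiz.NET, 0x2, 0x25, 139.27.76.198.')

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_THREAD, SAMPLE_SKEW):
        print(explain(parse_event_675(sample)))
```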