A fix for 2005-003 update and Active Directory issues
I've been using Apple Active Directory plug-in for Directory Services to "bind" a Mac to an Active Directory (AD) computer account ever since 10.3 came out. It has worked like a charm! Users with an AD user account (in a specified AD group) could log onto a Mac that they never had visited before, and would have a local account created for them with administrative rights on the Mac. They could connect to network file shares without authenticating for each connection.

But now, after the latest 003 security update, trying to bind a Mac to an AD computer account stopped working. It gave me an error at the last stage of the bind saying that the user account didn't have sufficient privileges (referring to the AD user account I supplied) to join the Mac to the AD computer account. So, I called up a network administrator to help me troubleshoot it, and here is what we found out.

When you create the computer account in AD, just like always, it inherits the permissions of the organizational unit (OU) it was created in. The admin group I am a member of has full permissions on this OU, so the group was added to the computer account with full permissions.

Before the Apple Security Update 2005-003:
The Apple AD plug-in would be fine with this, and realize that the AD user account supplied during the bind was in an AD group that had sufficient permission to join the Mac to the AD computer account.

After the Apple Security Update 2005-003:
The Apple AD plug-in will not check to see if the AD user account supplied during the bind is a member of an AD group with sufficient permissions to join a Mac to the AD computer account.

The Fix:
The way we were able to get around this was to give my AD user account full permissions for the AD computer account that I was trying to bind the Mac to.
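An added example (not part of the hint) that applies the fix from the AD side: it uses dsacls.exe to check whether the binding account already holds full control on the specific computer object, shows what the object inherited from its OU, and grants full control only when you ask it to. The DN and account name are placeholders.

```powershell
# Added example, not from the hint: inspect, and optionally grant, the bind
# account's rights on one AD computer object with dsacls.exe (Windows Support Tools).
# Placeholder values; replace with your own computer DN and bind account.
$ComputerDN  = "CN=mac-lab-01,OU=Macs,DC=example,DC=com"
$BindAccount = "EXAMPLE\mac-binder"
$Apply       = $false   # set to $true to actually write the ACE

# dsacls with only the object DN prints the object's current ACL.
$acl = & dsacls.exe $ComputerDN
if ($LASTEXITCODE -ne 0) { throw "dsacls could not read $ComputerDN" }

# An allow entry naming the bind account with FULL CONTROL is what the hint's fix produces.
$hasFullControl = $acl | Where-Object {
    $_ -match [regex]::Escape($BindAccount) -and $_ -match "FULL CONTROL"
}

if ($hasFullControl) {
    Write-Host "$BindAccount already has full control on $ComputerDN"
} elseif ($Apply) {
    # /G grants an ACE; GA = generic all (full control), which is what the hint applied.
    & dsacls.exe $ComputerDN /G "${BindAccount}:GA"
    if ($LASTEXITCODE -ne 0) { throw "grant on $ComputerDN failed" }
    Write-Host "Granted full control to $BindAccount on $ComputerDN"
} else {
    Write-Host "$BindAccount lacks full control on $ComputerDN (set Apply to true to grant)"
    # Show the entries that do mention the account, i.e. what OU inheritance gave it,
    # which is the group-based permission the updated plug-in no longer honours.
    $acl | Where-Object { $_ -match [regex]::Escape($BindAccount) }
}
```

Run it as a user with rights to modify the computer object; the read-only pass is safe to run first to confirm the inherited group ACEs are the only ones present.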
A fix for 2005-003 update and Active Directory issues
Authored by: jyu on Mar 24, '05 01:37:30PM

I've seen this problem occasionally since 10.3.7 update and I believe some folks already posted the problem and fix before on this forum site. Normally I don't create a computer account first in AD. The binding process will do that automatically.

When the problem happens, I just double check that IP/DNS/Domain name/Computer name are correct. Restart the Mac a couple of times and the problem will go away.
A fix for 2005-003 update and Active Directory issues
Authored by: allanmarcus on Mar 24, '05 07:18:47PM

This problem started happening to us with 10.3.7. We have not found a solution. Our AD admin, who has complete superuser authority, cannot add a Mac to our development AD, but we can add Macs to our production AD. They're set up the same, as far as we can tell. Very frustrating.

Also, once added to the domain, when I try to authenticate off the domain on a 500 MHz TiBook, the entire computer screen turns into a console and the logon prompt is shown (like when you log in as >console). This is on a fresh OS X 10.3.8 install. Tomorrow I will try again with 10.3.6 and see if it works. I'm betting it will. I'm also going to try to use an OpenLDAP server we have running to provide users and home directory locations. Too bad I can't just use OS X Server, but my management wants us to use OpenLDAP on Linux or AD. :-(
A fix for 2005-003 update and Active Directory issues
Authored by: iteratix on Mar 25, '05 10:13:48AM

This is part of why my organization uses ADmit Mac. Works great and has more features than Apple's implementation.