
10.7: Active Directory Binding Network
Many people, myself included, seem to be having problems binding 10.7 machines into Active Directory; a cryptic 'Error 5202' seems to be fairly common. Here's the fix that worked on our network.

Initially I managed to get machines to bind by manually creating an edu.mit.Kerberos file and populating it before performing the actual bind. This would work but a reboot would often cause a 'Network Accounts Unavailable' message.

The opendirectoryd logs were full of messages such as 'No preferred destination' and 'Failed to retrieve keychain password for 'MACHINENAME$' module '' node '/Active Directory/DOMAIN'.'

On a whim I tried disabling IPv6 on the Ethernet adapter -- which is apparently no longer possible using the GUI in 10.7. Once I disabled it from the command line, the machine bound without the need to create a Kerberos file and authentication worked perfectly.

You can disable IPv6 from the command line with:

networksetup -setv6off Ethernet

Alternatively the script below will disable it on all adapters:
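
#!/bin/sh
# Run as root (for example with sudo).

# Skip the header line and disabled services (both contain "*"), then read the
# list one line at a time so service names with spaces stay intact.
networksetup -listallnetworkservices | grep -vF '*' | while IFS= read -r service
do
	echo "Disabling IPv6 on ${service}"
	networksetup -setv6off "${service}"
done
exit 0
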
Note: I've read a few things that say that disabling IPv6 can cause problems, but we don't use it on our network and I haven't had any issues yet.

[crarko adds: I haven't tested this one. Looking at the man page for the networksetup command gives -setv6automatic or -setv6manual as the parameters to enter to re-enable IPv6 using the above command.]
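
Before switching IPv6 off, it helps to record each service's current IPv6 mode so the change can be rolled back with the re-enable parameter mentioned above. The script below is an added example, not part of the original hint; the function names and sample output are constructed, and it assumes `networksetup -getinfo` reports the mode on a line of the form "IPv6: Automatic".

```shell
#!/bin/sh
# Added example (not from the hint): print a rollback plan before -setv6off.

# stdin: `networksetup -listallnetworkservices` output.
# stdout: enabled services, one per line. The header and disabled services
# both contain "*" and are dropped; names with spaces stay on one line.
enabled_services() {
	grep -vF '*' | grep -v '^[[:space:]]*$'
}

# stdin: `networksetup -getinfo <service>` output. stdout: the IPv6 mode.
# Assumes the mode is reported on a line of the form "IPv6: Automatic".
ipv6_mode() {
	sed -n 's/^IPv6: *//p' | head -n 1
}

# Print the command that undoes -setv6off for service $1 whose mode was $2.
restore_command() {
	case "$2" in
		Automatic) printf 'networksetup -setv6automatic "%s"\n' "$1" ;;
		Off) printf '# "%s": IPv6 was already off\n' "$1" ;;
		*) printf '# "%s": mode "%s", note -setv6manual values by hand\n' "$1" "$2" ;;
	esac
}

# Walk every enabled service on this Mac and print its restore command.
rollback_plan() {
	networksetup -listallnetworkservices | enabled_services |
	while IFS= read -r service; do
		restore_command "$service" "$(networksetup -getinfo "$service" | ipv6_mode)"
	done
}

# Constructed sample output, so the parsers can be exercised off a Mac.
SAMPLE_LIST='An asterisk (*) denotes that a network service is disabled.
Ethernet
*FireWire
Thunderbolt Ethernet'
SAMPLE_INFO='IP address: 10.0.0.25
Router: 10.0.0.1
IPv6: Automatic
IPv6 IP address: none
IPv6 Router: none'

if command -v networksetup >/dev/null 2>&1; then
	rollback_plan
else
	printf '%s\n' "$SAMPLE_LIST" | enabled_services
fi
```

Redirect the output to a file before running the disable script; the lines it prints are the commands to run later to restore IPv6.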
Issues with disabling IPv6
Authored by: mkuron on Aug 23, '11 08:19:03AM

I believe disabling IPv6 will break certain Bonjour-based services (such as iTunes' network sharing).
Also, in today's world of exhausted IPv4 pools, disabling IPv6 can hardly be more than a temporary workaround (as everybody will be going IPv6 sooner or later) and Apple really needs to actually fix the AD issue instead.



Issues with disabling IPv6
Authored by: leamanc on Aug 23, '11 09:47:07AM

Is it Apple's fault, or is AD just problematic with IPv6?



10.7: Active Directory Binding
Authored by: ngonzal on Aug 23, '11 08:45:35AM

I was able to resolve this by:

1. Open Keychain Access (Application/Utilities/Keychain Access)
2. Search for your domain, delete any entries
3. Search for "Active" or "Directory" and delete anything that comes up
4. Open up Disk Utility and repair permissions

That worked for me, although why it happened in the first place isn't clear.



10.7: Active Directory Binding
Authored by: stottm on Aug 23, '11 12:00:54PM

AD Binding in Lion and its ability to locate the network accounts is a known problem. There have been unconfirmed reports that 10.7.2 fixes the problems.

Alternatively, there is the open source Likewise solution now called PowerBroker Identity Services Open Edition. It is free and it lets you bypass the Apple AD support with this third-party support. It's been listed as working in Lion. I haven't had a chance to test it yet.

http://www.beyondtrust.com/Products/PowerBroker-Identity-Services-Open-Edition/



10.7: Active Directory Binding
Authored by: goldie1 on Nov 03, '11 08:16:52PM

I ran both command scripts, but my Lion OS X 10.7.2 has still not disabled IPv6.

Any suggestions on how I can get it to work?



10.7: Active Directory Binding
Authored by: SeaBash on Nov 25, '11 11:39:27AM

@goldie1
There's really only one command to run here, but I assume you meant you tried to run both methods? You need to prepend sudo to the command.

This command runs fine on 10.7.2 (11C73).
I can't speak to whether disabling IPv6 addresses the bigger AD-binding issues on Lion, though.

Here's a quick way to confirm your initial IPv6 settings before disabling (assuming Ethernet)...
networksetup -getinfo Ethernet

You can replace "Ethernet" with other interfaces on your Mac (as the second form of this poster's script does).
List your other interfaces per the command below, and replace interfaces accordingly.
networksetup -listallnetworkservices



10.7: Active Directory Binding
Authored by: clint.pate on Feb 28, '12 06:16:48AM

This error could also relate to Mac time synchronization being more than 5 minutes off from domain (DC) time. Just set the time on the Mac to the same time that the DC is showing and you will automatically see the green dot!


