10.7: Active Directory Binding

Aug 23, '11 07:30:00AM

Contributed by: legsak1mbo

Many people, myself included, seem to be having problems binding 10.7 machines into Active Directory; a cryptic 'Error 5202' seems to be fairly common. Here's the fix that worked on our network.

Initially I managed to get machines to bind by manually creating an edu.mit.Kerberos file and populating it before performing the actual bind. This would work but a reboot would often cause a 'Network Accounts Unavailable' message.

The opendirectoryd logs were full of messages such as 'No preferred destination' and 'Failed to retrieve keychain password for 'MACHINENAME$' module '' node '/Active Directory/DOMAIN'.'

On a whim I tried disabling IPv6 on the Ethernet adapter -- which is apparently no longer possible using the GUI in 10.7. Once I disabled it from the command line, the machine bound without the need to create a Kerberos file and authentication worked perfectly.

You can disable IPv6 from the command line with:

networksetup -setv6off Ethernet

Alternatively, the script below will disable it on all adapters:

#!/bin/sh

# List every network service, dropping the header line and any disabled
# services (both contain an asterisk), then turn IPv6 off on each one.
# Reading line by line keeps service names with spaces intact.
networksetup -listallnetworkservices | grep -v '\*' | while IFS= read -r service
do
	echo "Disabling IPv6 on ${service}"
	networksetup -setv6off "${service}"
done
exit 0

Note: I've read a few things that say that disabling IPv6 can cause problems, but we don't use it on our network and I haven't had any issues yet.

[crarko adds: I haven't tested this one. Looking at the man page for the networksetup command gives -setv6automatic or -setv6manual as the parameters to enter to re-enable IPv6 using the above command.]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20110805100012401