TIP: Two Kerberos-related workarounds for Macs losing AD binding

Thursday, February 19, 2009

Two readers sent in workarounds for the problem of Mac OS X 10.5 Leopard Macs losing Active Directory binding and having problems logging in. Both involve Kerberos, but they take different approaches. (We'd like to hear if you've tried these.) The first reader uses the Kerberos utility to do a slight reconfiguration. The second reader uses Terminal to delete a corrupt Kerberos file.

Eugene Brodsky in Ontario, Canada, uses the Kerberos utility. The unbinding/binding suggestion from last week didn't work, but this does:

I saw the post on MacWindows, and I may have a workaround for the issue. I've experienced it first-hand: on some of our machines the AD binding sometimes just “breaks”, and afterwards it's impossible to re-bind.

Symptoms:

  1. The machine loses AD binding; no AD users can log in
  2. "sudo net ads testjoin" throws something about a missing KDC (instead of the desired response "Join is OK")
  3. Un-binding and re-binding the machine does not work; Directory Access immediately comes up with an "incorrect credentials" message when attempting to re-bind.

I found that it has to do with the default Kerberos realm. For some reason, it disappears (although edu.mit.Kerberos does not seem to be corrupt), or the system cannot find the KDC in the requested realm. In any case, here's what I've done to rectify the problem a number of times:

  1. Go to Kerberos utility (/System/Library/CoreServices/Kerberos.app)
  2. Edit -> Edit Realms (or Command-E)
  3. Add your Kerberos realm by clicking the + sign. Don't forget it needs to be all caps (e.g. "FOO.COM").
  4. Under "servers" tab, add the address of the KDC (AD domain controller).
  5. Click Apply, OK, etc, it will ask for admin password.

After these steps, the domain binding magically came back and users were able to log in.

There were a couple of times when this didn't work for me, but mostly it did the trick. If the settings above don't work right away, play with them. But this seems to be the right path at least. Hope this helps someone!

Douglas McLaughlin's approach is different (using Terminal to delete a corrupt file), but it also involves a Kerberos file:

We've been experiencing this issue of losing AD login with every model of Mac we have and every version of Mac OS X 10.5 since we've started deploying it (10.5.2 - 10.5.6). Deleting this file with a Terminal sudo rm command allows us to unbind normally and then re-bind the workstation:

/private/var/db/dslocal/nodes/Default/config/Kerberos:YOURDOMAIN.NET.plist

This file has either zero bytes in size or it's full of corrupted data. We actually had to hold off upgrading Macs to Leopard because of this problem. When we only had 25 people, there would be one a week. Now that we have 150 we're still seeing the problem five or six times a week. At least now we don't have to re-image the whole workstation each time.
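The zero-byte or corrupted state described in the second report can be confirmed before anything is removed. The script below is an added example, not part of either reader's report: the function names and the default quarantine directory are assumptions, and it moves a damaged file aside instead of running `sudo rm`, so a copy remains for inspection.

```bash
#!/bin/bash
# Added example (not from the original reports). Run as root on the affected
# Mac: the dslocal node directory is readable only by root.

# Classify a Kerberos:<REALM>.plist as: missing, empty, corrupt or ok.
kerberos_plist_state() {
    local f="$1"
    [ -e "$f" ] || { echo missing; return; }
    [ -s "$f" ] || { echo empty; return; }          # the zero-byte case
    if [ "$(uname)" = Darwin ] && command -v plutil >/dev/null 2>&1; then
        # plutil -lint exits non-zero when the file is not a parseable plist
        if plutil -lint "$f" >/dev/null 2>&1; then echo ok; else echo corrupt; fi
        return
    fi
    # Off the Mac (e.g. a copied file): check only the XML/binary plist header
    case "$(head -c 8 "$f" | tr -d '\0')" in
        '<?xml'*|bplist00) echo ok ;;
        *) echo corrupt ;;
    esac
}

# Move a damaged file out of the node directory (timestamped) rather than
# deleting it. Healthy or missing files are left alone. Prints the state found.
quarantine_if_damaged() {
    local f="$1" dest="$2" state
    state="$(kerberos_plist_state "$f")"
    case "$state" in
        empty|corrupt)
            mkdir -p "$dest"
            mv "$f" "$dest/$(basename "$f").$(date +%Y%m%d%H%M%S)" ;;
    esac
    echo "$state"
}

# Usage (YOURDOMAIN.NET is the page's placeholder for the AD realm):
#   sudo bash check-krb-plist.sh \
#     "/private/var/db/dslocal/nodes/Default/config/Kerberos:YOURDOMAIN.NET.plist"
# The second argument (quarantine directory) is optional; the default below
# is an assumption chosen for this example.
if [ -n "${1:-}" ]; then
    quarantine_if_damaged "$1" "${2:-/var/root/kerberos-plist-quarantine}"
fi
```

If the script reports `empty` or `corrupt`, continue with the unbind and re-bind steps from the report; a result of `ok` means this file is not the cause on that machine.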

If you've tried either of these workarounds

UPDATE: A number of readers have reported different degrees of success with these approaches. See Readers verify, modify Kerberos fixes for Macs losing AD binding.

This site created and maintained by
Copyright 2009 John Rizzo. All rights reserved.