Two readers sent in workarounds for the problem of Mac OS X 10.5 Leopard Macs losing their Active Directory binding and having problems logging in. Both have to do with Kerberos, but take different approaches. (We'd like to hear
if you've tried these.) The first reader uses the Kerberos utility to do a slight reconfiguration. The second reader uses Terminal to delete a corrupt Kerberos file.
Eugene Brodsky in Ontario, Canada, uses the Kerberos utility. The unbinding/binding suggestion from last week didn't work, but this does:
I saw the post on MacWindows, and I may have a workaround for the issue. I've experienced it first-hand: on some of our machines the AD binding sometimes just breaks, and afterwards it's impossible to re-bind.
- The machine loses AD binding; no AD users can log in
- "sudo net ads testjoin" throws something about a missing KDC (instead of the desired response "Join is OK")
- Un-binding and re-binding the machine does not work; Directory Access immediately comes up with an "incorrect credentials" message when attempting to re-bind.
I found that it has to do with the default Kerberos realm. For some reason, it disappears (although edu.mit.Kerberos does not seem to be corrupt), or the system cannot find the KDC in the requested realm. In any case, here's what I've done to rectify the problem a number of times:
- Go to the Kerberos utility (/System/Library/CoreServices/Kerberos.app)
- Edit -> Edit Realms (or Command-E)
- Add your Kerberos realm by clicking the + sign. Don't forget it needs to be all caps (e.g. "FOO.COM").
- Under the "servers" tab, add the address of the KDC (AD domain controller).
- Click Apply, OK, etc.; it will ask for the admin password.
After these steps, the domain binding magically came back and users were able to log in.
There were a couple of times when this didn't work for me, but mostly it did the trick. If the settings above don't work right away, play with them. But this seems to be the right path at least. Hope this helps someone!
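The report above comes down to two settings: a default realm in all caps, and a KDC listed for that realm. The following read-only check of both is an added example, not part of the reader's report or of any Apple tool. It assumes the Kerberos configuration is krb5.conf-style text (as in the edu.mit.Kerberos file the report mentions) whose path you pass in; the function name, FOO.COM and the sample file are constructed.

```sh
#!/bin/sh
# Added example: verifies what the Kerberos utility steps above configure.
# Exit status: 0 ok, 1 no default_realm, 2 realm not all caps,
#              3 no kdc for the realm, 4 file unreadable.
check_krb_realm() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 4; }

    # default_realm is read from the [libdefaults] section only
    realm=$(awk '
        /^[ \t]*\[libdefaults\]/ { in_lib = 1; next }
        /^[ \t]*\[/              { in_lib = 0; next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$conf")
    [ -n "$realm" ] || { echo "no default_realm in [libdefaults]"; return 1; }

    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "realm '$realm' is not all caps"; return 2; }

    # Count kdc entries inside the "REALM = { ... }" block under [realms]
    # (nested sub-blocks inside a realm block are not handled).
    kdcs=$(awk -v realm="$realm" '
        /^[ \t]*\[realms\]/ { in_realms = 1; next }
        /^[ \t]*\[/         { in_realms = 0; in_block = 0; next }
        !in_realms          { next }
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key) }
        key == realm && index($0, "{") { in_block = 1; next }
        in_block && index($0, "}")     { in_block = 0; next }
        in_block && key == "kdc"       { n++ }
        END { print n + 0 }' "$conf")
    [ "$kdcs" -gt 0 ] || { echo "no kdc listed for $realm in [realms]"; return 3; }

    echo "default realm $realm has $kdcs kdc(s)"
}

# Constructed sample: the default realm is named but [realms] has no entry
# for it, so no KDC can be found in the requested realm.
sample=$(mktemp)
printf '[libdefaults]\n\tdefault_realm = FOO.COM\n[realms]\n' > "$sample"
check_krb_realm "$sample" || echo "exit status $?"
rm -f "$sample"
```

Running it before and after the realm edit shows whether the change actually landed in the file.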
Douglas McLaughlin's approach is different (using Terminal to delete a corrupt file), but is still related to a Kerberos file:
We've been experiencing this issue of losing AD login with every model of Mac we have and every version of Mac OS X 10.5 since we've started deploying it (10.5.2 - 10.5.6). Deleting this file with a Terminal sudo rm command allows us to unbind normally and then re-bind the workstation:
This file has either zero bytes in size or it's full of corrupted data. We actually had to hold off upgrading Macs to Leopard because of this problem. When we only had 25 people, there would be one a week. Now that we have 150 we're still seeing the problem five or six times a week. At least now we don't have to re-image the whole workstation each time.
If you've tried either of these workarounds
UPDATE: A number of readers have reported different degrees of success with these approaches. See Readers verify, modify Kerberos fixes for Macs losing AD binding.