Mac OS X 10.5.2 Special Report: Active Directory issues

CNET staff

Sept. 2, 2009 2:25 a.m. PT

4 min read

Release notes for Mac OS X 10.5.2 Update indicate resolution of an issue that would prevent binding to an Active Directory domain. Most users are finding that while binding is more reliable overall, there still exist a bug where Mac OS X cannot automatically find the Kerberos Key Distribution Center server (KDC, usually the same as the domain controller).

MacFixIt reader Gerrit DeWitt believes that this is due to the fact thatkerberosautoconfig fails to generate a complete edu.mit.Kerberos file.

When the issue manifests, attempts to bind may fail with an invalid user name and password error, even though the user name and password are known to be correct. If binding is successful, users defined in the Active Directory domain may not be able to log in from the login window, especially after a restart. (The login window will shake and reject the user's password as if it was incorrectly typed.)

DeWitt offers the following workaround, which needs to be performed via the Terminal (located in /Applications/Utilities by a local administrator:

Close Directory Utility if it's open. If desired, back-up your current /Library/Preferences/DirectoryService folder and /Library/Preferences/edu.mit.Kerberos file.
Stop the launch daemon that is responsible for running kerberosautoconfig and periodically updating the edu.mit.Kerberos file:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.KerberosAutoConfig.plist

(By using -w, the item will remain unloaded even after restarting the computer.)

In some instances, it is also necessary to unload the launch daemons that are responsible for starting mDNS (Bonjour):

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

and

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponderHelper.plist
Stop the DirectoryService process and delete its configuration files.

a. Issue the following command a few times until you get a "no matching process" error:

sudo killall DirectoryService

b. At this point DirectoryService will be dead for about 10 seconds until launchd reloads it. Before it reloads, delete these configuration files, which house Directory Service and Kerberos settings:

sudo rm -rf /Library/Preferences/DirectoryService sudo rm /Library/Preferences/edu.mit.Kerberos*

I've added the wildcard to edu.mit.Kerberos to include any Kerberos files that were moved and renamed by previous binding attempts.
Tell kerberosautoconfig to generate a valid edu.mit.Kerberos file:

kerberosautoconfig -r REALMNAME -m kdc.server

Replace REALMNAME with your Kerberos Realm, which is usually your DNS zone and suffix in upper-case like this: SOMESCHOOL.EDU

Replace kdc.server with the host name or IP address of your Kerberos Key Distribution Center (KDC), which is usually the same as a domain controller's host name; an example is: win03.someschool.edu

Now you can inspect /Library/Preferences/edu.mit.Kerberos to see that both of the kdc and admin_server directives are available in the [realms] section.
Reload DirectoryService again. Issue this command a few times until you get a "no process" error:

sudo killall DirectoryService
Wait about 10 seconds so that launchd can reload DirectoryService. Now try binding to Active Directory using dsconfigad or the Directory Utility. If adding via advanced options in Directory Utility or via dsconfigad, check to be sure that the Active Directory plugin is active and that the domain is in the authentication search path.

Binding should now be successful. If you still receive an error, try again, but this time unload the mDNS launch daemons as well (optional in step 1).