Re: Mac OSX Active Directory Connection
- From: William Smith <mecklists@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 20 Jul 2005 22:11:46 -0500
In article <BF043862.722A%b.johns@xxxxxxxxxxxxxxxxxxxxx>,
Barry Johns <b.johns@xxxxxxxxxxxxxxxxxxxxx> wrote:
> I'm trying to connect a Mac running OSX 10.3.9 to an Active Directory on a
> 2003 Server using Directory Access. When I click on bind I get prompted for
> the Network Administrator Username and Password. Here I enter the 2003
> Server's Administrator account details. It goes through the motion of
> binding but then responds with:
>
> Insufficient Privileges
>
> The administrator account you specified does not have the appropriate
> privileges to perform the requested operation.
>
> Can anyone give me any ideas what I'm doing wrong.
>
> Many Thanks in advance.
Hi Barry!
I can only offer you my experiences with this same problem. Sincerely
hope something here will help.
I researched three potential solutions and worked with our AD dude to
implement one of these recently. It seems to have really helped, but
isn't yet 100%.
First, Macs must be time synced within 5 minutes of the domain. If they
aren't, the AD binding will most likely fail.
Of the options below, we've so far done #1 and none of the others yet.
1. If the user account of the person trying to bind the Mac to AD is a
member of too many groups (security groups but possibly also
distribution groups) then the Kerberos ticket may be large and get
truncated during the binding process. Create a new user account with
privileges to only bind the Mac and add it to few, if any, groups.
2. Macs may have a problem with users placed into nested groups. (This
will only apply to AD domains in native mode.) Microsoft's best
practices stipulate that global groups should be placed into local
groups and then local groups should be granted privileges to an object,
such as the Computers container or whatever OU you're trying to create
the new object in. Try granting privileges to the object in AD directly
to the user instead of nesting the user in groups.
3. The user account binding the Mac to AD should need "Create Objects"
permission for the container or OU. You may want to test a user with
full-blown permissions to an AD object to see if you have a permissions
issue. You can restrict permissions from there if this works reliably.
Also have a look at this link for another idea.
<http://macenterprise.org/content/view/157/84/>
With that said, we're still testing and I've even had our AD dude, who
is an Enterprise Administrator, try and fail to bind a Mac. This means
that there is probably more than a permissions issue happening here.
I've found that if I am able to bind a machine right after I've built it
and it works, then that machine will allow me to always bind and unbind.
But if I fail the first time, I can never bind the machine and I have to
rebuild.
I also learned a great way for creating a log file and suggest you use
this to help troubleshoot.
Get the Mac ready to bind. Fill in all the blanks and get to the point
where you're ready to bind. Then from another Mac (not the same Mac)
open an SSH session and enter:
sudo killall -USR1 DirectoryService
You'll go into debug logging mode for five minutes. Then enter the
following on one line and hit the Return key.
tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug
After hitting return you'll see nothing happen. Go to the other Mac and
start the binding process. You should see the Terminal fill with a few
dozen lines of connection information. It's extremely insightful.
Our error was LDAP error -81, which is a generic error. But maybe yours
will be more intelligent.
Hope this helps! bill
--
William M. Smith
(Microsoft Interop MVP)
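The two checks Bill's reply describes, the Kerberos clock-skew limit and the DirectoryService debug capture filtered on ADPlug, as one script. This is an added example, not code from the post or from Apple: the domain controller hostname is a placeholder, ntpdate(8) is assumed to be present on the Mac (it shipped with 10.3), and the sample log lines are constructed because the post does not show the exact ADPlug line format.

```shell
#!/bin/sh
# Added example (not from the original post): scripts the two checks the reply
# describes for a failing AD bind on Mac OS X 10.3, the Kerberos clock-skew
# limit and the DirectoryService debug-log capture filtered on ADPlug.
# Assumptions: ntpdate(8) is available, DC_HOST is a placeholder, and
# SAMPLE_LOG below is constructed, not a real capture.

DC_HOST="${DC_HOST:-dc01.example.com}"    # placeholder: set to your domain controller
DEBUG_LOG=/Library/Logs/DirectoryService/DirectoryService.debug.log
MAX_SKEW=300                              # Kerberos default tolerance: 5 minutes
CAPTURE_SECS=120                          # USR1 debug logging stays on for ~5 minutes

# Constructed sample of filtered debug output (hypothetical format).
SAMPLE_LOG='T[0x1] - ADPlug: LDAP error -81 during bind
T[0x2] - LDAPv3 plugin: LDAP error 49 on another node
T[0x3] - ADPlug: LDAP error -81, retrying'

# ntp_offset: read `ntpdate -q` output on stdin and print the absolute clock
# offset in whole seconds. -q only queries; it never adjusts the local clock.
ntp_offset() {
    awk '
        /offset/ {
            for (i = 1; i <= NF; i++) if ($i == "offset") { v = $(i+1) + 0; break }
            if (v < 0) v = -v
            print int(v); exit
        }'
}

# skew_ok SECONDS: succeed when the skew is inside the Kerberos window.
skew_ok() {
    [ "$1" -le "$MAX_SKEW" ]
}

# ldap_errors: read debug-log text on stdin and print the distinct
# "LDAP error N" codes that appear on ADPlug lines.
ldap_errors() {
    grep ADPlug | sed -n 's/.*\(LDAP error -*[0-9][0-9]*\).*/\1/p' | sort -u
}

# capture_bind_log: switch DirectoryService into debug logging with USR1 (as in
# the post) and follow the ADPlug lines for CAPTURE_SECS while you click Bind.
capture_bind_log() {
    sudo killall -USR1 DirectoryService
    tail -f "$DEBUG_LOG" | grep ADPlug &
    tailer=$!
    sleep "$CAPTURE_SECS"
    kill "$tailer" 2>/dev/null
}

main() {
    skew=$(ntpdate -q "$DC_HOST" | ntp_offset)
    if [ -z "$skew" ]; then
        echo "could not query $DC_HOST with ntpdate; fix DNS or reachability first" >&2
        exit 1
    fi
    if skew_ok "$skew"; then
        echo "clock skew to $DC_HOST is ${skew}s (within ${MAX_SKEW}s)"
    else
        echo "clock skew to $DC_HOST is ${skew}s; Kerberos will reject the bind, sync time first" >&2
        exit 1
    fi
    echo "debug logging on; start the bind in Directory Access now"
    capture_bind_log
}

# Live checks run only when invoked as: sh adbind-debug.sh run
if [ "${1-}" = "run" ]; then
    main
fi
```

Run it from a second Mac over SSH, as the post suggests, so the tail is still visible if the binding Mac's DirectoryService hangs. The skew check comes first because a skew over 300 seconds fails the Kerberos exchange before any ACL on the Computers container is consulted, which would otherwise look like a permissions problem.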