In the past we have simply unbound the machine from the domain, then rebound it, and the problem was solved. Unfortunately this time it was not as simple, and we got a very generic error message that read "This computer is unable to access the domain controller for an unknown reason". Great, that doesn't sound good.
Fortunately there are some more detailed logs we can look at, but first we need to enable the debug logging to ensure we capture all the important details of the failure.
Enabling the directory services debug logs
1. Open a terminal window
2. Elevate to root privileges by typing:
sudo su root
3. Type the following two commands (the first sends SIGUSR1 to DirectoryService, which toggles debug logging on; the second follows the debug log):
killall -USR1 DirectoryService
tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log
Now debug logging is enabled, and the tail -f command follows the log, displaying the latest entries live on the screen as you attempt the bind.
Detecting the problem
When we put our Directory Service into debug logging and inspected the logs, we found the following errors straight after attempting to bind the computer to the domain.
Active Directory: Password verify for administrator@TEST.INTERNAL failed with error -1765328230
Client: Directory Utilit, PID: 222, API: dsDoPlugInCustomCall(), Active Directory Used : DAR : Node Ref = 33556364 : Request Code = 84 : Result co$
Plug-in call "dsDoPlugInCustomCall()" failed with error = -14090.
Port: 20831 Call: dsDoPlugInCustomCall() == -14090
What didn't help resolve the problem
- Deleting the computer account in active directory, then unbinding/rebinding
- Unbinding and rebinding to the domain
- Recreating a fresh computer account in active directory and then rebinding
- Ensuring the IP/Host lined up correctly with the domain DNS entries
- Restoring a previous backup (obviously the computer password had changed in the previous backup, but restoring the backup then rebinding the machine to the domain also failed)
Fixing the problem
After doing some research I found a number of people who were experiencing the same issue, and fortunately the fix is fairly easy, but hidden deep! The Kerberos config is located in /var/db/dslocal/nodes/Default/config/ and by deleting these config files we clear out any problematic settings so that they are regenerated on the next bind.
1. If your system is still bound to Active Directory, unbind it. This can be done in Directory Utility by clicking on directory services and unbinding Active Directory.
2. Open a Terminal window
3. Elevate to root privileges by typing:
sudo su root
4. Delete the Kerberos config by typing:
rm -f /var/db/dslocal/nodes/Default/config/Kerberos*
5. Reboot
6. Rebind to the domain. Again this is located in the Directory Utility.
This is a relatively easy fix, but without knowing exactly where to look, it can take a long time to find!
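As an added example (not code from the original post), here is a small POSIX shell helper that scans a saved copy of DirectoryService.debug.log for the two failure signatures shown above and then stashes the Kerberos config files in a backup directory instead of deleting them outright, so they can be put back if the rebind still fails. The function names, the sample log lines (copied from the excerpt above), the config file names and the idea of passing the config directory as an argument (so it can be tried against a scratch copy rather than the live /var/db/dslocal/nodes/Default/config/) are assumptions of this example.

```shell
#!/bin/sh
# Example helper, not part of the original post. Assumes POSIX sh, sed and grep.

# Print the Kerberos error code from the "Password verify ... failed with error"
# line in a DirectoryService debug log excerpt; return 1 if no such line exists.
ad_bind_krb_error() {
    code=$(sed -n 's/.*Password verify for [^ ]* failed with error \(-*[0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# Return 0 if the log also shows the plug-in call failing with -14090.
ad_bind_plugin_failed() {
    grep -q 'dsDoPlugInCustomCall() == -14090' "$1"
}

# Move (rather than rm -f) every Kerberos* file from CONFIG_DIR into BACKUP_DIR
# so the cached settings can be restored. Prints the number of files moved.
stash_kerberos_config() {
    config_dir="$1"; backup_dir="$2"
    mkdir -p "$backup_dir" || return 1
    moved=0
    for f in "$config_dir"/Kerberos*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        mv "$f" "$backup_dir"/ || return 1
        moved=$((moved + 1))
    done
    printf '%s\n' "$moved"
}

# Write the constructed sample log (the lines quoted in the post) to FILE so the
# scan functions can be exercised offline.
write_sample_log() {
    printf '%s\n' \
      'Active Directory: Password verify for administrator@TEST.INTERNAL failed with error -1765328230' \
      'Plug-in call "dsDoPlugInCustomCall()" failed with error = -14090.' \
      'Port: 20831 Call: dsDoPlugInCustomCall() == -14090' > "$1"
}
```

Typical use on a real machine would be `stash_kerberos_config /var/db/dslocal/nodes/Default/config /var/root/krb-config-backup` after unbinding, followed by the reboot and rebind from the steps above.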