Mac OS X 10.8 not binding to Windows domain


























I have five iMacs with OS X 10.8.5. Two of the iMacs are binding to the Windows domain server (2012) successfully. But I can’t bind the remaining three iMac machines, and it is showing authentication error 5202, 5200 error and sometimes it shows 2000 error. It is able to access a Windows share using a domain user ID.



There is no issue when binding any Windows OS version (XP/7/8) to the domain.



I have checked the following things:




  • Verified the time of the iMacs against the Windows server

  • DNS resolution


Please suggest a solution.










      windows macos active-directory














edited Mar 12 '15 at 5:06 by JakeGould

asked Mar 16 '14 at 18:14 by user308211






















          2 Answers
          Are you using 10.0.8 or 10.8? Hopefully the latter. Here's where I'd start:

          1. Try running dsconfigad -show and make sure that the computer account matches what you see in ADU&C on your Windows Server. If your Mac had spaces in the name (e.g., My Cool Mac), your AD server might not be interpreting it correctly. Also make sure your advanced Administrative options are not in conflict.

          2. I've experienced issues on Macs when the 3 different computer names are out of sync. Run scutil and make sure that HostName, ComputerName and LocalHostName are all in sync. You can use the --set option to modify them.

          3. Make sure that the accounts joining to the domain have enough rights to join to the OU you've specified and that the user's AD group has access to log in to the Mac from the network. You can do this from the Directory Utility.


          HTH

















          answered Mar 17 '14 at 19:44 by SaxDaddy












          • I can't add iMac machines to the Windows domain. The dsconfigad -show, for Mac that was already added to domain.
            – user308211
            Mar 19 '14 at 7:22










          • In my experience, joining OSX to AD is not as forgiving as joining a Windows box (go figure). Try using the -force option of dsconfigad to remove it from the domain. Then try adding it back to AD without the -force option. If that fails, try again WITH force. One of these should work. GL.
            – SaxDaddy
            Mar 19 '14 at 18:20
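
The name check from step 2 of the answer above, as an added example that is not part of the original answer. The function names `short_name` and `check_names` are hypothetical, and treating names that differ only in letter case or DNS suffix as "in sync" is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: check that HostName, ComputerName and LocalHostName agree
# before attempting an Active Directory bind.

# short_name NAME -> NAME lower-cased, with everything after the first dot removed
short_name() {
    printf '%s\n' "$1" | cut -d. -f1 | tr '[:upper:]' '[:lower:]'
}

# check_names HOSTNAME COMPUTERNAME LOCALHOSTNAME
# Prints one line per finding; the return status is the number of findings.
check_names() {
    findings=0
    for pair in "HostName=$1" "ComputerName=$2" "LocalHostName=$3"; do
        key=${pair%%=*}
        val=${pair#*=}
        if [ -z "$val" ]; then
            echo "$key is not set"
            findings=$((findings + 1))
        fi
        # The answer singles out names with spaces (e.g. "My Cool Mac").
        case "$val" in
            *" "*)
                echo "$key contains spaces: '$val'"
                findings=$((findings + 1))
                ;;
        esac
    done
    h=$(short_name "$1")
    c=$(short_name "$2")
    l=$(short_name "$3")
    if [ "$h" != "$c" ] || [ "$c" != "$l" ]; then
        echo "names differ: HostName='$1' ComputerName='$2' LocalHostName='$3'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# On a Mac, check the live values. A name that scutil cannot return is passed
# on as whatever scutil printed (possibly nothing) and is flagged either way.
if command -v scutil >/dev/null 2>&1; then
    check_names "$(scutil --get HostName 2>/dev/null)" \
                "$(scutil --get ComputerName 2>/dev/null)" \
                "$(scutil --get LocalHostName 2>/dev/null)" \
        && echo "HostName, ComputerName and LocalHostName agree"
fi
```

Any name that is reported can then be corrected with `scutil --set`, as the answer describes.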


















          We had this error:




          dsconfigad: Authentication server encountered an error while attempting the requested operation. (5202)




          and in the /var/log/opendirectoryd.log:



          ...
          2016-03-10 11:08:30.210484 GMT - AID: 0x0000000000000000 - 1280.6968, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: KRB-ERROR -1765328378/Client (XXXX@YYYY.COM) unknown
          2016-03-10 11:08:30.210505 GMT - AID: 0x0000000000000000 - 1280.6968, Node: /Active Directory, Module: ActiveDirectory - password verify for XXXX@YYYY.COM failed with error -1765328378 - 'Client (XXXX@YYYY.COM) unknown'
          2016-03-10 11:08:30.210574 GMT - AID: 0x0000000000000000 - 1280.6968, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential server error' (5202)
          ...


          joining a machine running 10.11.x that had been unbound from the domain. Nothing would allow it to bind - using either OpenDirectory or dsconfigad.



          The fix was deleting the following:



          /var/db/dslocal/nodes/Default/config/
          /etc/krb5.keytab
          /Library/Preferences/OpenDirectory


          This issue affected two machines which have now been able to successfully bind.















          edited Mar 12 '16 at 12:29 by DavidPostill

          answered Mar 11 '16 at 10:31 by James Blackburn








          • beware: we followed these steps and the machine will no longer boot.
            – Shaun Wilson
            Apr 21 '17 at 22:22
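
A read-only way to interpret the opendirectoryd.log lines quoted in the answer above before changing anything on disk, as an added example that is not part of the original answer or comments. It converts the krb5 library code in each KRB-ERROR entry to its RFC 4120 error number and name. The function names are hypothetical, the first three sample lines are the ones quoted in the answer, and the fourth (clock skew) line is constructed for illustration.

```shell
#!/bin/sh
# Added example: map the krb5 codes logged by opendirectoryd during a failed
# bind to RFC 4120 error numbers and names.

# krb5_rfc_code CODE -> RFC 4120 error number.
# krb5 library codes are the RFC number plus the error-table base -1765328384.
krb5_rfc_code() {
    echo $(( $1 + 1765328384 ))
}

# krb5_meaning N -> "NAME: what to check" for errors commonly seen at bind time
krb5_meaning() {
    case "$1" in
        6)  echo "KDC_ERR_C_PRINCIPAL_UNKNOWN: the KDC has no account for this client; check the account name and realm in AD" ;;
        7)  echo "KDC_ERR_S_PRINCIPAL_UNKNOWN: the KDC has no account for the requested service" ;;
        18) echo "KDC_ERR_CLIENT_REVOKED: the account is disabled or locked" ;;
        24) echo "KDC_ERR_PREAUTH_FAILED: pre-authentication failed, usually a wrong password" ;;
        37) echo "KRB_AP_ERR_SKEW: clock skew too great; compare the Mac's time with the domain controller" ;;
        *)  echo "not in this table; see the error codes in RFC 4120" ;;
    esac
}

# triage_log: read log text on stdin, print one line per distinct KRB-ERROR code
triage_log() {
    sed -n 's/.*KRB-ERROR \(-[0-9][0-9]*\).*/\1/p' | sort -u |
    while read -r code; do
        n=$(krb5_rfc_code "$code")
        echo "$code = KRB error $n, $(krb5_meaning "$n")"
    done
}

# sample_log: lines 1-3 are quoted from the answer, line 4 is constructed.
sample_log() {
    cat <<'EOF'
2016-03-10 11:08:30.210484 GMT - AID: 0x0000000000000000 - 1280.6968, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: KRB-ERROR -1765328378/Client (XXXX@YYYY.COM) unknown
2016-03-10 11:08:30.210505 GMT - AID: 0x0000000000000000 - 1280.6968, Node: /Active Directory, Module: ActiveDirectory - password verify for XXXX@YYYY.COM failed with error -1765328378 - 'Client (XXXX@YYYY.COM) unknown'
2016-03-10 11:08:30.210574 GMT - AID: 0x0000000000000000 - 1280.6968, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential server error' (5202)
2016-03-10 11:09:02.000000 GMT - AID: 0x0000000000000000 - 1280.6968, Node: /Active Directory, Module: ActiveDirectory - krb5.dylib - krb5_get_init_creds: KRB-ERROR -1765328347/Clock skew too great
EOF
}

# With a file argument, triage that log; otherwise run on the embedded sample.
if [ -n "${1:-}" ]; then
    triage_log < "$1"
else
    sample_log | triage_log
fi
```

For the lines quoted in the answer this reports error 6, meaning the KDC did not recognise the principal the Mac presented.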













