Mark Minasi's Reader Forum
 10.6 Macs becoming unbound from AD Domain
tonyFSMO
Here To Stay

USA
147 Posts
Posted - 04/23/2012 :  11:24:46 AM
Hi All, recently our 10.6 Macs have started unbinding from our AD domain every time they try to change their machine account password. We have no idea why and we have not executed any changes on the AD or Macs recently. Here is a sample of the logs that are being generated. Any ideas would be super helpful:

An Error Event occured. EventID: 0xC000001A
Time Generated: 04/14/2012 10:54:14
Event String: While processing an AS request for target service
krbtgt, the account tonyd did not have a
suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested
etypes were 18. The accounts available etypes
were 23 -133 -128 3 -140.

An Error Event occured. EventID: 0xC000001A
Time Generated: 04/14/2012 10:55:59
Event String: While processing an AS request for target service
krbtgt, the account richt did not have a
suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested
etypes were 18. The accounts available etypes
were 23 -133 -128 3 -140.

An Error Event occured. EventID: 0xC000001A
Time Generated: 04/14/2012 11:05:20
Event String: While processing an AS request for target service
krbtgt, the account marks did not have a
suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested
etypes were 18. The accounts available etypes
were 23 -133 -128 3 -140.
......................... SAD01 failed test systemlog


Tony DiGiorgio
MCITP
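
Added example, not part of the original thread or written by any of its posters: a small Python parser for the "did not have a suitable key" events quoted above. It pulls out the account, the requested etypes and the account's available etypes, and shows whether the two sets overlap. The function names (`parse_events`, `name`) are made up for this illustration, and the sample text is constructed from the output in the post.

```python
import re

# IANA-registered Kerberos encryption type numbers seen in events like these.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed sample modelled on the dcdiag output in the post (lines are wrapped).
SAMPLE = """\
An Error Event occured. EventID: 0xC000001A
Time Generated: 04/14/2012 10:54:14
Event String: While processing an AS request for target service
krbtgt, the account tonyd did not have a
suitable key for generating a Kerberos ticket
(the missing key has an ID of 2). The requested
etypes were 18. The accounts available etypes
were 23 -133 -128 3 -140.
"""

EVENT_RE = re.compile(
    r"Time Generated: (?P<time>\S+ \S+) .*?"
    r"the account (?P<account>\S+) did not have a suitable key .*?"
    r"requested etypes were (?P<req>[-\d ]+)\. "
    r"The accounts available etypes were (?P<avail>[-\d ]+)\."
)

def name(etype):
    # Negative etype numbers are reserved for local (implementation-private) use.
    if etype < 0:
        return f"{etype} (negative, local-use value)"
    return f"{etype} ({ETYPE_NAMES.get(etype, 'unknown')})"

def parse_events(text):
    """Return one dict per 'no suitable key' event found in dcdiag-style text."""
    flat = " ".join(text.split())  # undo the line wrapping before matching
    events = []
    for m in EVENT_RE.finditer(flat):
        req = [int(x) for x in m["req"].split()]
        avail = [int(x) for x in m["avail"].split()]
        events.append({"time": m["time"], "account": m["account"],
                       "requested": req, "available": avail,
                       "common": sorted(set(req) & set(avail))})
    return events

if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        print(e["time"], e["account"], [name(t) for t in e["requested"]],
              [name(t) for t in e["available"]], "overlap:", e["common"] or "none")
```

An empty `common` list means the request asked only for etypes the account holds no key for, which is what the event text itself reports.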

wkasdo
Administrator

Netherlands
7687 Posts
Posted - 04/23/2012 :  2:37:30 PM
Are these 2003 DCs? If so, it's unrelated.

Any chance of getting a client log, from whatever service on a Mac is responsible for changing the computer password?

Make it as simple as you can, but not simpler -- Albert Einstein

tonyFSMO
Here To Stay

USA
147 Posts
Posted - 04/23/2012 :  3:03:50 PM
Hi Wkasdo, thanks for replying. Most of the DCs are 2003, but we do have one 2008 R2 DC in the domain.

How do you want me to send the logs?

The other piece of the puzzle that bothers me is that, to our knowledge, nothing in the environment changed in either AD or on the Mac side, and then one day Mac OS X 10.6 and 10.5 machines started failing. We know the failures start when the Mac tries to change its machine password (about every 14 days), but why all of a sudden does this no longer work? It works for 10.7 Macs?

Tony DiGiorgio
MCITP

wkasdo
Administrator

Netherlands
7687 Posts
Posted - 04/23/2012 :  3:44:48 PM
Tony, I have no idea. I don't know anything about Macs. I do know a bit about Kerberos and the password changing algorithms, so I'm basically just thinking along with you. I'd look at the logs to see if anything stands out.

If you are able to trigger the password change, it would be even better. You could make a network trace.

Make it as simple as you can, but not simpler -- Albert Einstein

Rastor728
Major Contributor

USA
821 Posts
Posted - 04/24/2012 :  10:10:19 AM
I would check out your latest patches to those Mac OSes!

On more than one occasion (used to be a K12 Sys Admin), I have had patches and updates break the AD Binding process (almost always related to DNS changes on OS X) and for me to have all the Macs rejoin the domain. Check out the Apple Support forums and you might see some similar posts if Apple hasn't deleted them already. Apple is very tight on the "type" of post in their support forums; if it sounds too much like complaining and "bad mouthing" their product, the post will come down regardless of accuracy or content.

For me, the worst part of playing golf, by far, has always been hitting the ball...Dave Barry

tonyFSMO
Here To Stay

USA
147 Posts
Posted - 04/24/2012 :  10:13:23 AM
Thanks guys, we've engaged Apple Enterprise support and Microsoft. I'll let you know what we find.


Tony DiGiorgio
MCITP
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi