MacOS not correctly joined in Domain



After the update from 4.1.4 to 4.2.1 we had several problems which we were able to solve.
Now we have another problem when joining our MacOS clients to our domain.

Our MacOS clients have an inventory number, e.g. “000448”, which we were using as the host/computer name. Now we get problems when joining them to the domain.

28.08.2017 09:56:41,141 LDAP        (PROCESS): sync to ucs: Resync rejected dn: CN=000448,CN=Computers,DC=domain,DC=intern
28.08.2017 09:56:41,145 LDAP        (PROCESS): sync to ucs:   [windowscomputer] [       add] cn=000448,CN=Computers,dc=twt,dc=intern
28.08.2017 09:56:41,185 LDAP        (ERROR  ): InvalidSyntax: Windows workstation/server name: Value may not contain other than numbers, letters and dots! (cn=000448,CN=Computers,dc=twt,dc=intern)

This error appears since the update; it was possible to use this kind of hostname in version 4.1.4.

Running an s4 search works fine:

univention-s4search -b "CN=000448,CN=Computers,DC=domain,DC=intern"
# record 1
dn: CN=000448,CN=Computers,DC=domain,DC=intern
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: 000448
instanceType: 4
whenCreated: 20170828065954.0Z
uSNCreated: 298066
name: 000448
objectGUID: c08f5cfe-89cf-4e52-b60c-b6141e1ea52e
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 515
objectSid: S-1-5-21-1353050950-283723966-3038142339-4109
accountExpires: 9223372036854775807
sAMAccountName: 000448$
sAMAccountType: 805306369
operatingSystem: Mac OS X
operatingSystemVersion: 10.12.5
dNSHostName: 000448.domain.intern
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=intern
isCriticalSystemObject: FALSE
msDS-SupportedEncryptionTypes: 28
pwdLastSet: 131483771945439930
lastLogonTimestamp: 131483772098738750
servicePrincipalName: vnc/000448.domain.intern
servicePrincipalName: cifs/000448.domain.intern
servicePrincipalName: host/000448.domain.intern
servicePrincipalName: afpserver/000448.domain.intern
whenChanged: 20170828070010.0Z
uSNChanged: 298069
lastLogon: 131483776839469550
logonCount: 3
distinguishedName: CN=000448,CN=Computers,DC=domain,DC=intern

Running list-rejected gives the following output:


UCS rejected

S4 rejected

    1:    S4 DN: CN=000448,CN=Computers,DC=domain,DC=intern
         UCS DN: <not found>
    2:    S4 DN: CN=000448,CN=Computers,DC=domain,DC=intern
         UCS DN: <not found>

	last synced USN: 6020303

New computers with the name N-000446 are created correctly, but authentication isn’t working. Users can’t log in on these new computers.

When joining a new mac to the domain, users are unable to authenticate now…
Is there a way to manage this kind of problem?

EDIT: It seems that these are two separate problems. The naming convention is the less problematic one. The problem is that newly imaged Macs can’t authenticate.


Looks like we solved it. The UCR for dns/backend was set to ldap because of another problem, which seems to have caused these problems. We changed it back to samba4 and the problem disappeared. I think it would be useful to have an SDB article for the UCR dns backend which addresses the differences.


Good day xinput,
thank you for sharing the solution