AD authentication to JSS fails randomly

barrya
New Contributor

We are experiencing an odd issue where our AD accounts to the JSS will randomly stop working for 10-20 minutes. No interaction is required to get the logins to the JSS server working again other than to just wait. Local accounts continue to work during this period, so we know the JSS is up and running properly. This has been happening since we started using AD authentication with v8, and we are currently at 8.43. We have tried rebinding, which made no difference. The JSS is running on an Xserve with 10.6.8, and the server itself is not bound to AD. This issue applies both to logging in via the web interface and to using the apps (Casper Admin, etc.).

Thoughts?

Thanks,
Barry


talkingmoose
Moderator

In the JSS, go to the Settings tab --> LDAP Server Connections and test whether you receive results. I would imagine that during this downtime it will fail, but it's the first thing I'd do for testing.

Does your JSS use an authenticated AD account to connect to AD? Do your AD logs show any errors for that account? For testing purposes, change the account to a different known working account (such as your own) to see if that works better.

My gut tells me this is probably a network or DNS issue. We pointed our JSS to a single DNS address that was set up round-robin for our Global Catalog servers. Later, our Network Services folks bypassed change management and decided to point the DNS entry to a load balancer, which broke stuff until we figured out what they did.

Chris
Valued Contributor

We have a similar problem every now and then, when the AD service account used for LDAP lookups and AD bindings gets locked out by the DC. Couldn't find a reason for that yet; the account is used only by the JSS. Weird...

barrya
New Contributor

Thanks for the suggestions. We tried most of this already (not the first time with Macs and AD issues), and I remember a "trick" we had to do when we had Exchange running and the Mac Entourage clients. We needed to edit the settings to point to only one domain controller.

So rather than just pointing to our AD domain (ad.organization.edu), we are now pointing our authentication at a specific domain controller (control2.ad.organization.edu). This has kept us stable since last week. One note of caution: if that controller goes down, someone with a local account will have to log in and change the controller the JSS is pointing to.

I hope this will save someone some time in the future.

-Barry

rmanly
Contributor III

$0.02: We have been doing AD auth to Casper since v7 and have NOT experienced this issue.

The only difference I can see from the provided info is that our server IS bound to AD, although how that would make a bit of difference in the JSS LDAP lookups is not clear.

rdagel
New Contributor II

We have the issue about once every two weeks. When it happens, I go into the JSS, go to the Network pref in System Prefs, go to Advanced and then DNS. I change something, then change it back and save. This always clears the issue, so it has to be some sort of DNS hiccup for us.
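Barry's workaround of pinning the JSS to one domain controller trades intermittent failures for a single point of failure, and rdagel's DNS "hiccup" fits the same picture: a round-robin AD name hands out one address per DC, so one unhealthy DC makes roughly 1/N of LDAP connections fail. The script below is an added example, not code from the thread or from Jamf; it resolves the AD name, probes every address on the LDAP port, and reports which DC is the bad one so the name can be kept and the DC fixed. The hostnames and addresses in it are placeholders, and the resolver and probe are injectable so the logic can be checked without a real directory.

```python
# Added example: find the unhealthy DC behind a round-robin AD name.
import socket
from typing import Callable

LDAP_PORT = 389  # plain LDAP; use 636 if the JSS connection is LDAPS


def resolve_all(hostname: str) -> list[str]:
    """Return every IPv4 address the name resolves to. A round-robin entry
    such as ad.organization.edu yields one address per domain controller."""
    infos = socket.getaddrinfo(hostname, LDAP_PORT, socket.AF_INET,
                               socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def ldap_port_open(ip: str, port: int = LDAP_PORT, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the LDAP port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_directory(hostname: str, port: int = LDAP_PORT,
                    resolver: Callable[[str], list[str]] = resolve_all,
                    probe: Callable[[str, int], bool] = ldap_port_open) -> dict:
    """Resolve the AD name and probe each address it returns.
    With round-robin DNS, each failing DC receives about 1/N of the
    JSS's connection attempts, which shows up as random login failures."""
    addresses = resolver(hostname)
    status = {ip: probe(ip, port) for ip in addresses}
    failing = [ip for ip, ok in status.items() if not ok]
    rate = (len(failing) / len(addresses)) if addresses else 1.0
    return {"hostname": hostname, "status": status,
            "failing": failing, "expected_failure_rate": rate}


if __name__ == "__main__":
    # ad.organization.edu is the placeholder domain name used in the thread.
    report = check_directory("ad.organization.edu")
    for ip, ok in report["status"].items():
        print(f"{ip}: {'ok' if ok else 'LDAP port closed or unreachable'}")
    if report["failing"]:
        print(f"Failing DCs: {', '.join(report['failing'])}")
```

Run it from the JSS host during one of the outage windows; an address that reports unreachable there while the others are fine is the DC to investigate in the AD logs.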