Mac OS X v10.5: Active Directory - Name and password considerations when binding with Directory Utility or dsconfigad
Products Affected
Mac OS X 10.5, Mac OS X Server 10.5, Microsoft Active Directory
Symptoms
Mac OS X v10.5 includes two utilities used to bind computers to Microsoft Active Directory. Directory Utility is an application, and dsconfigad is a command-line utility accessed through Terminal. Both may be used to configure the Active Directory connector in Directory Utility.
When binding a Mac OS X client to Active Directory or changing the password of an Active Directory account, ensure that the computer names and passwords used in the binding process are fewer than 16 characters long and use only characters that are valid in Active Directory computer account names. Entering a longer computer name or invalid characters may cause binding to Active Directory to fail, or cause Mac OS X to bind to Active Directory with a truncated computer name. Similarly, entering a password longer than 15 characters may cause a different password to be saved than the one entered, requiring a password reset.
Resolution
The dsconfigad utility validates input for computer names and passwords when binding to Active Directory, but Directory Utility does not.
To ensure that the Active Directory connector binds as expected:
- Use dsconfigad to configure Mac OS X client binding to Active Directory, or to change passwords for Active Directory accounts
or
- When binding with Directory Utility, use computer names and passwords that are fewer than 16 characters long and contain only letters (A–Z, a–z), numbers (0–9), - (dash) and/or _ (underscore) characters
Note: Although the underscore character is valid in hostnames, it is not a valid component in a DNS domain name. If the Active Directory domain being bound to contains an underscore in the domain name, binding and services will not function as expected.
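Because Directory Utility does not validate these values itself, they can be checked in Terminal before they are typed in. The following is an added example, not part of the original article or of Apple's tools; the function names are hypothetical, the limits are the ones stated above, and with `LC_ALL=C` the length is counted in bytes.

```shell
#!/bin/sh
# Added example: pre-flight checks for values entered into Directory Utility.
# Limits are taken from the article: fewer than 16 characters, and only
# A-Z a-z 0-9 - _ allowed. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # fixed ASCII ranges; ${#var} then counts bytes
MAX_LEN=15

# valid_length VALUE -> status 0 if VALUE is 1..15 characters long
valid_length() {
    len=${#1}
    [ "$len" -ge 1 ] && [ "$len" -le "$MAX_LEN" ]
}

# valid_charset VALUE -> status 0 if VALUE uses only the listed characters
valid_charset() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_bind_inputs NAME PASSWORD DOMAIN
# Reports every problem on stderr (never echoing the password) and returns
# non-zero if any check fails.
check_bind_inputs() {
    name=$1 password=$2 domain=$3 rc=0
    valid_length "$name" ||
        { echo "computer name: must be 1-$MAX_LEN characters" >&2; rc=1; }
    valid_charset "$name" ||
        { echo "computer name: only A-Z a-z 0-9 - _ allowed" >&2; rc=1; }
    valid_length "$password" ||
        { echo "password: must be 1-$MAX_LEN characters" >&2; rc=1; }
    valid_charset "$password" ||
        { echo "password: only A-Z a-z 0-9 - _ allowed" >&2; rc=1; }
    # Per the note above: an underscore in the DNS domain name breaks binding.
    case "$domain" in
        *_*) echo "domain: contains an underscore" >&2; rc=1 ;;
    esac
    return "$rc"
}
```

Source the file and call `check_bind_inputs` with the computer name, password and domain; a zero exit status means all three satisfy the constraints described in this article.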
Additional Information
For more information about the length and character set requirements for use with Active Directory, see this Microsoft article.