
KB-4208: Mac systems stuck in "Disconnected" mode

Centrify Identity Service, Mac Edition

12 April,16 at 11:46 AM

Applies to: All versions of Centrify DirectControl on Mac OS X
 
 
Question:
 
The Mac is connected to the domain and can access network resources (such as network shares) with no issues.
However, looking in the System Preferences > Centrify panel shows the "CentrifyDC mode" as "Disconnected".
Rebooting seems to have no effect and this is causing password synchronisation issues between the Mac and Active Directory.
The only solution seems to be to unbind and rebind the Mac from AD.
 
Why does this happen and how can it be prevented without having to leave and rejoin the domain each time?
 
 
Answer:

Several environmental factors may cause a Mac system to fall into Disconnected mode. The most common scenarios are listed below:

Scenario 1:

If there is a mismatch between what the Mac thinks its own hostname is and what AD thinks the Mac hostname is (and possibly what the DNS hostname is), then the Centrify agent can fall into Disconnected mode:
  1. Log in to the Mac as Local Admin and open the Terminal
  2. Run the command: adinfo
  3. In an environment where all the names line up, the name-specific properties in the output should look like this:
    • Local host name: MAC-HOSTNAME
    • Joined as: MAC-HOSTNAME.domain.com
    • Pre-win2K name: MAC-HOSTNAME
  4. If the names do not match up, then there is a mismatch in the hostname records. To fix this:
  5. Unbind the Mac from the domain and delete the computer object from AD
  6. Delete the DNS record of the Mac from the DNS server
  7. Go to the Mac and run the following commands:
    • sudo scutil --set HostName MAC-HOSTNAME
    • sudo scutil --set LocalHostName MAC-HOSTNAME
    • sudo scutil --set ComputerName MAC-HOSTNAME
    • (Where "MAC-HOSTNAME" is the desired hostname for this Mac in AD)
  8. Once the name properties are all aligned, rebind the Mac to the domain.
This should reset the hostname properties for that machine and it should now be able to retain its connectivity.
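
The name comparison from step 3, as an added shell example (not Centrify's own tooling): it parses the three name fields shown above out of adinfo output and flags a mismatch. The function names and sample text are constructed for illustration, and comparing only the host portion of each name, case-insensitively, is an assumption.

```sh
#!/bin/sh
# Added example: verify that the name fields in `adinfo` output line up.
# Field labels are those shown in this article; sample text is constructed.

# adinfo_field LABEL: print the value of the "LABEL: value" line on stdin.
adinfo_field() {
    awk -F': *' -v label="$1" \
        '$1 == label { v = $2; sub(/[ \t\r]+$/, "", v); print v; exit }'
}

# short_upper NAME: drop any DNS suffix and upper-case the rest, so
# "mac-01.domain.com" and "MAC-01" compare equal (assumption: only the
# host portion matters, and case is ignored).
short_upper() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# check_adinfo_names TEXT: 0 = names match, 1 = mismatch, 2 = field missing.
check_adinfo_names() {
    local_name=$(printf '%s\n' "$1" | adinfo_field "Local host name")
    joined_as=$(printf '%s\n' "$1" | adinfo_field "Joined as")
    prewin2k=$(printf '%s\n' "$1" | adinfo_field "Pre-win2K name")
    if [ -z "$local_name" ] || [ -z "$joined_as" ] || [ -z "$prewin2k" ]; then
        echo "adinfo output is missing a name field" >&2
        return 2
    fi
    l=$(short_upper "$local_name")
    j=$(short_upper "$joined_as")
    p=$(short_upper "$prewin2k")
    if [ "$l" = "$j" ] && [ "$l" = "$p" ]; then
        echo "OK: all names resolve to $l"
        return 0
    fi
    echo "MISMATCH: local=$local_name joined=$joined_as pre-win2K=$prewin2k"
    return 1
}

# Constructed samples: one aligned, one where the local name has drifted.
SAMPLE_OK='Local host name:   mac-hostname
Joined as:         MAC-HOSTNAME.domain.com
Pre-win2K name:    MAC-HOSTNAME
CentrifyDC mode:   connected'
SAMPLE_BAD='Local host name:   Johns-MacBook-Pro
Joined as:         MAC-HOSTNAME.domain.com
Pre-win2K name:    MAC-HOSTNAME
CentrifyDC mode:   disconnected'

check_adinfo_names "$SAMPLE_OK" || true
check_adinfo_names "$SAMPLE_BAD" || true
```

On a joined Mac, the same check runs against live output with: check_adinfo_names "$(adinfo)"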

 


Scenario 2:
 
Machines can also fall into Disconnected mode if their machine passwords (not user passwords) fall out of sync with the password stored in AD.
 
To reset this without having to unbind and rebind the Mac to and from the domain, log in to the Mac as Local Admin, either remotely via SSH or directly, and open the Terminal. Then run the following command(s):
 
  sudo adflush -f -y 

(For older versions of the agent, the equivalent command is just: sudo adflush -f )
 
This will flush the binding information and force the agent to refresh its connections with the domain.
After a few moments, run "adinfo" to see whether the "CentrifyDC mode" status changes to Connected.
If there is no change, use this command to force a machine password reset with AD:
 
  sudo adkeytab -r -u domain_admin_username 
 
(Replace "domain_admin_username" with the appropriate domain admin account) 
 
Once the machine passwords are re-synced and the Centrify agent is in Connected mode again, AD user passwords will also be updated at the next Connected login event.


Other Scenarios:
 
For other possible causes of connectivity issues with Mac systems, please see the following KBs:
 
If the above commands and KBs are unsuccessful in bringing the Mac agent back into Connected status, then try unbinding the machine from AD, deleting the (disabled) computer object from AD, and then rebinding the Mac to the domain.

If the situation persists even after rebinding, then use the following steps to capture debug logs to send to Centrify Support:
  1. Log into the Mac as Local Admin and download the Mac Diagnostic Tool from the following KB:
  2. Open the tool and go to the Debugs / Logs tab
     
  3. Push the buttons in the following order:

    [ 0. Clear Debug Log Files ]
    [ 1. Enable / Disable Debugger ]

     
  4. Open the Terminal and run the commands:

    sudo adflush -f -y   (or just: sudo adflush -f ) 
     
  5. Wait approximately 5 minutes for the agent to attempt the reconnection.
     
  6. Run the second command and wait another 5 minutes:

    sudo adkeytab -r -u domain_admin_username 
     
  7. Verify that the agent is still Disconnected
     
  8. Go back to the Diagnostic Tool and push:

    [ 1. Enable / Disable Debugger ]
    [ 2. Save Debug Log Files to Desktop ]

     
  9. Send the Full_Log_Pack.zip to Centrify Support


 
