Applies to: macOS Sierra, macOS High Sierra, Active Directory 2008 R2 functional level and greater, Windows Security Baselines for Active Directory
Our environment currently consists of Mac computers that are bound to Active Directory. Recently we deployed some new Active Directory 2016 domain controllers within our environment. These domain controllers also have a Windows Security Baseline applied as a GPO for security purposes. Windows Security Baselines can be found here.
We immediately started to see issues with Mac computers: the all-too-familiar “Network Accounts are Unavailable” error message at the login screen.
After extensive troubleshooting, we determined that the problem was with the Windows Security Baseline being applied to the domain controllers, and more specifically with this setting:
Domain controller: LDAP server signing requirements, Value = Require signing
Here is the link to the reference article for this security setting.
By default, the macOS directory client does not sign or encrypt the LDAP connections it uses to communicate with Active Directory, so a domain controller that requires signing rejects its binds. The Open Directory client can be configured to sign and encrypt LDAP connections as follows:
dsconfigad -packetencrypt ssl
and, so that the certificate presented on the SSL connection is trusted by the Mac, add it to the System keychain:
/usr/bin/security add-trusted-cert -d -p basic -k /Library/Keychains/System.keychain <path/to/certificate/file>
These commands are described in the Packet signing and encryption section of the following Apple support article:
https://support.apple.com/kb/PH26273?viewlocale=en_US&locale=es_MX
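As an added example (not from the original article or from Apple's documentation), here is a shell pre-flight check that parses dsconfigad -show style output and reports whether a Mac's packet signing and encryption settings will be accepted by a domain controller set to Require signing. It goes slightly beyond the article in also accepting "Packet signing = require", since Microsoft's setting is satisfied by either a signed SASL bind or a TLS/SSL session; the sample output, the corp.example forest name, and the exact "Packet signing" / "Packet encryption" key names are assumptions.

```shell
#!/bin/sh
# Added example: decide whether a Mac's AD packet settings satisfy a DC with
# "LDAP server signing requirements = Require signing". Such a DC accepts an
# LDAP bind only if SASL signing was negotiated or the session uses TLS/SSL,
# so the client needs "Packet signing = require" or "Packet encryption = ssl"
# (the latter is the fix from the article: dsconfigad -packetencrypt ssl).

# Print the value of one "Key = value" line from `dsconfigad -show` output.
# $1: setting name, stdin: the dsconfigad -show text (key names assumed).
ad_setting() {
    awk -F' = ' -v key="$1" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; sub(/[ \t]+$/, "", v); print v; exit }'
}

# Return 0 if the settings satisfy a "Require signing" DC, 1 otherwise.
# $1: packet signing value, $2: packet encryption value.
signing_ok() {
    case "$2" in ssl) return 0 ;; esac
    case "$1" in require) return 0 ;; esac
    return 1
}

# Read a dsconfigad -show transcript on stdin; print "ok" or "will fail".
# Missing keys fall back to "allow", the documented dsconfigad default.
check_dsconfigad_output() {
    input=$(cat)
    sign=$(printf '%s\n' "$input" | ad_setting "Packet signing")
    enc=$(printf '%s\n' "$input" | ad_setting "Packet encryption")
    if signing_ok "${sign:-allow}" "${enc:-allow}"; then
        echo ok
    else
        echo "will fail"
    fi
}

# Constructed sample of the relevant part of `dsconfigad -show` after a
# default bind (forest name is made up).
SAMPLE_DEFAULT='You are bound to Active Directory:
  Active Directory Forest          = corp.example
Advanced Options - Packet signing and encryption
  Packet signing                   = allow
  Packet encryption                = allow'

# Constructed sample of the same Mac after: dsconfigad -packetencrypt ssl
SAMPLE_SSL='  Packet signing                   = allow
  Packet encryption                = ssl'

# Live check on a bound Mac:  dsconfigad -show | check_dsconfigad_output
```

Run the live check on each Mac before the baseline GPO reaches the domain controllers; any machine reporting "will fail" is one that will show "Network Accounts are Unavailable" afterwards.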
Hope this helps!