HomeFeaturesDownloadTutorialFAQManualQuestions?
  1. The Chain To Bind You To Earth Mac Os Pro
  2. The Chain To Bind You To Earth Mac Os X
  3. The Chain To Bind You To Earth Mac Os X
  4. The Chain To Bind You To Earth Mac Os Download
  1. Windows ® operating system: Windows 7 and higher; Macintosh ® operating system: Mac OS Yosemite (version 10.10 and higher) Personalize your experience. Would you like a different type size, background or text color? Learn easy ways to change text size or colors in your browser.
  2. Alternatively, you can select a Coin or Commodity in the middle box to see the prices in BTC and your selected real currency. Click in the right box on 'Show Charts of ALL my Coins' to see the prices of all Coins you have tracked on CoinTracking. (This feature is available only for registered users). All charts can be zoomed with the mouse.

Contents

  • Platform Notes and Installation
  • Usage

Features

Accuracy

AutoDock Vina significantly improves the average accuracy of the binding mode predictions compared to AutoDock 4, judging by our tests on the training set used in AutoDock 4 development.[*]

Additionally and independently, AutoDock Vina has been tested against a virtual screening benchmark called the Directory of Useful Decoys by the Watowich group, and was found to be'a strong competitor against the other programs, and at the top of the pack in many cases'. It should be noted that all six of the otherdocking programs, to which it was compared, are distributed commercially.

AutoDock Tools Compatibility

For its input and output, Vina uses the same PDBQT molecular structure file format used by AutoDock. PDBQT files can be generated (interactively or in batch mode) and viewed using MGLTools. Other files, such as the AutoDock and AutoGrid parameter files (GPF, DPF) and grid map files are not needed.


Binding mode prediction accuracy on the test set. 'AutoDock' refers to AutoDock 4, and 'Vina' to AutoDock Vina 1.

True Fasts and Sabbaths 5 Is this the fast I have chosen: a day for a man to deny himself, to bow his head like a reed, and to spread out sackcloth and ashes? Will you call this a fast and a day acceptable to the LORD? 6 Isn’t this the fast that I have chosen: to break the chains of wickedness, to untie the cords of the yoke, to set the oppressed free and tear off every yoke? To run the dig program on Mac OS X and Linux, follow these steps: Open a terminal window. The procedure to do this depends on the operating system and desktop environment: On Mac OS X, click Applications, click Utilities, and then click Terminal. On Linux, open a terminal window. At the command prompt, type the following command. To access and use all the features of Apple Card, you must add Apple Card to Wallet on an iPhone or iPad with iOS 12.4 or later or iPadOS. To manage Apple Card Monthly Installments, you need an iPhone with iOS 13.2 or later or an iPad with iPadOS 13.2 or later.

Ease of Use

Vina's design philosophy is not to require the user to understand its implementation details, tweak obscure search parameters, cluster results or know advanced algebra (quaternions). All that is required is the structures of the molecules being docked and the specification of the search space including the binding site. Calculating grid maps and assigning atom charges is not needed. The usage summary can be printed with 'vina --help'. The summary automatically remains in sync with the possible usage scenarios.

Implementation Quality

  • By design, the results should not have a statistical bias related to the conformation of the input structure.
  • Attention is paid to checking the syntactic correctness of the input and reporting errors to the user in a lucid manner.
  • The invariance of the covalent bond lengths is automatically verified in the output structures.
  • Vina avoids imposing artificial restrictions, such as the number of atoms in the input, the number of torsions, the size of the search space, the exhaustiveness of the search, etc.

Flexible Side Chains

Like in AutoDock 4, some receptor side chains can be chosen to be treated as flexible during docking.

Speed

AutoDock Vina tends to be faster than AutoDock 4 by orders of magnitude.[*]

Multiple CPUs/Cores

Additionally, Vina can take advantage of multiple CPUs or CPU cores on your system to significantly shorten its running time.

World Community Grid

Qualified projects can run AutoDock Vina calculations for free on the massively parallel World Community Grid.Existing projects using AutoDock Vina there include those targetingAIDS,Malaria,Leishmaniasis andSchistosomiasis.Some of these projects average over 50 years worth of computation per day.


Average time per receptor-ligand pair on the test set.'AutoDock' refers to AutoDock 4, and 'Vina' to AutoDock Vina 1.

License

AutoDock Vina is released under a very permissive Apache license, with few restrictions on commercial or non-commercial use, or on the derivative works.The text of the license can be found here.

Tutorial

If you have never used AutoDock Vina before, please study the Video Tutorial before attempting to use it.

Frequently Asked Questions

Earth

How to get started learning to use Vina?

Watching the video tutorial might be the best way to do that.

What is the meaning or significance of the name 'Vina'? Why was it developed?

Please see this mailing list post.

How accurate is AutoDock Vina?

See Features

It should be noted that the predictive accuracy varies a lot depending on the target, so it makes sense to evaluate AutoDock Vina against your particular target first,if you have known actives, or a bound native ligand structure, before ordering compounds. While evaluating any docking engine in a retrospective virtual screen, it might make sense to select decoys of similar size, and perhaps other physical characteristics,to your known actives.

What is the difference between AutoDock Vina and AutoDock 4?

AutoDock 4 (and previous versions) and AutoDock Vina were both developed in the Molecular Graphics Lab atThe Scripps Research Institute. AutoDock Vina inherits some of the ideas and approaches of AutoDock 4, such as treating docking as a stochastic global opimization of the scoring function, precalculating grid maps (Vina does that internally), and some other implementation tricks, such asprecalculating the interaction between every atom type pair at every distance. It also uses the same type of structure format (PDBQT) for maximum compatibility with auxiliary software.

However, the source code, the scoring funcion and the actual algorithms used are brand new,so it's more correct to think of AutoDock Vina as a new 'generation' rather than 'version' of AutoDock. The performance was compared in the original publication [*], and on average, AutoDock Vina didconsiderably better, both in speed and accuracy. However, for any given target, either program may provide a better result, even though AutoDock Vina is more likely to do so.This is due to the fact that the scoring functions are different, and both are inexact.

What is the difference between AutoDock Vina and AutoDock Tools?

AutoDock Tools is a module within the MGL Tools software package specifically for generating input (PDBQT files) forAutoDock or Vina. It can also be used for viewing the results.

Can I dock two proteins with AutoDock Vina?

You might be able to do that, but AutoDock Vina is designed only for receptor-ligand docking. There are better programs for protein-protein docking.

Will Vina run on my 64-bit machine?

Yes. By design, modern 64-bit machines can run 32-bit binaries natively.

Why do I get 'can not open conf.txt' error? The file exists!

Oftentimes, file browsers hide the file extension, so while you think you have a file 'conf.txt', it's actually called 'conf.txt.txt'.This setting can be changed in the control panel or system preferences.

You should also make sure that the file path you are providing is correct with respect to the directory (folder) you are in, e.g. if you are referring simply to conf.txt in the command line, make sure you are in the same directory (folder)as this file. You can use ls or dir commands on Linux/MacOS and Windows, respectively, to list the contentsof your directory.

Why do I get 'usage errors' when I try to follow the video tutorial?

The command line options changed somewhat since the tutorial has been recorded. In particular, '--out' replaced '--all'.

Vina runs well on my machine, but when I run it on my exotic Linux cluster, I get a 'boost thread resource' error. Why?

Your Linux cluster is [inadvertantly] configured in such a way as to disallow spawning threads. Therefore, Vina can not run. Contact your system administrator.

Why is my docked conformation different from what you get in the video tutorial?

The docking algorithm is non-deterministic. Even though with this receptor-ligand pair, the minimum of the scoring function corresponds to the correct conformation,the docking algorithm sometimes fails to find it. Try several times and see for yourself. Note that the probability of failing to find the mininum may be different with a different system.

My docked conformation is the same, but my energies are different from what you get in the video tutorial. Why?

The scoring function has changed since the tutorial was recorded, but only in the part that is independent of the conformation:the ligand-specific penalty for flexibility has changed.

Why do my results look weird in PyMOL?

PDBQT is not a standard molecular structure format. The version of PyMOL used in the tutorial (0.99rc6) happens to display it well (because PDBQT is somewhat similar to PDB).This might not be the case for newer versions of PyMOL.

Any other way to view the results?

You can also view PDBQT files in PMV (part of MGL Tools), or convert them into a different file format (e.g. using AutoDock Tools, or with 'save as' in PMV)

How big should the search space be?

As small as possible, but not smaller. The smaller the search space, the easier it is for the docking algorithm to explore it.On the other hand, it will not explore ligand and flexible side chain atom positions outside the search space. You should probably avoid search spaces bigger than 30 x 30 x 30 Angstrom, unless you also increase '--exhaustiveness'.

Why am I seeing a warning about the search space volume being over 27000 Angstrom^3?

This is probably because you intended to specify the search space sizes in 'grid points' (0.375 Angstrom), as in AutoDock 4.The AutoDock Vina search space sizes are given in Angstroms instead. If you really intended to use an unusuallylarge search space, you can ignore this warning, but note that the search algorithm's job may be harder.You may need to increase the value of the exhaustiveness to make up for it. This will lead to longer run time.

The bound conformation looks reasonable, except for the hydrogens. Why?

AutoDock Vina actually uses a united-atom scoring function, i.e. one that involves only the heavy atoms.Therefore, the positions of the hydrogens in the output are arbitrary.The hydrogens in the input file are used to decide which atoms can be hydrogen bond donors or acceptors though,so the correct protonation of the input structures is still important.

What does 'exhaustiveness' really control, under the hood?

In the current implementation, the docking calculation consists of a number of independent runs, starting from random conformations.Each of these runs consists of a number of sequential steps. Each step involves a random perturbation of the conformation followedby a local optimization (using the Broyden-Fletcher-Goldfarb-Shanno algorithm) and a selection in which the step is either accepted or not. Each local optimization involves many evaluations of the scoring function as well asits derivatives in the position-orientation-torsions coordinates.The number of evaluations in a local optimization is guided by convergence and other criteria.The number of steps in a run is determined heuristically, depending on the size and flexibility of the ligand and the flexible side chains. However, the number of runs is set by the exhaustiveness parameter. Since the individual runs are executed in parallel, where appropriate, exhaustiveness also limits the parallelism.Unlike in AutoDock 4, in AutoDock Vina, each run can produce several results: promising intermediate results are remembered.These are merged, refined, clustered and sorted automatically to produce the final result.

Why do I not get the correct bound conformation?

It can be any of a number of things:

  • If you are coming from AutoDock 4, a very common mistake is to specify the search space in 'points' (0.375 Angstrom), instead of Angstroms.
  • Your ligand or receptor might not have been correctly protonated.
  • Bad luck (the search algorithm could have found the correct conformation with good probability, but was simply unlucky). Try again with a different seed.
  • The minimum of the scoring function correponds to the correct conformation, but the search algorithm has trouble finding it. In this case, higher exhaustiveness or smaller search space should help.
  • The minimum of the scoring function simply is not where the correct conformation is. Trying over and over again will not help, but may occasionally give the right answer if two wrongs (inexact search and scoring) make a right. Docking is an approximate approach.
  • Related to the above, the culprit may also be the quality of the X-ray or NMR receptor structure.
  • If you are not doing redocking, i.e. using the correct induced fit shape of the receptor, perhaps the induced fit effects are large enough to affect the outcome of the docking experiment.
  • The rings can only be rigid during docking. Perhaps they have the wrong conformation, affecting the outcome.
  • You are using a 2D (flat) ligand as input.
  • The actual bound conformation of the ligand may occasionally be different from what the X-ray or NMR structure shows.
  • Other problems

How can I tweak the scoring function?

You can change the weights easily, by specifying them in the configuration file,or in the command line. For example

doubles the strenth of all hydrogen bonds.

Functionality that would allow the users to create new atom and pseudo-atom types,and specify their own interaction functions is planned for the future.

This should make it easier to adapt the scoring function to specific targets,model covalent docking and macro-cycle flexibility,experiment with new scoring functions,and, using pseudo-atoms, create directional interaction models.

Stay tuned to the AutoDock mailing list, if you wish to be notified of any beta-test releases.

Why don't I get as many binding modes as I specify with '--num_modes'?

This option specifies the maximum number of binding modes to output. The docking algorithm may find fewer 'interesting' binding modes internally.The number of binding modes in the output is also limited by the 'energy_range', which you may want to increase.

Why don't the results change when I change the partial charges?

AutoDock Vina ignores the user-supplied partial charges. It has its own way of dealing with the electrostatic interactions through the hydrophobic andthe hydrogen bonding terms. See the original publication [*] for details of the scoring function.

I changed something, and now the docking results are different. Why?

Firstly, had you not changed anything, some results could have been different anyway, due to the non-deterministic nature of the search algorithm.Exact reproducibility can be assured by supplying the same random seed to both calculations, but only if all other inputs and parameters are the same as well. Even minor changes to the input can have an effect similar to a new random seed.What does make sense discussing arethe statistical properties of the calculations:e.g. 'with the new protonation state, Vina is much less likely to find the correct docked conformation'.

How do I use flexible side chains?

You split the receptor into two parts: rigid and flexible, with the latter represented somewhat similarly to how the ligand is represented. See the section 'Flexible Receptor PDBQT Files' of the AutoDock4.2 User Guide (page 14) for how to do thisin AutoDock Tools.Then, you can issue this command: vina --config conf --receptor rigid.pdbqt --flex side_chains.pdbqt --ligand ligand.pdbqt.Also see this write-up on this subject.

How do I do virtual screening?

Please see the relevant section of the manual.

Please note that a variety of docking management applications exist to assist you in this task.

I don't have sufficient computing resources to run a virtual screen. What are my options?

You may be able to run your project on the World Community Grid, or use DrugDiscovery@TACC. See Other Software.

I have ideas for new features and other suggestions.

For proposed new features,we like there to be a wide consensus,resulting from a public discussion,regarding their necessity.Please consider starting or joining a discussion on the AutoDock mailing list.

Will you answer my questions about Vina if I email or call you?

No. Vina is community-supported. There is no obligation on the authors to help others with their projects.Please see this page for how to get help.

Platform Notes and Installation

Windows

Compatibility

Vina is expected to work on Windows XP and newer systems.

Installing

Double-click the downloaded MSI file and follow the instructions

Running

Open the Command Prompt and, if you installed Vina in the default location, typeIf you are using Cygwin, the above command would instead beSee the Video Tutorial for details.Don't forget to check out Other Software for GUIs, etc.

Linux

Compatibility

Vina is expected to work on x86 and compatible 64-bit Linux systems.

Installing

Optionally, you can copy the binary files where you want.

Running

If the executable is in your PATH, you can just type 'vina --help' instead.See the Video Tutorial for details.Don't forget to check out Other Software for GUIs, etc.

Mac

Compatibility

The 64 bit version is expected to work on Mac OS X 10.15 (Catalina) and newer.The 32 bit version of Vina is expected to work on Mac OS X from 10.4 (Tiger) through 10.14 (Mojave).

Installing

Optionally, you can copy the binary files where you want.

Running

If the executable is in your PATH, you can just type 'vina --help' instead.See the Video Tutorial for details.Don't forget to check out Other Software for GUIs, etc.

Building from Source

Attention: Building Vina from source is NOT meant to be done by regular users!(these instructions might be outdated)

Step 1: Install a C++ compiler suite

On Windows, you may want to install Visual Studio; on OS X, Xcode; and on Linux, the GCC compiler suite.

Step 2: Install Boost

Install Boost.(Version 1.41.0 was used to compile the official binaries. With other versions, your luck may vary)Then, build and run one of the example programs, such as the Regex example, to confirm that you have completed this step. If you can't do this, please seek help from the Boost community.

Step 3: Build Vina

If you are using Visual Studio, you may want to create three projects: lib, main and split, with the source code from the appropriate subdirectories.

The Chain To Bind You To Earth Mac Os Pro

lib must be a library, that the other projects depend on, and main and split must beconsole applications. For optimal performance, remember to compile using the Release mode.

On OS X and Linux, you may want to navigate to the appropriate build subdirectory, customize the Makefileby setting the paths and the Boost version, and then type

Other Software

Disclaimer: This list is for information purposes only and does not constitute an endorsement.
  • Tools specifically designed for use with AutoDock Vina (in no particular order):
    • MGLTools, which includes AutoDock Tools (ADT) and Python Molecular Viewer (PMV). ADT is required for generating input files for AutoDock Vina, and PMV can be used for viewing the results
    • PyRx can be used to set up docking and virtual screening with AutoDock Vina and to view the results
    • The new Autodock/Vina plugin for PyMOL can be used to set up docking and virtual screening with AutoDock Vina and to view the results
    • Computer-Aided Drug-Design Platform using PyMOL is another plugin for PyMOL that also integrates AMBER, Reduce and SLIDE.
    • AutoGrow uses AutoDock Vina in its rational drug design procedure
    • NNScore will re-score Vina results using an artificial neural network trained on Binding MOAD and PDBBind
    • A Vina GUI layer for Windows by Biochem Lab Solutions can be used to facilitate virtual screening with AutoDock Vina
    • VSDK can be used to faciliate virtual screening with AutoDock Vina
    • PaDEL-ADV can be used to facilitate virtual screening with AutoDock Vina
    • DrugDiscovery@TACC allows you to do virtual screening with AutoDock Vina through their web site
    • NBCR CADD Pipeline provides access to virtual screening with AutoDock Vina on NBCR computers
    • MOLA is a bootable, self-configuring system for virtual screening using AutoDock4/Vina on computer clusters
    • SMINA is a modification of Vina that links with OpenBabel for I/O and supports additional tweaks of the scoring function
    • Off-Target Pipeline is a platform intended to carry out secondary target identification and docking
    • AUDocker can be used to facilitate virtual screening with AutoDock Vina
    • World Community Grid can be used by qualified projects to run AutoDock Vina calculations for free on the massively parallel network of computers, where volunteers donate their idle CPU time.
    • DockoMatic is a graphical user interface intended to facilitate virtual screening with AutoDock and AutoDock Vina.
    • VinaLC is a modification of Vina by the Lawrence Livermore National Laboratory that takes advantage of MPI on computer clusters
  • Other tools that you are likely to find useful while docking or virtual screening with AutoDock Vina:
    • PyMOL is one of the most popular programs for molecular visualization and can be used for viewing the docking results
    • OpenBabel can be used to convert among various structure file formats, assign the protonation states, etc.
    • ChemAxon Marvin can be used to visualize structures, convert among various structure file formats, assign the protonation states, etc.

Usage

Summary

The usage summary can be obtained with 'vina --help':

Configuration file

For convenience, some command line options can be placed into a configuration file.

For example:

In case of a conflict, the command line option takes precedence over the configuration file one.

Search space

The search space effectively restricts where the movable atoms, including those in the flexible side chains, should lie.

Exhaustiveness

With the default (or any given) setting of exhaustiveness, the time spent on the search is already varied heuristically depending on the number of atoms, flexibility, etc. Normally, it does not make sense to spend extra time searching to reduce the probability of not finding the global minimum of the scoring function beyond what is significantly lower than the probability that the minimum is far from the native conformation.However, if you feel that the automatic trade-off made between exhaustiveness and time is inadequate, you can increase the exhaustiveness level. This should increase the time linearly and decrease the probability of not finding the minimum exponentially.

Output

Energy

The predicted binding affinity is in kcal/mol.

RMSD

RMSD values are calculated relative to the best mode and use only movable heavy atoms. Two variants of RMSD metrics are provided, Earthrmsd/lb (RMSD lower bound) and rmsd/ub (RMSD upper bound), differing in how the atoms are matched in the distance calculation:
  • rmsd/ub matches each atom in one conformation with itself in the other conformation, ignoring any symmetry
  • rmsd' matches each atom in one conformation with the closest atom of the same element type in the other conformation (rmsd' can not be used directly, because it is not symmetric)
  • rmsd/lb is defined as follows:rmsd/lb(c1, c2) = max(rmsd'(c1, c2), rmsd'(c2, c1))

Hydrogen positions

Vina uses a united-atom scoring function. As in AutoDock, polar hydrogens are needed in the input structures to correctly type heavy atoms as hydrogen bond donors. However, in Vina, the degrees of freedom that only move hydrogens, such as the hydroxyl group torsions, are degenerate. Therefore, in the output, some hydrogen atoms can be expected to be positioned randomly (but consistent with the covalent structure). For a united-atom treatment, this is essentially a cosmetic issue.

Separate models

All predicted binding modes, including the positions of the flexible side chains are placed into one multimodel PDBQT filespecified by the 'out' parameter or chosen by default, based on the ligand file name. If needed, this file can be splitinto individual models using a separate program called 'vina_split', included in the distribution.

Advanced Options

AutoDock Vina's 'advanced options' are intended to be primarily used by people interested in methods development rather thanthe end users. The usage summary including the advanced options can be shown with

The advanced options allow

  • scoring without minimization
  • performing local optimization only
  • randomizing the input with no search (this is useful for testing docking software)
  • changing the weights from their default values (see the paper[*] for what the weights mean)
  • displaying the individual contributions to the intermolecular score, before weighting (these are shown with '--score_only'; see the paper[2] for what the terms are)

Virtual Screening

You may want to choose some of the tools listed under Other Software to perform virtual screening. Alternatively, if you are familiar with shell scripting, you can do virtual screening without them.

The examples below assume that Bash is your shell. They will need to be adapted to your specific needs.

Windows

To perform virtual screening on Windows, you can either use Cygwin and the Bash scripts below, or, alternatively, adapt them for the Windows scripting language.

Linux, Mac

Suppose you are in a directory containing your receptor receptor.pdbqt and a set of ligands named ligand_01.pdbqt, ligand_02.pdbqt, etc.

You can create a configuration file conf.txt, such as

and dock all ligands with this shell script.The script assumes that vina is in your PATH.Otherwise, modify it accordingly.

PBS Cluster

If you have a Linux Beowulf cluster,you can perform the individual dockings in parallel.

Continuing with our example, instead of executing all the dockings in a loop locally,we will write one *.job script per ligand,and use qsub (a PBS command)to schedule these scripts to be executed by the cluster.

Run this shell script to do it.The script assumes that vina and qsub are in your PATH.Otherwise, modify it accordingly.

Once the jobs have been scheduled, you can monitor their status with

Selecting Best Results

If you are on Unix and in a directory that contains directories with PDBQT files, all of which are AutoDock Vina results,you may find this Python script useful for selecting the top results. Run it as:

to get the file names of the top 10 hits, which can then be easily copied.

History

Brief summaries of changes between versions can be foundhere.

Citation

If you used AutoDock Vina in your work, please cite:
O. Trott, A. J. Olson,AutoDock Vina: improving the speed and accuracy of docking with a new scoring function, efficient optimization and multithreading,Journal of Computational Chemistry 31 (2010) 455-461

Getting Help

Please seethis pageif you have questions about AutoDock Vina.

Reporting Bugs

Potential bug reports are greatly appreciated, even if you are not exactly sure that they are bugs.However, please do not include requests for assistance along with your bug report.See this pageinsead.

Likely bugs:

  • Early termination
  • Failure to terminate
  • Changes of the covalent lengths or of the invariant angles in the output
  • 'Obviously wrong' clashes (check your 'search space' though)
  • Disagreement with the documentation

Likely not bugs:

  • Anything that happens before you run Vina or after it finished
  • Occasional disagreement with the experiment
  • Vina's refusal to open a file that does not exist (e.g. try ls conf.txt to see if the file is really there)

Reporting

You can send your reports to the AutoDock mailing list. Please remember to provide a descriptive 'Subject' line and all of the information needed to reproduce the problem you are seeing.

Home > Articles > Apple > Operating Systems

  1. Troubleshooting Binding Issues
< BackPage 2 of 5Next >
This chapter is from the book
Apple Training Series: Mac OS X Directory Services v10.6: A Guide to Configuring Directory Services on Mac OS X and Mac OS X Server v10.6 Snow Leopard

This chapter is from the book

This chapter is from the book

Apple Training Series: Mac OS X Directory Services v10.6: A Guide to Configuring Directory Services on Mac OS X and Mac OS X Server v10.6 Snow Leopard

Troubleshooting Binding Issues

For the most part, binding to Active Directory should just work. Some conditions, however, will prevent binding. This section introduces potential problem areas and provides instructions on how to resolve them.

Using Command-Line Tools to Confirm Binding

You can confirm that you are bound to Active Directory with the dsconfigad-show command and option, which also shows the status of many Active Directory connector options.

You can also use the dscl or id commands to confirm that Mac OS X is bound to Active Directory. For example:

[A successful bind will display a list of users; not shown here.]

Binding After Imaging

If you use a standard image for Mac OS X, do not bind the image model to Active Directory before making the master image that you will use to image multiple computers. All computers imaged from that master image will use the same computer object in Active Directory, which may cause problems. If you later remove the computer object, all of the Mac OS X computers will be unable to log in with Active Directory user accounts, and you will need to force an unbind, and then rebind each computer to Active Directory.

Using DS Debug Error Logs

If the bind fails, enable directory service debug error logging (see “Troubleshooting Directory Services” in Chapter 1), try the bind again, and look for the phrase “Bind Step” in the DirectoryService.debug.log. You could use the Console application, or at the command line, use the following command:

The following figure shows the this command and the output associated with a successful bind to Active Directory:

For even more information on the bind process, search for “Active Directory:” in the debug log. Be sure to include the colon, otherwise you will see each of the numerous entries that mentions “Active Directory”; the messages relating specifically to binding include the colon character. The following figure illustrates only a portion of the large amount of information in the debug log that starts with “Active Directory:” during a successful bind:

Confirming DNS Service

The binding process is sensitive to DNS records, so make sure that you specify the Active Directory DNS service in the Network preference of System Preferences, and that port 53 (UDP and TCP, used for DNS requests and replies) to the DNS service is not blocked. If your Active Directory DNS is incorrectly configured, you may experience problems binding Mac OS X to Active Directory.

The Active Directory connector requires several DNS service records (SRV) in order to determine which hosts provide certain services on certain protocols. SRV records use the form _Service._Protocol.domain, and the requests are usually in lowercase text. Examples of the searches and replies for a few of the SRV records necessary to bind to Active Directory are shown here:

The host option -t SRV specifies a search of type SRV, and the queries are for various services that are available via the protocol tcp (as opposed to udp) in the domain pretendco.com. The key thing to notice is the port number and host offering the service. This example forest is very simple, and the same host offers all the services (windows-server1.pretendco.com). However, the port number is different for each service, as shown here:

  • 389—LDAP
  • 88—Kerberos (used for obtaining Kerberos tickets)
  • 464—Kpasswd (used for making Kerberos password changes)
  • 3268—gc (used for Active Directory Global Catalog lookups)

Although it is possible to use a DNS service that isn’t integrated with Active Directory, it may be impractical, because many SRV records are required, and it may be difficult to set up all the necessary records and keep them up-to-date.

Confirming Access to Service Ports

After performing SRV requests to find the hosts and ports that offer the required services, you can use telnet to open a connection to a specific port, to verify that your access to the service is not blocked by a firewall and that you can make a basic connection to each service port. When you see a Connected to message from the service, enter quit and press Return to end the connection. If you do not see the Connected to message, make sure there is no firewall blocking access, check underlying network connectivity, and make sure the service is running on the server.

Following are two examples of using telnet to connect to a port, and the replies from the service. The first connects to port 389 for LDAP service, followed by port 88 for Kerberos service. A failed attempt would stop at Trying 10.1.0.5..., but each of these telnet sessions successfully connect to the service:

Understanding the Binding Process

Mac OS X fully supports Active Directory sites, which allows directory administrators to associate specific domain controllers with specific networks. When you bind a Mac OS X client computer to an Active Directory domain, this kicks off a complicated series of events, shown in the next figure. Understanding the process can help you isolate any problem that might crop up.

Here are the steps, in detail:

The Chain To Bind You To Earth Mac Os X

  1. Mac OS X performs a request for LDAP, Kerberos, and Kpasswd DNS service records in the domain. If Mac OS X is not using the DNS server that is integrated with Active Directory, the process will likely fail at this point.
  2. Mac OS X binds anonymously with LDAP and gathers basic Active Directory domain information.
  3. DirectoryService’s Active Directory connector creates a preliminary Kerberos configuration, which may be replaced during this process.
  4. Mac OS X uses the Kerberos configuration, authenticates, and then requests the nearest domain controller.
  5. The domain controller returns a list of the nearest domain controllers, based on the IP subnet of the Mac OS X computer.
  6. Mac OS X confirms that it can connect to the LDAP and Kerberos services of the domain controller list from step 5, and DirectoryService and kerberosautoconfig create a final Kerberos configuration in /Library/Preferences/edu.mit.Kerberos and /var/db/dslocal/nodes/Default/config/Kerberos:REALM.plist.
  7. Mac OS X connects to what it was told was the nearest domain controller.
  8. Mac OS X searches the domain for an existing computer record, and it creates a new computer record to use if it cannot find one.
  9. Mac OS X updates its Samba machine password and domain SID.
  10. Mac OS X updates its DNS record in Active Directory.

Specifying a User with Authorization to Bind

When binding, you must provide an Active Directory user name and password. You’ll need to confirm that this user has write privileges for the container in which the computer object will be created or used. If the computer object already exists, the user whom you specify must have write access to the computer object. By default a regular Active Directory user can join and create a computer object only ten times. After that, you will get an error. Here are some workarounds for this limitation:

  • Create the computer object in Active Directory and assign a user or group the ability to join the computer to a domain.
  • Modify the number of times that a particular user can join computers to a domain.
  • Give all authenticated users the unlimited ability to join computers to the domain (not recommended due to security concerns).
  • Use an administrator account to perform the bind.

Many administrators choose to create an Active Directory user that has few rights other than the ability to join computers to a domain and use this user for scripts.

Unbinding from Active Directory

You can unbind from Active Directory with the Accounts pane of System Preferences, the Directory Utility application, or the dsconfigad command with the -r option. If you cannot communicate with the Active Directory service, you can force the unbind. If you force the unbind and the computer object that Mac OS X was using still exists in Active Directory, you should probably use Active Directory tools to remove the computer object.

In rare circumstances, you may be unable to do a clean unbind from Active Directory. To get a fresh start with the Active Directory connector, remove the files that are associated with the Active Directory connector, kill DirectoryService, and then try your bind again.

In /Library/Preferences/DirectoryService, the files are as follows:

  • ActiveDirectory.plist
  • ActiveDirectoryDomainCache.plist
  • ActiveDirectoryDomainPolicies.plist
  • ActiveDirectoryDynamicData.plist

Update your search paths with the command:

[There is no output from these commands.]

/Library/Preferences/edu.mit.Kerberos is automatically generated based on nodes in your authentication search path, so you shouldn’t need to modify that file (unless you removed the autogeneration lines from that file).

In /var/db/dslocal/nodes/Default/config/, you can remove these files:

  • Kerberos: REALM.plist, where REALM is your Active Directory Kerberos realm
  • AD DS Plugin.plist

You may also want to remove the following:

  • The computer object in Active Directory that Mac OS X used
  • The record(s) for the Mac OS X computer that the Active Directory connector created and updated in the DNS service

If the computer object that Mac OS X uses has been deleted or reset, you will not be able to log in using an Active Directory user account. You will not be able to use su to switch to an Active Directory user, and dscl with -authonly for an Active Directory user will return an eDSAuthFailed error even if you supply the correct password. However, if you are troubleshooting, you should be aware that you will be able to obtain a Kerberos TGT for an Active Directory user. In this case, you must unbind and rebind to Active Directory.

Troubleshooting Login Issues

The process for logging in with an Active Directory network user is similar to the process of logging in with a network user from other directory services. You can use the troubleshooting techniques in Chapters 2 and 3, which include scenarios in which Open Directory accesses user records from Active Directory and uses mount, computer, and group records (including attributes for managed preferences) from Open Directory.

This section discusses some common problems but also covers issues that are specific to logging in with an Active Directory user record.

Before you begin, verify that you are not experiencing binding issues; for instructions, see the section “Troubleshooting Binding Issues” earlier in this chapter.

The Chain To Bind You To Earth Mac Os X

Try to determine if the login problem is related to identification, authentication, or authorization. Start with identification of the user record. To confirm that you can use the id or dscl commands to identify the user, use the following:

It is possible that DirectoryService is having problems communicating over LDAP to Active Directory. Use a graphical LDAP browser or an ldapsearch query to ensure that you can make LDAP requests authenticating as an Active Directory user:

[Authentication information deleted.]

Verify that your Active Directory node is listed in your authentication search path.

Check to see if you can authenticate as the Active Directory user. Log in as a local user or a local administrator, and then use su to switch identity to the Active Directory user, or use dscl /Search -authonlyusername to verify authentication.

Verify that your Kerberos configuration is set up for the Active Directory domain; the file /Library/Preferences/edu.mit.Kerberos should reference your Active Directory Kerberos domain. For more information about the Local KDC, see Appendix C, “Understanding the Local KDC,” available online.

Confirm that you can use kinit or the Ticket Viewer application (in System/Library/CoreServices/) to obtain a TGT from the Active Directory KDC with Active Directory user credentials.

Resolving Time Issues

If the clocks on the Active Directory domain controller and Mac OS X are more than 5 minutes apart, you cannot obtain a Kerberos ticket and you cannot log in. Make sure your Mac OS X computer is in the correct time zone, has the correct daylight savings time settings, and uses the same Network Time Protocol server as your Active Directory servers.

Using the Logs

Use the log file /var/log/system.log and the log files in /Library/Logs/DirectoryService to gather information if you are experiencing problems logging in. Refer to Chapter 1 for information about enabling DirectoryService logging by sending the USR1 or the USR2 signal to DirectoryService.

Transitioning from a Local User to an Active Directory User

If you want to transition from using an established local user account to a network account, yet continue to use the existing home folder, you must perform these steps:

  1. On your Mac OS X computer, log in as a local administrator.
  2. Open System Preferences and choose the Accounts preference.
  3. In the lower-left corner, click the lock to authenticate as a local administrator.
  4. Select the local account that conflicts with the Active Directory account.
  5. In the lower-left corner, click the Remove (–) button.
  6. When prompted, select “Don’t change the home folder,” then click OK.
  7. If the short name of the local user differs from the short name of the Active Directory user, change the name of the home folder. The following command changes the name of the home folder from “david (Deleted)” to the Active Directory user name “dcolville”:
  8. Change the ownership of the files in the preserved home folder so that the Active Directory user is the new owner. Open Terminal and issue the chown (change ownership) command, which takes the form of:

    The option -R changes ownership recursively, so the command changes ownership for the entire home folder. The following chown command changes the owner and group associated with all the files in the home folder:

  9. Log out as the local administrator account, and then log in as the Active Directory account.

Updating Active Directory Indexing

As do other directories, Active Directory indexes the values of commonly requested attributes in order to increase the speed of operations. If your Active Directory implementation contains a large amount of Mac OS X clients, your Mac OS X computers may request attributes that Active Directory does not index. Microsoft provides a downloadable Server Performance Advisor tool that lets you investigate whether there are any attribute queries that could be sped up by better indexing. Use this tool to determine if there are many requests for attributes that are not indexed, and then use Active Directory tools to add the unindexed attributes to the list of attributes to index.

The Chain To Bind You To Earth Mac Os Download

Forcing Replication

If the computer object is created in one site but hasn’t been replicated to another, you may not be able to log in until the replication takes place. You can force replication to take place with standard Active Directory tools.

⇐ ⇐ Pi's Great Escape Mac OS
⇒ ⇒ BOCO Mac OS