Long Login Delays and Unable to clear screen saver on AD bound machines

I've seen this since 10.5.

I had a policy at logout that would turn off airport. That sorted the issue for us.

As the users would log in with their mobile accounts & not get a Kerberos ticket as they were offline.

Otherwise they just seem to keep searching.

If you were to do a packet dump of all dns traffic at login you'll see the mac trying to resolve each dc in your domain.

Regards,

Ben.

But how do you handle users that don't log out? They just shut their lids
On Wed, Apr 6, 2011 at 12:57 PM, Ben Toms <bentoms at btopenworld.com> wrote:
and move on.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

Educate them!

We had policies that ran maintenance etc at logout, & at login those that were admins could disable mcx.. so it was a win win situation for us & them.

You'll be waiting a kong time.

I think this issues been round since 10.4.

One thing that resolves is to have a cloud accessible dc & dns!!

Regards,

Ben.

Sadly, I've tried educating them already to the benefits of logging out and
On Wed, Apr 6, 2011 at 3:29 PM, Ben Toms <bentoms at btopenworld.com> wrote:
restarting machines regularly. They don't listen. I've even put in place a
script that checks computer up time and starts bugging them with Growl if
their machine has been up for 5 days. At 10 days they get a JAMF dialog
right in their face.

Heck, even my desktop users won't logout of their machines when they leave
at night, even though I've begged them to do it so that I can restart
servers without having to visit 20 machines to unmount the server.

Uggh....I guess all I can hope for now is that Apple will fix this issue. I'll be sitting over here in the corner turning blue from holding my
breath. Someone wake me up when they fix it.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

Yeah, I know it's been around awhile, but up until now we've been an OD only
On Thu, Apr 7, 2011 at 2:24 PM, Ben Toms <bentoms at btopenworld.com> wrote:
house. I'm moving away from that to an AD only house so I can cut down on
the number of passwords my people have to know.

I've given a little thought to an externally accessible DC, and it's
starting sound more appealing. I'll have to look into it further. I know
there are docs out there for setting up a "slave" DC that is only for
authentication.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

I'd be interested to know if it works.

I've read reports (can't remember where) that this fixes.

But wouldn't mind it from a more trusted source. :)

Regards,

Ben.

im late to this convo and not sure if anyone suggested it but there are a few attributes within the /Library/Preferences/DirectoryService preferences that have time out values. make sure to specifically check the AD plists, they definitely have 2 or 3 attributes that reference timeouts.


Yeah, I've been down that road already and tried the timeouts in the plist
On Thu, Apr 7, 2011 at 3:28 PM, Eric Winkelhake <eric.winkelhake at mundocom.com> wrote:
files. That didn't seem to work. But, I'll look again and see if I perhaps
missed one.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475


We've also been having major problems with this one. We're at the point of bringing in Apple's professional services to sort it out. We have folks that know tons about Macs, and other folks that know tons about AD and DNS. What we need are folks that can bridge the two and it seems that Apple's prof services is who those folks are.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

We had the same issue with 10.5.2 with macs on the nw at login

I had a bug report & was asked to do a dump of all dns traffic to a file at login.

Might be worth a look. Can't remember the command though.

Regards,

Ben.

I've taken wiresharks of a machine plugged into a hub with the hub disconnected and it looks like it's all down to it searching for DNS

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436

Yea that's what we used.

Not sure of this will work but this is the link to bug report.

https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/3/wo/AIE6zYOPtycfxU4saOhJ10/7.3

Bug report number: 5804896 (march 08)

They closed as a duplicate. 10.5.6 resolved I think.

Regards,

Ben.

ok.. my mac just logged in fine :)  

but i'm at a new company & the domain resolves outside the nw.. i'll ask one of the guys if they have a dc that's cloud accessible..

I got this working once before but for whatever reason the changes that I made in /etc/authorization no longer apply since 10.6.5? I'm going to try some more things when I get back to the office on Monday.

Allen

Me again.

(into this sooo much as spent slot of time on it previously).

Pentland.com resolves to the company site. Handy for me that this is our domain name too.

For those of you affected, can you try the following.

Write a policy that runs the every15 & is offline.

Write a script the runs:

<code>checkJSSConnection 1</code>

If it cannot resolve your jss after 1 attempt, get the script to create a spurious entry for your domain in /etc/hosts (maybe to your companies site).

If it does resolve, remove get the script to remove the spurious entry if it exists.

It may well work.

Regards,

Ben.

Oh god. I see ITSecuring going ape sh*t on that method. I'll try it, but I'm sure it won't pass muster.

j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436