triggered something for me.
Per Nick:
Our laptops don't join the network until after a user logs in, therefore
they do not get the proper Kerberos identity/ticket and it nicks up the DFS
connection.
On desktops we are finding that 10.6 will not auto renew the Kerberos
identity/ticket at the 10 hour expiration.
We are having an issue with 10.6 machines bound to AD, mainly with laptops,
where logging into the machine or clearing the screen saver password dialog,
when off network primarily, either does not work or takes an overly long
time. How long? Well, I've timed it on my laptop to take 4 minutes at
times. What I'm noticing is that in the secure.log I am seeing these two
errors:
3/6/11 10:43:11 PM authorizationhost[279] k5_authenticate(): got
-1765328164 (Cannot resolve network address for KDC in requested realm) on
/SourceCache/SecurityAgent/SecurityAgent-39574/plugins/krb5/krb5_operations.c:84
3/6/11 10:43:11 PM authorizationhost[279] -[SFBuiltinAuthenticate
performDSPasswordAuth](): got -1765328164 (Cannot resolve network address
for KDC in requested realm) on
/SourceCache/SecurityAgent/SecurityAgent-39574/authhostbuiltins.m:1039
I've been able to figure out that it is related to Kerberos, not just
because of the mention of the KDC in the errors, but because a klist shows
no open tickets.
Allen and I have been exchanging emails (and trying to test) some edits to
/etc/authorization (among other things) that would kerberize the screen
saver. Unfortunately both of our schedules have been so hectic that we
haven't been able to test lately.
I have opened two bug reports with Apple:
9093265
Unable to clear Screen Saver password in 10.6
AND
9184458
Long Delay in Authentication on 10.6 bound to Active Directory
So, has anyone else seen this, and does anyone have a solution?
Oh, and I'm seeing this on all versions of 10.6 including 10.6.7.
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
I've seen this since 10.5.
I had a policy at logout that would turn off airport. That sorted the issue for us.
As the users would log in with their mobile accounts & not get a Kerberos ticket as they were offline.
Otherwise they just seem to keep searching.
If you were to do a packet dump of all dns traffic at login you'll see the mac trying to resolve each dc in your domain.
Regards,
Ben.
But how do you handle users that don't log out? They just shut their lids
and move on.
Steve Wood
On Wed, Apr 6, 2011 at 12:57 PM, Ben Toms <bentoms at btopenworld.com> wrote:
Educate them!
We had policies that ran maintenance etc. at logout, & at login those that were admins could disable MCX, so it was a win-win situation for us & them.
You'll be waiting a long time.
I think this issue's been around since 10.4.
One thing that resolves it is to have a cloud accessible DC & DNS!!
Regards,
Ben.
Sadly, I've tried educating them already to the benefits of logging out and
restarting machines regularly. They don't listen. I've even put in place a
script that checks computer uptime and starts bugging them with Growl if
their machine has been up for 5 days. At 10 days they get a JAMF dialog
right in their face.
Heck, even my desktop users won't log out of their machines when they leave
at night, even though I've begged them to do it so that I can restart
servers without having to visit 20 machines to unmount the server.
Uggh....I guess all I can hope for now is that Apple will fix this issue.
I'll be sitting over here in the corner turning blue from holding my
breath. Someone wake me up when they fix it.
Steve Wood
On Wed, Apr 6, 2011 at 3:29 PM, Ben Toms <bentoms at btopenworld.com> wrote:
Yeah, I know it's been around awhile, but up until now we've been an OD only
house. I'm moving away from that to an AD only house so I can cut down on
the number of passwords my people have to know.
I've given a little thought to an externally accessible DC, and it's
starting to sound more appealing. I'll have to look into it further. I know
there are docs out there for setting up a "slave" DC that is only for
authentication.
Steve Wood
On Thu, Apr 7, 2011 at 2:24 PM, Ben Toms <bentoms at btopenworld.com> wrote:
I'd be interested to know if it works.
I've read reports (can't remember where) that this fixes.
But wouldn't mind it from a more trusted source. :)
Regards,
Ben.
I'm late to this convo and not sure if anyone suggested it, but there are a
few attributes within the /Library/Preferences/DirectoryService
preferences that have timeout values. Make sure to specifically check
the AD plists; they definitely have 2 or 3 attributes that reference
timeouts.


Yeah, I've been down that road already and tried the timeouts in the plist
files. That didn't seem to work. But, I'll look again and see if I perhaps
missed one.
Steve Wood
On Thu, Apr 7, 2011 at 3:28 PM, Eric Winkelhake <eric.winkelhake at mundocom.com> wrote:

We've also been having major problems with this one. We're at the point of bringing in Apple's professional services to sort it out. We have folks that know tons about Macs, and other folks that know tons about AD and DNS. What we need are folks that can bridge the two and it seems that Apple's prof services is who those folks are.
j
--
Jared F. Nichols
Desktop Engineer, Client Services
Information Services Department
MIT Lincoln Laboratory
244 Wood Street
Lexington, Massachusetts 02420
781.981.5436
We had the same issue with 10.5.2 with macs on the nw at login
I had a bug report & was asked to do a dump of all dns traffic to a file at login.
Might be worth a look. Can't remember the command though.
Regards,
Ben.
I've taken wiresharks of a machine plugged into a hub with the hub disconnected and it looks like it's all down to it searching for DNS
j
--
Jared F. Nichols
Yeah, that's what we used.
Not sure if this will work, but this is the link to the bug report.
https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa/3/wo/AIE6zYOPtycfxU4saOhJ10/7.3
Bug report number: 5804896 (march 08)
They closed as a duplicate. 10.5.6 resolved I think.
Regards,
Ben.
ok.. my mac just logged in fine :)
but i'm at a new company & the domain resolves outside the nw.. i'll ask one of the guys if they have a dc that's cloud accessible..
I got this working once before but for whatever reason the changes that I made in /etc/authorization no longer apply since 10.6.5? I'm going to try some more things when I get back to the office on Monday.
Allen
Me again.
(Into this sooo much as I spent a lot of time on it previously.)
Pentland.com resolves to the company site. Handy for me that this is our domain name too.
For those of you affected, can you try the following.
Write a policy that runs on every15 & is offline.
Write a script that runs:
checkJSSConnection 1
If it cannot resolve your JSS after 1 attempt, get the script to create a spurious entry for your domain in /etc/hosts (maybe to your company's site).
If it does resolve, get the script to remove the spurious entry if it exists.
It may well work.
Regards,
Ben.
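As an added illustration of Ben's every15 policy idea above (this script is not from the thread or from any of its authors), here is a POSIX sh version. The AD domain name corp.example.com, the placeholder address 203.0.113.10, the path /usr/sbin/jamf and the exact "jamf checkJSSConnection -retry 1" invocation are all assumptions; the part the thread actually describes is the hosts-file handling: add a tagged placeholder line for the domain when the JSS cannot be reached, remove it once it can. The line is tagged with a marker comment so the script only ever touches its own entry and never anything else an admin put in /etc/hosts.

```shell
#!/bin/sh
# offline_hosts.sh - added example, not code from the thread.
# Run from a JAMF policy on the every15 trigger (offline-capable).
# Assumptions (not in the original thread): domain, placeholder IP, jamf path/flag.

AD_DOMAIN="${AD_DOMAIN:-corp.example.com}"        # assumed AD domain name
PLACEHOLDER_IP="${PLACEHOLDER_IP:-203.0.113.10}"  # assumed "spurious" address
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
MARKER="# offline-ad-placeholder"                 # tag: we only touch our own line

# Returns 0 if the hosts file currently carries our placeholder line.
has_placeholder() {
    grep -qF "$MARKER" "$HOSTS_FILE" 2>/dev/null
}

# Off network: append "<ip> <domain> <marker>" once, so the AD domain
# resolves locally instead of timing out on every DC lookup.
add_placeholder() {
    has_placeholder && return 0
    printf '%s %s %s\n' "$PLACEHOLDER_IP" "$AD_DOMAIN" "$MARKER" >> "$HOSTS_FILE"
}

# Back on network: strip only the tagged line, keep everything else byte-for-byte.
# Writing through cat keeps the file's inode, owner and mode.
remove_placeholder() {
    has_placeholder || return 0
    tmp="$HOSTS_FILE.tmp.$$"
    grep -vF "$MARKER" "$HOSTS_FILE" > "$tmp" || true   # grep -v exits 1 if nothing left
    cat "$tmp" > "$HOSTS_FILE"
    rm -f "$tmp"
}

# reconcile <reachable>: 0 means the JSS answered, anything else means offline.
reconcile() {
    if [ "$1" -eq 0 ]; then
        remove_placeholder
    else
        add_placeholder
    fi
}

# Reachability probe via the jamf binary (path and -retry flag are assumptions).
# Treat a missing binary as "offline" so we never strip the entry by accident.
jss_reachable() {
    if [ -x /usr/sbin/jamf ]; then
        /usr/sbin/jamf checkJSSConnection -retry 1 >/dev/null 2>&1
    else
        return 1
    fi
}

main() {
    if jss_reachable; then
        reconcile 0
    else
        reconcile 1
    fi
}

# Only run when invoked as offline_hosts.sh, so the functions can be sourced alone.
case "$0" in
    *offline_hosts.sh) main ;;
esac
```

Note that this only short-circuits name resolution for the bare domain name; the per-DC SRV lookups Ben mentions seeing in the DNS dump still go out, and the entry must be removed again before the machine comes back on net or the AD plugin will be talking to the wrong address. Point HOSTS_FILE at a scratch copy to exercise the add/remove logic without touching the real /etc/hosts.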
Oh god. I see IT Security going ape sh*t on that method. I'll try it, but I'm sure it won't pass muster.
j
--
Jared F. Nichols