Auto-login user not getting Kerberos TGT

etippett
Contributor II

Shared lab systems (OS X 10.10.5) in our environment are set to auto-login as a mobile Active Directory user. When auto-login takes place, the user does not get a Kerberos ticket granting ticket. If the user is manually logged in by entering the username and password at the login window, they do receive a TGT. I've confirmed this with multiple users (all mobile AD accounts) and the behavior has been consistent. Has anyone else come across this? It seems like something in the auto-login process has to be preventing the requesting of a TGT at login.

Thanks!
Eric

1 ACCEPTED SOLUTION

etippett
Contributor II

After further troubleshooting I discovered that this issue was caused by the fact that the auto-login was proceeding before the network connection was up, which of course prevented obtaining a Kerberos ticket. This was solved by running the following command

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow.plist StartupDelay -int 30

This will make the login window wait up to 30 seconds for the network to connect. It will continue the login as soon as the network is up or if the 30 seconds has passed.

I'm now getting a Kerberos TGT quite reliably with the auto-login mobile AD account. Hope this helps someone else!

Eric

View solution in original post

1 REPLY 1

etippett
Contributor II

After further troubleshooting I discovered that this issue was caused by the fact that the auto-login was proceeding before the network connection was up, which of course prevented obtaining a Kerberos ticket. This was solved by running the following command

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow.plist StartupDelay -int 30

This will make the login window wait up to 30 seconds for the network to connect. It will continue the login as soon as the network is up or if the 30 seconds has passed.

I'm now getting a Kerberos TGT quite reliably with the auto-login mobile AD account. Hope this helps someone else!

Eric