Posted on 01-06-2016 12:10 PM
Shared lab systems (OS X 10.10.5) in our environment are set to auto-login as a mobile Active Directory user. When auto-login takes place, the user does not get a Kerberos ticket granting ticket. If the user is manually logged in by entering the username and password at the login window, they do receive a TGT. I've confirmed this with multiple users (all mobile AD accounts) and the behavior has been consistent. Has anyone else come across this? It seems like something in the auto-login process has to be preventing the requesting of a TGT at login.
Thanks!
Eric
Solved! Go to Solution.
Posted on 01-07-2016 11:48 AM
After further troubleshooting I discovered that this issue was caused by the fact that the auto-login was proceeding before the network connection was up, which of course prevented obtaining a Kerberos ticket. This was solved by running the following command
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow.plist StartupDelay -int 30
This will make the login window wait up to 30 seconds for the network to connect. It will continue the login as soon as the network is up or if the 30 seconds has passed.
I'm now getting a Kerberos TGT quite reliably with the auto-login mobile AD account. Hope this helps someone else!
Eric
Posted on 01-07-2016 11:48 AM
After further troubleshooting I discovered that this issue was caused by the fact that the auto-login was proceeding before the network connection was up, which of course prevented obtaining a Kerberos ticket. This was solved by running the following command
/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow.plist StartupDelay -int 30
This will make the login window wait up to 30 seconds for the network to connect. It will continue the login as soon as the network is up or if the 30 seconds has passed.
I'm now getting a Kerberos TGT quite reliably with the auto-login mobile AD account. Hope this helps someone else!
Eric