Jamf Nation Community

What is your domain suffix?

@roland.huber Perhaps rhis is the issue?

I've set both values as shown above:

defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 10
defaults write /Library/Preferences/com.apple.mdmclient BypassPreLoginCheck -bool YES

Our domain suffix is not local (it is .com).

Thanks for the suggestions!

Can you post a sanitized version of the following command from one of the affected Macs?

dsconfigad -show

It may help us to see if a configuration in your AD binding can be adjusted to help resolve this.

Active Directory Forest          = domain.com
Active Directory Domain          = domain.com
Computer Account                 = computer1$

Advanced Options - User Experience
  Create mobile account at login = Enabled
     Require confirmation        = Disabled
  Force home to startup disk     = Enabled
     Mount home as sharepoint    = Enabled
  Use Windows UNC path for home  = Disabled
     Network protocol to be used = smb
  Default user Shell             = /bin/bash

Advanced Options - Mappings
  Mapping UID to attribute       = not set
  Mapping user GID to attribute  = not set
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Allowed admin groups           = not set
  Authentication from any domain = Disabled
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14
  Restrict Dynamic DNS updates   = not set
  Namespace mode                 = domain

I had also a Preferred DC set once and Authentication from any group as enabled without any difference.

Thanks. Just for kicks, can you try setting the Mount home as sharepoint setting from Enabled to Disabled on one of the Macs and then try rebooting and logging in off the network?

dsconfigad -sharepoint disable

Many many of us have needed to set that setting off and use a separate app/script that launches at login to connect users to their home shares to prevent horribly long login times while not in range of the domain. Apple's AD plug-in is frankly kind of garbage and does not gracefully handle a situation while disconnected. It will hang up while vainly trying to mount the home share for a long while until it realizes it can't do it and just give up.
Give that change a try and let us know what happens.

I have set it to disabled and sadly it had no effect on the login time.

These machines probably don't see a DC on login time for months and only connect via VPN. OS X tries to contact one of the DCs during login time, but won't get a reply. I wonder, if there is no option to tell OS X to check once for 15 seconds and then use the locally cached account (without further delay on waiting for other DCs to respond) ?

Actually, my understanding was that the DSBindTimeout option mentioned above should be telling the plugin to only try for the set 10 seconds and then give up. If its not doing that after being set, then you may want to look at opening up a support case with Apple if you can. Do you have an Apple support agreement of any kind you can leverage? Something doesn't sound right.
Other than the "Allowed admin groups" option, the only difference I see with your dsconfigad -show and ours was the "Mount home as sharepoint" one, so I was hopeful that would help you. Sorry to hear it had no effect. We also use local cached AD mobile accounts and are not seeing such long logins while disconnected.

Many thanks for all the help. I will contact Apple in this regard.

In case anybody has other suggestions I would be thankful, if you could post them here.

I definitely will report back, if we found a solution.

Do you have anything set in the search domain for the network connection you are using? Also whey version of OS X? Is possible if you have many offices that it could be the way Sites are setup in AD? Sometimes Windows clients will oversee bad configurations. Maybe its not able to communicate to the local DC? Just throwing ideas out there...

What OS? 10.10? 10.11?

You said your internal domain is a .com

Do your DC's have public DNS records? i.e. can you resolve your DC's off the corporate network?

Thanks for all suggestions. - The search domain is different our our corporate domain.
- We don't have public DNS records for our corporate DCs

What I have discovered: As soon as I remove Casper (sudo jamf removeFramework) the problem is gone.

Any ideas?

@roland.huber Do you have any policies running at login? is the JSS externally accessible?

Ah ha! Makes sense. Good find @roland.huber!

Please mark the above as the answer for future searchers. :)

Verified with users and it is solved

Thanks for sharing!