Skip to main content

Hi,

I have a strange issue regarding the lifetime of kerberos tickets that are created to access a Data Center. They are created and usable but suddenly expire after 5-10 minutes in which case a user must do a new kinit.

This is very annoying as you can imagine and this is only happening to the users that are using Casper managed MacBooks. The kerberos tickets generated for authentication to our domain doesn't have these issues.

OS X versions varies from 10.9.5 to 10.10.3.

Thanks in advance!

Cheers.

@rschenk ehat differs between the Casper managed Macs & the non-Casper Managed one's?

Are they using the same OS.dmg?

Every 10-15 seems like possibly a policy is expiring the ticket. Can you have a nose at the policies?

FWIW, I've never had this issue with JSS managed macs. Over a few years & a few environments.

@bentoms

The main difference between the managed and unmanaged macs is that unmanaged macs are handed over fresh out of the box with no support while the managed macs are getting the Casper treatment with policies and such. I will recheck my policies/profiles.

This isn't something I've ever seen caused by Casper. I have had a whole range of different Kerberos related issues, but the causes have usually been something like the date & time, network changes, missing principals in the kerberos database etc.

Just out of interest, are you restoring any pre-configured OS images to the Casper MacBooks?

As Ben said, policies can be used to almost anything you like in OS X so that would be worth looking at. Custom config profiles might also be doing something odd. One split/half search way of finding out would be to set up a MacBook with Casper but don't scope any policies, config profiles etc to it. That might save you trawling through them all!

Thanks for the replies so far. I've done some troubleshooting and I've found this:

  • User is logged on a managed Mac on a mobile account bound to our domain
  • User gets a kerberos ticket from the Domain.
  • User creates a VPN connection and uses kinit to generate a kerberos ticket for access to the DC, Domain ticket is destroyed
  • DC ticket is created and usable for 10 hours

The ticket is indeed usable for 10 hours UNLESS the user locks his computer. After that the screensaver starts and after entering his/her password the kerberos ticket is gone and a new Domain ticket is generated.

This behaviour does not occur when the actions are done on the local-admin account which is a local account (So no domain stuff here).

In conclusion: Domain ticket is overruling the DC ticket and is destroyed when a Domain ticket is generated after a sleep/login.

Thoughts?

Have you modified the Kerberos configuration and PAM settings on these systems, as described in this guide?

https://www.ee.washington.edu/computing/faq/desktop/uw_kerberos_mac.html

I am still testing these modified settings, but it definitely seems to have made a world of difference so far.

Terms & ConditionsCookie settingsAccessibility statement