login policies not running

colonelpanic
Contributor

I am having a really hard time troubleshooting an issue right now...

I am creating a new server to move all of our clients onto, and I can not get it to behave normally. The biggest issue I am having right now is that logon policies are not running. If I look in the logs for the client computer, I see that the jamf process is reporting that it can not connect to the JSS, and if I look in the logs for that computer on the JSS, there are no logs for users logging in. I have verified that the machine has network connectivity before logging on.

What is interesting is that there are logs for everything else, log out, installing policies, and imaging. I have a load script that runs after the first reboot from casper imaging and that runs perfectly normally and will install software via triggers, there is network connectivity, and I can open the jss up in a web browser on the client computer just fine.

I am having one or two other issues, but I'd like to get this resolved first. Any ideas? I'm really scratching my head on this one.

7 REPLIES 7

mm2270
Legendary Contributor III

Are Login/Logout Hooks enabled for your Macs from the JSS? It needs to be in order for any Casper related login policy to work.

colonelpanic
Contributor

yes the hooks are enabled and I have the policies to set to run at logon

colonelpanic
Contributor

I looked in the logs and I am seeing "Connection with distnoted server was invalidated" and then jamf looks for cached logon policies. I know I have network connectivity, especially because I keep re-imaging tmy test machine so I am logging onto it for the first time with my AD credentials, so it MUST authenticate over the network. I'm starting to scratch my head on this one.

mm2270
Legendary Contributor III

Interesting. There is another thread here about the exact same error. I can't say I've ever seen it, but others obviously have, so you're not alone with this issue it seems.
I can't seem to find that exact thread at the moment, so hopefully someone else will see this and point you to it. Though I don't recall there being a solid solution to this error in that thread.

bentoms
Release Candidate Programs Tester

That'll be my thread I think.

My thinking is that this is happening when a policy tries to run, when another is running.

tlarkin
Honored Contributor

HI ColnelPanic (funny name by the way)

If I look in the logs for the client computer, I see that the jamf process is reporting that it can not connect to the JSS, and if I look in the logs for that computer on the JSS, there are no logs for users logging in. I have verified that the machine has network connectivity before logging on.

Just curious, if you open up terminal on one of those client boxes that is failing, and say run sudo jamf recon, does it return any erros that it cannot connect to the JSS? Certificate based communication can fail completely if clock skew is present. I just had this happen myself on my test boxes. I had one VM that would always fail to connect to my test JSS because when I set it up I just left the default settings and it was set to Cupertino time and I am in Kansas City, MO currently, once I fixed the time skew I stopped getting those 401 connection errors from the JAMF binary.

I would start looking at why that client is failing and running things manually on that client, see what the logs tell you. Post them here if you like.

Cheers,
Tom

colonelpanic
Contributor

I was able to fix the issue. Apparently jamf doe snot like it if you specify that the JSS URL is an IP address instead of a hostname. We had to make some DNS changes and while we were waiting for that to happen I started setting up the new server since we have an on-going project that couldn't wait. Once DNS was updated and I used the hostname everything worked perfectly.

Thank you to everyone for the suggestions!