Since we have more remote users, I have had two problems crop up that I am not sure where to go with. One of those is SSH connections dropping after entering the password. (The other issue may be related - but we also find some systems drop or lose proper domain bindings.)
When troubleshooting a system we will ask the user to connect to the VPN where we can (as admins) ssh into the system with our usernames. The ssh prompt connects fine and prompts for a password. When we enter our password, the devices drops the connection.
We can log in ssh using a local user account on that device. Through troubleshooting I can see that the device can reach the domain, dsconfigad -show indicates that it is connected and setup, and id on a user (id user.name) indicates that it can function.
If I run dsconfigad -passinterval 0 I can get an ssh connection through the domain user. My understanding is this disables the MacOS password change/renewal process. I am concerned this may have some long term issues.
The computer object password interval (through dsconfigad -passinterval <x>) defaults to 14 days. My Active Directory domain requires that device passwords don't exceed 60 days.
When does a bound MacOS device exchange a new password with Active Directory? If set to disabled (or 14, 30, 60, . . .), will the device renew/change the password within the time frame that AD requires?
Let me know if you have any questions.
