Vanishing Kerberos ticket

tkimpton
Valued Contributor II

Hi guys

I am moving away from ADmitMac and using Apple's built-in connector.

Unfortunately my Kerberos ticket gets deleted after a couple of minutes.

Has anyone seen this in Mountain Lion?

2 ACCEPTED SOLUTIONS

tkimpton
Valued Contributor II

my script to add an item as a login

#!/bin/bash

######################### HISTORY #####################################
#                                                                     #
# Created by Tim Kimpton 14/05/2013                                   #
#                                                                     #
# Set an application to open at login as the currently logged in user #
#                                                                     #
################### Environment Variables #############################

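# Get the currently logged in user (the owner of /dev/console)
user=$(stat -f %Su /dev/console)

# Do nothing when nobody is logged in (root owns the console at the login window)
if [ -z "${user}" ] || [ "${user}" = "root" ]; then
    exit 0
fi

# Specifying the Login Item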
LoginItem='/usr/bin/osascript <<EOT
try
tell application "System Events"
make login item at end with properties {path:"/Applications/SomeApp.app/"}
end tell
end try
EOT'

############### DO NOT MODIFY BELOW THIS LINE ################

# Set the App as a login item as the currently logged in user
su - "${user}" -c "${LoginItem}" >/dev/null


tkimpton
Valued Contributor II

Culprit was Entourage 2008 holding on to the user's previous Kerberos identity in the Microsoft Entourage Database.

As soon as I got rid of it and selected the new Kerberos identity, all is OK.


11 REPLIES

ImAMacGuy
Valued Contributor II

I saw this in version 10.8.2; it seemed to be a known bug. I haven't tried to reproduce it in 10.8.5.

What version are you using?

ImAMacGuy
Valued Contributor II

If you have a dev account, re-check it in 10.9.

tkimpton
Valued Contributor II

I'm on 10.8.5 and haven't checked 10.9 yet.

One interesting thing is that I have an Applescripted app to map network shares.

I had a config profile to launch that on the user level as a log in item.

I also had a launch agent and script to map network shares.

I removed the config profile but it didn't make any difference.

I then removed the script and all is ok!

What I have discovered is that anything involving a script and Kerberos authentication causes the Kerberos ticket to be destroyed.

The thing that does work is a script that I run as a policy at login to add the item to the user's login items.

I'll have to wait until I'm back at work to share the script to add an item as a login item; it is a good example to use for future reference :)

I also noticed that as soon as I ran Casper Remote to target my machine to install an app, shortly after login, the Casper Share mounted and my Kerberos ticket got destroyed!

bentoms
Release Candidate Programs Tester

@tkimpton you guys don't have multiple AD domains do you?

tkimpton
Valued Contributor II

No mate just one domain. What you thinking?

bentoms
Release Candidate Programs Tester

@tkimpton not much bud, trying to beat jet lag & that thunder is keeping me up!

I know from talking before that you guys used ADmitMac as you had some challenges with your environment.

I'm guessing all servers are using the same NTP, are part of the same Kerberos realm & have forward & reverse DNS lookups correctly set?

tkimpton
Valued Contributor II

Yeah same ntpd, realm and dns looks ok. Think I'll just rest today and have a look tomorrow with a clear head.

Used to use ADmitMac but after their poor support and faulty latest build I'm ditching them.

One good thing was it could utilise Windows Group Policies for removable media lock down and access. Instead I'm using a mixture of extension attributes to query their AD account at login and scope Config profiles to the smart groups.

Found out on Friday it's not Apple's plugin or ADmitMac specifically because everyone's getting it but just didn't bother telling me..... Users eh!

Been working hard this week to uninstall ADmitMac, delete relevant users from directory services, migrate user data, amend permissions and join AD all from Self Service :)

tkimpton
Valued Contributor II

my script to add an item as a login

#!/bin/bash

######################### HISTORY #####################################
#                                                                     #
# Created by Tim Kimpton 14/05/2013                                   #
#                                                                     #
# Set an application to open at login as the currently logged in user #
#                                                                     #
################### Environment Variables #############################

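# Get the currently logged in user (the owner of /dev/console)
user=$(stat -f %Su /dev/console)

# Do nothing when nobody is logged in (root owns the console at the login window)
if [ -z "${user}" ] || [ "${user}" = "root" ]; then
    exit 0
fi

# Specifying the Login Item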
LoginItem='/usr/bin/osascript <<EOT
try
tell application "System Events"
make login item at end with properties {path:"/Applications/SomeApp.app/"}
end tell
end try
EOT'

############### DO NOT MODIFY BELOW THIS LINE ################

# Set the App as a login item as the currently logged in user
su - "${user}" -c "${LoginItem}" >/dev/null

bentoms
Release Candidate Programs Tester

@tkimpton why not just use a launchAgent?

tkimpton
Valued Contributor II

I did. I noticed that a LaunchAgent running a script to either open the App or to map network shares causes the Kerberos ticket to get destroyed.

tkimpton
Valued Contributor II

Culprit was Entourage 2008 holding on to the user's previous Kerberos identity in the Microsoft Entourage Database.

As soon as I got rid of it and selected the new Kerberos identity, all is OK.
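An added example, not part of the thread: a small watcher that timestamps the moment the ticket disappears, so the loss can be lined up against whatever started at that time (a login item, a LaunchAgent script, a share mount, a mail client). The function names, the `watch` argument and the sample data are assumptions made for this sketch; it also assumes the installed `klist` accepts `-s` to test silently for a valid ticket.

```shell
#!/bin/sh
# Added example: record when the Kerberos ticket appears or disappears.

# Print "present" or "absent" for the current user's credential cache.
# Assumption: `klist -s` exits 0 only while a valid ticket is cached.
ticket_state() {
    if klist -s >/dev/null 2>&1; then echo present; else echo absent; fi
}

# Read "epoch state" samples on stdin and print one line per change,
# e.g. "1010 present->absent". Repeated identical states are ignored.
transitions() {
    prev=""
    while read -r ts state; do
        if [ -n "$prev" ] && [ "$state" != "$prev" ]; then
            echo "$ts $prev->$state"
        fi
        prev=$state
    done
}

# Constructed samples (not real output): the ticket vanishes at 1010
# and is re-acquired at 1020.
sample_log() {
    cat <<'EOF'
1000 present
1005 present
1010 absent
1015 absent
1020 present
EOF
}

# Live mode: `sh watch_ticket.sh watch [interval_seconds]`
# Run it as the logged-in user, since each user has their own cache.
if [ "${1:-}" = "watch" ]; then
    while :; do
        echo "$(date +%s) $(ticket_state)"
        sleep "${2:-5}"
    done | transitions
fi
```

Each `present->absent` line gives an epoch time to compare with process start times and system logs from the same few seconds.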