I'm having a problem with 50+ workstations (10.9 and 10.10) when a user changes their OD password (either at the OS X login screen or the System Preferences).

The password change updates on the server but if the user doesn't immediately restart their workstations (and every workstation they have a user account on), at some point in the coming hours, the workstation will hit the OD with dozens of auth attempts with an incorrect password (or Kerberos ticket, seemingly), even if they are logged out of the machine. And of course this hits the max failed attempts and effectively locks the user out.

If they restart every workstation that they have a user account on (as a mobile user or just a regular network user that has previously logged into that machine), this doesn't occur. Naturally this leads us to assume some sort of caching of the password (or ticket) is happening, but where, and what? Are there any workarounds for this?

Update:

I believe I have traced the auth attempts to KCM. Seemingly at random, KCM starts running every few minutes (actually every 137 seconds); the first few times it returns "Success" (in the accountpolicy.log) and then it starts returning "Failed Authentication Policy."

In this particular instance the number of "Success" responses is equal to the number of failed login attempts allowed. Then come the "Failed Authentication Policy" responses. So it seems related. I'll need to get another failure to happen to be sure.

So my question now is:

What makes KCM start running in the first place (after 12+ hours, in some cases, of not running)? And why is KCM triggering the lockout?

Chris
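A defender-side check for the pattern described in the update, added here as an example and not part of the original post: it scans per-user auth entries for a fixed ~137 s cadence and flags users whose run of "Success" entries reaches the failed-attempt limit before "Failed Authentication Policy" appears. The log line layout, user names and client addresses are constructed; the real accountpolicy.log format differs, so `parse_line()` is the part to adapt.

```python
"""Flag users whose OD auth log shows a timer-driven stream of attempts
(the ~137 s KCM cadence from the question) that runs into the lockout.
The line format below is CONSTRUCTED; adapt parse_line() to real logs."""
from collections import defaultdict
from datetime import datetime
from statistics import median
import re

# Constructed sample: jdoe hit every 137 s, three Successes (max failed
# attempts = 3 in this hypothetical policy), then policy failures.
SAMPLE_LOG = """\
2015-03-02 03:14:00 user=jdoe client=10.0.0.21 result=Success
2015-03-02 03:16:17 user=jdoe client=10.0.0.21 result=Success
2015-03-02 03:18:34 user=jdoe client=10.0.0.21 result=Success
2015-03-02 03:20:51 user=jdoe client=10.0.0.21 result="Failed Authentication Policy"
2015-03-02 03:23:08 user=jdoe client=10.0.0.21 result="Failed Authentication Policy"
2015-03-02 09:00:00 user=asmith client=10.0.0.40 result=Success
"""

LINE_RE = re.compile(r'^(\S+ \S+) user=(\S+) client=(\S+) result="?([^"]+)"?$')

def parse_line(line):
    """Return (timestamp, user, client, result) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def find_retry_storms(log_text, max_failed, period=137, tolerance=5):
    """Return {user: details} for users whose attempts arrive on a fixed
    period and whose leading Success count reaches max_failed before the
    first 'Failed Authentication Policy' entry."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_user[rec[1]].append(rec)
    storms = {}
    for user, recs in per_user.items():
        if len(recs) < 3:          # too few entries to judge a cadence
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        if abs(median(gaps) - period) > tolerance:
            continue               # not the periodic retry pattern
        results = [r[3] for r in recs]
        successes = 0
        for r in results:
            if r != "Success":
                break
            successes += 1
        if successes >= max_failed and "Failed Authentication Policy" in results:
            storms[user] = {"client": recs[0][2], "period_s": median(gaps),
                            "successes_before_lockout": successes}
    return storms
```

Running it over the sample flags jdoe (period 137 s, 3 successes before lockout) and ignores asmith's single login.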