We've got a fun new issue after upgrading to OS X 10.10 client and server with Open Directory (from 10.8).

When a user changes their password (using System Preferences or at the Login screen) it seems the Kerberos credentials do not refresh/flush/update. So when they expire, trying to renew them (after 10 hours) triggers our max failed attempts limit and locks the user out.

I can see that the kcm daemon is what is running after 10 hours that ultimately leads to the lockout.

I can see using klist that a password change does not update the credential.

And moreover cached credentials (within the 7 day window) seem to be causing this on any machine the user has used (our users move around a lot). So it wouldn't just be a matter of issuing kdestroy on the machine where the password changes.

Any ideas what's going on here?

Why was OD able to keep everything in sync across all machines in the directory before?

Do I just need to disable the credential cache? Was that not an issue prior to 10.9?
