
Just looking for a little help with this problem that seems to trip a lot of people up and is causing me no end of grief.

I have a number of fully patched OS X Leopard machines that are bound to my AD (Server 2003).

When on the home network, logging in seems swift and works as expected.

When users take the machines off site, login can take 5 minutes or more. The user adds correct credentials but the desktop does not appear for a very long time.

Outside the office, I have tried logging in using a local Admin account, switching off Airport and then logging in using an AD account. In this situation login is immediate again.

It all seems as if Leopard is finding a suitable wireless network, spending far too long looking for the Domain before eventually giving up and using the cached credentials instead.

I have read that disabling Bonjour on the machine will stop this problem (I have not yet tested).

http://www.macwindows.com/leopardAD.html#111607z

...but I am reluctant to use this "Solution" as I would like to be able to use Bonjour on the local network as well as having AD-bound machines.

However, is disabling Bonjour really the only answer? Is there not some time-out setting somewhere that could be amended to stop Leopard spending forever looking for home?

Any help would be very gratefully received

Thanks

Gordon

  • Have you tried updating the Kerberos configuration per http://www.macosxhints.com/article.php?story=20080808143211248 ? – Chealion Nov 23 '09 at 16:47
  • I'm guessing there is a problem with DNS... I think its timing out. Could you try adding a static entry to /etc/hosts for the server? this should bypass using Bonjour to do the lookup. Interested to know if it makes any difference. – BuildTheRobots Jan 15 '10 at 08:19
  • Like others have said, this is a DNS issue. What appears to be happening is Bonjour is checking the local network for the AD server, timing out and then allowing you on with cached credentials. One idea that was mentioned in the quick google I did: 1) Try to log in with an FQDN e.g. username@domain.com instead of just username at the login prompt. – JamesBarnett Jan 09 '11 at 08:01

2 Answers


Please bear in mind that by default, Mac OS X Bonjour services use the .local domain for mDNS resolution.

Obviously, this conflicts with the Windows AD default domain of .local too, as Mac OS X will not use the domain controller as its DNS server when trying to resolve .local domains.

The simplest solution is to use the IP of the Active Directory in Directory Utility instead of the name.

To do this, go to Apple menu > System Preferences > Accounts, click "Login Options", then click "Join" next to "Network Account Server:".

In here you can open Directory Utility by clicking the "Open Directory Utility" button, then click on "Active Directory" and then the pencil icon. Here you can change your AD server to the IP of the Domain Controller instead of the name.

This should speed up the login process considerably.

Of course, the other option is to change the .local domain to something else like .internal, but this is only helpful when setting up a new domain. In fact it's mentioned in the Microsoft SBS server handbook.

Squeeb
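The conflict described in this answer can be checked before touching Directory Utility. The following is an added diagnostic, not code from the original answer: it flags any server name that ends in the .local domain Bonjour claims for mDNS, and it resolves the name with a hard deadline so a stalled lookup is reported rather than hanging the script for minutes. The host names used at the bottom ("dc01.corp.local", "127.0.0.1") are constructed for illustration.

```python
"""Added diagnostic for AD-bound Macs: does the server name land in Bonjour's
.local domain, and does it resolve within a deadline from this network?"""
import concurrent.futures
import socket
import time

# Top-level domains that macOS hands to multicast DNS instead of unicast DNS.
MDNS_TLDS = {"local"}


def uses_mdns(name: str) -> bool:
    """True if macOS would resolve `name` via Bonjour/mDNS rather than the
    DNS servers learned from the network (trailing dot and case ignored)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] in MDNS_TLDS


def timed_resolve(name: str, timeout: float = 2.0):
    """Resolve `name`, giving up after `timeout` seconds.

    Returns (addresses, elapsed_seconds, timed_out). getaddrinfo has no
    timeout of its own, so it runs in a worker thread that is abandoned once
    the deadline passes; the caller always gets an answer promptly.
    """
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    future = pool.submit(socket.getaddrinfo, name, None)
    try:
        results = future.result(timeout=timeout)
        addresses = sorted({r[4][0] for r in results})
        return addresses, time.monotonic() - start, False
    except concurrent.futures.TimeoutError:
        return [], time.monotonic() - start, True
    except socket.gaierror:
        return [], time.monotonic() - start, False
    finally:
        pool.shutdown(wait=False)


def diagnose(server: str, timeout: float = 2.0) -> dict:
    """Report on one Directory Utility server entry: mDNS collision,
    resolution result, and what the answer above would recommend."""
    addresses, elapsed, timed_out = timed_resolve(server, timeout)
    report = {
        "server": server,
        "mdns_name": uses_mdns(server),
        "addresses": addresses,
        "elapsed": round(elapsed, 3),
        "timed_out": timed_out,
    }
    if report["mdns_name"]:
        report["advice"] = ("name ends in .local, so Bonjour handles it: bind "
                            "to the domain controller's IP address instead")
    elif timed_out:
        report["advice"] = f"no answer within {timeout}s: DNS for this name is not reachable here"
    elif not addresses:
        report["advice"] = "name does not resolve from this network"
    else:
        report["advice"] = "resolves normally"
    return report


if __name__ == "__main__":
    # Constructed sample names: one .local AD name and the loopback address.
    for host in ("dc01.corp.local", "127.0.0.1"):
        print(diagnose(host))
```

Run it on the Mac while off-site: a `.local` server name is flagged regardless of network, and a name that times out at the deadline is the lookup the login window is waiting on. An IP address passes straight through `getaddrinfo` with no DNS traffic, which is why the answer's workaround removes the delay.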

For me, this helped. In /etc/pam.d/{login,screensaver,authorization} I replaced the noforward option on the pam_krb5.so line with use_kcminit:

/etc/pam.d/authorization:  auth       optional       pam_krb5.so use_first_pass use_kcminit
/etc/pam.d/login:          auth       optional       pam_krb5.so use_kcminit
/etc/pam.d/screensaver:    auth       optional       pam_krb5.so use_first_pass use_kcminit

My /etc/krb5.conf:

[libdefaults]
udp_preference_limit = 1
renewable = true
renew_lifetime = 36000

This was on OS X Mavericks with an AD domain without a .local suffix. Reboot after you apply the changes.

tuxx
  • 101