TheChinaMac

Q: Mobile User Slow Login Off Network

I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If I remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that were the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is miniserv.companydomain.net and the search domain in the server is companydomain.net - but again, this DNS info is not listed in the client machines. companydomain.net is a FQDN that only runs locally. Could the client be looking for companydomain.net on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:8 4

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039


Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)

Posted on Sep 4, 2009 2:38 PM

Page 5 of 8
  • by EyeQueue,

    EyeQueue Oct 25, 2010 7:51 PM in response to phil.n
    Level 1 (0 points)
    I'm having this same problem in a Windows 2000 AD environment, but it seems to only affect my Mac which I was testing Home syncing on. All others have mobile accounts but no home syncing and don't experience the problem. I have no folders set to sync, and login takes about 30-45 seconds. Every time I'm required to authenticate it hangs for another 12-15 seconds. Come on Apple! Where's our fix for this?

    Message was edited by: EyeQueue
  • by thirdorderharmonic,

    thirdorderharmonic Oct 26, 2010 10:39 AM in response to EyeQueue
    Level 1 (0 points)
    I had painfully slow logins at home which are now fixed with help from the big "A". I also had some recurring system freezes related to Spotlight which were also fixed by the same process. Apparently a KB article will be forthcoming about the fix. I asked if I could post the solution and was told that I would be provided a link to the KB article once it is created, and that I would then be welcome to post the link on this forum.

    My client machines exhibiting the slow logins were all MacBooks with a non-authenticated bind to Open Directory and had all syncing disabled. If your slow logins are sync related then your mileage may vary, but the provided solution has been 100% successful for me on 600+ affected client machines:

    Check out the following file on one of your clients with slow logins. The file is automatically downloaded or generated from your OD servers when you log in to your network:

    /Library/Preferences/edu.mit.Kerberos

    View this file and if you see any entries for kdc's by IP ADDRESS, this could be the cause of your slow logins. Apparently you only want kdc entries by FQDN. While at home, try deleting this file and rebooting. If your logins are fast your issue is to do with this file. It will be re-generated next time you log in at the office so don't worry about deleting it. The long-term solution is to make certain changes to the Kerberos config on your OD master. These changes then get pushed out to clients the next time that they log in inside the office. As such, it's effortless to roll out once the corrections are made. I will respect Apple's response to me and wait for them to post a KB article about the rest.

    As for those on AD or golden triangle, this may still apply but I can't speak to it.
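
The check described in the post above, as an added example that is not part of the original thread or of Apple's KB article: a POSIX shell function that lists `kdc` entries written as IP literals in a krb5.conf-style file such as `/Library/Preferences/edu.mit.Kerberos`. The function names `find_ip_kdcs` and `sample_config` are hypothetical, and the sample config and its addresses are constructed.

```sh
#!/bin/sh
# Added example: list kdc entries written as IP literals in a krb5.conf-style
# file such as /Library/Preferences/edu.mit.Kerberos.
# Prints "REALM<TAB>kdc value" for each IP-literal entry; FQDN entries are skipped.
find_ip_kdcs() {
    awk '
        # Remove comments and surrounding whitespace before matching.
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        # "REALM.NAME = {" opens a realm stanza, "}" closes it.
        /^[^ \t=]+[ \t]*=[ \t]*[{]/ { realm = $1; next }
        /^[}]/ { realm = ""; next }
        /^kdc[ \t]*=/ {
            val = $0
            sub(/^kdc[ \t]*=[ \t]*/, "", val)
            # IPv4 literal with optional :port
            v4 = (val ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$/)
            # IPv6 literal, optionally bracketed with :port (needs two colons)
            v6 = (val ~ /^\[?[0-9A-Fa-f:]+\]?(:[0-9]+)?$/ && val ~ /:.*:/)
            if (v4 || v6) printf "%s\t%s\n", realm, val
        }
    ' "$@"
}

# Constructed sample config; hostnames follow the thread, addresses are
# documentation-range placeholders.
sample_config() {
    cat <<'EOF'
# constructed sample
[libdefaults]
    default_realm = MINISERV.COMPANYDOMAIN.NET
[realms]
    MINISERV.COMPANYDOMAIN.NET = {
        kdc = miniserv.companydomain.net
        kdc = 192.0.2.10:88
        kdc = [2001:db8::10]:88
        admin_server = miniserv.companydomain.net
    }
[domain_realm]
    .companydomain.net = MINISERV.COMPANYDOMAIN.NET
EOF
}

# With no file argument the function reads standard input.
sample_config | find_ip_kdcs
```

Run against the real file with `find_ip_kdcs /Library/Preferences/edu.mit.Kerberos`; each output line is a KDC entry that the post says should be published by FQDN instead.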
  • by EyeQueue,

    EyeQueue Oct 26, 2010 1:45 PM in response to thirdorderharmonic
    Level 1 (0 points)
    Unfortunately the only entries in this file are FQDN, and I'm on AD. So while I'm excited that this may resolve issues for so many of you, it doesn't help my situation. Hopefully Apple will address AD users as well!
  • by davidcmn,

    davidcmn Oct 29, 2010 9:22 AM in response to TheChinaMac
    Level 1 (5 points)
    I am having the same problem. My setup is a really simple test environment. One Mac mini running server 10.6.4 and two computers running Snow Leopard 10.6.4. The server is set up as server.private. When connected to the private network everything works great. But if I take the computer to a coffee shop or a different wireless network I get login delays. Even after the login delay there are still authentication delays if I do something that needs system administrator authentication within Snow Leopard. Any help with this would be greatly appreciated. I am really struggling here. Thanks.
  • by clcerda,

    clcerda Nov 6, 2010 7:28 AM in response to davidcmn
    Level 1 (0 points)
    Same thing. Mac mini server (server.local), a Mac Pro and a MacBook Pro with mobile accounts. Additionally, when using Workgroup Manager and Server Preferences from the MacBook Pro it also takes really long to connect. Server Admin works perfect.
  • by mooregr,

    mooregr Nov 8, 2010 6:24 PM in response to clcerda
    Level 1 (4 points)
    Having the same problem: AD-joined Macintosh, works fine on campus network both wired and wireless. When off campus it takes a couple of minutes to authenticate when logging in. Also a couple of minutes' wait when you do anything that requires authentication. If I disconnect all networking it works fine.

    I found this thread that may help. I have not tried it yet, but it may help.

    http://prowiki.isc.upenn.edu/wiki/Solvingtimeout_issues_withActiveDirectory
  • by Peter-Erik,

    Peter-Erik Nov 12, 2010 12:53 AM in response to mooregr
    Level 1 (10 points)
    Is there any improvement with the 10.6.5 update?
  • by jev1313,

    jev1313 Nov 12, 2010 8:44 PM in response to Peter-Erik
    Level 1 (0 points)
    Nope, 10.6.5 does not solve this issue despite the claim that 10.6.5 "Improves performance for users bound to an Active Directory domain." I have installed it on the very computer I write this post on, took it home to test and sure enough 12 minutes before it was functional.
  • by Peter-Erik,

    Peter-Erik Nov 15, 2010 1:21 AM in response to jev1313
    Level 1 (10 points)
    @jev1313 thanks for info!
  • by jev1313,

    jev1313 Nov 17, 2010 12:21 PM in response to Codeus
    Level 1 (0 points)
    Codeus wrote:
    following on from the above, I had some issues accessing the web from home so modified the login hook. I also added a logout hook which re-DISables bonjour if the OD server is still unavailable. These are still in testing and might have undesirable side effects so use with caution.

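    boot.sh

    #!/bin/bash
    # At boot: unload mDNSResponder when the reverse lookup of the OD server fails.
    # grep -c prints the number of matching lines; compare it numerically with -gt.
    if [ "$(/usr/bin/host 172.18.10.1 | grep -ic "not found:")" -gt 0 ]; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    fi


    login.sh

    #!/bin/bash
    # At login: restart mDNSResponder (unload, then load) when the OD server is not found.
    if [ "$(host 172.18.10.1 | grep -ic "not found:")" -gt 0 ]; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
        sleep 1
        launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    fi


    logout.sh

    #!/bin/bash
    # At logout: unload mDNSResponder again if the OD server is still not found.
    if [ "$(host 172.18.10.1 | grep -ic "not found:")" -gt 0 ]; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    fi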


    Hey Codeus, I was able to follow your instructions for the login and logout files but I don’t know how to use the boot.sh file. Sorry, I am a Windows admin that was put in charge of integrating Macs into my Windows network and I still don’t understand a lot about how the Macs work. Also, is this the final version of what you came up with, or are the scripts you are using to get past this issue different from this post?
  • by jev1313,

    jev1313 Nov 23, 2010 2:09 PM in response to jev1313
    Level 1 (0 points)
    http://support.apple.com/kb/TS3560

    OMG we may have a winner. Someone please test this and post results. I will be testing it very soon and will post my own results.
  • by jev1313,

    jev1313 Nov 24, 2010 6:40 AM in response to jev1313
    Level 1 (0 points)
    Well, I tested this last night and big surprise, it does not fix it. When I looked at the file in question it did not contain any IP addresses, extra or in place of, host names like the article described. My file was in perfect order. I took it home and did the quick test by removing the file to see if that sped up login and it did nothing. Still a 12 minute login time.
  • by Michael Kuhn,

    Michael Kuhn Nov 25, 2010 10:21 PM in response to TheChinaMac
    Level 1 (14 points)
    The school district I work for has run into this problem head-on with a little over 5,000 MacBooks running Snow Leopard. Our clients sometimes are completely unable to log into their machines while off network; it will literally sit at the login screen indefinitely until a forced reboot.

    We opened a case with AppleCare "Premium Service and Support" last week, but are still waiting on any solutions from them. If they come up with something that I am able to share, I will certainly do so.
  • by jev1313,

    jev1313 Nov 29, 2010 8:27 AM in response to Michael Kuhn
    Level 1 (0 points)
    I am going to try and do the same. I just need to get my boss to approve the cost of opening a ticket with Apple.
  • by Elton Babcock,

    Elton Babcock Dec 9, 2010 4:00 PM in response to haoyangliu
    Level 1 (0 points)
    I am getting the same exact thing on my network. Also my clients are also looking for a Kerberos Realm constantly even when off network. I am yet to get this fixed.