TheChinaMac

Q: Mobile User Slow Login Off Network

I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If i remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that was the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is miniserv.companydomain.net and the search domain in the server is companydomain.net - but again, this DNS info is not listed in the client machines. companydomain.net is a FQDN that only runs locally. Could the client be looking for companydomain.net on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:8 4

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039


Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)

Posted on Sep 4, 2009 2:38 PM

Close

Q: Mobile User Slow Login Off Network

  • All replies
  • Helpful answers

first Previous Page 6 of 8 last Next
  • by Elton Babcock,

    Elton Babcock Elton Babcock Dec 9, 2010 4:05 PM in response to TheChinaMac
    Level 1 (0 points)
    Dec 9, 2010 4:05 PM in response to TheChinaMac
    We are also having this issue after trying the solution from Apple. The authentication is very quick from the login window but directly after the login prompt disappears, all I am left with is the loginwindow background for about 3-5 min. I have checked the logs over and over again and it appears it is still looking for a Kerberos Realm over and over again. Please post any results anyone hears regarding this issue.
  • by Michael Kuhn,

    Michael Kuhn Michael Kuhn Dec 21, 2010 6:00 AM in response to Michael Kuhn
    Level 1 (14 points)
    Dec 21, 2010 6:00 AM in response to Michael Kuhn
    Still no solution from Apple, have been sending them data captures, packet traces etc.. over the past few weeks.
  • by Peter-Erik,

    Peter-Erik Peter-Erik Jan 3, 2011 4:35 AM in response to Michael Kuhn
    Level 1 (10 points)
    Jan 3, 2011 4:35 AM in response to Michael Kuhn
    any news yet?
  • by Michael Kuhn,

    Michael Kuhn Michael Kuhn Jan 3, 2011 5:07 AM in response to Peter-Erik
    Level 1 (14 points)
    Jan 3, 2011 5:07 AM in response to Peter-Erik
    None other than they haven't been able to "reproduce this behavior."

    I've found that the easiest way to get it to occur is to setup an invalid DNS address on an otherwise working machine. Then the next network login attempt fails.
  • by GregD7,

    GregD7 GregD7 Jan 7, 2011 12:34 PM in response to Michael Kuhn
    Level 1 (0 points)
    Jan 7, 2011 12:34 PM in response to Michael Kuhn
    I'm seeing the same issue here -- MacBook Pro is joined to a Windows 2003 Active Directory domain; when logging on to the machine with a mobile account and the NIC is not connected to the corporate network, the login process takes about 2 min 30 seconds. It doesn't seem to make a difference whether Airport is on or off.

    I tested yesterday on 10.6.6 and still have the same issue (not that expected much of a change based on the short change list in the release notes in 10.6.6, but you never know)

    Below is a section of my secure.log from a couple of days back on 10.6.5. 2 minutes and 25 seconds elapsed from the time the username & password was entered (21:52:38) to the time the login window process finished (21:55:03).

    21:52:23 <computername> loginwindow[35]: Login Window Started Security Agent
    21:52:23 <computername> SecurityAgent[118]: Showing Login Window
    21:52:38 <computername> SecurityAgent[118]: User info context values set for <..username..>
    21:53:31 <computername> authorizationhost[117]: k5_authenticate(): got -1765328164 (Cannot resolve network address for KDC in requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37556/plugins/krb5/krb5_operations.c:8 4
    21:53:31 <computername> authorizationhost[117]: -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328164 (Cannot resolve network address for KDC in requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37556/authhostbuiltins.m:1039
    21:54:31 <computername> SecurityAgent[118]: Login Window Showing Progress
    21:55:03 <computername> SecurityAgent[118]: Login Window done
    21:55:03 <computername> com.apple.SecurityServer[23]: Succeeded authorizing right 'system.login.console' by client '/System/Library/CoreServices/loginwindow.app' for authorization created by '/System/Library/CoreServices/loginwindow.app'
    21:55:03 <computername> loginwindow[35]: Login Window - Returned from Security Agent
    21:55:03 <computername> com.apple.SecurityServer[23]: Succeeded authorizing right 'system.login.done' by client '/System/Library/CoreServices/loginwindow.app' for authorization created by '/System/Library/CoreServices/loginwindow.app'
    21:55:04 <computername> /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer[167]: Starting up
  • by Peter-Erik,

    Peter-Erik Peter-Erik Feb 7, 2011 7:03 AM in response to Michael Kuhn
    Level 1 (10 points)
    Feb 7, 2011 7:03 AM in response to Michael Kuhn
    4 weeks later, any news yet?

    greetings
  • by bingocaller,

    bingocaller bingocaller Feb 10, 2011 5:42 AM in response to TheChinaMac
    Level 1 (0 points)
    Feb 10, 2011 5:42 AM in response to TheChinaMac
    Try this. It worked for me (MacBook bound to AD, dot local domain, mobile account, extremely slow login away from AD network):
    http://support.apple.com/kb/HT3789
  • by buckster,

    buckster buckster Feb 10, 2011 1:22 PM in response to TheChinaMac
    Level 4 (2,814 points)
    Apple Watch
    Feb 10, 2011 1:22 PM in response to TheChinaMac
    This worked for me - woot!

    http://support.apple.com/kb/TS3560

    10.6.6 mobile client accounts 10.6.6. OD server.

    Login was fast on our local network. With no network available at all, login was fast. But mobile account logins were taking 120 seconds on 3rd party networks without OD server availability.

    After making the above tweak in Workgroup Manager login is speedy everywhere.

    FYI, had this not worked the next thing I planned was to tinker with some of the timeout settings in the Directory Utility app for LDAP services at settings in System/Library/CoreServices/Directory Utility.

    That might have brought down login speeds but I'd consider it a workaround rather than a fix.

    hth,

    b.
  • by bingocaller,

    bingocaller bingocaller Feb 16, 2011 6:29 PM in response to bingocaller
    Level 1 (0 points)
    Feb 16, 2011 6:29 PM in response to bingocaller
    I take that back. I still have slow logins away from the AD network.
  • by omcakuma,

    omcakuma omcakuma Feb 18, 2011 9:54 PM in response to buckster
    Level 1 (0 points)
    Feb 18, 2011 9:54 PM in response to buckster
    Has anyone verified this solution:
    http://support.apple.com/kb/TS3560
    is a fix for users away from the AD network?
  • by Peter-Erik,

    Peter-Erik Peter-Erik Feb 20, 2011 11:42 PM in response to omcakuma
    Level 1 (10 points)
    Feb 20, 2011 11:42 PM in response to omcakuma
    Not for me we have here a .local AD domain.
  • by jev1313,

    jev1313 jev1313 Feb 22, 2011 2:22 PM in response to omcakuma
    Level 1 (0 points)
    Feb 22, 2011 2:22 PM in response to omcakuma
    I already posted my results to this in this thread but ill say it again because there have been some other suggestions and what not.
    http://support.apple.com/kb/TS3560 did not work. My enviroment is a AD 2008r2 functional level with a modified schema. It also has an Apple XServer as an OD master in the golden triangle configuration. The kerberos realm master whatever you want to call it is AD and all authentication is done to AD. Our clients are OSX 10.6.6
    I have not tried http://support.apple.com/kb/HT3789 but i will update once i test it.

    My company just finished purchasing a support contract with Apple for cross platform enterprise support so I can now call and open 10 tickets with them. You can bet within the next week that this issue will be the first ticket I open.
  • by AndreaBi,

    AndreaBi AndreaBi Feb 22, 2011 9:52 PM in response to bingocaller
    Level 1 (0 points)
    Feb 22, 2011 9:52 PM in response to bingocaller
    I have slow login, and slow Workgroup manager problem.
    I remove DNS .local with .lan, but the problem persist.
    For me the problem was the LDAP Search Base the OD can't change dc=local in dc=lan.
    I read tis and resolve all problem:
    http://discussions.info.apple.com/thread.jspa?threadID=2380171&tstart=0
  • by jgilmour,

    jgilmour jgilmour Feb 23, 2011 12:22 PM in response to phil.n
    Level 1 (0 points)
    Feb 23, 2011 12:22 PM in response to phil.n
    I have found this post to work - http://techsmog.com/?p=194 (.local domain & AD) had slow logins/logouts/authenticating, all works well now.
  • by jev1313,

    jev1313 jev1313 Feb 24, 2011 8:46 AM in response to jgilmour
    Level 1 (0 points)
    Feb 24, 2011 8:46 AM in response to jgilmour
    jgilmour wrote:
    I have found this post to work - http://techsmog.com/?p=194 (.local domain & AD) had slow logins/logouts/authenticating, all works well now.


    This looks very promising, i will test and report back. However apple still needs to fix this as it is a major problem with their OS.
first Previous Page 6 of 8 last Next