Previous 1 2 3 Next 116 Replies Latest reply: May 3, 2013 3:21 AM by RULLAB
TheChinaMac Level 1 (0 points)
I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If i remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that was the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is and the search domain in the server is - but again, this DNS info is not listed in the client machines. is a FQDN that only runs locally. Could the client be looking for on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:8 4

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039

Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)
  • macwiz1220 Level 4 (1,940 points)
    Yes, it is probably a DNS issue. KDC = Key Distribution Center. The server becomes a KDC when using Kerberos authentication, as Kerberos (krb5) uses key cryptography. The client can't find the server. Make sure the clients have the proper DNS servers setup.
  • haoyangliu Level 1 (0 points)
    Did you ever get this resolved? I have the same problem.

    I found that if I turn off all network interface, then login is flawless.

    Also, I think the behavior in Leopard was that off network mobile users do not sync at login/logout, because they can't find the server. But when my SL clients logout, they still want to sync. This makes me think it's because the client somehow still thinks it's in the network.
  • dalboslampen Level 1 (0 points)
    Same problem.
    Insanely slow log on, and out for that matter.
    Airport dropping connections, and trouble log on to mobile account off network.

    Lots of trouble with the golden triangle this year!!
  • haoyangliu Level 1 (0 points)
    Have you guys found a solution to this problem?

    I found that if I open TCP 389 (LDAP) and TCP&UDP 88 (Kerberos V5 KDC) on the firewall, then the problem goes away. But this begs the questions: Is it safe to open those ports? Is there any other way to tell the client that "You are not on the network, stop checking!"?

  • DirkTheDog Level 1 (10 points)
    Same problem. Has anyone solved it?
  • InterHmai Level 1 (60 points)
    Yeah my office is getting ready to try out mobile accounts and started testing out 10.6 for this and ran into the same problem. I couldn't find a workaround so I just went back to 10.5.8 to see how things work until the problem is fixed.
  • DirkTheDog Level 1 (10 points)
    I seem to have solved this problem for us by *switching off* the "Server Side File Tracking for Mobile Home Sync" setting in Server Admin. Now the Sync process no longer hangs indefinitely at login or logout (or shows Checking "~/" forever), but unfortunately the actual sync itself has slowed down as when it happens the entire folder structure is compared for changes. I guess I replaced the problem of an unreliable sync that forced users to force-power-off their machines into a reliable but slow one... realised

    By the way, as I was debugging this problem I that it was the "ssh yourserver ... FileSyncAgent" process that seemed to be hanging indefinitely. Your cause may be different therefore this solution might not work... Good luck.
  • HBarnes Level 1 (0 points)
    I thought this thread was in reference to waiting forever to login when away from your office network. We don't do any sync at login/logout but it still takes forever at home. All syncing while at work has been perfect, especially since 10.6.2.

    I sure hope Apple fixes this soon as it is holding up our deployment of Snow Leopard.
  • Bernlo Level 1 (0 points)
    I have exactly the same problem when logging in off network. It should be some key combination that bypasses the network check when logging in.

    Please let me know if you find anything useful.


    Message was edited by: Bernlo
  • neekolas321 Level 1 (0 points)
    I am experiencing the painfully slow logins as well. Sometimes 3-4 minutes. Running 10.6.3.
  • Abel408 Level 1 (0 points)
    So I know there has been a lot of input in here and I don't have a solution, but I thought I would report that I am getting the same problems. If the machine is on the network, login times are normal. If the machine is off the network, it will sit at the login screen for a very long time.
  • mrbofus Level 1 (5 points)
    Having the problem here too. Users are complaining that when logging on to their laptops at home, logins are taking upwards of 4 or 5 minutes. Also when waking from sleep, will run into that issue. Running 10.6.3 on the laptops and binding to a Windows 2003 domain.
  • Codeus Level 1 (10 points)
    Sync issues and AD issues aside.

    I too am seeing this delay of around 2 minutes during login in the following scenario which I believe the OP was experiencing: -

    • Mac OS 10.6.x
    • PHD / Mobile Account.
    • Computer CAN coonnect to internet.
    • Computer CANNOT connect to OD Master (eg. offsite, not vpn etc).

    As mentioned, my logs show KDS returning errors after a long wait (around 1:30 - 2 mins in my case) while it hunts for a KDC for the realm.

    My current thinking is: -

    • Can we reduce the KDC timeout via a conf / plist / dscl value someplace?
    • If this only happens when a internet connection is up, can we script a pull down of the internet connection in a boot script to skip it?
  • phil.n Level 1 (0 points)
    I would like to add some support to this thread. I have the same problem, with ~2.5min delay during login. This is the time from when the mouse first appears after boot until the user logon screen is displayed. Fine when within office network, problems when away from domain.

    I found this article:
    which discusses changing the LDAP timeout. I found it referenced from a couple other articles which say that this worked fine for Tiger but not for Leopard or SL. I can confirm that changing the timeout value in my activedirectory.plist from the original "90" to "10" made no difference at all.
    I have also seen people saying that disabling Bonjour helped or stopping mDNSresponder but that essentially 'switches off' the internet...

    This is a real inconvenience and I hope that someone can come up with a solution/apple fix this as soon as possible.
Previous 1 2 3 Next