TheChinaMac

Q: Mobile User Slow Login Off Network

I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If I remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that were the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is miniserv.companydomain.net and the search domain in the server is companydomain.net - but again, this DNS info is not listed in the client machines. companydomain.net is a FQDN that only runs locally. Could the client be looking for companydomain.net on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:8 4

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039


Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)

Posted on Sep 4, 2009 2:38 PM

  • by neekolas321,

    neekolas321 May 6, 2010 9:15 AM in response to phil.n
    Level 1 (0 points)
    Perhaps we should file a bug report with Apple? I have noticed that if there is no network connection I am able to login much faster. It is definitely an issue with a prolonged timeout when searching for a domain.
  • by phil.n,

    phil.n May 11, 2010 5:35 AM in response to neekolas321
    Level 1 (0 points)
    Agreed. Even if someone can come up with a fix it really needs to be addressed properly by Apple. So, anyone know how you go about filing a bug?!
  • by Critforce,

    Critforce May 17, 2010 1:16 PM in response to TheChinaMac
    Level 1 (10 points)
    Same exact issue. Slow log on from home. What to do?
  • by neekolas321,

    neekolas321 May 17, 2010 2:48 PM in response to TheChinaMac
    Level 1 (0 points)
    I submitted a bug with Apple. I'll let you guys know if they contact me.
  • by Codeus,

    Codeus May 18, 2010 3:07 AM in response to neekolas321
    Level 1 (10 points)
    I have a workaround that seems to help; you need to add a few lines to a boot script that runs from a launchd job and to a login-hook script.

    It works by checking if it can see your OD server at boot time (try by hostname or IP address and see which works best). If it can find the server, fine; otherwise it disables Bonjour until we have passed the loginwindow, then re-enables it for internet etc.

    In your boot.sh add: -

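    #!/bin/bash
    # If the OD server cannot be resolved, stop mDNSResponder (Bonjour)
    # before the login window appears; otherwise make sure it is loaded.
    if [ "$(host odserver.mynet.com | grep -ic "not found")" -gt 0 ]; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    else
        launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    fi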

    Then, in your login.sh just add: -

    #!/bin/bash
    # Re-enable Bonjour once the user is past the login window.
    launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist


    The obvious caveat is that a reboot is needed to disable Bonjour and thus skip the login delay. Just logging out and in won't do the trick.

    Hope this helps until we get a proper fix, or preferably a WGM manageable timeout.... oh it's nice to dream....
  • by Codeus,

    Codeus May 18, 2010 4:57 AM in response to Codeus
    Level 1 (10 points)
    Following on from the above, I had some issues accessing the web from home so modified the login hook. I also added a logout hook which re-DISables Bonjour if the OD server is still unavailable. These are still in testing and might have undesirable side effects so use with caution.

    boot.sh

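    #!/bin/bash
    # Count "not found:" lines in the lookup of the OD server's address;
    # a non-zero count means the server is not visible, so stop Bonjour.
    if [ "$(/usr/bin/host 172.18.10.1 | grep -ic "not found:")" -gt 0 ]; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    fi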


    login.sh

    #!/bin/bash
    # OD server not visible: restart mDNSResponder so it is running again after login.
    if [ "$(host 172.18.10.1 | grep -ic "not found:")" -gt 0 ]; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
        sleep 1
        launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    fi


    logout.sh

    #!/bin/bash
    # OD server still not visible at logout: disable Bonjour again for the next login.
    if [ "$(host 172.18.10.1 | grep -ic "not found:")" -gt 0 ]; then
        launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
    fi
  • by neekolas321,

    neekolas321 May 18, 2010 4:24 PM in response to TheChinaMac
    Level 1 (0 points)
    Just wanted to follow up that I have been contacted by Apple and am supplying them with my Directory Service log files. Interesting to see what they come back with.
  • by jimmayl,

    jimmayl May 19, 2010 6:55 AM in response to Codeus
    Level 1 (0 points)
    I am having this same issue -- I'd be curious to hear if anyone who's using an offline AD "mobile account" isn't having this problem.

    In any case, I can confirm that Codeus' fix works, but only for the loginwindow authentication. Any subsequent local-admin authentications (e.g. unlocking a System Preference pane) will have the same painful lag time, because Bonjour has been re-enabled with login.sh.

    If I modify login.sh to keep Bonjour disabled, then the lag time goes away, but my networking is crippled: Bonjour seems to be pretty essential to Mac OS networking these days.

    It sounds like this could be a Bonjour bug, which hopefully Apple will fix sometime in the not-too-distant future.
  • by Codeus,

    Codeus May 20, 2010 1:12 AM in response to jimmayl
    Level 1 (10 points)
    My guess is it's Kerberos' authentication timeout that is at the heart of it. But as far as I can tell there is no way of adjusting that from the command line or otherwise.
  • by InterHmai,

    InterHmai May 21, 2010 11:12 AM in response to TheChinaMac
    Level 1 (60 points)
    Try lowering your LDAP timeout settings in dir util to 15s / 20s / 20s / 1m

    That should speed things along when you have a mobile account off the network.
  • by bingocaller,

    bingocaller May 27, 2010 7:14 AM in response to TheChinaMac
    Level 1 (0 points)
    I just wanted to chime in that I have the same problem. Mobile AD account on a .local AD domain in 10.6.3, dreadfully long login delay away from the AD network, typically about 3.5 minutes. A mobile AD account in 10.5.8 takes about 15 seconds to log in away from the AD network.

    In 10.6.3, I also have a 2 minute delay when logging in to a local admin account when away from the AD network. Unbinding from AD "fixes" the login delay for both types of account.
  • by Codeus,

    Codeus May 27, 2010 8:25 AM in response to InterHmai
    Level 1 (10 points)
    InterHmai wrote:
    Try lowering your LDAP timeout settings in dir util to 15s / 20s / 20s / 1m

    That should speed things along when you have a mobile account off the network.

    Unfortunately it doesn't, or at least not noticeably.
  • by Aslak Asklien,

    Aslak Asklien Jun 8, 2010 10:51 PM in response to Codeus
    Level 1 (5 points)
    Codeus:
    How do you implement the login.sh? No go with LaunchAgent....?!
  • by Codeus,

    Codeus Jun 9, 2010 1:01 AM in response to Aslak Asklien
    Level 1 (10 points)
    LoginHooks (and Logout) are a standard feature of OS X and can be modified using the 'defaults' command:-


    sudo defaults write com.apple.loginwindow LoginHook "/path/to/script/login.sh"
    sudo defaults write com.apple.loginwindow LogoutHook "/path/to/script/logout.sh"


    You can check what's there already or that they look right with: -


    sudo defaults read com.apple.loginwindow


    They're actually really useful as the loginwindow passes the user's shortname to the script as variable $1 so you can do all kinds of cool stuff for the user who is logging in/out. Well worth reading up on.
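
An added example, not part of Codeus's post or the thread: loginwindow runs the LoginHook and LogoutHook scripts as root, so the script file and its directory should be owned by root and writable by nobody else. The function name `audit_hook` and its optional owner argument are made up for this example, which checks only the script and its containing directory.

```shell
#!/bin/sh
# Added example, not from the thread. loginwindow runs LoginHook and
# LogoutHook scripts as root, so a hook file (or its directory) that a
# non-root user can modify is a path to root for that user.

# audit_hook PATH [OWNER]
#   OWNER defaults to root; it is a parameter (an assumption of this example)
#   only so the check can be exercised without privileges.
#   Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_hook() {
    ah_hook=$1
    ah_owner=${2:-root}
    ah_bad=0
    case $ah_hook in
        /*) ;;
        *) echo "not an absolute path: $ah_hook"; return 1 ;;
    esac
    if [ ! -f "$ah_hook" ]; then
        echo "missing or not a regular file: $ah_hook"; return 1
    fi
    if [ -L "$ah_hook" ]; then
        echo "is a symlink: $ah_hook"; ah_bad=1
    fi
    # Check the script and its containing directory.
    for ah_p in "$ah_hook" "$(dirname "$ah_hook")"; do
        if [ -z "$(find "$ah_p" -prune -user "$ah_owner")" ]; then
            echo "not owned by $ah_owner: $ah_p"; ah_bad=1
        fi
        if [ -n "$(find "$ah_p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "group- or world-writable: $ah_p"; ah_bad=1
        fi
    done
    return "$ah_bad"
}

# On a Mac, run this as root: the thread sets the keys with sudo, so read
# them the same way. Skipped where the defaults command does not exist.
if command -v defaults >/dev/null 2>&1; then
    for ah_key in LoginHook LogoutHook; do
        ah_path=$(defaults read com.apple.loginwindow "$ah_key" 2>/dev/null) || continue
        audit_hook "$ah_path" || echo "$ah_key: fix the findings above"
    done
fi
```
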
  • by Jonathan mergy,

    Jonathan mergy Jun 10, 2010 11:29 AM in response to neekolas321
    Level 1 (0 points)
    I am seeing this too with our network. Perhaps it is an issue with 10.6.x clients and 10.5.x server (which we have too.) Would love to go to 10.6.x server, but Symantec has their head up their ... and doesn't have a native 10.6 client yet for BackupExec.

    The login delays off the network are crazy. Tried all the LDAP timeouts and unbound and re-bound to no avail. UGH