Mobile User Slow Login Off Network

Question

Level 1

1 points

Mobile User Slow Login Off Network

I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If i remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that was the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is miniserv.companydomain.net and the search domain in the server is companydomain.net - but again, this DNS info is not listed in the client machines. companydomain.net is a FQDN that only runs locally. Could the client be looking for companydomain.net on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:8 4

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039

Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)

Posted on Sep 4, 2009 2:38 PM

Reply

Answer 1

Sep 4, 2009 9:55 PM in response to TheChinaMac

Yes, it is probably a DNS issue. KDC = Key Distribution Center. The server becomes a KDC when using Kerberos authentication, as Kerberos (krb5) uses key cryptography. The client can't find the server. Make sure the clients have the proper DNS servers setup.

Reply

Answer 2

Sep 24, 2009 3:54 PM in response to TheChinaMac

Did you ever get this resolved? I have the same problem.

I found that if I turn off all network interface, then login is flawless.

Also, I think the behavior in Leopard was that off network mobile users do not sync at login/logout, because they can't find the server. But when my SL clients logout, they still want to sync. This makes me think it's because the client somehow still thinks it's in the network.

Reply

Answer 3

Sep 25, 2009 1:40 AM in response to TheChinaMac

Hi
Same problem.
Insanely slow log on, and out for that matter.
Airport dropping connections, and trouble log on to mobile account off network.

Lots of trouble with the golden triangle this year!!

Reply

Answer 4

Sep 27, 2009 1:51 AM in response to TheChinaMac

Have you guys found a solution to this problem?

I found that if I open TCP 389 (LDAP) and TCP&UDP 88 (Kerberos V5 KDC) on the firewall, then the problem goes away. But this begs the questions: Is it safe to open those ports? Is there any other way to tell the client that "You are not on the network, stop checking!"?

Thanks.

Reply

Answer 5

Oct 13, 2009 5:40 AM in response to TheChinaMac

Same problem. Has anyone solved it?

Reply

Answer 6

Oct 16, 2009 11:34 AM in response to DirkTheDog

Yeah my office is getting ready to try out mobile accounts and started testing out 10.6 for this and ran into the same problem. I couldn't find a workaround so I just went back to 10.5.8 to see how things work until the problem is fixed.

Reply

Answer 7

Oct 16, 2009 11:50 AM in response to TheChinaMac

I seem to have solved this problem for us by *switching off* the "Server Side File Tracking for Mobile Home Sync" setting in Server Admin. Now the Sync process no longer hangs indefinitely at login or logout (or shows Checking "~/" forever), but unfortunately the actual sync itself has slowed down as when it happens the entire folder structure is compared for changes. I guess I replaced the problem of an unreliable sync that forced users to force-power-off their machines into a reliable but slow one... realised

By the way, as I was debugging this problem I that it was the "ssh yourserver ... FileSyncAgent" process that seemed to be hanging indefinitely. Your cause may be different therefore this solution might not work... Good luck.

Reply

Answer 8

HBarnes

Level 1

0 points

Dec 31, 2009 6:16 AM in response to DirkTheDog

I thought this thread was in reference to waiting forever to login when away from your office network. We don't do any sync at login/logout but it still takes forever at home. All syncing while at work has been perfect, especially since 10.6.2.

I sure hope Apple fixes this soon as it is holding up our deployment of Snow Leopard.

Reply

Answer 9

Bernlo

Level 1

0 points

Mar 11, 2010 9:26 AM in response to HBarnes

I have exactly the same problem when logging in off network. It should be some key combination that bypasses the network check when logging in.

Please let me know if you find anything useful.

Thanks

Message was edited by: Bernlo

Reply

Answer 10

Apr 21, 2010 7:03 AM in response to Bernlo

I am experiencing the painfully slow logins as well. Sometimes 3-4 minutes. Running 10.6.3.

Reply

Answer 11

Abel408

Level 1

9 points

Apr 28, 2010 8:41 AM in response to neekolas321

So I know there has been a lot of input in here and I don't have a solution, but I thought I would report that I am getting the same problems. If the machine is on the network, login times are normal. If the machine is off the network, it will sit at the login screen for a very long time.

Reply

Answer 12

mrbofus

Level 2

257 points

Apr 30, 2010 1:29 PM in response to Abel408

Having the problem here too. Users are complaining that when logging on to their laptops at home, logins are taking upwards of 4 or 5 minutes. Also when waking from sleep, will run into that issue. Running 10.6.3 on the laptops and binding to a Windows 2003 domain.

Reply

Answer 13

Codeus

Level 1

13 points

May 6, 2010 2:02 AM in response to mrbofus

Sync issues and AD issues aside.

I too am seeing this delay of around 2 minutes during login in the following scenario which I believe the OP was experiencing: -

• Mac OS 10.6.x
• PHD / Mobile Account.
• Computer CAN coonnect to internet.
• Computer CANNOT connect to OD Master (eg. offsite, not vpn etc).

As mentioned, my logs show KDS returning errors after a long wait (around 1:30 - 2 mins in my case) while it hunts for a KDC for the realm.

My current thinking is: -

• Can we reduce the KDC timeout via a conf / plist / dscl value someplace?
• If this only happens when a internet connection is up, can we script a pull down of the internet connection in a boot script to skip it?

Reply

Answer 14

phil.n

Level 1

0 points

May 6, 2010 8:16 AM in response to Codeus

I would like to add some support to this thread. I have the same problem, with ~2.5min delay during login. This is the time from when the mouse first appears after boot until the user logon screen is displayed. Fine when within office network, problems when away from domain.

I found this article: http://www.macenterprise.org/articles/fixingactivedirectorytimeoutvalues
which discusses changing the LDAP timeout. I found it referenced from a couple other articles which say that this worked fine for Tiger but not for Leopard or SL. I can confirm that changing the timeout value in my activedirectory.plist from the original "90" to "10" made no difference at all.
I have also seen people saying that disabling Bonjour helped or stopping mDNSresponder but that essentially 'switches off' the internet...

This is a real inconvenience and I hope that someone can come up with a solution/apple fix this as soon as possible.

Reply

Answer 15

May 6, 2010 9:15 AM in response to phil.n

Perhaps we should file a bug report with Apple? I have noticed that if there is no network connection I am able to login much faster. It is definitely an issue with a prolonged timeout when searching for a domain.

Reply