TheChinaMac

Q: Mobile User Slow Login Off Network

I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If I remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that were the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is miniserv.companydomain.net and the search domain in the server is companydomain.net - but again, this DNS info is not listed in the client machines. companydomain.net is a FQDN that only runs locally. Could the client be looking for companydomain.net on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:8 4

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039


Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)

Posted on Sep 4, 2009 2:38 PM

Page 3 of 8
  • by jtappan,

    Level 1 (0 points)
    Jun 10, 2010 3:20 PM in response to TheChinaMac
    Same thing here. I have a Windows AD infrastructure with about 30 Macs bound to the domain. Mobile accounts have been created and all works as expected while they are in the office. When they leave the office their logons are delayed several minutes if they have Internet access. If they attempt to log on with no access to the Internet, logins are near instant. All are on 10.6.3.

    Has Apple responded yet? Very annoying issue for our users who like to work at home.
  • by neekolas321,

    Level 1 (0 points)
    Jun 10, 2010 3:22 PM in response to jtappan
    Apple has responded. They have acknowledged this as a bug. Not sure if that means they are working on it but they told me that it was identified as a bug.
  • by Uomoz2,

    Level 1 (0 points)
    Jun 11, 2010 3:24 AM in response to neekolas321
    Hi all,
    I have the same issue with all Macs on 10.6.3 bound to a Win 2008 AD infrastructure. I have a question for you. What's the domain name of your AD infrastructure? I think that the problem is due to the domain name. In fact, my domain's name ends with .local.
    I tried to bind one of my Macs to a domain called "domain.lan" and I didn't have any problem.
    Thank you in advance.
    Tommaso
  • by guaro2k,

    Level 1 (0 points)
    Jun 11, 2010 9:40 AM in response to TheChinaMac
    Same problem here, running 10.5 server in a mixed environment. Hope Apple gets a solution fast.
  • by Jonathan mergy,

    Level 1 (0 points)
    Jun 11, 2010 10:12 AM in response to phil.n
    Working on this now... I think I might have a workaround...
  • by Jonathan mergy,

    Level 1 (0 points)
    Jun 11, 2010 10:42 AM in response to Jonathan mergy
    Scratch that. Not happy no matter what I do.
  • by Jonathan mergy,

    Level 1 (0 points)
    Jun 16, 2010 9:17 AM in response to Jonathan mergy
    After Apple OS updates and security updates on 6/15, it seems to have improved for me (10.6.4 clients and 10.5.x servers). Now, when there is no network connection, login for Mobile accounts is immediate; when on a different network, there is a delay, but still working on it.

    Improvement though (for our systems at least).
  • by jev1313,

    Level 1 (0 points)
    Jun 18, 2010 3:09 PM in response to TheChinaMac
    Since I am having the same issues as everyone else I thought it best to contribute to this thread. I have read this whole thread and also this link http://www.macenterprise.org/articles/fixingactivedirectorytimeoutvalues and I made some changes to my test client Mac. Before I get into the details let me give some background about my environment. Windows AD with 2 domain controllers. Windows Server 2008 domain functional level. ALL authentication is done with AD and the Schema has been updated to support Apple MCX settings. MCX is the Mac equivalent of Windows Group Policy for those that do not know. We also have an Apple XServe running OS X Server 10.6.4 that is an OD master connected to AD in a "Golden Triangle" config. This is done only for MCX support that does not work with just the schema updates. The reason I mention this is that I went to change the Timeout values in both the ActiveDirectory.plist and the DSLDAPv3PluginConfig.plist files. It was more of a "hey, let's see what this does" attempt but it seems to have worked. I have only tested it today on one 10.6.4 client but I will test another on Monday. To be more clear, I searched for the word "timeout" in those files and changed the value to 5 in all cases. There were 3 instances of the word timeout, 1 in the AD.plist and 2 in the LDAP.plist. I will update more on Monday.
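
An added example, not part of jev1313's post or of Apple's tooling: before a blanket edit like the one described above, a script can list every numeric key whose name contains "timeout" and preview the data with all of them set to 5. The sample plist and its key names are constructed for illustration and are not the real contents of ActiveDirectory.plist or DSLDAPv3PluginConfig.plist.

```python
import plistlib

# Constructed sample input; the key names are hypothetical, not Apple's real keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Example Connection Timeout</key><integer>120</integer>
    <key>Example Servers</key>
    <array><dict>
        <key>Example Query timeout</key><integer>30</integer>
        <key>Example Port</key><integer>389</integer>
        <key>Example Timeout Enabled</key><true/>
    </dict></array>
</dict>
</plist>
"""

def _is_timeout(key, value):
    # Name match on numeric values only (bool is an int subclass in Python).
    numeric = isinstance(value, (int, float)) and not isinstance(value, bool)
    return numeric and "timeout" in key.lower()

def find_timeouts(node, path=""):
    """Return [(path, value)] for every numeric key whose name contains 'timeout'."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if _is_timeout(key, value):
                hits.append((here, value))
            hits.extend(find_timeouts(value, here))  # descend into nested values
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_timeouts(item, f"{path}[{index}]"))
    return hits

def with_timeouts(node, seconds):
    """Return a copy of the data with every matched timeout set to `seconds`."""
    if isinstance(node, dict):
        return {k: seconds if _is_timeout(k, v) else with_timeouts(v, seconds)
                for k, v in node.items()}
    if isinstance(node, list):
        return [with_timeouts(item, seconds) for item in node]
    return node

if __name__ == "__main__":
    config = plistlib.loads(SAMPLE_PLIST)
    for path, value in find_timeouts(config):
        print(f"{path}: {value} -> 5")
```

The listing shows which settings a search-and-replace on the word "timeout" would touch, so the change can be reviewed and reverted key by key.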
  • by Peter-Erik,

    Level 1 (10 points)
    Jun 21, 2010 1:01 AM in response to jev1313
    @jev1313 and others, what is the AD domain name? Does it end with .local?
  • by phil.n,

    Level 1 (0 points)
    Jun 21, 2010 1:06 AM in response to Peter-Erik
    Yes, I am on a .local domain and experiencing the problem.
  • by Codeus,

    Level 1 (10 points)
    Jun 21, 2010 1:12 AM in response to phil.n
    What about your Kerberos realm, is that .local or a FQDN?
  • by phil.n,

    Level 1 (0 points)
    Jun 21, 2010 1:19 AM in response to Codeus
    I'm sorry, I don't understand your question.
  • by Codeus,

    Level 1 (10 points)
    Jun 21, 2010 1:35 AM in response to phil.n
    Sorry, I didn't explain very well.

    In Server Admin on your Open Directory server, under the Open Directory item, is the 'Kerberos Realm' a fully qualified domain name, e.g. host.site.com, or is that a .local too?
  • by phil.n,

    Level 1 (0 points)
    Jun 21, 2010 1:44 AM in response to Codeus
    We're using AD on Windows Server 2003, not Open Directory.
  • by jev1313,

    Level 1 (0 points)
    Jun 21, 2010 8:33 AM in response to Peter-Erik
    My internal domain is in the form of FQDN subdomain.domain.org; everything in our company uses FQDN. Our OD server is not used to authenticate anything. Our Kerberos realm is controlled by our Windows AD server and is also in the same form FQDN subdomain.domain.org and is working correctly to authenticate Mac clients and software that use Kerberos (i.e. Entourage).