TheChinaMac

Q: Mobile User Slow Login Off Network

I am running server 10.58 with mobile user accounts. I have upgraded three laptops to Snow Leopard and when they are off the network any login or password entry for things like changing a sys pref takes over 1 minute. If I remove the network account server bind from the user account in sys prefs, the login is back to normal. I read of similar problems in 10.5 that were the result of a search domain being listed in the DNS settings of the client machine. However, my DHCP server provides the DNS and search domain listings so this is not listed in the client machines when they are off the network.

My domain name is miniserv.companydomain.net and the search domain in the server is companydomain.net - but again, this DNS info is not listed in the client machines. companydomain.net is a FQDN that only runs locally. Could the client be looking for companydomain.net on the WAN?

The console log reads as follows:

authorizationhost[1965] k5_authenticate(): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/plugins/krb5/krb5_operations.c:8 4

authorizationhost[1965] -[SFBuiltinAuthenticate performDSPasswordAuth](): got -1765328228 (Cannot contact any KDC for requested realm) on /SourceCache/SecurityAgent/SecurityAgent-37013/authhostbuiltins.m:1039


Any guidance appreciated.

MacBook Pro, Mac OS X (10.6)

Posted on Sep 4, 2009 2:38 PM

  • by jev1313,

    Jun 21, 2010 8:37 AM in response to jev1313
    I have tested a second laptop and changed the timeout values but it did not fix that laptop while I was at home this weekend. I need to do more testing this week because I have some more ideas that I need to work out.

  • by jev1313,

    Jun 21, 2010 11:29 AM in response to Codeus
    @Codeus The Kerberos on my Apple Xserve is currently in a stopped state. This is due to the server's Open Directory config. It is joined to a Kerberos realm. That realm is the Active Directory realm and it is a FQDN.
  • by jsutton78,

    Jul 8, 2010 12:50 PM in response to jev1313
    This would be a simple fix for Apple to implement... The issue is not the ldap timeout, but the timeout trying to find the srv dns record. I don't see anywhere to change this timeout, so I made a workaround. If you install dnsmasq to manually enter the srv record, and set 127.0.0.1 as a dns server, this fixes the issue.
  • by jev1313,

    Jul 10, 2010 6:04 PM in response to jsutton78
    I am unfamiliar with dnsmasq. Could you elaborate on how to use this program to fix the issue? Your explanation makes great sense to me but I need a bit of help with the specifics of the implementation.
  • by Neal Keesee,

    Jul 12, 2010 6:43 PM in response to TheChinaMac
    For the record, server 10.6.4 and client 10.6.4 do not resolve this issue. I am running a new OD master and the mobile clients are having this exact issue, taking 15 minutes to log in off the network. So it's not just in an AD network.
  • by jev1313,

    Jul 13, 2010 7:34 AM in response to Neal Keesee
    This is good to know. Apple really needs to fix this. I am using 10.6.4 client and server as well. I wonder if that dnsmasq program would also resolve the issue when it is only using OD master and no AD at all.
  • by jsutton78,

    Jul 13, 2010 9:51 AM in response to jev1313
    I'm not familiar with configurations using OSX servers, but since OD is an ldap server it could suffer from the same issue as AD looking for the srv record. Basically, dnsmasq lets you statically configure the DNS srv record locally which eliminates the long login delays. The srv record basically says what server has the ldap information.

    To install dnsmasq, just install Xcode (from your osx install cd) and then install MacPorts. After MacPorts is installed, run "sudo port install dnsmasq" from a terminal. Once dnsmasq is installed, edit the /opt/local/etc/dnsmasq.conf file and add the fqdn srv record (this should point to your od or ad server). Once this is done, add 127.0.0.1 as your primary dns server. You may also have to add a host record in /etc/hosts pointing to your od/ad server.
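
A dnsmasq.conf fragment for the workaround jsutton78 describes, added here as an example and not posted by anyone in the thread. The domain and server name are the ones given in the original question; the address 192.0.2.10 is a placeholder, and the Kerberos records are an assumption based on the "Cannot contact any KDC" lines in the question's console log.

```conf
# /opt/local/etc/dnsmasq.conf (the MacPorts path named in the post above)

# Answer only on loopback, so the laptop does not act as a DNS server
# for whatever network it happens to be attached to.
listen-address=127.0.0.1
bind-interfaces

# Static SRV records, in the form:
#   srv-host=_service._proto.domain,target,port
# LDAP directory server: the record the post refers to.
srv-host=_ldap._tcp.companydomain.net,miniserv.companydomain.net,389

# Assumption: the Kerberos SRV lookups stall in the same way off-network.
srv-host=_kerberos._tcp.companydomain.net,miniserv.companydomain.net,88
srv-host=_kerberos._udp.companydomain.net,miniserv.companydomain.net,88

# Address for the SRV target (placeholder value). dnsmasq also reads
# /etc/hosts by default, so the host entry can live there instead.
address=/miniserv.companydomain.net/192.0.2.10
```

With 127.0.0.1 as the only resolver, dnsmasq needs upstream servers of its own (`server=` lines or a separate `resolv-file=`), otherwise every other name fails to resolve. The static answers also go stale if the directory server is renamed or re-addressed, so they need updating alongside the server.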
  • by jev1313,

    Aug 9, 2010 2:23 PM in response to jsutton78
    Any chance someone could post the syntax of the srv record inside the conf file? I got the stuff installed but I don't exactly know how to enter the srv info correctly.
  • by enobmort,

    Aug 13, 2010 4:36 PM in response to TheChinaMac
    Here's what fixed it for me.

    First: Open Directory Utility on the client machine and authenticate by clicking on the padlock and entering your Administrator username & password.

    Next: Under the Services tab, double-click the line labeled "LDAPv3" (make sure not to click the box next to "Enable"; just double-click anywhere in the line of the text).

    Then: From the pulldown menu under the "LDAP Mappings" header select "Open Directory" and click "OK" in the lower right corner.

    Now: Go to the "Search Policy" tab. Select "Local Directory" from the pulldown menu next to the Search field. Do this for both "Authentication" and "Contacts" sections. Logout.

    Finally: Login and open/authenticate Directory Utility again. Go to "Search Policy" tab again and select "Custom Path" from the pulldown menu next to the Search field (do this even if this was what was selected previously). Click "Apply" then restart the computer.

    That's it! Let me know if this helps or not by replying to this thread.
  • by tom_taylor,

    Aug 14, 2010 8:56 AM in response to enobmort
    That didn't work for me.

    I have two network locations, and by selecting home instead of work before I shut down (or if I disable airport) I don't have the delayed login issue.

    Still, it's annoying though!

    Has it been fixed in the next SL update (10.6.5)?
  • by ePhone,

    Sep 13, 2010 3:38 PM in response to TheChinaMac
    Same problem. Apple...anyone, is there a fix out there?

    Thanks to all trying to help!
  • by Peter-Erik,

    Sep 14, 2010 1:09 AM in response to ePhone
    I tried the solution from "enobmort" but here this is also not working.
  • by thirdorderharmonic,

    Sep 15, 2010 2:53 PM in response to Peter-Erik
    I too have this problem. 10.6.4 on servers and clients (650 macbooks). Last year I rolled out all my laptops with standalone local accounts specifically to avoid this kind of thing. I went to the server based accounts this year so I could leverage podcast producer and the wiki/blog server. My users are used to the snappy response of local accounts so they're grumbling at me for doing things in what should be the 'correct way'.

    Apple, please get some people on this issue!! It's a frustrating one!

    -Neil
  • by Johnny5th,

    Oct 14, 2010 10:07 AM in response to enobmort
    This just worked for me. I have no idea why but I've been trying to fix this for the past 4 hours.
  • by Graffxguy,

    Oct 14, 2010 4:13 PM in response to TheChinaMac
    I too am experiencing painfully slow logins and ridiculously slow logoffs (like 5 minutes to logoff).

    The only thing that lets it work somewhat decently is to use mobile accounts that don't sync to the server. If I try to sync anything, even if it's a folder with just one text file in it, it just hangs there.

    So frustrating!

    If they don't fix this or tell us how to, I'm going to just change accounts into mobile accounts with NO syncing.