10.5: A possible fix for Active Directory integration issues
I may have found a culprit in the OS X 10.5 Active Directory integration problem (see the comments on this post at AFP548.com for more information on the problem). I noticed that after a 10.5 machine is bound, it mostly freezes up when it tries to authenticate. I started looking around and noticed interesting things in the /Library/Preferences/edu.mit.Kerberos file.

Before being bound, the file looked like this:
[libdefaults]
    dns_fallback = "no"
I then bound the machine. It was unusably sluggish, as expected. After binding, the file looked like this:
# WARNING This file is automatically created by Active Directory
# do not make changes to this file;
# autogenerated from : /Active Directory/DOMAIN.DOMAIN.LOCAL
# generation_id : 0
[libdefaults]
    dns_fallback = no
They are pretty much the same: binding only rewrote the header and the quoting of "no", and never filled in the realm information. I changed the file to look like this (if you check the file on a 10.4 machine that has been bound, you will see this file properly populated):
# WARNING This file is automatically created by Active Directory
# do not make changes to this file;
# autogenerated from : /Active Directory/DOMAIN.DOMAIN.LOCAL
# generation_id : 0
[libdefaults]
    default_realm = DOMAIN.DOMAIN.LOCAL
    noaddresses = TRUE
    dns_fallback = "no"

[realms]
    DOMAIN.DOMAIN.LOCAL = {
        kdc = kerberosserver.domain.domain.local.:88
        admin_server = kerberosserver.domain.domain.local.
        default_domain = domain.local
    }

[domain_realm]
    # the target must match the [realms] stanza exactly: realm names are case-sensitive
    .domain.local = DOMAIN.DOMAIN.LOCAL
You will also have to add [v4_realms] and [v4_domain_realm] sections if you are using an older version of Kerberos.

The machine was slow creating the account the first time, but after that it performed perfectly. After restarts and trying various things, I had a working 10.5 machine bound to Active Directory. I hope some of you have the resources to test this out; I'd like to hear any successes or failures.
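As an added check (example code, not part of the hint and not Apple's tooling): a small parser for the krb5.conf profile format, plus a validator that catches the two failure shapes that matter here, a post-bind file that never received default_realm and a [realms] stanza, and a hand-populated file whose [domain_realm] target is spelled in a different case from its [realms] stanza (realm names are case-sensitive, so such a mapping points at a realm that does not exist). The three sample files are constructed inline using the hint's placeholder names; pass real paths on the command line to check your own machine.

```python
"""Sanity-check an edu.mit.Kerberos / krb5.conf file for Active Directory use.

Added example, not code from the hint or from Apple. The sample files below
are constructed from the shapes discussed in the hint, with its placeholder
realm and host names.
"""
import re
import sys

# Constructed sample: what Leopard's binding left behind (no realm data at all).
AS_BOUND_CONF = """\
# WARNING This file is automatically created by Active Directory
# autogenerated from : /Active Directory/DOMAIN.DOMAIN.LOCAL
# generation_id : 0
[libdefaults]
    dns_fallback = no
"""

# Constructed sample: hand-populated, but the [domain_realm] target is spelled
# in lower case, so it does not name the realm defined under [realms].
HAND_EDITED_CONF = """\
[libdefaults]
    default_realm = DOMAIN.DOMAIN.LOCAL
    noaddresses = TRUE
    dns_fallback = "no"

[realms]
    DOMAIN.DOMAIN.LOCAL = {
        kdc = kerberosserver.domain.domain.local.:88
        admin_server = kerberosserver.domain.domain.local.
        default_domain = domain.local
    }

[domain_realm]
      .domain.local = domain.domain.local
"""

# Same file with the mapping corrected to match the [realms] stanza exactly.
FIXED_CONF = HAND_EDITED_CONF.replace(".domain.local = domain.domain.local",
                                      ".domain.local = DOMAIN.DOMAIN.LOCAL")


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    Leaf values are kept as lists of strings because a key such as kdc may
    repeat; a 'key = {' block becomes a nested dict (one level is all these
    files use). '#' and ';' start comments; quotes around a value are dropped,
    so dns_fallback = "no" and dns_fallback = no compare equal.
    """
    conf = {}
    stack = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("entry before any [section]: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key = value: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value.strip('"'))
    return conf


def check_ad_config(conf):
    """Return the problems that would stop the client from locating a KDC."""
    problems = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        problems.append("libdefaults: default_realm is not set")
    elif default_realm[0] not in realms:
        problems.append("realms: no stanza for default_realm %s" % default_realm[0])
    for name, stanza in realms.items():
        if not isinstance(stanza, dict) or not stanza.get("kdc"):
            problems.append("realms: %s lists no kdc" % name)
        if name != name.upper():
            problems.append("realms: %s is not upper case; an AD realm name is "
                            "the DNS domain in upper case" % name)
    for host, targets in conf.get("domain_realm", {}).items():
        for realm in targets:
            if realm in realms:
                continue
            msg = "domain_realm: %s -> %s has no [realms] stanza" % (host, realm)
            if realm.upper() in realms:
                msg += " (realm names are case-sensitive; did you mean %s?)" % realm.upper()
            problems.append(msg)
    return problems


if __name__ == "__main__":
    files = {"as bound": AS_BOUND_CONF, "hand edited": HAND_EDITED_CONF, "fixed": FIXED_CONF}
    if sys.argv[1:]:
        files = {p: open(p).read() for p in sys.argv[1:]}
    for label, text in files.items():
        print("%s: %s" % (label, "; ".join(check_ad_config(parse_krb5_conf(text))) or "ok"))
```

The checker deliberately stays on the static side: it tells you whether the file names a realm and a KDC and whether the mappings are internally consistent, not whether the KDC answers, which is a separate question on a machine that roams between networks.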
10.5: A possible fix for Active Directory integration issues
Authored by: redclawx on Aug 14, '08 01:26:45PM

I have been having the same problem with computers becoming unresponsive when the authentication dialog came up. The computers are bound to AD. The odd part was, this only occurred when the computer was attempting to authenticate across any other network than the one that could communicate with the Active Directory Controller. For instance, the problem would arise when the computer was connected to a wireless network and not a wired network. The screen saver would be password protected, so coming out would invoke the authentication window. When the user attempted to authenticate, the computer would oftentimes delay so long that authentication never occurred and the system went back to the screen saver.
According to Apple this is a known issue. The Apple engineers are working on a fix for it. I do not know the timeline for this fix. Of course, we didn't know about this being a known issue until after we had paid Apple for the extra support. We had to pay Apple because, according to them, this problem was not covered under the standard AppleCare 3-year protection plan. Fortunately we were able to get a refund once we found out that this was a known issue.

10.5: A possible fix for Active Directory integration issues
Authored by: Jaharmi on Jan 30, '09 07:44:18AM

Since you didn't specify, are these problems with Mac OS X 10.4 or 10.5 or both?

Under certain circumstances, Mac OS X 10.4 can become unresponsive and not fail over to a locally-cached Active Directory mobile account when the Active Directory domain controllers are "reachable" (i.e. their names can be resolved by DNS through your current network connection) but traffic to them is blocked (perhaps by a border firewall between your current network connection and your organization's).

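The failure mode described in the comment above (KDC names resolve, but traffic to them is blocked, so the client sits in a long connect rather than failing over) is easy to reproduce with a probe that does the same resolve-then-connect with a hard timeout. This is an added example, not code from the hint or its commenters; the KDC host name in the __main__ block is a placeholder. It uses TCP/88 as the reachability test because a dropped UDP packet is indistinguishable from a slow reply, whereas a TCP connect that times out against a resolvable name is exactly the "filtered" state that produces the hang.

```python
"""Classify a KDC as unresolved, filtered, refused or reachable.

Added example, not from the hint or its comments. 'filtered' (the name
resolves but TCP/88 gets no answer within the timeout) is the state behind
the login and screen-saver freezes discussed on this page: without a short
timeout the client waits for the OS connect timeout, tens of seconds or more,
before it gives up and falls back to cached credentials.
"""
import socket
import sys


def kdc_status(host, port=88, timeout=2.0):
    """Resolve host and try a TCP connect to port with a hard timeout."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"          # DNS cannot find the KDC at all
    result = "unresolved"
    for family, socktype, proto, _canon, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "reachable"       # something is listening on port 88
        except socket.timeout:
            result = "filtered"      # resolves, but packets are dropped: the hang case
        except OSError:
            # connection refused, no route, network unreachable: we got an
            # immediate answer, so the client would not hang here
            if result != "filtered":
                result = "refused"
        finally:
            sock.close()
    return result


def probe_kdcs(hosts, port=88, timeout=2.0):
    """Map each KDC host (e.g. the kdc entries of a [realms] stanza) to its status."""
    return {host: kdc_status(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Placeholder KDC name; pass real ones on the command line instead.
    targets = sys.argv[1:] or ["kerberosserver.domain.domain.local"]
    for host, status in probe_kdcs(targets).items():
        print("%-45s %s" % (host, status))
```

A result of "filtered" on the network where logins hang, and "reachable" on the office LAN, is the signature the comment describes; "unresolved" everywhere off-site is the different and benign case where the client fails over promptly.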
10.5: A possible fix for Active Directory integration issues
Authored by: Jaharmi on Jan 30, '09 07:49:32AM

My question is whether this creates any problems with the Local KDC in Leopard.

Also, the "noaddresses = TRUE" line should be unnecessary; according to the man page for krb5.conf, this setting is already the default. It gives you addressless tickets. If my understanding is correct, you would want it to be TRUE when you want Kerberos to work behind NAT (as one example).
