AD – Mobile home and long long time

  • #367525
    njespersen
    Participant

    Hi

    On Campus we have a setup with Active Directory Server 2003 – Mac OS X ver 10.4.8 clients bound to AD with Mobile Home dir. ExtremeZ-IP file server on a Winserver 2003 with home directory and the Apple AD plugin configured to AFP.

    On campus login is fine, Kerberos ticket is granted, homedir mounts and sync of home and folder from home works.

    The problem is when a client logs in at home connected to the home network by Airport or ethernet, then the login process hangs 5 to 10 minutes, before continuing.
    If the client is unplugged from ethernet AND Airport is disabled, the login process is fine, to the cached mobile home.

    Is it a timeout or??

    Help needed.

    Sincerely,

    Niels G. Jespersen
    IT-Services/Macintosh,
    Dept. of Health Science,
    University of Southern Denmark
    Winsløwparken 15-1.sal
    Odense, Denmark

    Phone +45 6550 3555
    Mobile +45 6011 3555

    #367714
    schilled
    Participant

    Bump, we are having the exact same issue and we just began our faculty refresh and we are distributing MacBooks to the majority of users.

    Any insight would be great.

    #367717
    schilled
    Participant

    I got a response from our Apple Engineer and here is what he suggested…

    [quote]
    This can happen when a site’s external DNS resolves the AD domain controller, but that server isn’t actually reachable from outside their network. Directory services is trying to contact AD, until it hits its timeout. But it will try to contact alternate DCs after that (if they are also in the external DNS), so each DC on the network can extend the timeout until the MacBook gives up completely.

    Some customers have resolved it by changing their DNS to no longer publish the DCs externally. Others have removed the AD plugin from the search path once the user has logged in and established their cached credentials.

    My recommendation is to fix DNS.[/quote]

    Hope this helps. I am working with the AD and DNS admins as we speak.
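
An added example, not part of the thread and not Apple's code: a check for the condition the engineer describes, domain controllers that resolve from outside the network but do not answer there. It assumes the AD domain's `_ldap._tcp` SRV records were collected with `dig +short SRV` from an external resolver; the domain, host names and the 5-second per-DC timeout are constructed placeholders.

```python
import socket

# Constructed sample: `dig +short SRV _ldap._tcp.ad.example.edu` run from
# outside the campus network (priority weight port target). Names are made up.
SAMPLE_DIG_SHORT = """\
0 100 389 dc1.ad.example.edu.
0 100 389 dc2.ad.example.edu.
0 100 389 dc3.ad.example.edu.
"""

def parse_srv(dig_short):
    """Parse `dig +short SRV` lines into (host, port) tuples."""
    records = []
    for line in dig_short.splitlines():
        fields = line.split()
        # An SRV answer has three numeric fields followed by the target name.
        if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
            continue  # skip blank lines, CNAME lines and anything malformed
        records.append((fields[3].rstrip("."), int(fields[2])))
    return records

def tcp_probe(host, port, timeout):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, refusal and timeout
        return False

def audit(records, timeout=5.0, probe=tcp_probe):
    """Return (DCs that are published but unreachable, seconds lost on them).

    The delay is one pass over the list at an assumed per-DC timeout; the
    real client timeouts and retry counts are not given in the thread.
    """
    dead = [(h, p) for h, p in records if not probe(h, p, timeout)]
    return dead, len(dead) * timeout

if __name__ == "__main__":
    dcs = parse_srv(SAMPLE_DIG_SHORT)
    # Offline stand-in probe: behave as if no DC answers from outside.
    dead, wait = audit(dcs, timeout=5.0, probe=lambda h, p, t: False)
    for host, port in dead:
        print(f"published externally but unreachable: {host}:{port}")
    print(f"one pass over the DC list costs about {wait:.0f}s")
```

Run from a network outside the campus with the default `tcp_probe`, an empty result means either the DCs are no longer published externally or they are actually reachable, which are the two states in which the login hang should not occur.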

    #368170
    getalong
    Participant

    My users haven’t reported this delay w/ same set up as Niels, but I have noticed two issues pertaining to 10.4 mobile accounts thus far (hence, I’m replying here–please don’t flame me).

    Issue 1: User wakes or powers up their MBP, plugs into our office GigE network, but loginwindow shakes w/ repeated attempts.
    Frequency: Three users have experienced this situation over the last 4 months–one user was able to login, but with a brand new user account.
    Notes: Seems only to affect previously/recently cached AD logins, as I was able to login with other AD accounts in each case.
    Resolution: Login with local admin account (you have one, right?); Verify troubled user’s local home dir exists (at /Users/*), and back it up somewhere (to be safe); Launch NetInfo Manager, and look for multiple entries for troubled AD user; Determine which of these accounts has fewer user attributes (usually indicates the bogus account); Delete suspect user account (still in NetInfo Manager, mind you); Hold your breath and logout… attempt to login w/ user’s AD account, then verify user data is intact.

    Issue 2: Successive clicking of loginwindow’s “OS X Version/Serial Number/Date & Time/IP Address/Network Accounts Availability..” field consistently gives Spinning Beachball (for up to 5-10 minutes), then permits use of username/password fields.
    Frequency: At least five Macs (both desk/laptops) have experienced this issue.
    Notes: Must be mobile accounts bound to AD; Can occur with OR without active network connection(s); Once Spinning Beachball disappears, you can trigger it again by repeating steps.
    Resolution: Safe Boot, manually clear caches (or use Tiger Cache Cleaner, etc.). Presumably, something in the mobile account’s cached credentials is getting hosed, hence why Safe Boot resolves (until issue sneaks up on you later 😯 ).

    Sorry for the novella. I should probably submit this to RADAR, instead of here. Oopsie…

    ————————————————————————–
    Several Certifications later…

    #368180
    Macleod
    Participant

    – Go into the AD plist in /Library/Preferences/DirectoryServices and manually set the timeouts to be shorter.
    Have you actually made this work Joel? In my experience, this doesn’t work at all, or it doesn’t work well enough to notice a difference. I’ve seen the timeouts completely minimized in the plist, and the hang will still occur.
    Something that I’ve found works is to use two network locations, and switch before you sleep the laptop. One location would have your standard config, and the other would have no network ports turned on. Switch to the no-port option before you leave work, switch back to the configured location after login.
    Of course, getting your DNS fixed is the real solution, and seems to have worked where I am.

    –DH

    #368186
    Macleod
    Participant

    Removed – Misread last post

    #368191
    njespersen
    Participant

    We are in the process of fixing the DNS problem – but it takes some time on Campus.

    [quote]
    Quote by: Macleod
    – Go into the AD plist in /Library/Preferences/DirectoryServices and manually set the timeouts to be shorter.
    Of course, getting your DNS fixed is the real solution, and seems to have worked where I am.
    –DH[/quote]
