Leopard’s Login Window Doesnt Get AD Password Expiriation Warnings

[dds]

Has anyone else having problems getting AD password expiration notices in AD environments on Leopard Macs?

It used to work for me in Tiger, but Im not getting the warnings when I log into Leopard Macs.

After logging into the domain, AD aware apps such as Entourage 2008 warns me about my password expiration, but the OS X Login window isn’t prompting me with the expected “Your password will expire in x days.”

Just for fun, I unearthed an older PPC Mac that is still running Tiger (10.4.11) and the Login Window does give me the “Password will expire in x Days” warning as expected.

I filed a bug report with Apple and they closed it and said basically “Works fine for us. Go away now”. Nice.

Notes:
All of my users have ‘managed mobile’ user accounts for offline access (laptop users, etc)
All my Macs are running 10.5.2. None of them can get AD password notices at the Login Window.
All my Macs are bound to a simple AD 2003 domain. No complicated forest. 1 single domain. Vanilla.
When I log into my AD domain from a Leopard Mac, I get a TGT from the KDC (which is an Active Diectory domain controller) as expected. Thus, Kerberos appears to be working. (see below). SSO to other services such as SMB file servers works as expected.
DNS works fine (forward and reverse lookups are resolving as expected)
All of my Mac desktop clients are getting their IPs via DHCP (not static)

I did notice that, based info in the Kerberos Utility, my TGT appears to be forwardable and proxiable in Tiger test Macs, but in Leopard the TGT I receive from my AD DC (KDC) isnt forwardable nor proxiable. So, as a test, I edited the /Library/Preferences/edu.mit.kerberos file on a test Leopard box, and made the settings identical to the Tiger Mac, but that had no effect on the Leopard Login Window.

Any help is appreciated.

[inkswamp]

The exact same thing is happening to me. The Leopard Macs aren’t showing the password expiration notice. The Tiger machines are showing them. I just filed my own bug report for this. It’s 100% consistent. Leopard shows nothing. Tiger does. These are Macs set up identically in every other respect and connected to the same network. Definitely some kind of bug going on there.

[OkiKowai]

I too am seeing this issue. And of course this lack of warning also causes the machine to not allow the password to be changed from the Macs. It just shakes at them. If they go to a PC it tells them that their password has expired and forces them to change their password. If anyone has more information as to what could be causing this or better yet a good workaround/fix, that would be greatly appreciated. Thanks.

[OkiKowai]

By the way, my machines are not running leopard, they are running Tiger. Most are 10.4.11. They get no warnings and once the password expires, the window just shakes not giving them any indication why it won’t let them log in. They go to a PC, it asks for a new password and voila, they are good to go. But obviously, this should work from the Mac the whole time. No idea what the cause of this is.

[macmattias]

So three days Mactroll and no script yet. 😛 *lol*

I havnt had a chance to try out 10.5.3 yet isn’t this a problem Apple solved? *hoping*

[Author]

Posts