Forum Replies Created
Macleod
Participant
A coworker has recently been looking into this. He has a theory that the schema extensions aren’t properly flagging certain attributes of the computer group as required, and the lack of those attributes is causing headaches for WGM.
I’ll try to post again if/when we figure it out. 🙂
–DH
Macleod
Participant
You need the Kerberos capaths set up for non-hierarchical cross domain.
DNS lookups alone won’t help you here.
10.5 no longer builds the capaths out by default, although I’ve got my fingers crossed it will be fixed soon. (I do have a bug filed with Apple)
The easiest way to get the capath info is to grab a 10.4 box bound to AD, and extract the [capaths] section from the /Library/Preferences/edu.mit.kerberos file.
Drop this section alone onto a 10.5 box in a new /etc/krb5.conf file. Cross domain lookups should work.
You can learn a little more about the capaths here: http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html
–DH
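The extraction step described in the post above, as an added example that is not part of the original post. The function names, the temporary paths and the realm names in the sample file are assumptions made up for illustration; on a real system the source would be the 10.4 machine's /Library/Preferences/edu.mit.kerberos and the destination the new /etc/krb5.conf.

```shell
#!/bin/sh
# Added example: function names and the sample realms are constructed.

# Print only the [capaths] section of a krb5-style file (header to next section).
extract_capaths() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[capaths\][ \t]*$/) }
        in_sec && NF { print }
    ' "$1"
}

# Write that section, alone, to a NEW file; never overwrite an existing config.
write_capaths_conf() {
    src=$1
    dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "$dest already exists, not overwriting" >&2
        return 1
    fi
    section=$(extract_capaths "$src")
    # A header with no "realm = ..." relations is useless; treat it as missing.
    if [ "$(printf '%s\n' "$section" | grep -c '=')" -eq 0 ]; then
        echo "no [capaths] relations found in $src" >&2
        return 1
    fi
    ( umask 022; printf '%s\n' "$section" > "$dest" )
}

# Constructed stand-in for a 10.4 edu.mit.kerberos file.
make_sample() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EAST.EXAMPLE.COM
[capaths]
    EAST.EXAMPLE.COM = {
        WEST.EXAMPLE.NET = .
    }
[realms]
    EAST.EXAMPLE.COM = {
        kdc = dc1.east.example.com
    }
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/edu.mit.kerberos"
write_capaths_conf "$demo_dir/edu.mit.kerberos" "$demo_dir/krb5.conf"
cat "$demo_dir/krb5.conf"
```

Refusing to overwrite matters because an existing krb5.conf may carry other sections that the extracted file would silently replace.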
Macleod
Participant
Removed – Misread last post
Macleod
Participant
– Go into the AD plist in /Library/Preferences/DirectoryServices and manually set the timeouts to be shorter.
Have you actually made this work Joel? In my experience, this doesn’t work at all, or it doesn’t work well enough to notice a difference. I’ve seen the timeouts completely minimized in the plist, and the hang will still occur.
Something that I’ve found works is to use two network locations, and switch before you sleep the laptop. One location would have your standard config, and the other would have no network ports turned on. Switch to the no-port option before you leave work, switch back to the configured location after login.
Of course, getting your DNS fixed is the real solution, and seems to have worked where I am.
–DH