Forum Replies Created

Viewing 15 posts - 16 through 30 (of 30 total)
  • in reply to: Using AD though OD #376444
    bezzoh
    Participant

    That’s quality that, really appreciate.

    Will give it a test on one of my 10.5.6 clients and see how I get on. Fingers crossed though that my 10.5.7’s are alright!

    in reply to: Using AD though OD #376433
    bezzoh
    Participant

    Just emailed the on-site engineer at our big site to give me an update. I upgraded 3 suites to 10.5.7 and left 2 at 10.5.6 for a couple of weeks to see which continued to have issues. Had no reports as yet, but then they’re all dual boot and the users prefer Windows to Mac OS because they don’t know what they’re doing with it, so it just might not have been noticed…

    The article below says update to 10.5.7, and goes on to talk about the possible Anti-Virus Scanner issue…

    http://support.apple.com/kb/TS2691

    Any chance you can share the launch daemon with me that you’ve previously used?! That could save my ass a bit if this problem persists…

    in reply to: AD & OD: Trying to manage clients #376424
    bezzoh
    Participant

    That just doesn’t work for me unfortunately. I’m on Leopard (10.5.7 server & client now, however the issue has persisted since 10.5.3).

    I have AD users in multiple AD groups (between 4-10 in some cases). I can add every single one of these, or just 1 to an OD group but the MCX settings do not apply.

    The *only* group I can get to work is DOMAIN\domain users

    It’s doin mi head in! Especially as on another one of our sites, in the same domain, we have managed to get some of the groups to work but I can’t work out the difference between the two…

    in reply to: Binding Issue with multiple domain controllers #376369
    bezzoh
    Participant

    I might be being stupid here but when you run a dig -t _kpasswd.tcp.mydomain.com should the results displayed not be my own servers on the domain rather than the root servers on the internet???

    in reply to: Binding Issue with multiple domain controllers #376368
    bezzoh
    Participant

    Are you hosting the DNS service on a Mac Server or Windows 2003 Server?

    I wouldn’t mind seeing how you’ve resolved this because I’m still having problems.

    We currently have about 12 DC’s on multiple sites, each managing its own site’s DHCP & DNS (for Windows and Mac clients) and there will soon be more DC’s popping up in the very near future.

    bezzoh
    Participant

    If you deploy managed preferences to your clients via Workgroup Manager, simply select the ‘Finder’ preferences, set the Manage option to ‘Always’ and untick the box to show Connected Servers on the user desktop. (You can also disable showing Hard Disks and Removable media as well if you want…)

    in reply to: Binding Issue with multiple domain controllers #376342
    bezzoh
    Participant

    -14105 = eDSBadContextData
    -14093 = eDSAuthParameterError

    Not sure what either of these really signify without googling the h3ll out of them to be honest, however I’m in a similar situation with multiple DC’s on my domain, only a few of which are accessible by clients on any 1 site due to firewalls. 1 or 2 local servers dependent on the site, and 4 in a central server farm. I suffer a lot from these computer account passwords not changing correctly, the Kerberos files becoming 0kb in size and errors if trying to rebind at this point such as -14120 (eDSPermissionError).

    Manually deleting the Kerberos files however resolves in the short term… until the next time it happens…

    in reply to: Cannot bind 10.5.6 Mac to AD with multiple DCs #376332
    bezzoh
    Participant

    Came in this morning to another one no longer logging in. One of the Kerberos files had again 0kb’d, whereas the other had updated at 7am this morning. The console at that time reflected the following…

    29/05/2009 07:00:14 com.apple.launchctl.System[2] launchctl: Please convert the following to launchd: /etc/mach_init.d/dashboardadvisoryd.plist
    29/05/2009 07:00:14 com.apple.launchd[1] (com.adobe.versioncueCS3) Unknown key: ServiceDescription
    29/05/2009 07:00:14 com.apple.launchd[1] (com.apple.blued) Unknown key for boolean: EnableTransactions
    29/05/2009 07:00:14 com.apple.launchd[1] (org.cups.cupsd) Unknown key: SHAuthorizationRight
    29/05/2009 07:00:14 com.apple.launchd[1] (org.ntp.ntpd) Unknown key: SHAuthorizationRight
    29/05/2009 07:00:27 blued[48] Apple Bluetooth daemon started.
    29/05/2009 07:00:27 com.apple.launchd[1] (com.apple.aslmanager) Throttling respawn: Will start in 2 seconds
    29/05/2009 07:00:28 com.apple.launchd[1] (com.apple.aslmanager) Throttling respawn: Will start in 1 seconds
    29/05/2009 07:00:28 com.apple.launchd[1] (com.apple.aslmanager) Throttling respawn: Will start in 1 seconds
    29/05/2009 07:00:28 DeployStudio Local KDC Configuration[42] LKDC:SHA1.2E372FE784E719C833D4D36252FFD90B6FACAE58
    29/05/2009 07:00:28 com.apple.launchd[1] (com.apple.aslmanager) Throttling respawn: Will start in 1 seconds
    29/05/2009 07:00:28 com.apple.launchd[1] (com.apple.aslmanager) Throttling respawn: Will start in 1 seconds
    29/05/2009 07:00:29 com.mcafee.virusscan.ScanManager[41] kextload: /usr/local/vscanx/Extensions/Virex.kext/ loaded successfully
    29/05/2009 07:00:30 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 10 seconds
    29/05/2009 07:00:32 com.apple.RemoteDesktop.agent[84] stream had too few bytes
    29/05/2009 07:00:32 org.ntp.ntpd[14] Error : nodename nor servname provided, or not known
    29/05/2009 07:00:33 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 7 seconds
    29/05/2009 07:00:33 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 7 seconds
    29/05/2009 07:00:39 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 1 seconds
    29/05/2009 07:00:40 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 10 seconds
    29/05/2009 07:00:48 com.apple.KerberosAutoConfig[99] Couldn’t find KerberosClient config record
    29/05/2009 07:00:48 com.apple.launchd[1] (com.apple.KerberosAutoConfig[101]) Check-in of Mach service failed. Already active: com.apple.KerberosAutoConfig
    29/05/2009 07:00:48 com.apple.KerberosAutoConfig[102] Couldn’t find KerberosClient config record
    29/05/2009 07:00:51 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 9 seconds
    29/05/2009 07:00:59 com.apple.DirectoryServices[32] Enter machine password:
    29/05/2009 07:01:00 com.apple.DirectoryServices[32] Enter machine password:
    29/05/2009 07:01:00 com.apple.DirectoryServices[32] Enter machine password:
    29/05/2009 07:01:01 com.apple.DirectoryServices[32] [2009/05/29 07:01:01, 0, pid=109] /SourceCache/samba/samba-187.7/samba/source/libads/kerberos.c:ads_kinit_password(228)
    29/05/2009 07:01:01 com.apple.DirectoryServices[32] kerberos_kinit_password [email protected] failed: Cannot find KDC for requested realm
    29/05/2009 07:01:01 com.apple.DirectoryServices[32] [2009/05/29 07:01:01, 0, pid=109] /SourceCache/samba/samba-187.7/samba/source/libads/kerberos.c:ads_kinit_password(228)
    29/05/2009 07:01:01 com.apple.DirectoryServices[32] kerberos_kinit_password [email protected] failed: Cannot find KDC for requested realm
    29/05/2009 07:01:01 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 10 seconds
    29/05/2009 07:01:12 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 10 seconds
    29/05/2009 07:01:22 com.apple.launchd[1] (com.mcafee.virusscan.VShieldEPOInterface) Throttling respawn: Will start in 10 seconds

    Despite the AV entries, I no longer think this is to blame, it’s clearly struggling to find a server, and our domain does have multiple DC’s behind firewalls on other sites and I’m worried the clients might be trying to communicate with them.

    Any thoughts and/or suggestions appreciated…

    in reply to: Cannot bind 10.5.6 Mac to AD with multiple DCs #376329
    bezzoh
    Participant

    It is all down to the computer account password changing by the looks of that, however I’ve read 2 conflicting bits of advice on this subject.

    1. Set the dsconfigad passinterval to 0 to prevent the Mac from resetting its own password altogether…
    2. Set the passinterval to 10 or somewhere along those lines to prompt the Mac to initiate the password change rather than a DC which would do it every 14 days…

    I’m still testing…

    in reply to: Cannot bind 10.5.6 Mac to AD with multiple DCs #376326
    bezzoh
    Participant

    A newly built Mac or one that has been previously bound but ‘mysteriously’ stopped working?

    in reply to: Using AD though OD #376324
    bezzoh
    Participant

    Ooo, just read another Apple KB article that says that real time AV scanners can also cause Kerberos file issues in this folder and they should be configured not to scan within /var/db/dslocal…. Looks like I might need to push out a config change for McAfee perhaps.

    in reply to: Using AD though OD #376323
    bezzoh
    Participant

    I was just about to update this actually…

    6 weeks on from re-imaging 4 large ICT suites using DeployStudio (some rc11, some more recently on rc12) AND ensuring that the dsconfigad passinterval was set to 0 in the image, I have today discovered approximately 10% have again encountered Kerberos file corruptions.

    Due to the forest structure of our AD, my clients typically pick up 2 Kerberos plist files along the lines of….

    Kerberos/ad.domain.xxx.xx.plist
    Kerberos/xxx.ad.domain.xxx.xx.plist

    On the machines I couldn’t log into as an AD user, either one ‘or’ both of these had changed to zero kb in size. Simply deleting the 0kb files and restarting resolves the issue immediately, but when we have 300 of these machines per site and we have a 10% outage, then that is an unmanageable fix.

    Apple’s own KB article explains that it happens due to LKDC issues when multiple identical computer accounts bind to the domain (bit like non-sysprep’d/newSID’d PCs), however this is apparently fixed in the 10.5.6 version of NetInstall (and as far as I am aware the later versions of DeployStudio, as I’ve seen that it implements an LKDC fix during the imaging process).

    I am therefore at a bit of a loss. As apart from these file corruptions the Mac’s themselves ‘appear’ fine. They say that network accounts are available, the servers and domain show as available in Directory Utility and I have a preferred server even set.

    ANY help would be greatly appreciated… e.g. can you elaborate on what Kerberos/DNS issues could cause this?

    Thanks in advance

    in reply to: Prevent AD Users Saving to Desktop #376220
    bezzoh
    Participant

    That’s an idea I could look into. Firefox won’t be an issue, I’ve already written a custom config file for this which greys out all internet options for the application, sets the proxy and redirects downloads to the actual user download folder.

    Thanks for the response!

    in reply to: Using AD though OD #376200
    bezzoh
    Participant

    Turns out it was due to the computer account password issue. Modified my base Mac OS image by running the dsconfigad -passinterval 0 command (without it being bound to AD) to resolve.

    All machines with the new image are fine, as are the ones I fixed by unbinding, deleting corrupt Kerberos files and running the above command before re-binding.

    in reply to: Using AD though OD #376041
    bezzoh
    Participant

    I have this issue and indeed the Kerberos files have zero’d in size.

    Deleting them and rebooting allows me to rebind successfully and resolves, however I look after several high schools each with 100+ Mac’s and unfortunately this isn’t a practical fix for our on-site engineers to continually perform this ad-hoc when a particular Mac becomes unusable.

    I have read that the cause of this might be due to imaging the clients (I use DeployStudio) and in the way that Windows clients have issues if not sys-prep’d this is ultimately what happens to the Mac clients… however I do not know how true this is.

    Basically however, what I need is a working solution to this once and for all.
    Does anybody know if by ensuring that there are no Kerberos tickets present in /var/db/dslocal/nodes/config in the master image, will the problem no longer persist, or is there a way of ensuring that the tickets stay valid and do not corrupt over time as seems to be the case now?

    On a related topic the admin.plist files keep screwing up as well.. but I’m taking this one step at a time and can cope with my workaround for that for the time being.

    Thanks in advance

    bez
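
An added example, not part of the original posts: a report-only check for the zero-byte Kerberos plist files described in the posts above, so an affected Mac can be spotted before a user fails to log in. The directory to scan is passed as an argument because the posts do not give the full path; the function names and the OK/CRITICAL/UNKNOWN exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory for zero-byte Kerberos plist files.
# Nothing is deleted; the script only reports, so it is safe to run on a schedule.

# List every plist whose path mentions "Kerberos" under directory $1.
kerberos_plists() {
    find "$1" -type f -path '*Kerberos*' -name '*.plist' 2>/dev/null
}

# Same list, restricted to files of size zero (the failure mode in the posts).
empty_kerberos_plists() {
    find "$1" -type f -path '*Kerberos*' -name '*.plist' -size 0 2>/dev/null
}

# Exit codes (assumed convention): 0 = OK, 2 = CRITICAL, 3 = UNKNOWN.
audit_kerberos_plists() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "UNKNOWN: $dir is not a directory"
        return 3
    fi
    total=$(kerberos_plists "$dir" | wc -l | tr -d ' ')
    empty=$(empty_kerberos_plists "$dir" | wc -l | tr -d ' ')
    if [ "$total" -eq 0 ]; then
        # No files at all usually means an unbound Mac or the wrong directory.
        echo "UNKNOWN: no Kerberos plist files under $dir"
        return 3
    fi
    if [ "$empty" -gt 0 ]; then
        echo "CRITICAL: $empty of $total Kerberos plist files are zero bytes"
        empty_kerberos_plists "$dir" | sed 's/^/  /'
        return 2
    fi
    echo "OK: $total Kerberos plist files, none empty"
    return 0
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_kerberos_plists "$1"
fi
```

The non-zero exit code lets a remote management tool or scheduled job flag the machine for the unbind, delete and re-bind workaround described above.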
