Issue #1:
Open Directory accounts are unable to log in to OS X 10.6 client machines, but are able to log in to OS X 10.5 clients. The login window accepts the username and password and expands, briefly showing the username and icon, but then fails to complete the login and shakes.
Apparent Cause:
In my case, Snow Leopard choked because my users' "Home"s in Workgroup Manager were set to /dev/null.
A Solution:
Set the user's Home in WGM (or NFSHomeDirectory in the inspector view) to /Users/shortname, where shortname is the user's shortname (given in the Basic panel in WGM).

Issue #2:
When logging in to a network account, OS X 10.6 clients are prompted for credentials when connecting to a share point on the Open Directory Master. This defeats the point of single sign-on, since the credentials are the same. (OS X 10.5 clients connect to the server successfully without prompting for a username and password.)
Apparent Cause:
OS X 10.6 clients do not create a Kerberos ticket for network accounts until the user's second login on the client machine. (OS X 10.5 clients create a Kerberos TGT immediately on first login.)
A Solution:
Modify the /etc/authorization file as described in this article from Apple's KBase: http://support.apple.com/kb/HT4100
Locate this key: <key>system.login.console</key>
Add this string at the end of that block: <string>builtin:krb5store,privileged</string>
Note:
This solution says it is for Active Directory users, but it successfully solved the identical issue for Open Directory accounts.
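The edit above, scripted so that it is idempotent and refuses to touch a file that lacks the expected block. This is an added example, not part of the original post or Apple's article; it assumes /etc/authorization is a property list with a rights dictionary whose system.login.console entry holds a mechanisms array, and it runs on a constructed, abbreviated sample rather than a real file.

```python
import plistlib

MECHANISM = "builtin:krb5store,privileged"   # string given in the post
RIGHT = "system.login.console"               # key given in the post

# Constructed, abbreviated stand-in for /etc/authorization (assumed layout:
# rights -> <right> -> mechanisms array); a real file has many more entries.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>system.login.console</key>
    <dict>
      <key>class</key>
      <string>evaluate-mechanisms</string>
      <key>mechanisms</key>
      <array>
        <string>loginwindow:login</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""

def add_krb5store(plist_bytes):
    """Return (new_plist_bytes, changed); raise ValueError if the block is absent."""
    doc = plistlib.loads(plist_bytes)
    try:
        mechs = doc["rights"][RIGHT]["mechanisms"]
    except (KeyError, TypeError):
        raise ValueError(f"{RIGHT} has no mechanisms array; refusing to edit") from None
    if MECHANISM in mechs:
        return plist_bytes, False      # already present: leave the file untouched
    mechs.append(MECHANISM)            # "at the end of that block"
    return plistlib.dumps(doc), True

def mechanisms(plist_bytes):
    """List the mechanisms currently configured for the login right."""
    return plistlib.loads(plist_bytes)["rights"][RIGHT]["mechanisms"]

if __name__ == "__main__":
    patched, changed = add_krb5store(SAMPLE)
    print(changed, mechanisms(patched))
```

Run it against a copy of the file and keep the original as a backup, since a malformed /etc/authorization can prevent logins at the console.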