Tuesday, July 20, 2010

Network Logins Failing on Snow Leopard Clients

Two issues resolved today. Issue #2 is more interesting than Issue #1.

Issue #1:
Open Directory accounts are unable to log in to OS X 10.6 client machines, but are able to log in to OS X 10.5 clients. The login window accepts the username and password and expands, briefly showing the username and icon, but then fails to complete the login and shakes.

Apparent Cause:
In my case, Snow Leopard choked because my users' "Home" settings in Workgroup Manager were set to /dev/null.

A Solution:
Set the user's Home in WGM (or NFSHomeDirectory in the inspector view) to /Users/shortname, where shortname is the user's shortname (given in the Basic panel in WGM).
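
To find every account that still has the /dev/null home described above, the check can be scripted. This is an added example, not part of the original post: it filters the two-column listing printed by `dscl <node> -list /Users NFSHomeDirectory` and proposes /Users/shortname for each match. The node path in the comment and the sample listing are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: flag directory accounts whose home is /dev/null.
# Expected input: the two-column "shortname  value" listing printed by
#   dscl <node> -list /Users NFSHomeDirectory
# Live usage on the directory server (node path is an assumption):
#   dscl /LDAPv3/127.0.0.1 -list /Users NFSHomeDirectory | find_devnull_homes

# Print "shortname<TAB>proposed home" for each account whose
# NFSHomeDirectory is exactly /dev/null. Other accounts are skipped.
find_devnull_homes() {
    awk '$2 == "/dev/null" { printf "%s\t/Users/%s\n", $1, $1 }'
}

# Constructed sample listing (not taken from a real directory).
sample_listing() {
    cat <<'EOF'
alice           /Users/alice
bob             /dev/null
carol           /dev/null
diradmin        /var/diradmin
EOF
}

# Demonstrate on the constructed sample so the script runs offline.
sample_listing | find_devnull_homes
```

The output only lists the accounts and the home path to set; the change itself is still made in WGM as described above.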

Issue #2:
After logging in with a network account, users on OS X 10.6 clients are prompted for credentials when connecting to a share point on the Open Directory Master. This defeats the point of single sign-on, since the credentials are the same. (OS X 10.5 clients connect to the server successfully without prompting for a username and password.)

Apparent Cause:
OS X 10.6 clients do not create a Kerberos ticket for network accounts until the user's second login on the client machine. (OS X 10.5 clients create a Kerberos TGT immediately on first login.)

A Solution:
Modify the /etc/authorization file as described in this article from Apple's KBase:


Locate this key:

Add this string at the end of that block:

This solution says it is for Active Directory users, but it successfully solved the identical issue for Open Directory accounts.
