Centrify - Securing the Cross Platform Data Center

The Centrify Apple Guys

LMcAndrew

10.7 and .local domain issues

by ‎11-09-2011 03:20 PM - edited ‎03-02-2012 01:55 PM

Update Mar 2 2012. This article is useful but now out of date. Enhancements in 10.7.3 and release 5.0.2 from Centrify have improved a lot of the issues with .local domains. You can see the details in this blog article.

http://community.centrify.com/t5/The-Centrify-Apple-Guy/Updated-local-domain-support-for-Macs-and-10...

 

 

We've had a lot of contact with people having significant issues with their Macs joining to an AD domain ending in .local. (An example would be centrify.local). This is happening to people using the Apple plug-in or Centrify DirectControl.

 

  1. If the home directory is located on an SMB share, it will take a long time to log in.
  2. If an Active Directory user logs in and tries to mount an SMB share folder in the Finder, it will take a long time to mount.
  3. If the customer is using portable home directory syncing, it will be very slow.

     

For the Mac OS 10.7 (Lion) release, Apple changed the way a .local domain is handled by reserving it for Bonjour. When a user tries to log in to a .local domain with only one level (that is, xxx.local), OS 10.7 first tries to resolve the name using multicast. It will try several times (with a default timeout of 5 seconds for each try), and if login fails it will then use standard DNS, causing the login delay and the delay in mounting SMB shares. Under these conditions, it may not be possible to ping domain.local, and therefore the adclient process will stay in disconnected mode for up to 60 seconds.

This issue affects all Mac OS 10.7 users in a .local domain and is not specific to DirectControl-managed systems. Other hostnames are resolved first using multicast and then unicast.
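To see the delay described above on an affected Mac, the following added example (not Centrify's or Apple's code) times a lookup through the OS resolver against a query sent straight to the DNS server. The function names are hypothetical, the DNS server address is supplied by the user, and it assumes Python's `getaddrinfo` follows the OS resolver order.

```python
import socket, struct, sys, time

def is_single_level_local(name):
    """True for the case the post describes: one label under .local (xxx.local)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) == 2 and labels[0] != "" and labels[1] == "local"

def build_a_query(name, txid=0x1234):
    """Minimal unicast DNS query (A record, recursion desired) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def timed(fn, *args):
    """Run fn(*args); return (elapsed seconds, succeeded?)."""
    start = time.monotonic()
    try:
        fn(*args)
        ok = True
    except OSError:  # covers resolver errors and socket timeouts
        ok = False
    return time.monotonic() - start, ok

def system_lookup(name):
    # Assumption: this goes through the OS resolver, so on 10.7 a .local name
    # is tried over multicast before standard DNS.
    socket.getaddrinfo(name, None)

def unicast_lookup(name, server, timeout=5.0):
    # Asks the DNS server directly over UDP/53, bypassing the OS resolver order.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        reply, _ = s.recvfrom(512)
    if len(reply) < 12 or reply[:2] != b"\x12\x34" or reply[3] & 0x0F:
        raise OSError("short reply, wrong ID or non-zero RCODE")

if __name__ == "__main__":
    # Usage: python3 localcheck.py <ad-domain> <dns-server-ip>
    domain, server = sys.argv[1], sys.argv[2]
    print("single-level .local:", is_single_level_local(domain))
    for label, fn, args in (("system resolver", system_lookup, (domain,)),
                            ("direct unicast DNS", unicast_lookup, (domain, server))):
        secs, ok = timed(fn, *args)
        print(f"{label}: {secs:.2f}s {'ok' if ok else 'failed'}")
```

A system-resolver time that is several seconds longer than the direct query is consistent with the multicast-first behaviour described above.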

 

Here is a link to a document that we've written to address these issues. 

 

Workaround: Centrify DirectControl for Mac OSX 10.7 (Lion) Using .local Domain

 

Note that these steps make the problem better; they don't make it go away.

 

We'll update this document as the situation changes or we learn more.

 


Comments
by kaeppy on ‎01-24-2013 08:35 AM

hi,

anyone here who has trouble with printing on 10.8 / centrify / .local-Domain - combination?
