Macs frequently need to be restarted for Network logins to succeed

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#21 of 32 5,690

Re: Macs frequently need to be restarted for Network logins to succeed

Dear aranuihigh,

 

I'm not sure if your issue is related to this one since the original poster just updated his agent and the issues were resolved.

Why don't you describe your issue?  Is it new, has it been working before, what version of the agent and Mac OS X, etc.?

 

As far as your question goes...

 

The password age for Macs running Centrify adclient can be managed with the same GPO outlined above.

We don't recommend disabling computer passwords altogether since this is not a good security practice.

 

Background:

In Active Directory, computer accounts have passwords just like user accounts; their passwords are changed (based on the above policy) and randomized automatically.  What you need to reconcile is the need for users to be off premises (away from a domain controller) or off the VPN with your security policy needs.


In short, you need to find a good balance between your security policy and the need to be offline.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 11
Registered: ‎11-20-2013
#22 of 32 5,688

Re: Macs frequently need to be restarted for Network logins to succeed

Is there a setting in centrifydc.conf that controls this?

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#23 of 32 5,687

Re: Macs frequently need to be restarted for Network logins to succeed

No.  That's an Active Directory policy.  Apply the policy to the AD container OU that has the UNIX/Linux or Mac accounts.

 

See message #19 of this thread, or read this reference:  http://support.microsoft.com/kb/154501

 

As per Microsoft:

 

#cya

Warning If you disable machine account password changes, there are security risks because the security channel is used for pass-through authentication. If someone discovers a password, he or she can potentially perform pass-through authentication to the domain controller.

 #/cya

GPO

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Disable machine account password changes 

 

R.P

 

 

Participant II
Posts: 11
Registered: ‎11-20-2013
#24 of 32 5,673

Re: Macs frequently need to be restarted for Network logins to succeed

The information in that article is for how to disable the policy on a workstation with a registry key. Since it is an AD function, Centrify client must have its own setting for the machine password.

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#25 of 32 5,668

Re: Macs frequently need to be restarted for Network logins to succeed

Use this GPO:

 

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Disable machine account password changes

 

Ah!!!!

 

You're using express, therefore no GPOs... no wonder.   My bad  (bad assumption:  commercial product).

 

You could play with this parameter:  adclient.krb5.password.change.interval (defaults to 28 days)

My advice - increase it.

 

But then again - you haven't really stated the nature of your issue.

 

Good luck. :)

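As an added example (not part of the original posts and not Centrify's code), this shell script reports which value of `adclient.krb5.password.change.interval` a centrifydc.conf-style file sets, falling back to the 28-day default mentioned above. The `name: value` line syntax, `#` comments and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Centrify.
# Assumed: settings are "name: value" lines and "#" starts a comment.
PARAM='adclient.krb5.password.change.interval'
DEFAULT_DAYS=28   # default stated in the post above

# Print the configured interval in days, or the default when the parameter
# is absent, commented out or non-numeric. The last active line wins.
effective_interval() {
    value=$(awk -v p="$PARAM" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, p) != 1) next        # some other parameter
            rest = substr(line, length(p) + 1)
            if (rest !~ /^[ \t]*:/) next         # longer name, not ours
            sub(/^[ \t]*:[ \t]*/, "", rest)
            sub(/[ \t]+$/, "", rest)
            found = rest
        }
        END { print found }
    ' "$1")
    case $value in
        ''|*[!0-9]*) echo "$DEFAULT_DAYS" ;;
        *)           echo "$value" ;;
    esac
}

# Compare the effective interval with the default rotation period.
classify_interval() {
    days=$(effective_interval "$1")
    if [ "$days" -gt "$DEFAULT_DAYS" ]; then
        echo "longer-than-default:$days"
    elif [ "$days" -lt "$DEFAULT_DAYS" ]; then
        echo "shorter-than-default:$days"
    else
        echo "default:$days"
    fi
}

# Constructed sample file so the script runs stand-alone.
sample=$(mktemp)
printf '%s\n' '# adclient.krb5.password.change.interval: 7' \
    'adclient.krb5.password.change.interval: 60' > "$sample"
classify_interval "$sample"
rm -f "$sample"
```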
Participant II
Posts: 11
Registered: ‎11-20-2013
#26 of 32 5,665

Re: Macs frequently need to be restarted for Network logins to succeed

The Macs drop off the network randomly and will not let people log in. We have tried all the hardware issues to keep the network running.

Posts: 532
Kudos: 210
Blog Posts: 24
Solutions: 25
Registered: ‎04-19-2012
#27 of 32 5,662

Re: Macs frequently need to be restarted for Network logins to succeed

Ahh, this is where I step in to assist.

 

Hi aranuihigh,

 

1. Could you also let us know which versions of OS X and Centrify you are running?

 

You can find the installed version by running this at the Terminal:

 

adinfo -v

 

 

2. Please also let us know what the base command returns:

 

adinfo

 

 

3. Additionally - how is your Mac connected to the network? Ethernet or Wi-Fi?

 

 

 

Tweaking the machine password is merely masking the symptoms; what we want to do is to find the cause of the disconnects and cure it once and for all.

 

Kind regards,

Brian

Participant II
Posts: 11
Registered: ‎11-20-2013
#28 of 32 5,660

Re: Macs frequently need to be restarted for Network logins to succeed

It's 5.1.1-831

 

The computers are using ethernet cables

Posts: 532
Kudos: 210
Blog Posts: 24
Solutions: 25
Registered: ‎04-19-2012
#29 of 32 5,658

Re: Macs frequently need to be restarted for Network logins to succeed

Ahh you're using an older build of the 5.1.1 agent - this did have known disconnect issues and was fixed shortly after the initial release.

 

It is strongly recommended to update to the latest Mac agent (version 5.1.3); you should see much better performance with this build:

 

http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp#agents

 

 

Kind regards,

Brian

Participant II
Posts: 5
Registered: ‎11-17-2016
#30 of 32 1,707

Re: Macs frequently need to be restarted for Network logins to succeed

I'm having this same issue.  It really only happens often with new users, because I create mobile accounts every time someone logs into a Mac, but it's really annoying and it's gotten me yelled at.  It does however happen to people sometimes when their machine goes to sleep at lunch and then they try to log in to unlock their machine; it will not unlock to save their lives.  Reboot fixes the issue in both cases.

 

I'm running DC v5.5 (some machines might still be running v5.4, but this was supposedly fixed in 5.1).  

 

Just last Friday I had a user that couldn't log in and unfortunately I was out of the office, so another employee who used to do IT was trying to help and it ended up wasting a lot of time (we get a lot of freelancers).  I tell ya, having something as simple as LOGGING IN be so complicated and fragile (it is always breaking) is really frustrating.   I've tried to collect logs for this before but was told "we aren't seeing any of the usual things we should see when a logon is happening" even with debug mode on.  Anyway, end rant.