Mac OS X v10.6: Editing the master edu.mit.Kerberos plist file in Open Directory to resolve slow client logins

When Mobile Account clients attempt to log in to their Macs while on a network that does not directly talk to the Open Directory they are bound to, the login times may sometimes increase by 30 seconds or more.

This article has been archived and is no longer updated by Apple.

This may occur if the "/Library/Preferences/edu.mit.Kerberos" plist file contains IP addresses in addition to, or in place of, host names of Kerberos realms that the Mac is bound to.

Quick test

Open the edu.mit.Kerberos file (located in /Library/Preferences) in a text editor. Check the [realms] section for either admin_server or kdc entries that are IP addresses. 

Move the edu.mit.Kerberos file to the desktop and restart the client computer.  If login is quicker, then follow the steps below.
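The check of the [realms] section can also be scripted when many clients need inspecting. The following is an added example, not part of the original article or Apple's tooling; it assumes the file uses the krb5.conf-style layout described above, and the realm and host names in the sample are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in krb5.conf syntax; realm and hosts are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = OD.EXAMPLE.COM
[realms]
    OD.EXAMPLE.COM = {
        kdc = 192.0.2.10
        kdc = od.example.com:88
        admin_server = [2001:db8::10]:749
        admin_server = od.example.com
    }
"""

ENTRY = re.compile(r"^\s*(kdc|admin_server)\s*=\s*(\S+)")

def host_part(value):
    """Strip an optional :port, keeping bracketed IPv6 literals intact."""
    if value.startswith("["):
        return value[1:].split("]", 1)[0]
    if value.count(":") == 1:          # host:port or IPv4:port
        return value.split(":", 1)[0]
    return value                        # bare host, IPv4, or unbracketed IPv6

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_ip_entries(text):
    """Return (line_no, key, value) for kdc/admin_server set to an IP."""
    hits, section = [], None
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if re.fullmatch(r"\[[A-Za-z_]+\]", stripped):
            section = stripped[1:-1]    # track which section we are in
            continue
        m = ENTRY.match(line)
        if section == "realms" and m and is_ip(host_part(m.group(2))):
            hits.append((n, m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for n, key, value in find_ip_entries(SAMPLE):
        print(f"line {n}: {key} = {value}")
```

To check a real client, pass the contents of /Library/Preferences/edu.mit.Kerberos to find_ip_entries instead of SAMPLE; an empty result means no kdc or admin_server entry is an IP address.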
 

To resolve the issue

To resolve this for all of the client computers bound to your Open Directory, you'll need to edit the master template that creates the edu.mit.Kerberos file:

  1. Open Workgroup Manager.
  2. Connect to the Open Directory Master.
  3. View the /LDAPv3/127.0.0.1 directory, authenticating as the directory admin if needed.
  4. In Workgroup Manager, open Preferences, make sure the Show "All Records" tab and inspector checkbox is checked, then close the preferences.
  5. In the left-hand pane, in addition to the Users, Groups, Computers, and Computer Groups icons, you'll see an icon resembling a target. Click the icon to access All Record Types.
  6. You'll now see a pull-down menu below the row of icons. Change it to display Config.
  7. In the list below the pull-down menu, click KerberosClient.
  8. In the right-hand pane, select XMLPlist and then click the Edit button below the list.
  9. A two-paned window will drop down.  In the top half, you'll see the contents of the edu.mit.Kerberos master.  As a safety precaution, you can copy all of the text and paste it into a text file that you can save as a backup.
  10. Find the KADM_List and KDC_List arrays and remove any references to IP addresses. If needed, replace an IP address with a valid host name.
  11. Increment the generationID number by 1.
  12. Once all edits are complete, click OK.
  13. After the pull-down window disappears, click Save. 

The next time a client computer connects to the Open Directory, the new version of the edu.mit.Kerberos file will be pushed to /Library/Preferences.  At the client computer's next restart, logins should take the expected time.

Important: Information about products not manufactured by Apple is provided for information purposes only and does not constitute Apple’s recommendation or endorsement. Please contact the vendor for additional information.