Additional update 5/14/2012:
I have found success using Likewise Open to bind users to Active Directory instead of the regular OS X method. Follow the instructions in the PDF here: http://www.beyondtrust.com/Technical-Support/Downloads/files/pbiso/Manuals/Likewise-Open-5-Quick-Start-Mac.pdf. Slowdowns have pretty much gone away when using this method.
Big thanks to Simon, who brought up this fix, which I have confirmed on my end to be working pretty well. You can either view his comments below, or read what he stated here:
Change the ‘ Preferred Domain Server’ option in Directory Utility to an IP address, and the Mac will NOT do a .local lookup for the domain login. (Which is the problem when not on the LAN).
I tested the solution by connecting to a wireless access point that was not connected to our LAN, and login was a 2 or 3 seconds. Before doing this it took 2 mins exactly every time.
Try the following steps, I think it's essential to re-bind.
1) Unbind from Active Directory
2) Change Preferred Domain Server to your Domain Controller IP address
3) Rebind to Active Directory
This worked for me, along with countless other Macs I tried as well. So before you go and remove your search policies as the steps below state, try out this fix and let me know how it goes.
There has been an ongoing issue with OS X machines running Snow Leopard: a user whose account is joined to the domain will see long waiting periods when logging into the machine, logging out of the machine, and authenticating to run privileged commands. This commonly happens when the user is not on the same network as the domain controller, yet still has a wireless or wired connection.
I have tried all the solutions I could find: creating login hooks to disable Bonjour, disabling mDNS multicasting, editing LDAP timeout entries (even though LDAP isn't used!). Nothing seemed to work, until I finally found a solution.
The problem lies within the search policies on the OS X system. After the computer is joined to the domain, 2 entries are added to the search policy: the entry /Active Directory/All Domains is added to both the Authentication and Contacts search paths. Since there is no way to change the Kerberos timeout value on OS X (that I am aware of), the system either tries to authenticate against all 3 directory domains (‘/Local/Default’, ‘/BSD/Local’, ‘/Active Directory/All Domains’), or tries Active Directory first even though it is at the bottom of the list, and the login waits for that lookup to time out.
Most of the time this has been seen when the domain is also a .local suffix. This MAY be due to problems with Bonjour (which also uses .local) and the .local Active Directory domain, but I’m not positive.
Fixing the problem:
Remove the /Active Directory/All Domains search path from both the Authentication & Contacts search policy.
* Please see the Notes section at the bottom for possible problems this may cause when doing this.
We must first make sure that the user is a ‘mobile’ user. This means that the user has a home directory under /Users/ created when they log in, and that their credentials have been cached. To verify this, we need to do the following:
- Navigate to System Preferences
- Click Accounts
- View the user’s account (the machine should already be bound to the domain); it should look like the following:
- Once this has been verified you will be able to continue.
We must now go through the process of removing the Search Policies from Active Directory:
- Navigate to System Preferences
- Click Accounts
- Click Login Options
- Next to Network Account Server, click on the Edit button
- Click on Open Directory Utility
- Under Services make sure LDAPv3 is unchecked, since we don’t use this, only Active Directory
- Click on Search Policy at the top
- Click on the Authentication tab:
- Click on the Contacts tab:
- Click once on /Active Directory/All Domains to highlight it
- Click on the - (minus) button to remove the entry
- There should be no listings under the contacts tab after removal
- Click Apply
- Close out the Directory Utility
- Close out the Accounts window
- Reboot the computer, and the login process should be MUCH faster.
Notes:
- New network users (who do not already have an account on the local machine) cannot log in to the computer afterwards, since we removed Active Directory from the Authentication tab. It is recommended that you create a local administrator account, so an administrator can always log in, along with a network admin account as a backup.
- Changing passwords works fine and has been tested. As long as the user has the green icon (connected) under Network Account Server, they can change their password and it will sync up with the domain controller.
- Authentication to network shares works as well, since OS X communicates directly with the server to authorize the connection.
- If for some reason the search paths need to be changed back, they are automatically generated again if you un-join and re-bind the machine to the domain (or they can be added manually).
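To check which of the two fixes above a given Mac still needs (Simon's Preferred Domain Server change, or the search path removal) without clicking through Directory Utility, here is an added audit script that is not part of the original post. `dscl /Search -read / SearchPath` and `dsconfigad -show` are real OS X commands; the sample output embedded below is constructed so the script also runs offline, and the exact "Preferred Domain controller" label in the `dsconfigad -show` output is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two settings this post
# blames for slow domain logins. The sample output below is constructed.

# True (exit 0) if the effective search path still lists the AD "All Domains" node.
ad_in_search_path() {
    printf '%s\n' "$1" | grep -q '/Active Directory/All Domains'
}

# True if the preferred domain server is a dotted-quad IP, so no DNS/.local lookup is needed.
preferred_dc_is_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Extract the "Preferred Domain controller" value from `dsconfigad -show` text
# (label assumed); prints nothing when it is "not set".
preferred_dc_from_show() {
    printf '%s\n' "$1" | awk -F'= *' '/Preferred Domain controller/ { if ($2 != "not set") print $2; exit }'
}

# One-line verdict per setting, in the terms the post uses.
audit() {
    search_out=$1; dc=$2
    if ad_in_search_path "$search_out"; then
        echo "search path: /Active Directory/All Domains present (AD lookup on every login)"
    else
        echo "search path: AD node removed (new network users cannot log in locally)"
    fi
    if [ -z "$dc" ]; then echo "preferred DC: not set (.local lookup when off the LAN)"
    elif preferred_dc_is_ip "$dc"; then echo "preferred DC: $dc (IP address, no lookup)"
    else echo "preferred DC: $dc (hostname, still resolved through DNS/.local)"
    fi
}

# Constructed sample output, standing in for a Mac bound the default way.
SAMPLE_SEARCH='SearchPath: /Local/Default /BSD/local /Active Directory/All Domains'
SAMPLE_SHOW='   Preferred Domain controller      = dc01.corp.local'

if command -v dscl >/dev/null 2>&1 && command -v dsconfigad >/dev/null 2>&1; then
    audit "$(dscl /Search -read / SearchPath)" "$(preferred_dc_from_show "$(dsconfigad -show)")"
else
    audit "$SAMPLE_SEARCH" "$(preferred_dc_from_show "$SAMPLE_SHOW")"
fi
```

On a bound Mac the script reads the live values; anywhere else it runs against the constructed sample and shows both warnings the post describes.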