On bound Macs there is a problem where a computer that has been left on, with the screen saver active, for more than 10 hours has its Kerberos ticket expire. If this happens a user is unable to unlock the screen saver using their AD credentials.
Here is the KB article from Apple on how to fix this problem:
http://support.apple.com/kb/TS3287
Thursday, August 18, 2011
Friday, May 28, 2010
Enable Screen Saver Locking From the Command Line: Snow Leopard
The settings are now stored in ~/Library/Preferences/com.apple.screensaver.plist:
$ defaults read com.apple.screensaver
{
askForPassword = 1;
askForPasswordDelay = 5;
}
$
To turn on the screen saver lock:
defaults write com.apple.screensaver askForPassword -int 1
To turn off the screen saver lock:
defaults write com.apple.screensaver askForPassword -int 0
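To confirm the setting took effect, the following added example (not from the original post) parses `defaults read com.apple.screensaver` output in the format shown above and fails when the lock is off or the delay is too long. `MAX_DELAY`, the function names, the rule that a missing delay counts as a failure, and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the screen saver lock from `defaults read` output.
# MAX_DELAY is an assumed policy threshold in seconds, not a value from the post.
MAX_DELAY=${MAX_DELAY:-5}

# Print the value of key $1 from `defaults read` text on stdin (empty if absent).
# Anchoring on "key =" keeps askForPassword from matching askForPasswordDelay.
plist_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\};.*/\1/p" | head -n 1
}

# Read `defaults read com.apple.screensaver` output on stdin.
# Return 0 only if the lock is on and engages within MAX_DELAY seconds.
audit_screensaver() {
    out=$(cat)
    lock=$(printf '%s\n' "$out" | plist_value askForPassword)
    delay=$(printf '%s\n' "$out" | plist_value askForPasswordDelay)
    delay=${delay%%.*}    # tolerate values stored as floats, e.g. "5.0"

    if [ "$lock" != "1" ]; then
        echo "FAIL: askForPassword is '${lock:-unset}', lock is not enforced"
        return 1
    fi
    case "$delay" in
        ''|*[!0-9]*)
            # Assumption of this check: the delay must be set explicitly.
            echo "FAIL: askForPasswordDelay is missing or not numeric"
            return 1 ;;
    esac
    if [ "$delay" -gt "$MAX_DELAY" ]; then
        echo "FAIL: askForPasswordDelay is ${delay}s, above ${MAX_DELAY}s"
        return 1
    fi
    echo "PASS: lock enabled, delay ${delay}s"
}

# Constructed sample input in the format shown on this page.
audit_screensaver <<'EOF'
{
    askForPassword = 1;
    askForPasswordDelay = 5;
}
EOF

# On a Mac, feed it the live settings instead:
#   defaults read com.apple.screensaver | audit_screensaver
#   defaults -currentHost read com.apple.screensaver | audit_screensaver   # pre-Snow Leopard
```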
Thursday, May 27, 2010
Turn on Mac screen saver password from command line (not for Snow Leopard)
Turn on the screen saver password:
defaults -currentHost write com.apple.screensaver askForPassword -int 1
Turn off Screen saver password:
defaults -currentHost write com.apple.screensaver askForPassword -int 0
Again, this doesn't work for Snow Leopard.
Friday, December 18, 2009
Snow Leopard: Kerberos ticket not renewing coming out of Screen Saver
We had another case opened with Apple about the Kerberos ticket not renewing after typing in the password when coming out of the screen saver in Snow Leopard. They sent me this instruction on modifying a file in /etc, and it looks like it is resolving the problem. If you guys have a Snow Leopard machine bound to AD, please try it out too so we can confirm it does work.
Please edit the “system.login.screensaver” entry in the /etc/authorization file to read like this:
<key>system.login.screensaver</key>
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>(Use SecurityAgent.) The owner or any administrator can unlock the screensaver.</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
</dict>
Note that the string:
The owner or any administrator can unlock the screensaver
is changed to:
(Use SecurityAgent.) The owner or any administrator can unlock the screensaver
Thursday, August 6, 2009
Mac: Kerberos time-outs and locked screen saver
This is an interesting little glitch.
On AD bound Macs if a user has their screen-saver set to require a password to deactivate and the user leaves their computer on for more than 10 hours, they will not be able to unlock the screen-saver. Apple has confirmed that this is a problem and advises that the user should enter their user name and password and then wait for one minute before they press “OK.”
This affects all versions of OS X through 10.5.7. The latest 10.5.8 patch is supposed to fix the issue.
The default time-out for a Kerberos ticket is 10 hours, but with the screen-saver password lock enabled the Mac doesn’t auto-renew the ticket properly. Normally, every time you unlock your screen-saver it refreshes the Kerberos ticket back to 10 hours, but this simply doesn’t happen if the machine has been sitting on and idle for over 10 hours.