discoveryd causes inaccurate AD group lookups
Originator: tom.j.burgin
Number: rdar://19237746
Date Originated: 12-Dec-2014 05:32 PM
Status: Open
Resolved: (none)
Product: OS X
Product Version: 10.10.x
Classification: DNS
Reproducible: Every Time
The method ODRecordContainsMember does not return correct results under OS X 10.10 for the first 60+ seconds after boot or network connection for Active Directory Users and Groups. In OS X 10.10, results returned are false, even though the user does indeed belong to the group. It takes over 60+ seconds before we get a correct response. If you search for a user that is a member of a group, ODRecordContainsMember will return false. After 60+ seconds the method will start returning proper results.

https://developer.apple.com/library/mac/documentation/Networking/Reference/OpenDirectoryFramework/#//apple_ref/c/func/ODRecordContainsMember

STEPS TO REPRODUCE

1) Compile a command line app to test the ODRecordContainsMember method. This app has a few classes, the 1st for getting the DS (Active Directory) User ODRecord and a 2nd for getting a DS (Active Directory) Group ODRecord. I then use ODRecordContainsMember to search for group membership.
2) Clear the DS cache (dscacheutil -flushcache).
3) Plug in the network that has access to the AD domain.
4) Run the binary to test the ODRecordContainsMember method.

This can also be reproduced with the "id" command.

Under OS X 10.8.5 and 10.9.5 the ODRecordContainsMember returns the proper value within 1 sec of being connected to the network. OS X 10.10.2 does not. It takes over 60 sec and multiple runs of the binary for it to display the correct result. I know that the 10.10.2 machine is communicating with AD because I am printing out the ODRecords it is returning.

So I was looking through a [Fed-Talk] email chain and someone sent out this link: http://arstechnica.com/apple/2015/01/why-dns-in-os-x-10-10-is-broken-and-what-you-can-do-to-fix-it/

I went ahead and tried it out on my 10.10.2 box… Guess what… The AD lookup issue is resolved in 10.10 when running mDNSResponder instead of discoveryd. I tried this on a second 10.10.2 system to confirm. Yep. AD group lookups resolve correctly almost instantly. Just like 10.7 - 10.9.
Tom Burgin [C] Mac Support Engineer (301) 443-3904 NIMH | IRTMB
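The following is an added reproduction harness, not the reporter's own test app and not Apple code. It is a macOS command line tool that looks up an AD user and group on the /Search node (kODNodeTypeAuthentication, an assumption; the report does not say which node the reporter used), calls the ODRecordContainsMember function named in the report once per second, and prints how many seconds elapse before the call first returns true. Unlike the reporter's procedure, which re-ran the binary several times, this polls within a single process; the one-second interval, the 180-second cutoff and the argument layout are choices made for this example.

```objective-c
// adcheck.m (added example): time how long ODRecordContainsMember takes to
// report a correct AD group membership after a cache flush or network change.
// Build: clang -fobjc-arc -framework Foundation -framework OpenDirectory adcheck.m -o adcheck
// Run:   sudo dscacheutil -flushcache && ./adcheck <username> <groupname>
#import <Foundation/Foundation.h>
#import <OpenDirectory/OpenDirectory.h>
#include <unistd.h>

// Fetch one record by short name. Returns nil if the record is not found or
// the node cannot be reached; outError is filled in only on an actual error.
static ODRecord *recordNamed(ODNode *node, ODRecordType type,
                             NSString *name, NSError **outError) {
    return [node recordWithRecordType:type name:name attributes:nil error:outError];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc != 3) {
            fprintf(stderr, "usage: %s <username> <groupname>\n", argv[0]);
            return 2;
        }
        NSString *userName  = [NSString stringWithUTF8String:argv[1]];
        NSString *groupName = [NSString stringWithUTF8String:argv[2]];
        NSError *error = nil;

        // The authentication (/Search) node includes a bound AD domain, so
        // AD users and groups resolve through it. (Assumed node choice.)
        ODNode *node = [ODNode nodeWithSession:[ODSession defaultSession]
                                          type:kODNodeTypeAuthentication
                                         error:&error];
        if (!node) {
            NSLog(@"cannot open /Search node: %@", error);
            return 1;
        }

        NSDate *start = [NSDate date];
        const NSTimeInterval maxWait = 180.0;   // give up after three minutes

        for (;;) {
            // Re-fetch both records on every pass: the report notes that the
            // records themselves come back even while membership is wrong.
            error = nil;
            ODRecord *user  = recordNamed(node, kODRecordTypeUsers,  userName,  &error);
            ODRecord *group = recordNamed(node, kODRecordTypeGroups, groupName, &error);
            NSTimeInterval elapsed = -[start timeIntervalSinceNow];

            if (user && group) {
                // The C function named in the report. ODRecord is toll-free
                // bridged to ODRecordRef, so the bridge cast is all that is needed.
                bool member = ODRecordContainsMember((__bridge ODRecordRef)group,
                                                     (__bridge ODRecordRef)user,
                                                     NULL);
                printf("%6.1fs  ODRecordContainsMember(%s, %s) = %s\n",
                       elapsed, argv[2], argv[1], member ? "true" : "false");
                if (member) {
                    printf("first correct answer after %.0f seconds\n", elapsed);
                    return 0;
                }
            } else {
                const char *why = error ? [[error localizedDescription] UTF8String]
                                        : "record not found";
                printf("%6.1fs  lookup failed: %s\n", elapsed, why);
            }

            if (elapsed > maxWait) {
                printf("gave up after %.0f seconds\n", maxWait);
                return 1;
            }
            sleep(1);
        }
    }
}
```

On a 10.9.5 system the expected output is a single "true" line within the first second; on an affected 10.10.2 system the report's behaviour shows as a run of "false" lines before the first "true". Because a false result during that window is indistinguishable from a genuine non-member, any local authorization logic that grants access when a user is not in some restricted group fails open for the same period, while logic that requires membership fails closed; the elapsed-time column is the only way this tool tells the two apart.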