Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2094: Using .local domains with Centrify DirectControl on Mac OS X

Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:06 AM

Applies to: All versions of Centrify DirectControl on Mac OS X 10.6.8 and OS X 10.7.2 using .local AD domains.
After installing the Centrify DirectControl agent on Mac OS X 10.6.8 / 10.7.2, the following issues are observed:
- If the home directory is located on an SMB share, logging in will take a long time.
- If an AD user logs in and tries to mount a SMB share folder in Finder, it will take a long time to mount.
- The CDC agent may stay in disconnected mode (Check by running the command adinfo in Terminal).
On the affected versions of OS X, the system always defaults to Bonjour first to resolve any .local hostnames. If Bonjour fails (e.g. Due to timeout), it will then switch to standard DNS, thus causing the delays. 
For Mac systems, the .local domain is reserved for Bonjour, and OS X will only lookup these hostnames using Bonjour (multicast). 
On Mac OS 10.7.2, a hostname that contains only one level under .local (i.e. domain.local) is resolved using multicast. Other hostnames are resolved using both multicast and then unicast - it will try on multicast several times (default 5 seconds for each try) and then timeout if the host cannot be resolved, only then will it try unicast. This is the reason for the mount delay. 
Under these conditions, it may not be possible to ping domain.local which in turn causes the adclient will stay in disconnected mode for up to 60 seconds after starting up. 
Note: The following steps can be avoided entirely by upgrading OS X to 10.7.3 or higher.
- The following steps require root or sudo privileges. 
- It is advised to make backups of the original files in case of any errors when editing these files. 
Step 1: Force OS X 10.6.8 / 10.7.2 to do both multiicast and unicast queries to domain.local
- On the DNS server (AD or Unix), create a primary zone "local". 
- No modification is necessary, just ensure that SOA (Start of Authority) exists in this zone.
- Restart mDNSResponder on the Mac by running the Terminal command"
  sudo killall mDNSResponder
- This will allow domain.local to be pinged.

Step 2: Disable IPv6
- Note that OS X 10.7 always does both IPv4 and IPv6 queries. Disabling IPv6 won't actually stop the Mac from using IPv6 query, but it improves performance.
- IPv6 cannot be disabled from System Preferences, it needs to be manually configured by editing the plist at: /Library/Preferences/SystemConfiguration/preferences.plist
- Find the network adapter (Ethernet or Airport) under the NetworkServices key
- Edit the IPv6 setting and change the config method to __INACTIVE__:
 <plist version="1.0">
         ... ...
                         ... ...
                         ... ...

Step 3: Reduce DNS timeout.
- Since there is no way to change the DNS lookup order, the multicast DNS timeout can be reduced instead by editing mdns_timeout
- Edit: /System/Library/SystemConfiguration/IPMonitor.bundle/Contents/Info.plist
(The default setting is 5).
Step 4: (optional)
- If mdns_timeout is set to 0 instead of 1, any .local host/domain will not be pingable, but other apps such as Finder and Apple's AD plugin will still work (they will still be able to resolve .local hostnames). 
- AD user logins will also work quickly. 
- Mounting SMB shares in Finder will first prompt that there is a problem connecting to the server, but it will eventually connect successfully.
- This prompt can be fixed by adding the machine that hosts the DNS server and Windows share into the /etc/hosts file on the Mac:
 192.168.x.x   server.domain.local
 192.168.x.x   anotherserver.domain.local
Where 192.168.x.x is the IP address of the DNS server in the environment.
Note: Since domain.local cannot be pinged, adclient will still stay in disconnected mode for up to 60 seconds after start (which means it will be necessary to wait for more than 1 minute after a reboot). Adding domain.local into /etc/hosts resolve this issue.

Step 5: 
- If a network home directory is also on a server which has a .local suffix, please add the following line under the [domain_realm] section of /etc/krb5.conf:
- Where YOURSERVER refers to the FQDN of the server hosting the home directory and YOURDOMAIN.LOCAL is the AD domain name.

Step 6:
- Reboot the Mac.
Step 7:
- Test a network login and there should no longer be any delay during login. 
- There should also be no more delay when mounting a SMB folder using Finder.
Upgrade OS X to 10.7.3 or higher.
This is an Apple bug. (Apple Bug ID #9887516)
Apple has since provided a KB on this issue and the fix issued in OS X 10.7.3:




For more information on Bonjour:

Additional links:


(All links provided as a courtesy. Centrify can make no guarantees to their availability and any subsequent changes in content at later dates.)



Sample files with the changes in Steps 2 & 3 are attached to this KB, however it is highly recommended to make changes on the affected Mac systems directly.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.