Applies to: All versions of Centrify DirectControl on Mac OS X 10.7 and above
Problem:
When Filevault 2 is enabled for an AD user, it will require two logins when logging into the Mac:
- The first login screen is the solid grey screen which is used to unlock Filevault 2.
- The second login screen is the standard Mac desktop login screen.
This behavior does not occur when enabling Filevault 2 for a local user.
Logging in with a local user only requires the first grey screen for unlocking Filevault 2 after which the system will automatically log the user straight through to their desktop.
Cause:
Logging in with an AD account requires the two separate logins because the Mac agent needs to restart the SecurityAgent process after FileVault is unlocked.
This works fine for a normal login, but when FileVault 2 is enabled, the killing of SecurityAgent causes the login window to lose the current user context:
Oct 16 14:50:25 Developers-MacBook-Air com.apple.launchd[1] (com.apple.SecurityAgent.00000000-0000-0000-0000-0000000186A5[165]): Exited abnormally: Hangup: 1
Workaround:
Edit /etc/centrifydc/centrifydc.conf and add the line:
adclient.autoedit.CentrifyPAM: false
After rebooting, it should only require one login screen again.
NOTE: Be aware that this workaround carries a risk when the computer later needs to leave the domain. Before leaving, do the following in order:
- First remove the centrifydc.conf edit
- Reboot
- THEN leave the domain.
Leaving the domain without performing these steps may leave local users unable to log in after the next reboot.
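The following script is an added example for applying and, before leaving the domain, reverting the workaround above in a repeatable way; it is not Centrify's code and not part of the original article. It assumes centrifydc.conf uses one "key: value" setting per line (as the line shown above does), removes any existing active setting of the key before writing it so repeated runs do not duplicate it, keeps a .bak copy of the file, and accepts an alternative file path so it can be tried on a copy first. The sample config content it is tested against is constructed.

```shell
#!/bin/sh
# Added example (not Centrify's code): manage the FileVault 2 double-login
# workaround key in centrifydc.conf. Assumes "key: value" lines.
CONF_DEFAULT=/etc/centrifydc/centrifydc.conf
KEY="adclient.autoedit.CentrifyPAM"
KEY_RE='adclient\.autoedit\.CentrifyPAM'

# apply_workaround [FILE]: ensure exactly one active line
# "adclient.autoedit.CentrifyPAM: false" is present. Reboot afterwards.
apply_workaround() {
    f="${1:-$CONF_DEFAULT}"
    tmp="$f.tmp.$$"
    if [ -f "$f" ]; then
        cp "$f" "$f.bak"
        # drop any existing active setting of the key (commented defaults stay)
        grep -v "^[[:space:]]*$KEY_RE[[:space:]]*:" "$f" > "$tmp" || true
    else
        : > "$tmp"
    fi
    echo "$KEY: false" >> "$tmp"
    mv "$tmp" "$f"
}

# revert_workaround [FILE]: remove the active setting again. This must be
# done, followed by a reboot, BEFORE the Mac leaves the domain.
revert_workaround() {
    f="${1:-$CONF_DEFAULT}"
    tmp="$f.tmp.$$"
    cp "$f" "$f.bak"
    grep -v "^[[:space:]]*$KEY_RE[[:space:]]*:" "$f" > "$tmp" || true
    mv "$tmp" "$f"
}

# workaround_active [FILE]: succeed (exit 0) only if the key is set to false,
# i.e. the machine still needs the revert step before leaving the domain.
workaround_active() {
    f="${1:-$CONF_DEFAULT}"
    grep -q "^[[:space:]]*$KEY_RE[[:space:]]*:[[:space:]]*false[[:space:]]*$" "$f" 2>/dev/null
}

# Command-line use: apply|revert|status [FILE]. With no arguments nothing runs.
case "${1:-}" in
    apply)  apply_workaround "${2:-$CONF_DEFAULT}" ;;
    revert) revert_workaround "${2:-$CONF_DEFAULT}" ;;
    status) if workaround_active "${2:-$CONF_DEFAULT}"; then
                echo "workaround active: revert and reboot before leaving the domain"
            else
                echo "workaround not active"
            fi ;;
esac
```

Run it as root with "apply" (then reboot) to enable the workaround, and check "status" as part of any leave-domain checklist so the revert step is not skipped.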
Resolution:
This issue is resolved from Centrify agent version 5.1 onwards.