-
Notifications
You must be signed in to change notification settings - Fork 339
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate better "forced logout" methods #923
Comments
To test: how do these work with machines set to autologin into a specific account at boot? These would be a poor replacement for the current method if all users sessions were logged out, but then the autologin user was logged back in. |
The current method that I briefly observed in the code (kill all loginwindow processes) seems to break Kerberos authenticated clients, as the login shell won't ever start back after login (iTerm / Terminal doesn't start login shell, immediately process completed), even if the kerberos ticket files in /tmp are deleted. The solution to this problem was rebooting the machine, sometimes forcing power off and on. I tried to investigate forced logout options for idle / inactive users on a pool of mac machines after I grew concerned about the machines constantly rebooting and potential HDD wear, and, well my results were rather unsuccessful so far. Tested with macOS High Sierra 10.13.4
Edit: I believe even after clearing /tmp with old kerberos tickets and testing both of the logout methods above, Kerberos would still eventually (multiple logouts and users) break with I will have to do more testing with those commands you have posted. |
I personally tend to use forced_update_ only for security/OS updates, so there's almost certainly going to be a restart anyway. One could argue that instead of doing all this stuff, just set a flag to install updates at boot and force a restart. That might be a good approach except for machines encrypted with Filevault... |
And so does (Of course a full reboot would also have this issue.) |
And now I test We probably should document this behavior though -- that forced logouts do not work as expected/desired if an autologin user is configured. |
The current method
logouthelper
uses to forcibly logout users was developed in mid-2011 and is a bit of a nasty hack.Investigate the use of macOS 10.11+
launchctl
methods to do this "better":launchctl reboot userspace
launchctl bootout gui/<uidNumber>
sudo -u <user> launchctl reboot logout
The text was updated successfully, but these errors were encountered: