LDAP user VNC screen sharing suddenly broke. Other LDAP users work, local admin works

Tags: screen-sharing, ssh

I have a Mac (macOS Sierra 10.12.6) with a local admin user, a local non-admin user, and many LDAP users. One of the LDAP users can't log in via VNC anymore, but can log in via SSH.

The affected user can connect to the VNC port, and is prompted for a username/password.

[Image: VNC password prompt]

After the password is accepted, they are prompted to either request to view the display of the current user, or log in as themselves. They choose to log in as themselves.

[Image: "View Display" or "Log In" prompt]

Then, they just see the Connecting to ... dialog and eventually it times out.


Other LDAP users are able to log in via VNC and SSH, and the local admin and non-admin users can log in via VNC. This has affected the same user on two different boxes (both running the same version of macOS), so I'm guessing this is some kind of LDAP configuration issue, but I wasn't aware of any LDAP properties that controlled screen sharing access.

What might have changed to cause one of my LDAP users to lose VNC?

Best Answer

The LDAP user had changed their password, but their login keychain on this box still needed to be updated. Apparently, you can't log in via VNC if your login.keychain password and your account password don't match.

I discovered this when I VNCed in as a different user, then logged out, and then tried to log in as the affected user. I was able to log in, but then I received a prompt saying:

The system was unable to unlock your login keychain.

I chose Update Keychain Password, and entered the old LDAP password, and everything worked!
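Since SSH still works for the affected user, the mismatch the answer describes can be confirmed and fixed from a shell session as that user, without waiting for the GUI prompt. The script below is an added example, not code from the original post: it verifies the password against the directory node with `dscl . -authonly`, tries the same password on the login keychain with `security unlock-keychain`, and resyncs the keychain with `security set-keychain-password` (the CLI equivalent of "Update Keychain Password", which keeps the keychain contents). The user name and passwords passed in are placeholders; the exit-code scheme is this example's own convention.

```shell
#!/bin/sh
# Added example (not part of the original Q&A): detect and repair a macOS login
# keychain whose password no longer matches the account (LDAP) password.
# Run over SSH as the affected user; the login keychain lives in that user's
# home directory and `security` operates on the calling user's keychains.

# Print the path of the login keychain for a home directory ($HOME by default).
# macOS 10.12+ names it login.keychain-db; older releases used login.keychain.
login_keychain_path() {
    home="${1:-$HOME}"
    for f in "$home/Library/Keychains/login.keychain-db" \
             "$home/Library/Keychains/login.keychain"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Exit codes (this example's convention):
#   0  account password is valid and unlocks the login keychain (in sync)
#   1  account password is valid but does NOT unlock the keychain: the
#      mismatch that leaves VNC stuck at "Connecting to ..."
#   2  account password is not accepted by the directory node at all
#   3  dscl/security or the keychain file are unavailable (not a macOS host,
#      or this user has no login keychain)
keychain_in_sync() {
    user="$1"; pw="$2"
    command -v dscl >/dev/null 2>&1 && command -v security >/dev/null 2>&1 || return 3
    kc="$(login_keychain_path)" || return 3
    # First check the password against the directory (local or LDAP node).
    dscl . -authonly "$user" "$pw" >/dev/null 2>&1 || return 2
    # Then try the same password on the login keychain. Re-lock afterwards so
    # the check does not leave the keychain open.
    if security unlock-keychain -p "$pw" "$kc" >/dev/null 2>&1; then
        security lock-keychain "$kc" >/dev/null 2>&1
        return 0
    fi
    return 1
}

# Resync: re-key the login keychain from the old account password to the
# current one. Unlike deleting the keychain, this preserves stored items.
resync_login_keychain() {
    old_pw="$1"; new_pw="$2"
    command -v security >/dev/null 2>&1 || return 3
    kc="$(login_keychain_path)" || return 3
    security set-keychain-password -o "$old_pw" -p "$new_pw" "$kc"
}

# Human-readable status for interactive use.
describe_sync_status() {
    rc=0
    keychain_in_sync "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "in-sync" ;;
        1) echo "mismatch" ;;
        2) echo "bad-account-password" ;;
        *) echo "unavailable" ;;
    esac
}

# Typical session (placeholders): ssh in as the affected user, then
#   describe_sync_status "$USER" "$NEW_LDAP_PASSWORD"      # expect "mismatch"
#   resync_login_keychain "$OLD_LDAP_PASSWORD" "$NEW_LDAP_PASSWORD"
#   describe_sync_status "$USER" "$NEW_LDAP_PASSWORD"      # expect "in-sync"
```

If `describe_sync_status` reports `bad-account-password`, the problem is the directory account itself rather than the keychain, and `dscl` is the place to keep looking; `mismatch` is exactly the state the accepted answer describes, and a successful `resync_login_keychain` followed by `in-sync` is what makes the VNC login complete again.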