Viewing 15 posts - 1 through 15 (of 19 total)
    #361885
    andyinindy
    Participant

    All:

    I am trying to come up with a script for binding my 10.4 machines to Active Directory, and I’m having no luck. It seems that when I use “dsconfigad” the machines are not actually bound, even though the script reports success. I can verify this by doing a “dscl localhost”, where I find that there isn’t a node for “Active Directory”, and lookups fail. When I bind from the GUI using Directory Access, dscl immediately shows the “Active Directory” node, and lookups work properly.

    Here is my script, which is a hodgepodge of Bombich & Bartosh’s, plus a bit of MacTroll (the last line where I add the search path).

    #!/bin/sh
    
    ## Get configd warmed up so it can populate our computerid with the existing computer name this early.
    /usr/sbin/scutil --get ComputerName > /dev/null
    /bin/sleep 5
    
    ##### Fill in the AD plugin info here #####
    
    ## Use the next line if you want to use the existing computer name for the AD name.
    computerid=`/usr/sbin/scutil --get ComputerName`
    
    ## Other required AD plugin variables.
    #forest="butler.edu"
    domain="butler.edu"
    id="acunning"
    password="12345"
    
    ## Optional AD plugin options. Just leave them commented out to not set them. 
    ## Note that ou will default to CN=Computers if not specified. I almost always specify a preferredserver.
    #ou="CN=Computers"
    #preferred="dc.foo.com"
    alldomains="enable"
    #uidattribute="msSFU30UidNumber"
    #caching="enable or disable"
    mobile="disable"
    mobileconfirm="enable"
    localhome="enable"
    useuncpath="enable"
    protocol="smb"
    shell="/bin/bash"
    groups="BUTLER\domain admins,BUTLER\user services"
    
    ##### End AD plugin variables. #####
    
    ##### Do the AD Bind #####
    
    ## Edit this dsconfigad command with the options you are using. I find binding goes smoother if you prefer a DC.
    ## If you need to add an OU do it here as so -ou $ou. It will default to CN=Computers without the argument passed.
    ## Remember if you log the actual bind you will put the binduser's password in the log!!!!
    
    ## Quote the variables: a computer name with a space would otherwise be split into two arguments.
    /usr/sbin/dsconfigad -f -a "$computerid" -domain "$domain" -u "$id" -p "$password"
    
    ## If you set any advanced options un-comment the following lines and add the ones you used. Sometimes they don't take during the bind.
    
    /usr/sbin/dsconfigad -alldomains $alldomains -mobile $mobile -mobileconfirm $mobileconfirm -localhome $localhome -useuncpath $useuncpath -protocol $protocol -shell $shell -groups "$groups"
    
    ##### End AD Bind #####
    
    ##### Add Search Paths #####
    
    sleep 5
    dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    
    

    Does anything look out of place with this? Would a reboot help? Maybe 10.4 breaks some part of this?

    Anyone who is successfully binding to AD in 10.4 using a script, please help!

    –Andyinindy

    #362063
    AMSR
    Participant

    Try this:

    1. Bind the computer:

    /usr/sbin/dsconfigad -f -a "ComputerID" -u "WindowsAdmin" -p "WindowsPassword" -lu "localAdmin" -lp "localPassword" -domain "your.domain.com" -ou "OU=YOUR,OU=CONTAINER,DC=domain,DC=COM"

    2. Set your other prefs for the AD plugin:

    /usr/sbin/dsconfigad -lu "localAdmin" -lp "localPassword" -alldomains disable -groups "Domain Admins,Enterprise Admins,My Cool Group"

    3. Set your hostname and computer name:

    scutil --set LocalHostName "ComputerID"

    scutil --set ComputerName "ComputerID"

    4. Add the AD to your authentication path:

    dscl /Search -create / SearchPolicy CSPSearchPath

    dscl /Search -append / CSPSearchPath /Active\ Directory/All\ Domains

    Hope that helps

    AMSR

    #362107
    dhark01
    Participant

    Hi there AMSR

    Your dscl commands were a big help to me.

    4. Add the AD to your authentication path:
    dscl /Search -create / SearchPolicy CSPSearchPath
    dscl /Search -append / CSPSearchPath /Active\ Directory/All\ Domains

    Now I tried the same for /Contact and also for OLDAP, but it keeps telling me that the path for /Contact does not exist.
    When I list the paths, a /Contact exists.

    Can you help me out here?

    Thanks in advance and kind regards,

    Dhark01

    #362430
    andyinindy
    Participant

    I finally have managed to get this working. The only caveat is that in order for the Authentication and Search paths to be properly set, the paths for both must be set to “Automatic” in Directory Access prior to running the script. I also omitted the sections where host/computer names are set, as NetRestore does this for me already.

    Here is the script in its entirety:

    ———————————

    #!/bin/sh

    /usr/sbin/dsconfigad -f -u "diradmin" -p "password" -lu "localadmin" -lp "password" -domain "butler.edu" -ou "OU=Macintosh Systems,OU=IR Managed Computers,DC=butler,DC=edu"

    ## Set your other prefs for the AD plugin:

    /usr/sbin/dsconfigad -lu "localadmin" -lp "password" -alldomains enable -groups "Domain Admins,user services"

    ## Set your hostname and computer name:

    #scutil --set LocalHostName "ComputerID"

    #scutil --set ComputerName "ComputerID"

    ## Add the AD to your authentication path:

    dscl /Search -create / SearchPolicy CSPSearchPath

    dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

    dscl /Search/Contacts -create / SearchPolicy CSPSearchPath

    dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"

    ———————————

    Yay!

    #362466
    dhark01
    Participant

    Hi andyinindy

    Thank you very much you saved my Day!!!

    How did you managed to find this out? You’re the Man!!

    Thanks again.

    I append the commands I used to bind to AD and OLDAP (with your help of course!):

    # Bind to AD
    sudo /usr/sbin/dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"

    # Configure advanced options
    sudo /usr/sbin/dsconfigad -alldomains "$multidomain" -localhome "$localhome" -useuncpath disable -protocol "$mountstyle"

    # LDAP binding
    sudo dsconfigldap -v -a LDAPSERVER -c "$computerid" -u diradmin

    # Set the Search Path for AD and LDAP
    sudo dscl /Search -create / SearchPolicy CSPSearchPath
    sudo dscl /Search -append / CSPSearchPath /LDAPv3/LDAPSERVER
    sudo dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    sudo dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    sudo dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/LDAPSERVER
    sudo dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"

    Kind regards,

    dhark01

    #362721
    Zeheeba
    Participant

    Hello There,

    Do you happen to remember where you found the list of all the different variables used for the AD plugin? I need the ones you mentioned in your original post, but need many others from the other config tabs.

    Any help would be appreciated.

    Regards,
    Z

    #362725
    Zeheeba
    Participant

    Duh…

    For anyone else who is having a brain leak, just do a man on dscl.

    : )

    Z

    #363724
    boardski
    Participant

    This has been a huge help, but when I try to run the append command in dscl I receive the following:

    attribute status: eDSNodeNotFound

    Is it just my memory, but didn't the dsconfigad command in 10.3 enable the AD DirectoryService? Anyone know how this functionality didn't make it into 10.4's?

    Boardski

    #363735
    boardski
    Participant

    I’ve just found this now does work, but I had to put a tick in the enable box for Active Directory. Is there any way to add this tick and therefore enable active directory via the CLI?

    #364421
    Anonymous
    Guest

    [QUOTE BY= macshome]If you are getting a “eDSNodeNotFound” are you sure you are bound to AD? If so do you have the domain name correct?[/QUOTE]
    I’m getting the same error. dsconfigad correctly binds to the domain, which is shown in the Directory Access app. I’m specifying a domain instead of using All Domains. Here’s what I’m entering:

    dscl /Search -append / CSPSearchPath /Active\ Directory/domain.network.com

    — jeremy.kemp at “Google Mail” dot com

    #364553
    Anonymous
    Guest

    A backslash directly before the space will also do the trick:

    dscl /Search -append / CSPSearchPath /Active\ Directory/domain.network.com

    #364554
    Anonymous
    Guest

    try that again…

    /Active\ Directory/domain.network.com

    #364555
    Anonymous
    Guest

    Okay, for some reason the page won't display the backslash in text or HTML mode, but believe me, there is supposed to be one directly after /Active

    #364635
    gilburns
    Participant

    I have an Applescript Studio app that I’m working on to do AD bind, and I have worked around the issue by writing directly to the plist files in /Library/Preferences/DirectoryService/ with the do shell script command.

    sudo defaults write '/Library/Preferences/DirectoryService/DirectoryService' 'Active Directory' 'Active'

    sudo defaults write '/Library/Preferences/DirectoryService/ContactsNodeConfig' 'Search Policy' -int 3

    sudo defaults delete '/Library/Preferences/DirectoryService/ContactsNodeConfig' 'Search Node Custom Path Array'

    sudo defaults write '/Library/Preferences/DirectoryService/ContactsNodeConfig' 'Search Node Custom Path Array' -array '/Active Directory/All Domains'

    sudo defaults write '/Library/Preferences/DirectoryService/SearchNodeConfig' 'Search Policy' -int 3

    sudo defaults delete '/Library/Preferences/DirectoryService/SearchNodeConfig' 'Search Node Custom Path Array'

    sudo defaults write '/Library/Preferences/DirectoryService/SearchNodeConfig' 'Search Node Custom Path Array' -array '/Active Directory/All Domains'

    If you are binding with “Allow authentication from any domain in the forest” unchecked you should use the actual name of your domain instead of “All Domains” in the commands above.

    After you write to the plist files, you should do these commands:

    sudo killall DirectoryService
    sudo killall lookupd

    so that the changes are picked up.

    It works for me.
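An added example, not one of the scripts posted in this thread, that puts AMSR's bind steps and gilburns's plist workaround together and checks for the "/Active Directory" node before touching the search path, so the eDSNodeNotFound case is caught instead of silently failing. The domain, OU, account names and passwords are placeholders, and the `diagnose` function only parses the two pieces of dscl output it is handed.

```shell
#!/bin/sh
# Placeholders: edit these before running on a real machine.
AD_DOMAIN="your.domain.com"
AD_OU="OU=YOUR,OU=CONTAINER,DC=domain,DC=com"
AD_USER="WindowsAdmin"; AD_PASS="WindowsPassword"
LOCAL_ADMIN="localadmin"; LOCAL_PASS="localPassword"
# Double quotes keep the space in the node path as one argument (the backslash issue above).
AD_PATH="/Active Directory/All Domains"

# Classify the machine's state from two captured outputs, so the script can tell
# "plugin not enabled / not bound" apart from "bound but search path not set".
#   $1 = output of `dscl localhost -list /`
#   $2 = output of `dscl /Search -read / CSPSearchPath`
# Prints one of: no-ad-node, searchpath-missing, ok (exit 0 only for ok).
diagnose() {
    if ! printf '%s\n' "$1" | grep -qx 'Active Directory'; then
        echo no-ad-node; return 1
    fi
    if ! printf '%s\n' "$2" | grep -qF "$AD_PATH"; then
        echo searchpath-missing; return 1
    fi
    echo ok
}

bind_ad() {
    /usr/sbin/dsconfigad -f -a "$(/usr/sbin/scutil --get ComputerName)" \
        -u "$AD_USER" -p "$AD_PASS" -lu "$LOCAL_ADMIN" -lp "$LOCAL_PASS" \
        -domain "$AD_DOMAIN" -ou "$AD_OU" || return 1
    /usr/sbin/dsconfigad -lu "$LOCAL_ADMIN" -lp "$LOCAL_PASS" -alldomains enable
    # Tick the "Active Directory" box in Directory Access from the CLI (gilburns's
    # defaults write), then restart DirectoryService so the node appears.
    defaults write /Library/Preferences/DirectoryService/DirectoryService 'Active Directory' Active
    killall DirectoryService; sleep 5
    state=$(diagnose "$(dscl localhost -list /)" "$(dscl /Search -read / CSPSearchPath)") || true
    case "$state" in
        no-ad-node) echo "bind failed: no /Active Directory node" >&2; return 1 ;;
        searchpath-missing)
            dscl /Search -create / SearchPolicy CSPSearchPath
            dscl /Search -append / CSPSearchPath "$AD_PATH" ;;
    esac
    # Final verification: exit status is 0 only when node and search path are both present.
    diagnose "$(dscl localhost -list /)" "$(dscl /Search -read / CSPSearchPath)"
}

# Only perform the bind when explicitly asked (sh bind.sh bind); sourcing or running
# without the argument just defines the functions.
if [ "${1-}" = bind ]; then bind_ad; fi
```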

    #364646
    smuth
    Participant

    I'd love to see that script, Josh. I've been trying to build one as of yesterday that I can incorporate with an image, so after imaging the user launches it, names the machine what they want, and the script does the rest.

    I’ve looked at other fully automated methods but when you have thousands of Macs it helps if you can name them individually by site and room, especially if you want to manage them.

    I’m looking for a netboot solution I can leave behind with simple instructions so I can go elsewhere and do good Wink

    thx

    Smuth
