Adding AD to search paths via dscl

  • #372265
    amsterdam
    Participant

    After using the usual dsconfigad script to bind our machines, the machine will bind, but the dscl command that’s used to add the paths to /Search and /Search/Contacts doesn’t seem to work:
    [code]
    ~ root# dscl /Search -read / CSPSearchPath
    CSPSearchPath: /Local/Default /BSD/local /LDAPv3/[OD server]
    ~ root# dscl /Search/Contacts -read / CSPSearchPath
    CSPSearchPath: /Local/Default /BSD/local /LDAPv3/[OD server]
    ~ root# dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

    attribute status: eDSNodeNotFound
    DS Error: -14008 (eDSNodeNotFound)
    ~ root# dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
    attribute status: eDSNodeNotFound
    DS Error: -14008 (eDSNodeNotFound)
    [/code]
    However, if I log in to the machine and simply open up Directory Utility, I see a red light on the ADS server, but if I return to the command line without doing anything in the GUI:
    [code]
    ~ root# dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    ~ root# dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
    ~ root# dscl /Search -read / CSPSearchPath
    CSPSearchPath:
    /Local/Default
    /BSD/local
    /LDAPv3/[OD server]
    /Active Directory/All Domains
    [/code]
    So apparently, running the Directory Utility GUI does something that enables one to add the ADS paths via the command line. The thing I want to know is, what is that? And can it be duplicated via the command line so I can script the whole thing? The error still happens if I don’t bind to the OD server at all, and start with a clean image and no directory bindings at all. The reason I’m binding the OD first is that the computer gets its name from the OD, and then uses it to bind to AD. I have thought about using a single AD computer account, but don’t want to invite disaster if it gets deleted and all of our Macs can’t authenticate anymore.

    Also, I’m creating the CSPSearchPath key when I bind to OD, so that step is already done. But, I still get the same error if I start with a clean, OD-less image. I can create the CSPSearchPath keys, but cannot append the ADS path to them.

    #372311
    amsterdam
    Participant

    Yes, this is 10.5.2. Sorry I didn’t specify that earlier.

    I tried binding with the alldomains option disabled, but still the same result. From a clean install of 10.5.2 that I built with InstaDMG, I’m using Mike Bombich’s script to do the AD bind:

    [code]
    /usr/bin/defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    /usr/bin/plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    /usr/sbin/dsconfigad -f -a [machine_account] -domain [ADS domain] -u [username] -p "[password]" -ou "[OU]"
    /usr/sbin/dsconfigad -alldomains disable -localhome enable -protocol smb -mobile enable -mobileconfirm disable -useuncpath enable -shell /bin/bash -nopreferred
    [/code]

    The bind works, but same problem as last time, with the “All Domains” option or the specific domain:

    [code]
    root# dscl /Search -create / SearchPolicy CSPSearchPath
    root# scl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    -sh: scl: command not found
    root# dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

    attribute status: eDSNodeNotFound
    DS Error: -14008 (eDSNodeNotFound)
    root# dscl /Search -append / CSPSearchPath "/Active Directory/[ADS domain]"
    attribute status: eDSNodeNotFound
    DS Error: -14008 (eDSNodeNotFound)
    [/code]

    Here’s where things get interesting. If I go into the interactive dscl mode:

    [code]
    root# dscl
    Entering interactive mode... (type "help" for commands)
    > cd Active\ Directory/
    /Active Directory > ls
    [ADS domain]
    /Active Directory > cd [ADS domain]
    [there’s a few seconds of wait time here…]
    /Active Directory/[ADS domain] > ls
    CertificateAuthorities
    Computers
    FileMakerServers
    Groups
    Mounts
    People
    Printers
    Users
    /Active Directory/[ADS domain] > exit
    Goodbye
    root# dscl /Search -append / CSPSearchPath "/Active Directory/[ADS domain]"
    root#
    [/code]

    So, somehow, going into dscl and poking around does the trick. Although how I’m going to do this all with a loginHook, I’m not sure. Maybe running some -list commands or something will “wake it up”, so to speak. I haven’t tried this with the “All Domains” option, but I suspect it’s going to be similar behavior, since it worked, but only with the GUI intervention… It seems like there needs to be some directory listing “refresh” command, even though I’m doing the killall DirectoryService command.

    Any ideas?

    #372312
    amsterdam
    Participant

    UPDATE:

    Adding a simple list command to the script, before the search paths are added:

    [code]
    dscl "/Active Directory/[ADS domain]" -list /Computers > /dev/null
    [/code]

    did the trick. I’d just chalk it up to our massive and overly complex ADS domain (Indiana University).

    #372363
    creisor
    Participant

    Hello, there.

    I’m seeing the same thing on 10.4.11.

    If I go into dscl interactively, and type ls, I see this:
    [code]
    > ls
    AppleTalk
    Bonjour
    NetInfo
    SLP
    SMB

    Search
    Contact
    [/code]

    It appears that these are all the enabled Directory Access Services. So, it makes sense that if I were to try to operate on Active Directory, it’s not there, so I get an error.

    The only way I can figure out to get Active Directory populated in the list is to go into the Directory Access GUI and click the Enable box for Active Directory. Then I see:
    [code]
    > ls
    Active Directory
    AppleTalk
    Bonjour
    NetInfo
    SLP
    SMB

    Search
    Contact
    [/code]

    But the whole point of this exercise, for me, is to be able to script the configuration/enabling of Active Directory. Does anybody know of a way to script the enabling of a Service?

    #372769
    pteeter
    Participant

    Hopefully this isn’t beating a dead horse.

    Agree with Joel that enabling the plug-in is necessary. But as for adding the Custom Search Path:

    I found that a killall DirectoryService followed by dscl / -list / seems to right the DirectoryService ship for proper appending of CSPSearchPath items.

    I found that Tiger especially likes to have the service bounced and ‘primed’, Leopard isn’t as picky about it.

    Thanks to a few people at AES for this knowledge. And check out the Release Notes…

    [url]http://developer.apple.com/releasenotes/MacOSXServer/RN-DirectoryServices/index.html[/url]
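The sequence the thread converges on (enable the plug-in, bounce DirectoryService, "prime" the AD node with a listing as in amsterdam's UPDATE and pteeter's reply, then append to CSPSearchPath) can be scripted so a loginHook can run it on every boot. The script below is an added example, not code posted by anyone in this thread: the AD domain is a placeholder, the `dscl` command name is taken from a variable so the functions can be exercised with a stand-in, and the exact-match "already present" check (which keeps repeated runs from duplicating entries) is an addition that no poster describes.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Scripts the sequence the posters converged on: enable the AD plug-in,
# bounce DirectoryService, "prime" the AD node with a listing, then append
# the node to CSPSearchPath only if it is not already there.
# AD_DOMAIN is a placeholder; DSCL is a bare command name so a shell function
# can stand in for it when the script is exercised without a directory server.
DSCL=${DSCL:-dscl}
AD_DOMAIN=${AD_DOMAIN:-ad.example.placeholder}
AD_NODE="/Active Directory/$AD_DOMAIN"

# Enable the plug-in (the defaults write from the Bombich script quoted above).
enable_ad_plugin() {
    /usr/bin/defaults write /Library/Preferences/DirectoryService/DirectoryService \
        "Active Directory" "Active"
    /usr/bin/plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
}

# The thread's own workaround: restart DirectoryService so it re-reads its plug-in list.
bounce_directory_service() {
    killall DirectoryService 2>/dev/null || true
    sleep "${RETRY_DELAY:-2}"
}

# Prime the AD node: a listing makes DirectoryService open it, which is what the
# GUI visit did in the thread. Retries because the first listing can take seconds.
prime_ad_node() {
    tries=0
    while [ "$tries" -lt "${MAX_TRIES:-5}" ]; do
        if "$DSCL" "$AD_NODE" -list /Computers >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "${RETRY_DELAY:-2}"
    done
    return 1
}

# dscl prints CSPSearchPath space-separated on one line when no value contains a
# space, and one indented value per line otherwise. Emit exactly one value per line.
normalize_search_path() {
    awk 'NR == 1 { oneline = ($0 ~ /^CSPSearchPath:[ \t]*[^ \t]/) }
         {
             sub(/^CSPSearchPath:/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
             if ($0 != "") vals[++n] = $0
         }
         END {
             if (oneline) { s = vals[1]; n = split(s, vals, " ") }
             for (i = 1; i <= n; i++) print vals[i]
         }'
}

# Exact-match test: is path $2 already in the CSPSearchPath of node $1?
search_path_has() {
    "$DSCL" "$1" -read / CSPSearchPath 2>/dev/null | normalize_search_path | grep -F -x -q -- "$2"
}

# Idempotent append, so a loginHook can run this on every boot without duplicating entries.
append_search_path() {
    if search_path_has "$1" "$2"; then
        return 0
    fi
    "$DSCL" "$1" -append / CSPSearchPath "$2"
}

configure_ad_search_paths() {
    enable_ad_plugin
    bounce_directory_service
    prime_ad_node || { echo "node $AD_NODE never became listable" >&2; return 1; }
    for node in /Search /Search/Contacts; do
        "$DSCL" "$node" -create / SearchPolicy CSPSearchPath
        append_search_path "$node" "$AD_NODE" || return 1
    done
}

# Run the full sequence only when asked, so the functions can also be sourced.
if [ "${RUN_AD_SEARCH_SETUP:-0}" = 1 ]; then
    configure_ad_search_paths
fi
```

Deploy it with `RUN_AD_SEARCH_SETUP=1 AD_DOMAIN=<your domain> sh ad-search-paths.sh` after the dsconfigad bind; the priming loop returns non-zero if the node never becomes listable, so a failed run is visible in the hook's exit status rather than silently leaving the search path short.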
