This topic has 10 replies, 5 voices, and was last updated 16 years, 7 months ago by afp548contributor.
amsterdam (Participant), March 6, 2008 at 9:35 pm, #371806

This is in Leopard:
We have a “golden triangle” setup here and I want to be able to get InstaDMG to produce an image that is already bound to our OD server. From there, it can get a name that can be used to bind it to ADS. So there are 2 problems here:
1) OD binding:
Do I make a pkg of the .plist files that are generated under /Library/Preferences/DirectoryServices to take care of the OD bind, or should I write a startup script or login hook?
2) AD binding
- Last time I had the machine bind to AD with one of Mike Bombich's scripts that ran whenever someone logged in and then deleted itself. Can I create an initial login hook and then package it?
If I can have the machine already in OD, then I could manage the login hooks via WGM... very nice... but I need to get it into OD first.
amsterdam (Participant), March 7, 2008 at 8:13 pm, #371812

Follow up:
Since my computer records are already in OD, I can use this script, without a password:
[code]
dsconfigldap -v -sgme -a [ODservername]
[/code]
And get it to bind with some nice security bits as well. Is anyone using InstaDMG to create scripts that run once at boot to do such things? Are there other solutions?
gsprague (Participant), September 10, 2008 at 3:42 pm, #374047

What files specifically?
com.apple.DirectoryUtility.plist?
edu.mit.Kerberos?
Any other files?
Thanks!
amsterdam (Participant), September 10, 2008 at 4:45 pm, #374049

I'm not sure about the edu.mit.kerberos file, because that is usually created automatically. But all the files under the /Library/Preferences/DirectoryServices folder will do.
BTW, I'm using a loginHook when the computer is first imaged to do the binding, and not using the file-copy method.
Greg Neagle (Participant), September 10, 2008 at 6:27 pm, #374051

Why do this as a loginhook? That requires someone to log in! Are you using the logging-in username in the script?
It seems to me this is better suited as a script that runs at startup – either triggered by launchd, or as a StartupItem. This way it runs automatically after imaging and restart.
-Greg
[QUOTE][u]Quote by: amsterdam[/u]
[p]I'm not sure about the edu.mit.kerberos file, because that is usually created automatically. But all the files under the /Library/Preferences/DirectoryServices folder will do.
BTW, I'm using a loginHook when the computer is first imaged to do the binding, and not using the file-copy method.[/p]
[/QUOTE]
gsprague (Participant), September 10, 2008 at 6:41 pm, #374052

How exactly do you run a launchd script only once? Is this possible, and then wouldn't you want to remove it after binding? I guess you could create a script that checks to see if you are bound, and if you are not it will auto-bind on startup... like so...
[code]
#!/bin/sh
# Bind to Open Directory at startup only if no LDAPv3 node is configured yet.
if ! dscacheutil -configuration | grep -q "/LDAPv3"; then
    NEWODSERVER=yourODserverDNSorIPgoesHere
    # sudo is redundant when this runs from a LaunchDaemon, which is already root
    sudo dsconfigldap -a "$NEWODSERVER"
    sudo dscl localhost -create /Search SearchPolicy dsAttrTypeStandard:CSPSearchPath
    sudo dscl localhost -merge /Search CSPSearchPath "/LDAPv3/$NEWODSERVER"
fi
exit 0
[/code]
You could either put this in a launchd daemon or have a launchd daemon call the script from wherever you want to store it.
Regards!
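The run-once LaunchDaemon gsprague asks about, written out as an added example (not code from this thread or from InstaDMG). It assumes the computer record already exists in OD, as amsterdam describes, so no directory-admin password has to live in the file; the server name od.example.edu, the job label, and the install paths are placeholders. It checks for the exact OD node rather than any `/LDAPv3` string, binds with the same `dsconfigldap -sgme` options amsterdam used, uses `dscl -merge` so a re-run cannot add a duplicate search-path entry, and retires itself by deleting its own plist and script instead of unloading the job from inside the job:

```shell
#!/bin/sh
# Added example, not code from the thread: a run-once LaunchDaemon that binds a
# freshly imaged Leopard client to Open Directory at startup, only if the OD
# node is not already in the search path, then removes its own plist and script.
# Assumed names: od.example.edu, the job label, and the paths below.

OD_SERVER="od.example.edu"                  # assumption: FQDN of the OD master
OD_NODE="/LDAPv3/${OD_SERVER}"
LABEL="edu.example.bind-once"               # assumption: launchd job label
SCRIPT="/usr/local/sbin/bind-once.sh"       # assumption: where this file is installed
PLIST="/Library/LaunchDaemons/${LABEL}.plist"
LOG="/var/log/bind-once.log"

# Read `dscl /Search -read / CSPSearchPath` output on stdin; succeed only if
# NODE is present as a whole entry. `grep -q /LDAPv3` also matches any other
# or stale LDAP node, so compare complete entries instead. dscl prints the
# values on the key line when none contains a space, and one per line with a
# leading space otherwise (e.g. "/Active Directory/All Domains").
search_path_has_node() {
    node="$1"
    while IFS= read -r line; do
        case "$line" in
            CSPSearchPath:*)
                for entry in ${line#CSPSearchPath:}; do   # one-line form: values hold no spaces
                    [ "$entry" = "$node" ] && return 0
                done ;;
            " "*)
                [ "${line# }" = "$node" ] && return 0 ;;  # multi-line form
        esac
    done
    return 1
}

od_bound() {
    /usr/bin/dscl /Search -read / CSPSearchPath 2>/dev/null | search_path_has_node "$OD_NODE"
}

# The computer record (name + Ethernet ID) already exists in OD, so no
# directory-admin credential is needed here. -merge rather than -append keeps
# a re-run from adding a duplicate search-path entry.
bind_to_od() {
    /usr/sbin/dsconfigldap -v -sgme -a "$OD_SERVER" || return 1
    /usr/bin/dscl /Search -create / SearchPolicy CSPSearchPath
    /usr/bin/dscl /Search -merge / CSPSearchPath "$OD_NODE"
}

# Emit the LaunchDaemon plist. RunAtLoad with no KeepAlive runs the job once
# per boot; deleting the plist afterwards is what makes it run only once.
plist_xml() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>${LABEL}</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>${SCRIPT}</string><string>--run</string></array>
    <key>RunAtLoad</key><true/>
    <key>StandardOutPath</key><string>${LOG}</string>
    <key>StandardErrorPath</key><string>${LOG}</string>
</dict>
</plist>
EOF
}

install_daemon() {   # run once while building the image, e.g. from a package postflight
    plist_xml > "$PLIST"
    chown root:wheel "$PLIST" "$SCRIPT" && chmod 644 "$PLIST" && chmod 700 "$SCRIPT"
}

# Retire by deleting the plist and this script. Do not `launchctl unload` our
# own job here: launchd would SIGTERM this process before the rm runs.
retire_self() {
    rm -f "$PLIST" "$SCRIPT"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root (a LaunchDaemon already is; no sudo needed)" >&2; exit 1; }
    if od_bound; then
        echo "already bound to ${OD_NODE}; retiring the job"
    elif bind_to_od && od_bound; then
        echo "bound to ${OD_NODE}"
    else
        echo "bind to ${OD_SERVER} failed; leaving the job in place to retry next boot" >&2
        exit 1
    fi
    retire_self
}

case "${1:-}" in
    --run)     main ;;
    --install) install_daemon ;;
    *)         : ;;   # no argument: only define the functions, so the file can be sourced
esac
```

Install it with `sh bind-once.sh --install` on the image (it is loaded on the next boot by launchd); launchd invokes it with `--run`, as root, so none of the `sudo` calls from the script above are needed and no admin password has to be embedded. Note the difference from the AD script later in this thread, which must carry a privileged AD user's password in plaintext for `dsconfigad` and therefore has to `srm` itself afterwards; an OD bind against a pre-created computer record avoids putting that credential on disk at all.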
amsterdam (Participant), September 10, 2008 at 6:44 pm, #374053

Tried that... didn't seem to work. We have ADS in the mix as well...
we image each machine and send it out so it’s in house before being deployed so the loginhooks works for our particular situation.
gsprague (Participant), September 12, 2008 at 3:00 pm, #374078

I can't actually use the script I posted because I'd have to embed the admin password for sudo to work. How exactly are you doing the loginhook? Are you using LoginWindow Manager? What is the script?
Any help would be greatly appreciated! 😀
amsterdam (Participant), September 12, 2008 at 3:57 pm, #374079

Here's the script... in order for it to work, you have to have already put the machine into Open Directory, with its Ethernet ID and name. Our script then queries LDAP to get the name of the machine and uses that to add it to Active Directory. This script originated from Mike Bombich's script, so you may notice some similarities.
[code]
#!/bin/sh
#
# Leopard boot/login script
#
# Does/Should do the following:
#
# - execute LDAP searches to find the computer name and exit on failure, or continue to...
# - bind to AD
# - create search paths
# - add search paths
# - bind to OD and add search paths
# - add network users to admin group
# - turn on SSH
# - kickstart ARD
# - reboot and destroy itself

# ---------------------------------------------------------------------------
#
# Configuration section...
#
# ---------------------------------------------------------------------------

# LDAP searches
LDAPURI="ldap://[your ldap server]"
CONTEXT="[your context, usually dc=[server name], dc=[your subdomain... ads for us], dc=[your domain], dc=com/edu]"
MACADDR=$(ifconfig en0 | awk '/ether/ { print $2 }')

# ADS Standard parameters
domain=""        # fully qualified DNS name of Active Directory Domain
udn=""           # username of a privileged network user
password=""      # password of a privileged network user (plaintext; this is why the script destroys itself)
ou=""            # Distinguished name of container for the computer

# ADS Advanced options
alldomains="enable"       # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable"        # 'enable' or 'disable' force home directory to local drive
protocol="smb"            # 'afp' or 'smb' change how home is mounted from server
mobile="enable"           # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable"   # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable"       # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash"    # e.g., /bin/bash or "none"
preferred="-nopreferred"  # Use the specified server for all Directory lookups and authentication
                          # (e.g. "-nopreferred" or "-preferred ad.server.edu"; left unquoted below on purpose)
admingroups=""            # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")

# OD Settings
odserver=""               # FQDN of your ods server

# ARD Kickstart file
kick="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

# Hooks
# Use these if you want to set new hooks when you're done
newLoginHook=""
newLogoutHook=""

### End of configuration

# Announcement
/usr/bin/say "Now starting boot script. This will take a few moments"

# Search for computer: look up the computer record in OD by this machine's MAC address
computerid=$(ldapsearch -u -LLL -x -H "${LDAPURI}" -b "cn=computers,${CONTEXT}" "(macAddress=${MACADDR})" 1.1 | awk -F, '/ufn:/ { print $1 }' | awk '{ print $2 }')

if [ "$computerid" = "" ]; then
    /usr/bin/say "I am unable to find the computer's name from the mac address. Please check this and try again"
    /usr/bin/killall loginwindow
    exit 1
else
    /usr/bin/say "Computer is $computerid"
fi

# Activate the AD plugin
/usr/bin/defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
/usr/bin/plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

# Bind to AD
/usr/sbin/dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"

# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
    /usr/sbin/dsconfigad -nogroups
else
    /usr/sbin/dsconfigad -groups "$admingroups"
fi

/usr/sbin/dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" \
    -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" \
    -shell "$user_shell" $preferred

# Restart DirectoryService and loginwindow (necessary to reload AD plugin activation settings)
/usr/bin/killall DirectoryService

# Wait for this to take effect...
/bin/sleep 20

# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
else
    csp="/Active Directory/$domain"
fi

# Wake up the dscl
dscl "$csp" -list /Computers > /dev/null

# Create and add paths
/usr/bin/dscl /Search -create / SearchPolicy CSPSearchPath
/usr/bin/dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
/usr/bin/dscl /Search -append / CSPSearchPath "$csp"
/usr/bin/dscl /Search/Contacts -append / CSPSearchPath "$csp"

# Check the bind
adcheck=$(/usr/bin/dscl "$csp" -read / AccountName | grep -c "$computerid")

if [ "$adcheck" -ge 1 ]; then
    /usr/bin/say "Computer is now bound to A D S."
else
    /usr/bin/say "Active directory bind failed. You will have to check it manually"
fi

# Bind to OD and add path information
/usr/sbin/dsconfigldap -a "$odserver"
/usr/bin/dscl /Search -append / CSPSearchPath "/LDAPv3/$odserver"
/usr/bin/dscl /Search/Contacts -append / CSPSearchPath "/LDAPv3/$odserver"

# Add network users to admin list
# not necessary if you have a local admin...
/usr/bin/dscl . -append /groups/admin GroupMembers [use appropriate SSID]

# Turn on SSH
/usr/sbin/systemsetup -setremotelogin on

# Kickstart ARD
$kick -configure -users "[add your username]" -privs -mask 255
$kick -activate -configure -access -on -restart -agent

# Firewall is off for now...
#defaults write /Library/Preferences/com.apple.alf globalstate -int 1
#defaults write /Library/Preferences/com.apple.alf stealthenable -int 1

# Set new hooks
defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "$newLoginHook"
defaults write /var/root/Library/Preferences/com.apple.loginwindow LogoutHook "$newLogoutHook"

# Announcement
/usr/bin/say "Configuration complete. Please restart your computer."

# Destroy this script (it holds the AD password in plaintext) before kicking off
# the reboot, so the reboot cannot cut srm short and leave the file behind
srm "$0"
/usr/bin/killall loginwindow
/usr/bin/nohup /sbin/reboot
[/code]