Home Forums OS X Server and Client Discussion Active Directory Testing then then removing AD Bind

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • March 14, 2011 at 5:05 pm #380521
    mgb123
    Participant

    About to test various AD plug-ins. Was hoping to better understand how to return the machine to a ‘clean’ state after binding and unbinding to/from AD.

    Wasn’t sure if simply turning off the plugin itself would remove the necessary configuration changes.

    Can anyone advise?

    May 16, 2011 at 4:00 pm #380717
    benjleroy
    Participant

    According to the Apple’s Directory Services 10.6 training you remove the following files for the DSAD plugin:

    DS plists:
    /Library/Preferences/DirectoryService/ActiveDirectory.plist
    /Library/Preferences/DirectoryService/ActiveDirectoryDomainCache.plist
    /Library/Preferences/DirectoryService/ActiveDirectoryDomainPolicies.plist
    /Library/Preferences/DirectoryService/ActiveDirectoryDynamicData.plist

    Update your dscl search paths:

    dscl /Search -delete / CSPSearchPath /Active\ Directory/All\ Domains
    dscl /Search -delete /Search/Contacts CSPSearchPath /Active\ Directory/All\ Domains

    Remove your Kerberos Conf:
    /Library/Preferences/edu.mit.Kerberos

    Remove the DSAD Kerberos Caches (can be multiple files)
    /var/db/dslocal/nodes/Default/config/Kerberos:FQDN.DOMAIN.COM

    And Lastly the DSAD plugin plist:
    /var/db/dslocal/nodes/Default/config/AD\ DS\ Plugin.plist

    You may also need to go into your active directory ad delete the computer object if you did not unbind cleanly from the AD. There are still keytabs in /etc/krb5.keytab but they can be safely ignored.

    The following script run as root (sudo is fine will reset things)

    [code]
    #!/bin/sh
    rm /Library/Preferences/DirectoryService/ActiveDirectory.plist
    rm /Library/Preferences/DirectoryService/ActiveDirectoryDomainCache.plist
    rm /Library/Preferences/DirectoryService/ActiveDirectoryDomainPolicies.plist
    rm /Library/Preferences/DirectoryService/ActiveDirectoryDynamicData.plist
    dscl /Search -delete / CSPSearchPath /Active\ Directory/All\ Domains
    dscl /Search -delete /Search/Contacts CSPSearchPath /Active\ Directory/All\ Domains
    rm /Library/Preferences/edu.mit.Kerberos*
    rm /var/db/dslocal/nodes/Default/config/Kerberos\:*
    rm /var/db/dslocal/nodes/Default/config/AD\ DS\ Plugin.plist
    killall DirectoryService
    [/code]

    July 27, 2011 at 3:16 pm #380994
    Hammertime
    Participant

    [quote]Wasn’t sure if simply turning off the plugin itself would remove the necessary configuration changes.[/quote]
    well, it should

  • Author
    Posts
Viewing 3 posts - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.

Comments are closed

Copyright © 2025 AFP548. All Rights Reserved.