Forum Replies Created
AllanMarcus
Participant
Ug. I reinstalled and updated to 10.3.6 with the combo updater and guess what, I was able to bind. I will call my Apple rep and report this.
-Allan
AllanMarcus
Participant
Holy cow, I think this is the problem! I’m trying to bind a 500 MHz TiBook and I get the LDAP -81. When I use my same account and bind an Aluminum PB, it works!
Now what could explain this, and how can we fix or work around it?
-Allan
AllanMarcus
Participant
I’m pretty sure I’m a Domain Admin. I even had the actual AD admin come to my computer and try her password (she has all the rights), and I got the same message.
AllanMarcus
Participant
I don’t know if this makes a difference, but I’m not trying to bind a Mac OS X Server; I’m trying to bind a Mac OS X client.
The only DNS entry is the AD server, which is running a DNS.
I’m not familiar with the term “sane DNS configuration”.
When I perform a dig on the client’s address, I get:
allan$ dig @128.165.47.1 marcusclient.lanl.gov any
; <<>> DiG 9.2.2 <<>> @128.165.47.1 marcusclient.lanl.gov any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10978
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;marcusclient.lanl.gov. IN ANY
;; ANSWER SECTION:
marcusclient.lanl.gov. 3600 IN A 128.165.113.123
;; AUTHORITY SECTION:
lanl.gov. 3600 IN NS nss.lanl.gov.
lanl.gov. 3600 IN NS ns1.lanl.gov.
;; ADDITIONAL SECTION:
ns1.lanl.gov. 3600 IN A 128.165.4.4
nss.lanl.gov. 3600 IN A 128.165.11.88
;; Query time: 192 msec
;; SERVER: 128.165.47.1#53(128.165.47.1)
;; WHEN: Mon Feb 14 08:47:17 2005
;; MSG SIZE rcvd: 123
When I perform a dig on the server, I get:
allan$ dig @128.165.47.1 ns1.ds.lanl.gov any
; <<>> DiG 9.2.2 <<>> @128.165.47.1 ns1.ds.lanl.gov any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;ns1.ds.lanl.gov. IN ANY
;; ANSWER SECTION:
ns1.ds.lanl.gov. 3600 IN A 128.165.47.1
;; AUTHORITY SECTION:
ds.lanl.gov. 3600 IN NS nss.lanl.gov.
ds.lanl.gov. 3600 IN NS ns1.lanl.gov.
;; ADDITIONAL SECTION:
ns1.lanl.gov. 3600 IN A 128.165.4.4
nss.lanl.gov. 3600 IN A 128.165.11.88
;; Query time: 2 msec
;; SERVER: 128.165.47.1#53(128.165.47.1)
;; WHEN: Mon Feb 14 08:58:16 2005
;; MSG SIZE rcvd: 117
Does that look right to you?
Thanks,
Allan
AllanMarcus
Participant
Ug, this has come back. Yes, the Kerberos super user command.
AllanMarcus
Participant
We make the changes on an external FireWire version of the image, then we make a new image.
As for setting default user prefs, you can use Workgroup Manager (WGM) or you can modify the defaults in ‘/Library/Preferences/SystemConfiguration’.
AllanMarcus
Participant
Have you tried just creating an alias to the mounts and dragging the aliases to the login items window in system prefs?
AllanMarcus
Participant
As for a repair boot image, you probably should use a DVD or a FireWire drive anyways.
AllanMarcus
Participant
Can you please go into a little more detail on “helper addresses”? Do you mean to use the “-r” switch with bootpd?
AllanMarcus
Participant
OK, I don’t have r/w access to the corporate LDAP server (I’m lucky enough to get root access to the servers I administrate! 🙂). I have no problem writing the 4 line script to sync the corporate LDAP server down to the local Panther server. Given that you probably already have these four lines written somewhere, would you mind giving me an example?
Thanks,
Allan
April 27, 2004 at 11:29 pm in reply to: How safe is Timbuktu for controlling OSX Server at distance #357891
AllanMarcus
Participant
I’ve been using TB2 for years and I love it. No pitfalls to report.
AllanMarcus
Participant
What type of server are you trying to mount? AFP, NFS, SMB? It makes a difference.
For NFS, you can do it easily with the mounts branch of NetInfo.
http://www.cs.dixie.edu/ldap/mac/nfs/ might help you.
For SMB and AFP there are some third party products that let you automount. Search VersionTracker for “automount”.
AllanMarcus
Participant
OK, maybe a dumb question, but how do I add a shortname to a group if the person doesn’t have an account on the Panther server?
Thanks
Allan
AllanMarcus
Participant
I forgot to mention that groups are managed in a central LDAP server, and that we have a script to update the NIS domain from the central LDAP server!
I’m going to first try to manage groups with the Panther server, as outlined above. If (NO – WHEN) I get that working, I will create the same group on the central LDAP server and use the same group IDs in the Panther server, but I’ll remove the names from the Panther server. Hopefully, this will work.
-Authorization managed by corporate KDC – using CryptoCards.
-Groups managed by corporate LDAP.
-Home directory path managed by departmental NIS Domain.
-Client machine groups managed by corporate LDAP to NIS Domain scripts.
-NetBoot managed by Panther server.
-Client desktop managed by Panther server.
Wow, if this works, I will be impressed with Apple. So far, I’ve done virtually no coding or config file set up, other than the Kerberos files and getting the login window and screen saver to use the CryptoCard password for the corporate KDC.
-Allan
AllanMarcus
Participant
I would like to get the advantages of the great Mac OS Panther Server client management features in addition to all the other things I’m doing. If I understand you right, all I need to do is create groups on the Panther server’s OD and add the short names (monikers) of the people to the right groups. I can then use the Workgroup Manager to manage preferences and such. On the client boot image, I just define the LDAP server in Directory Access, and add it to the authentication path. Since there is no actual account for the user on the Panther server, the Panther server is ignored for authentication purposes. Did I get that right?
I’ll try it today or tomorrow and let you know if it all worked.
Thanks,
Allan