Forum Replies Created

    in reply to: Testing AFP with Bonnie++ #375728
    amsterdam
    Participant

    It seems the problem was because Bonnie++ likes to create 1024 zero-length files as part of its test. It puts these in one sub-directory. However, if I set the test to split these files out in 100 different sub-directories, it seems to work fine. Perhaps a limitation with AFP?

    in reply to: Network Library and Application shares inaccessible #374853
    amsterdam
    Participant

    Well, the solution was easy… Guest access was somehow disabled on the AFP service. Doh!

    I did, however, read up on the security update and there was a change made to single-signon which explains why I had to re-run dsconfigad -enablesso.

    word to the wise…

    in reply to: 10.5.5 woes with AD #374463
    amsterdam
    Participant

    Ditto for us too. We have about 50 machines, OD/AD integration… It’s the AD account that seems to be dropping out. The problem seems to manifest itself in these ways:
    - We either see a yellow light at the login screen indicating that only some network accounts are available
    - Spinning beach ball when the user is logged in
    - Blue screen and system freeze at logout

    Sometimes rebooting the machine fixes it, sometimes not, and you have to rebind the machine to AD:

    [code]
    rm -Rf /Library/Preferences/DirectoryServices/*
    rm -f /Library/Preferences/edu.mit.kerberos.plist
    rm -f /private/etc/krb5.keytab
    [/code]

    Then rebind with either command line script or the GUI.

    When I last saw the problem, the logs reported the following errors:

    [code]
    Oct 13 14:31:55 129-79-129-108 com.apple.KerberosAutoConfig[96]: dsOpenDirNode failed with error of type -14002 (File: /SourceCache/SingleSignOnTools/SingleSignOnTools-129/Sources/HighLevelDirServices.c. Line: 758)
    Oct 13 14:31:55 129-79-129-108 com.apple.KerberosAutoConfig[96]: Kerberos configuration not updated, cannot contact all nodes on search path
    Oct 13 14:31:55 129-79-129-108 /sbin/kerberosautoconfig[96]: Kerberos configuration not updated, cannot contact all nodes on search path
    Oct 13 14:31:57 129-79-129-108 com.apple.KerberosAutoConfig[97]: dsOpenDirNode failed with error of type -14002 (File: /SourceCache/SingleSignOnTools/SingleSignOnTools-129/Sources/HighLevelDirServices.c. Line: 758)
    Oct 13 14:31:57 129-79-129-108 com.apple.KerberosAutoConfig[97]: Kerberos configuration not updated, cannot contact all nodes on search path
    Oct 13 14:31:57 129-79-129-108 /sbin/kerberosautoconfig[97]: Kerberos configuration not updated, cannot contact all nodes on search path
    Oct 13 14:31:57 129-79-129-108 kextd[10]: writing kernel link data to /var/run/mach.sym
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: Enter machine password:
    Oct 13 14:32:10 129-79-129-108 com.apple.launchd[1] (org.samba.nmbd): Throttling respawn: Will start in 10 seconds
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=106] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: Enter machine password:
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=106] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
    Oct 13 14:32:10 129-79-129-108 DirectoryService[11]: Failed to changed computer password in Active Directory domain ads.iu.edu
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=110] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:10, 0, pid=110] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
    Oct 13 14:32:10 129-79-129-108 com.apple.DirectoryServices[11]: Enter machine password:
    Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:11, 0, pid=114] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
    Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
    Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: [2008/10/13 14:32:11, 0, pid=114] /SourceCache/samba/samba-187.1/samba/source/libads/kerberos.c:ads_kinit_password(228)
    Oct 13 14:32:11 129-79-129-108 com.apple.DirectoryServices[11]: kerberos_kinit_password [email protected] failed: Preauthentication failed
    Oct 13 14:32:41 129-79-129-108 sshd[123]: USER_PROCESS: 123 ttys000
    [/code]
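    As an added check (not from the post), a small triage script that scans system.log for the symptom above: the machine account's repeated "Preauthentication failed" kinit errors and the failed computer-password change, listing hosts whose AD trust needs rebinding. The log lines below are constructed; host names and the realm are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post: triage a system.log for hosts whose
# AD machine-account trust is broken (the case the post fixed by rebinding).

# Constructed sample log lines with placeholder hosts and realm.
SAMPLE_LOG='Oct 13 14:32:10 host-a com.apple.DirectoryServices[11]: kerberos_kinit_password HOST-A$@EXAMPLE.REALM failed: Preauthentication failed
Oct 13 14:32:10 host-a DirectoryService[11]: Failed to changed computer password in Active Directory domain example.realm
Oct 13 14:32:10 host-a com.apple.DirectoryServices[11]: kerberos_kinit_password HOST-A$@EXAMPLE.REALM failed: Preauthentication failed
Oct 13 14:32:11 host-a com.apple.DirectoryServices[11]: kerberos_kinit_password HOST-A$@EXAMPLE.REALM failed: Preauthentication failed
Oct 13 14:35:02 host-b com.apple.DirectoryServices[11]: kerberos_kinit_password HOST-B$@EXAMPLE.REALM failed: Preauthentication failed
Oct 13 14:36:00 host-b sshd[123]: USER_PROCESS: 123 ttys000
Oct 13 14:40:00 host-c DirectoryService[11]: Failed to changed computer password in Active Directory domain example.realm'

# count_preauth_failures: reads system.log on stdin, prints "host count" for
# every host whose machine account failed Kerberos preauthentication.
# Field 4 of a syslog line is the host name.
count_preauth_failures() {
    awk '/DirectoryServices\[[0-9]+\]: kerberos_kinit_password .* failed: Preauthentication failed/ { n[$4]++ }
         END { for (h in n) print h, n[h] }' | sort
}

# flag_broken_trust THRESHOLD: reads system.log on stdin, prints (once each)
# the hosts with at least THRESHOLD preauthentication failures or a logged
# "Failed to changed computer password" (the exact string from the post's log).
flag_broken_trust() {
    awk -v t="$1" '
        /DirectoryServices\[[0-9]+\]: kerberos_kinit_password .* failed: Preauthentication failed/ { n[$4]++ }
        /DirectoryService\[[0-9]+\]: Failed to changed computer password/ { pw[$4] = 1 }
        END {
            for (h in n) if (n[h] >= t || pw[h]) print h
            for (h in pw) if (!(h in n)) print h
        }' | sort
}

# Stand-alone run over the constructed sample (replace with: flag_broken_trust 3 < /var/log/system.log).
printf '%s\n' "$SAMPLE_LOG" | flag_broken_trust 3
```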

    in reply to: Network Accounts Unavailable #374462
    amsterdam
    Participant

    We’re seeing similar problems… except we’re on a wired network. It’s our AD accounts that are not working.

    Is it your AD or OD accounts that are unavailable?

    What’s your OS version?

    in reply to: iCal LDAP errors #374341
    amsterdam
    Participant

    Well, I’ve made some progress… looking around, I found this:

    [url]https://trac.calendarserver.org/ticket/276[/url]

    If I set requireComputerRecord to false, it works. But I am troubled as to why I have to do this. Poking around my LDAP record, I found:

    [code]
    dscl /Search -read /Computers/[myserver]

    dsAttrTypeNative:description:
    XServe 10.4 – OD Master
    [/code]

    Does this mean my OD master still thinks it’s 10.4 and not 10.5?

    in reply to: iCal LDAP errors #374338
    amsterdam
    Participant

    I also found this link:

    [url]http://www.nabble.com/No-virtual-host-found-for-iCal-service-td13633275.html[/url]

    Which outlines the same problem. I’ve verified that dsAttrTypeStandard:RealName, dsAttrTypeStandard:RecordName and the apple-realname and cn bits are all equal to the server’s FQDN. I’m now digging around this file:

    /usr/share/caldavd/lib/python/twistedcaldav/directory/appleopendirectory.py

    My guess is this python script is looking for an attribute in the computer’s record in OD that isn’t there… but what that attribute is ???

    anyone?

    in reply to: Binding to OD after imaging #374079
    amsterdam
    Participant

    Here’s the script… in order for it to work, you have to have already put the machine into Open Directory, with its ethernet ID and name. Our script then queries LDAP to get the name of the machine and uses that to add it to Active Directory. This script originated from Mike Bombich’s script, so you may notice some similarities.

    [code]

    #!/bin/sh
    #
    # Leopard boot/login script
    #
    # Does/Should do the following:
    #
    # - execute LDAP searches to find computer name and exit on failure, or continue to...
    # - bind to AD
    # - create search paths
    # - add search paths
    # - bind to OD and add search paths
    # - add network users to admin group
    # - turn on SSH
    # - kickstart ARD
    # - reboot and destroy itself

    # ---------------------------------------------------------------------------
    #
    # Configuration section...
    #
    # ---------------------------------------------------------------------------

    # LDAP searches
    LDAPURI="ldap://[your ldap server]"
    CONTEXT="[your context, usually dc=[server name], dc=[your subdomain... ads for us], dc=[your domain], dc=com/edu"
    MACADDR=$(ifconfig en0 | awk '/ether/ { print $2 }')

    # ADS Standard parameters
    domain="" # fully qualified DNS name of Active Directory Domain
    udn="" # username of a privileged network user
    password="" # password of a privileged network user
    ou="" # Distinguished name of container for the computer

    # ADS Advanced options
    alldomains="enable" # 'enable' or 'disable' automatic multi-domain authentication
    localhome="enable" # 'enable' or 'disable' force home directory to local drive
    protocol="smb" # 'afp' or 'smb' change how home is mounted from server
    mobile="enable" # 'enable' or 'disable' mobile account support for offline logon
    mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
    useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
    user_shell="/bin/bash" # e.g., /bin/bash or "none"
    preferred="-nopreferred" # Use the specified server for all Directory lookups and authentication
    # (e.g. "-nopreferred" or "-preferred ad.server.edu")
    admingroups="" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")

    # OD Settings
    odserver="" # FQDN of your ods server

    # ARD Kickstart file
    kick="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

    # Hooks
    # Use these if you want to set new hooks when you're done
    newLoginHook=""
    newLogoutHook=""

    ### End of configuration

    # Announcement
    /usr/bin/say "Now starting boot script. This will take a few moments"

    # Search for computer
    computerid=$(ldapsearch -u -LLL -x -H ${LDAPURI} -b "cn=computers,${CONTEXT}" "(macAddress=${MACADDR})" 1.1 | awk -F, '/ufn:/ { print $1 }' | awk '{ print $2 }')

    if [ "$computerid" = "" ]; then
        /usr/bin/say "I am unable to find the computer's name from the mac address. Please check this and try again"
        /usr/bin/killall loginwindow
        exit 1
    else
        /usr/bin/say "Computer is $computerid"
    fi

    # Activate the AD plugin
    /usr/bin/defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    /usr/bin/plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

    # Bind to AD
    /usr/sbin/dsconfigad -f -a $computerid -domain $domain -u $udn -p "$password" -ou "$ou"

    # Configure advanced AD plugin options
    if [ "$admingroups" = "" ]; then
        /usr/sbin/dsconfigad -nogroups
    else
        /usr/sbin/dsconfigad -groups "$admingroups"
    fi

    /usr/sbin/dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred

    # Restart DirectoryService and loginwindow (necessary to reload AD plugin activation settings)
    /usr/bin/killall DirectoryService

    # Wait for this to take effect...
    /bin/sleep 20

    # Add the AD node to the search path
    if [ "$alldomains" = "enable" ]; then
        csp="/Active Directory/All Domains"
    else
        csp="/Active Directory/$domain"
    fi

    # Wake up the dscl
    dscl "$csp" -list /Computers > /dev/null

    # Create and add paths
    /usr/bin/dscl /Search -create / SearchPolicy CSPSearchPath
    /usr/bin/dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    /usr/bin/dscl /Search -append / CSPSearchPath "$csp"
    /usr/bin/dscl /Search/Contacts -append / CSPSearchPath "$csp"

    # Check the bind
    adcheck=$(/usr/bin/dscl "$csp" -read / AccountName | grep -c "$computerid")

    if [ "$adcheck" = 1 ]; then
        /usr/bin/say "Computer is now bound to A D S."
    else
        /usr/bin/say "Active directory bind failed. You will have to check it manually"
    fi

    # Bind to OD and add path information
    /usr/sbin/dsconfigldap -a $odserver
    /usr/bin/dscl /Search -append / CSPSearchPath /LDAPv3/$odserver
    /usr/bin/dscl /Search/Contacts -append / CSPSearchPath /LDAPv3/$odserver

    # Add network users to admin list
    # not necessary if you have a local admin...
    /usr/bin/dscl . -append /groups/admin GroupMembers [use appropriate SSID]

    # Turn on SSH
    /usr/sbin/systemsetup -setremotelogin on

    # Kickstart ARD
    $kick -configure -users "[add your username]" -privs -mask 255
    $kick -activate -configure -access -on -restart -agent

    # Firewall is off for now...
    #defaults write /Library/Preferences/com.apple.alf globalstate -int 1
    #defaults write /Library/Preferences/com.apple.alf stealthenable -int 1

    # Set new hooks
    defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "$newLoginHook"
    defaults write /var/root/Library/Preferences/com.apple.loginwindow LogoutHook "$newLogoutHook"

    # Announcement
    /usr/bin/say "Configuration complete. Please restart your computer."
    /usr/bin/killall loginwindow
    /usr/bin/nohup /sbin/reboot

    # Destroy this script!
    srm "$0"

    [/code]
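    An added example, not the posted script: a stricter replacement for the ldapsearch/awk step above that takes the computer name from the LDIF dn lines and refuses to continue unless exactly one record matched the MAC address, so a missing or duplicate record (compare the "Apparent duplicate records" reply on this page) cannot bind the machine under the wrong name. The LDIF input and base DN are constructed.

```shell
#!/bin/sh
# Added example, not from the forum post: extract the computer name from the
# LDIF that "ldapsearch -LLL ... '(macAddress=...)' 1.1" prints, and fail
# unless exactly one record matched.

# Constructed LDIF results with a placeholder base DN.
ONE_MATCH='dn: cn=lab-mac-01,cn=computers,dc=example,dc=edu
'
TWO_MATCHES='dn: cn=lab-mac-01,cn=computers,dc=example,dc=edu

dn: cn=lab-mac-01-old,cn=computers,dc=example,dc=edu
'

# computer_name_from_ldif: reads LDIF on stdin and prints the cn of the single
# matching record. Returns 1 when no record matched and 2 when more than one
# did, so the caller can stop before dsconfigad is ever run.
computer_name_from_ldif() {
    # Keep only the first RDN value of each "dn: cn=...," line.
    names=$(sed -n 's/^dn: *cn=\([^,]*\),.*/\1/p')
    # grep -c exits 1 when it counts zero lines; "|| true" keeps the count.
    count=$(printf '%s\n' "$names" | grep -c . || true)
    case "$count" in
        0) return 1 ;;
        1) printf '%s\n' "$names" ;;
        *) return 2 ;;
    esac
}

# Stand-alone run: in the bind script this would be
#   computerid=$(ldapsearch -LLL -x -H "$LDAPURI" -b "cn=computers,$CONTEXT" \
#                "(macAddress=$MACADDR)" 1.1 | computer_name_from_ldif) || exit 1
if computerid=$(printf '%s' "$ONE_MATCH" | computer_name_from_ldif); then
    echo "Computer is $computerid"
else
    echo "No unique computer record for this MAC address (status $?)"
fi
```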

    in reply to: Binding to OD after imaging #374053
    amsterdam
    Participant

    Tried that… didn’t seem to work. We have ADS in the mix as well…

    We image each machine and then send it out, so it’s in house before being deployed, and the loginhook works for our particular situation.

    in reply to: Binding to OD after imaging #374049
    amsterdam
    Participant

    I’m not sure about the edu.mit.kerberos file, because that is usually created automatically. But all the files under the /Library/Preferences/DirectoryServices folder will do.

    BTW, I’m using a loginHook when the computer is first imaged to do the binding, and not using the file-copy method.

    in reply to: Apparent duplicate records #373586
    amsterdam
    Participant

    I fixed this… It was because of a duplicate name in AD not in OD …

    in reply to: Adding AD to search paths via dscl #372312
    amsterdam
    Participant

    UPDATE:

    Adding a simple list command to the script, before the search paths are added:

    [code]
    dscl "/Active Directory/[ADS domain]" -list /Computers > /dev/null
    [/code]

    did the trick… I’d just chalk it up to our massive and overly-complex ADS domain (Indiana University)
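    Added example covering both the fixed sleep 20 plus one-shot dscl -list in the bind script posted earlier on this page and this update: a bounded poll that waits until the AD node actually answers before the search path is touched, and an append that skips a node already on the path. dscl is called by name so a stand-in can be substituted when testing; the assumed format of dscl -read output is one value per line, possibly space-indented.

```shell
#!/bin/sh
# Added example, not from the forum posts: replace "sleep 20" and a single
# "wake up" dscl -list with a bounded poll, and only add the node to the
# search path once it responds, so a half-bound machine fails loudly.

# wait_for_node NODE MAX_TRIES SLEEP_SECONDS
#   Polls "dscl NODE -list /Computers" (the command the update found wakes the
#   node) until it succeeds. Returns 0 when the node answers, 1 when MAX_TRIES
#   is exhausted.
wait_for_node() {
    node="$1"; max="$2"; pause="$3"; tries=0
    while [ "$tries" -lt "$max" ]; do
        if dscl "$node" -list /Computers >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$pause"
    done
    return 1
}

# add_search_path NODE
#   Appends NODE to the authentication search path unless it is already listed
#   (a second append would leave a duplicate entry). Assumes dscl -read prints
#   one value per line, each possibly indented with a space.
add_search_path() {
    node="$1"
    if dscl /Search -read / CSPSearchPath 2>/dev/null \
        | sed 's/^[[:space:]]*//' | grep -Fx -- "$node" >/dev/null; then
        return 0
    fi
    dscl /Search -append / CSPSearchPath "$node"
}

# bind_search_path NODE: the two steps as the bind script would call them,
# polling for up to 12 x 5 s instead of sleeping a fixed 20 s.
bind_search_path() {
    if wait_for_node "$1" 12 5; then
        add_search_path "$1"
    else
        echo "Directory node $1 did not answer; search path left unchanged" >&2
        return 1
    fi
}
```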

    in reply to: Adding AD to search paths via dscl #372311
    amsterdam
    Participant

    Yes, this is 10.5.2. Sorry I didn’t specify that earlier.

    I tried binding with the alldomains option disabled, but still the same result. From a clean install of 10.5.2 that I built with InstaDMG, I’m using Mike Bombich’s script to do the AD bind:

    [code]
    /usr/bin/defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
    /usr/bin/plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
    /usr/sbin/dsconfigad -f -a [machine_account] -domain [ADS domain] -u [username] -p "[password]" -ou "[OU]"
    /usr/sbin/dsconfigad -alldomains disable -localhome enable -protocol smb -mobile enable -mobileconfirm disable -useuncpath enable -shell /bin/bash -nopreferred
    [/code]

    The bind works, but same problem as last time, with the “All Domains” option or the specific domain:

    [code]
    root# dscl /Search -create / SearchPolicy CSPSearchPath
    root# scl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    -sh: scl: command not found
    root# dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"

    attribute status: eDSNodeNotFound
    DS Error: -14008 (eDSNodeNotFound)
    root# dscl /Search -append / CSPSearchPath "/Active Directory/[ADS domain]"
    attribute status: eDSNodeNotFound
    DS Error: -14008 (eDSNodeNotFound)
    [/code]

    Here’s where things get interesting. If I go into the interactive dscl mode:

    [code]
    root# dscl
    Entering interactive mode… (type "help" for commands)
    > cd Active\ Directory/
    /Active Directory > ls
    [ADS domain]
    /Active Directory > cd [ADS domain]
    [there’s a few seconds of wait time here…]
    /Active Directory/[ADS domain] > ls
    CertificateAuthorities
    Computers
    FileMakerServers
    Groups
    Mounts
    People
    Printers
    Users
    /Active Directory/[ADS domain] > exit
    Goodbye
    root# dscl /Search -append / CSPSearchPath "/Active Directory/[ADS domain]"
    root#
    [/code]

    So, somehow, going into the dscl and poking around does the trick. Although, how I’m going to do this all with a loginHook, I’m not sure. Maybe running some -list commands or something will “wake it up” so to speak. I haven’t tried this with the “All Domains” option, but I suspect it’s going to be similar behavior since it worked, but only with the GUI intervention… It seems like there needs to be some directory listing “refresh” command, even though I’m doing the killall DirectoryService command.

    any ideas?

    amsterdam
    Participant

    Two things that I’m using StartupItems for:

    – binding to our OD
    – setting the timezone, and ntp server

    I tried to do it with a launch daemon, but it didn’t work because of the whole dependency issue. Right now, I’m tackling the ARD issue. I was using a “no local user” system, and only using an admin from OD. It was working great, but our support people didn’t like not having a local admin in case things didn’t work. So, I’m using the createUser script that was posted here. It’s working well, but I’m now running up against the ARD issue again. I’ll be interested to see what you all find works best.

    in reply to: Binding to OD after imaging #371812
    amsterdam
    Participant

    Follow up:

    Since my computer records are already in OD, I can use this script, without a password:

    [code]
    dsconfigldap -v -sgme -a [ODservername]
    [/code]

    And get it to bind with some nice security bits as well. Is anyone using InstaDMG to create scripts that run once at boot to do such things? Are there other solutions?
