Forum Replies Created

Viewing 13 posts - 1 through 13 (of 13 total)
  • dds
    Participant

    This has affected my laptop users too. I just make sure to make them local admins when I'm deploying their system. This can be done by hand, via SSH or through some automated/scripted process. I don't have too many laptop/mobile users so it's not a huge deal.

    dscl . -append /Groups/admin GroupMembership <username>

    dds
    Participant

    Any chance that 1.4 will be released soon, Joel?

    in reply to: Software Update causing proxy traffic #372825
    dds
    Participant

    Joel: If Lindsay already had an IP range or domain in the proxy exception list configured on the Mac clients would she really need to explicitly list the SUS server too?

    Examples:

    *local, 10.1.1/24, *.ournet.ourcountry.com

    If your SUS server fell into any of the above network topologies, why would you need to add the SUS server explicitly?

    Example: let's say your SUS server had the FQDN “sus.ournet.ourcountry.com” and had the IP of 10.1.1.100, would it need to be explicitly listed as a proxy exception?

    If you have a proxy server, couldn't you put the exception in the proxy server config rather than locally? (i.e., allow direct LAN access to the SUS server's IP or host name)

    Thanks!
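An added example, not from this thread, that checks the scenario dds describes: whether a server name and address are already covered by the exception list as written above. It assumes the conventional reading of such lists (hostname entries are case-insensitive glob patterns, dotted entries are IPv4 CIDR blocks) rather than Apple's exact matching rules, so treat the result as a sanity check, not as proof of what the client will do.

```python
from __future__ import annotations
import ipaddress
from fnmatch import fnmatch

# The exception list exactly as written in the post above.
BYPASS_LIST = ["*local", "10.1.1/24", "*.ournet.ourcountry.com"]

def _as_network(entry: str) -> ipaddress.IPv4Network | None:
    """Turn an IPv4 entry such as '10.1.1/24' into a network object.
    The ipaddress module needs four octets, so short forms are padded with
    zeros. Returns None when the entry is a hostname pattern instead."""
    addr, _, prefix = entry.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    try:
        return ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)
    except ValueError:
        return None

def bypasses_proxy(host: str, ip: str | None = None, bypass_list=BYPASS_LIST) -> list[str]:
    """Return the bypass entries that cover this server, or [] if none do.
    host is the name the client will connect to; ip is its resolved address
    when known (assumed semantics: glob hostnames, CIDR address blocks)."""
    hits = []
    host = host.lower().rstrip(".")
    for entry in bypass_list:
        net = _as_network(entry)
        if net is not None:
            if ip is not None and ipaddress.ip_address(ip) in net:
                hits.append(entry)
        elif fnmatch(host, entry.lower()):
            hits.append(entry)
    return hits
```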

    in reply to: Re-run Login Items after you have logged in? #371908
    dds
    Participant

    I have been able to get AppleScript to talk to System Events and provide me with a list of current login items. It's a simple script to show me what items are currently considered login items. This would be a good starting place for my project.

    Unfortunately, it won't show me the details on the MCX login items which are my network mounts. The script considers them “missing”. I can, however, use AppleScript to show me local login items such as the iTunes helper, the Entourage Database daemon, etc. For some reason, AppleScript can't get MCX info.

    Here is the AppleScript source code:

    tell application "System Events"
    set itemsList to name of login items
    end tell
    set text item delimiters to return
    display dialog "Current Login Items:" default answer (itemsList as text)

    When executed, the AppleScript above gives me this information:

    missing value
    missing value
    missing value
    missing value
    missing value
    missing value
    missing value
    missing value
    AdobeResourceSynchronizer
    Microsoft Database Daemon
    iTunesHelper

    The “missing values” are my SMB volumes which are mounted via an MCX policy at login time. I happen to have 8 SMB volumes that I mount at login – I assume they correspond with the 8 missing items.

    Any ideas as to why AppleScript can't figure out what the “missing values” are?

    in reply to: ad mobile accounts admin rights and login startup items #371899
    dds
    Participant

    Agreed.

    Leopard is NOT caching AD group membership. Works fine when connected to the LAN and AD domain, but as soon as I take the machine out of network I lose all my AD group membership info.

    I filed a bug report on February 5th. (5725079). The ticket has been opened for 6+ weeks(!) and I have yet to have anyone at Apple respond. ‘All quiet on the western front.’ Feel free to cross-reference my bug report.

    -D

    in reply to: ad mobile accounts admin rights and login startup items #371837
    dds
    Participant

    The bad part about the workaround above for Admins like me who manage a master NetRestore image is that while you can configure a NetRestore master image with the local admin group using WGM/DSCL, you can't nest the AD group into the local group until the Mac has been imaged and bound to AD. Thus you still have to add the AD group later and this is an extra step in the deployment process. The whole point of having my local admins in an AD group is that once the Mac is bound to AD, I can manage that group from a central location and it requires no extra steps (other than joining to AD of course, which is pretty painless).

    My environment:

    I assign local admin rights to certain users based on an AD group called “Mac Power Users” (original, eh?). If you are in that group, lucky you!, because that means you are a local admin. It's designed for managers and executives etc. I work with a lot of scientists and programmers who need full system access (and they usually can be trusted too).

    However, most of my Mac power users happen to also be laptop users with MacBooks (mobile users). Here's the rub. When they leave the AD domain on road trips (and thus aren't connected to the AD domain anymore), their AD group memberships are lost and they aren't considered local admins anymore. Which means they can't run sudo, they can't add printers, they can't change time zone info, they can't install apps from packages, etc. Denied!

    Their AD names and passwords are cached locally, but their groups are not. They have no problem logging into the MacBooks on the road, they just can't acquire the local admin status since the AD group info isn't available.

    So…is this a bug or is this normal behavior? I ask because I swear that back in the Tiger days my Macs would retain AD group info – even when they were off the LAN remotely.

    in reply to: Am I doing my 10.5 server AD/OD integration right? #370748
    dds
    Participant

    Where did everyone go?

    in reply to: Am I doing my 10.5 server AD/OD integration right? #370716
    dds
    Participant

    topcat

    Just to confirm that I’m not crazy, did you bind your 10.5 server to AD *first* and THEN you made the server an OD master? This seems totally backwards to me. Enlighten me as to how you discovered to do the DS stuff in this specific order.

    in reply to: Am I doing my 10.5 server AD/OD integration right? #370710
    dds
    Participant

    According to Mike Bombich and Apple, when I do a “klist -ke” on my OD server, I *should* see 3 (three) entries per Kerberos realm of each service on the server. However, when I am bound to AD and running an OD master on the same server and I type “klist -ke”, I see 6 or more entries per server, all in the same realm (!). I assume this is a KDC problem. I don't know how to get rid of these extra entries. My OD master is a dedicated OD master server for the purpose of MCX policies, and it probably won't ever be used for CIFS or AFP.

    in reply to: Am I doing my 10.5 server AD/OD integration right? #370703
    dds
    Participant

    I used the Bombich 10.4 guide for my 10.5 server too, but it appears that some of my Windows PCs are having what looks like KDC/SSO conflicts on my LAN. User accounts are being locked in AD. So far my troubles lead back to the new OD 10.5 server. I think it still has a lingering KDC service running. When the OD server is taken offline the errors stop. Haven't tracked it down yet. Any advice would be helpful.

    Here is a sample of the auth errors I am seeing on my AD DCs when my OD server is online (the 10.0.50.171 IP is my OD server). Obviously, it appears that perhaps the KDC service is still running on my OD server, even though I think I successfully disabled it:

    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:57 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x0 Failure Code: 0x12 Client Address: 10.0.50.171
    675,AUDIT FAILURE,Security,Wed Nov 28 07:30:39 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: SAS User ID: %{S-1-5-21-1557471342-1885686607-751859383-5452} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171

    (This is a small sample – I saw hundreds and maybe thousands of these lockouts until I killed my OD server. Good thing my AD server unlocks accounts after 30 min of being locked or I would have a lot of angry users.)
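An added example, not from this thread, showing how the lockout storm dds describes could be picked out of a DC security log export automatically: it parses 675 (Kerberos pre-authentication failed) lines in the format posted above and reports any client address generating repeated failures across several accounts. The five sample lines are copied from the post; the `min_events` threshold is an arbitrary assumption.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime

# Five event lines copied from the post above (event ID 675, Windows 2003-era
# security log export); they are the sample input for this example.
SAMPLE_EVENTS = r"""
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:57 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:56 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: MCS User ID: %{S-1-5-21-1557471342-1885686607-751859383-2250} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x0 Failure Code: 0x12 Client Address: 10.0.50.171
675,AUDIT FAILURE,Security,Wed Nov 28 07:30:39 2007,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: SAS User ID: %{S-1-5-21-1557471342-1885686607-751859383-5452} Service Name: krbtgt/DOMAIN.ORG Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 10.0.50.171
""".strip().splitlines()

FIELD_RE = re.compile(r"User Name: (?P<user>\S+) .*?Failure Code: (?P<code>0x[0-9a-fA-F]+) "
                      r"Client Address: (?P<client>\S+)")

def parse_event(line: str) -> dict | None:
    """Split one 675 line into its header fields plus the values pulled out of
    the free-text message; None for anything that is not a pre-auth failure."""
    parts = line.split(",", 5)
    if len(parts) < 6 or parts[0] != "675":
        return None
    m = FIELD_RE.search(parts[5])
    if not m:
        return None
    return {"time": datetime.strptime(parts[3], "%a %b %d %H:%M:%S %Y"),
            "user": m["user"], "code": m["code"].lower(), "client": m["client"]}

def noisy_clients(lines, min_events: int = 3) -> dict[str, dict]:
    """Group failures by client address and report sources with at least
    min_events failures. Code 0x12 is KDC_ERR_CLIENT_REVOKED (RFC 4120): the
    account is locked or disabled, i.e. the lockout symptom the post describes."""
    stats: dict[str, dict] = defaultdict(
        lambda: {"events": 0, "revoked": 0, "users": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        c = stats[ev["client"]]
        c["events"] += 1
        c["revoked"] += ev["code"] == "0x12"
        c["users"].add(ev["user"])
        c["first"] = ev["time"] if c["first"] is None else min(c["first"], ev["time"])
        c["last"] = ev["time"] if c["last"] is None else max(c["last"], ev["time"])
    return {ip: s for ip, s in stats.items() if s["events"] >= min_events}
```

Running `noisy_clients(SAMPLE_EVENTS)` flags 10.0.50.171 alone, with two distinct accounts revoked inside an 18-second window, which is the pattern to alert on rather than any single failed logon.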

    in reply to: Am I doing my 10.5 server AD/OD integration right? #370694
    dds
    Participant

    Quote by: MacTroll

    > No -enableSSO is only needed on the server.
    >
    > And in 10.5 if you join AD and then create an OD Master you shouldn't have to worry about disabling Kerberos as this should be done automatically.

    Joel, are you saying that now in 10.5 we should bind the server to AD *BEFORE* we create the OD master on the server? This is the reverse order from 10.4 and earlier, correct? Has Apple documented this anywhere?

    in reply to: Am I doing my 10.5 server AD/OD integration right? #370682
    dds
    Participant

    I would suggest this order:

    0: install admin tools and set up server & admin station(s)
    1: make server OD master, create an OD group. Disable KDC if you are using Kerberos via AD
    2: bind server to AD
    3: bind a client to OD (LDAP) and AD
    4: add users/groups as needed
    5: get SSO working: “dsconfigad -enableSSO”

    in reply to: any Placeholder Variables on OSX Server??? #359154
    dds
    Participant

    I wondered the same thing. I'm trying to send out a UNIX command via ARD 2.0 to my 100+ OS X Macs. I need a placeholder var for the local logged-in user, so I can modify their /Library folder.

    example:

    rm /Users/%Logged-in-user%/Library/some_file

    Can I do this?
