[dom9inic]

Thanks for the concise response. I did know about putting the netboot server in the IP Helper Table, but our net admins don’t do that so don’t want to. They use the DHCP scope for the windows clients, so just wanted to check whether or not the Macs could follow that, and now I have my answer. Thank you.

I’ll have to convince them that this is the only option.

Dom

[dom9inic]

Thanks for responding knowmad, and I did do some googling before posting, but found nothing fitting my problem. Also, as a beginner to InstaDMG I was unsure if I was even attempting the procedure correctly.

So more information needed. I’ve run instadmg.bash a few times and I never get an asr image file – presumably because it is failing to create the read-only image in the first place.

The tmp folder I simply created inside the InstaDMG_1.4b4 folder with the same folder permissions as all the others in that directory. I then hand edited the instadmg.bash to point to that folder as the TEMP_LOCATION variable.

[code]TEMP_LOCATION=”./tmp”[/code]

Should I give a full path here? Don’t think so as it is definitely using this folder when I run the script. That’s the only modification I’ve made to the script.

Not sure what other information is needed. The image creation partition is mounted with the Ignore Permissions on this Volume checked, but I don’t see why that would interfere here.

I think I shall try building the image with just the base OS DVD, then if that works, move onto including the Apple Updates etc etc.

Thanks for the response.

[dom9inic]

Right, that’s me setting up a test Leopard Server partition when 10.5.3. hits. The message does take the tone that the fault lies at Apple’s feet, but seems contrary to what others have said here, that nested groups works as of 10.4.3 Tiger.

I remain confused.

[dom9inic]

Hi there,

I’ll add myself as getting the same behaviour, a whole list of AD users.

Setup:

Magic Triangle
10.4.11 ODM Server
AD 2000 environment
10.4.11 Client

Not a good thing.

[dom9inic]

I’m going to bump this as until now I’ve been able to live with manually adding AD users to OD groups, but it is becoming unwieldy. Still not sure what you mean (Joel) by OS X Machine Accounts. Do you mean the Computer Objects in AD or the account I use to join/bind to the domain? Or none of those.

Does anyone know why I can’t get nested AD groups in my OD groups working. I’m running Server 10.4.11 and client 10.4.11. OD Group is called AD_TEST and AD Group is called DOMAIN\kt students

Any ideas?

[dom9inic]

My apologies, it is in fact an old original G4 Xserve dual 1GHz. I have seen the reports of Intel 10.4 SNMP misery. There’s always one detail I forget to include.

I am currently looking at Leopard server which if word is to be believed has a better SNMP implementation, so I may hold off until then.

[dom9inic]

After a brief chat with Apple Support, the gentlemen I spoke to said this was not possible yet. Any evidence to the contrary out there in the real world?

[dom9inic]

Hi Joel,

Sorry to be ignorant, but how would I check that the machine accounts can read the group membership info? Is that a AD permissions issue?

Thanks for all the help.

[dom9inic]

Thanks for that, now I do recall that 16 group problem, so I shall ask the Windows Admins on Monday. And it’s probably a good time to update the server anyway.

Thanks

[dom9inic]

I now seem to have a previously unexperienced MCX problem.

For 2 years my Macs have used the following setup. Magic Triangle sans Windows Home Folders as it wasn’t working, instead custom local home folders. Today, our students cam back and some existing users on some machines were getting some MCX prefs but with an added standard suite of applications in the dock.

My only clue to this (and it could be coincidence) is that 3 days earlier I got our Windows Admin to check the “can read logon information” on a user profile on the AD server for a test student account. I tested it on a couple of machines to see if we could get WIndows Home Folders. We could, but it wasn’t playing well with my current system described above. It did, however, add all the standard application suite icons to the dock.

Flushing the machine cache and deleting the user account restored normal behaviour in some cases. But I’m still uncertain as to what to expect tomorrow.I wish there was more information on MCX cacher, as it seems to be a toxic combo that’s screwing with things here.

Any ideas on how to proceed would be welcomed.

[dom9inic]

Glad that solved your problem, however I have a similar issue. Magic Triangle setup but only one level of nesting going on. MCX is applied, but every now and again, and it does seem random, MCX will just not take and the user logs in to an unconfigured wide open Desktop. I have the cache in WGM set to 17 days.

Any ideas what may be causing this, or how to go about finding out what happens on those unssuccessful logins?

[dom9inic]

Hi danbgood,

thaks for answering that. I do understand and am generally for tight policing of directory changes. But I’m also for good discussion surrounding very valid needs for directory attriubute changing. Without the possibility of dialogue it seems to create the us v them departmental gridlock that seems unfortunately entirely inevitable in IT.

Sorry, that sentence ran away from me. Sometimes it can feel that more of my job is political than managing computer systems. Very thrustrating and tedious.

[dom9inic]

Hi danbgood,

may I ask what you mean when you say

[quote]Two troubles that I have experienced with university having similar issues is that neither the UIDs nor the home areas in an acceptable form. [/quote]

I am in a similar situation to abrose, but only need to use the Windows SMB Home, which is not DFS, but nevertheless does not mount, or even attempt to mount.

I agree with Ross when he says that it ought not to be against policy for the Home path to be adjusted in the profile. The only issue I can see is if those users also use Windows and there are issues with home connection your AFP Home share.

Goos luck.

[dom9inic]

Hi Joel,

thanks again. One should never assume, I really ought to learn that lesson sometime soon. I shall see if this is the case, and if so, whether it does the trick.

Thanks.

[dom9inic]

I suppose I don’t officially, I shall ask the bods in charge. However, it is an all MS AD shop, so I assume that it is running Kerberos SSO. I’ll be back with the info.

Thanks.

[Author]

Posts