Forum Replies Created

Viewing 15 posts - 1 through 15 (of 23 total)
  • in reply to: Owners disabled on restore #380534
    jaharmi
    Participant

    When I rebuild the same image with the same Leopard source system disk and InstaUp2Date catalog files on a Power Mac G5 running Leopard, I do get an InstaDMG image that restores to a target volume and is bootable.

    If I may ask, what (besides chrooting) has been added since the 1.4 days that would cause problems with building images for older systems on a newer Mac? I’m really curious.

    It is likely I will always have older Macs to support. With Apple changing the supported systems on a pretty regular basis in the last few releases, that may mean keeping several Macs of appropriate vintage around just for building images. That is in addition to possibly keeping older Macs as test units and spares.

    If InstaDMG could successfully build restorable images for older OSes on a newer OS, that would mean real savings to my organization.

    in reply to: Office 2011 – Here goes! #379648
    jaharmi
    Participant

    I have seen no evidence of preference manifests.

    As for customization, it does seem per-user. I think I’ve seen settings carry over even after I’ve removed all plist and settings files, so I’m not sure what’s going on there yet.

    in reply to: Indexing Active Directory attributes for performance #372866
    jaharmi
    Participant

    We have experienced slow logins in our environment, and this was discussed as one solution for slow logins and queries during an Apple presentation.

    If I had to make a guess based on that presentation and the OD Admin Guide, I’d say the only unindexed attribute that we should consider indexing is “MacAddress.”

    So, are the AD attributes used in computing the UniqueID and PrimaryGroupID indexed by default in AD? Which attribute(s) are used as the basis of that computation? The OD Admin Guide lists it only as the “GUID.” Is it the SID?

    in reply to: GSSAPI FAILED doing gss_unwrap: No error #369830
    jaharmi
    Participant

    Yes, we’ve had the R2 schema extensions for a while, so I don’t anticipate it was due to simply having the extended schema. The changes may have been due to further restrictions from the Security Configuration Wizard or another factor; we have yet to determine this in our post-mortem. There were also some problems with the DNS SRV records, which weren’t readily apparent to me but which have been fixed in the interim.

    Since we rolled back policies to match the existing domain controllers, things have settled down for Tiger clients. I’ll just drop a number for something else I’ve uncovered: 5429392.

    in reply to: GSSAPI FAILED doing gss_unwrap: No error #369812
    jaharmi
    Participant

    We had rolled out the AD 2003 R2 schema extensions prior to this, and are using Windows Server 2003 R2.

    I was only specifically seeing the “error” (quotes because it says “no error” in the text!) when connecting to one of our newer domain controllers. I didn’t see it when I forced a connection (using the preferred DC option in the AD plugin) to one of the older domain controllers.

    All of our domain controllers were rolled back to the same security policies as the older ones in the meantime, and that seems to have cleared quite a bit up. I’d like to know what specific policy or set of policies might have been the cause.

    in reply to: AD domain signing policies #366891
    jaharmi
    Participant

    BTW, if you have links to specific KB articles handy–Apple or Microsoft–and feel like dropping them in a reply, I’d appreciate that. I’ll be looking myself but it never hurts to get a pointer.
    Thanks!

    in reply to: Kerberos-only Active Directory environment #366889
    jaharmi
    Participant

    Well, my thread was hijacked, but thanks for the response.

    If anyone is actually running in an Active Directory that has had other auth types disabled and had experiences with their Macs in that environment (good/bad) I’d like to hear it. I totally understand that the ADPlugin is doing Kerberos, but I’m concerned about the fringe cases.

    in reply to: AFP mounts – AFP_VFS afpfs_Reconnect #365083
    jaharmi
    Participant

    We’re having the same kinds of problems with Mac OS X 10.3/10.4 clients connecting to an ExtremeZ-IP 4.0 server (not upgraded to 4.1 or 4.2). Same kinds of log entries.

    in reply to: Modifying the AD plugin #361351
    jaharmi
    Participant

    For many of us, ADMitMac costs more than the operating system. Well, it did last time I asked for a quote. It’s also an additional expense that a Mac “needs” in order to play in the Active Directory sandbox … when Windows computers don’t need anything else.

    in reply to: AD ou delegation #361350
    jaharmi
    Participant

    I’m interested in this, and also having the ability to allow/deny users from logging in via other means than the loginwindow. In other words, I want the Open Directory allow/deny access lists to work with all authentication methods.

    Has anyone tried this? My only attempt has not worked out well, but my test Open Directory is not terribly well set up yet.

    jaharmi
    Participant

    We wrote a script to help migrate local user accounts — both the accounts and the home directories, which change ownership based on the new UID assigned from the directory — for my university.

    Contact me at [email protected] and I can supply it to you, with no warranty.

    in reply to: Problem with group folders in Server 10.3.4 #360485
    jaharmi
    Participant

    I came across this problem, too, but I created my groups manually. WGM didn’t warn me at all.

    in reply to: Can I use Active Directory Groups for my AFP Share? #359721
    jaharmi
    Participant

    By ‘top level,’ do you just mean groups that aren’t nested, or groups that must exist in some specific spot in the Active Directory hierarchy?

    The lack of nested groups support is a major problem for me, from several standpoints. Just the inability to follow nested groups for setting which users have admin privileges on a local computer is terribly limiting. In my environment, a lot of groups are built automatically by scripts or tools like ActiveRoles, and they are *all* nested.

    in reply to: OSX: VPN Connection PPTP or IPSEC? #356744
    jaharmi
    Participant

    Jaguar supports PPTP through the Internet Connect GUI.

    Panther supports PPTP and L2TP/IPSec through the GUI. (Unfortunately, there’s no support for concentrators like the Cisco 3000 series; you still need to use the Cisco client.)

    I hope that Apple will merge VPN functionality with the loginwindow at some point. We use the same accounts, and I would like users to get a VPN connection first, and then authenticate to our Kerberos/OpenLDAP environment second, even when remote.

    in reply to: Problems with Racoons part 3 #355064
    jaharmi
    Participant

    Your problem is most likely your text editor. I had the exact same problem, but then I went back into BBEdit and set the line ending type to “UNIX” rather than “Mac” (the default). I saved the document and then used the vpnsetup.txt file and it worked.
