[kennyj]

In order to manage print jobs, you can add the everyone group to the _lpadmin group on the local directory… you can write a simple script to do this on all your machines.

Non-Admin users should probably not be running their own software updates. Please look into ways of automating this, or managing it with a management suite. We use Casper Suite here and have had great success. You could allow your users to update their machines if you want them to do it through the command line by configuring /etc/sudoers with the visudo command. You will most likely need to write a quick script that calls sudo to run softwareupdate.

As far as opening documents from SAP, where does the application want to place this temporary directory and what do the permissions of this location look like?

There are a lot of great scripts included with the Casper Suite resource kit that you can use even if you don’t have the suite. Check it out at jamfsoftware.com

[kennyj]

I resolved this by finding a white paper from apple on AD Best Practices. I forwarded this to our Windows Engineer and he saw a part saying something about you may need to modify ACE for LDAP lookup. We have an LDAP lookup group for certain users that we placed the computer accounts for the serves in. Once this was done… voila Everything was working like magic!

[kennyj]

HAs anyone resolved this one yet? I’m seeing a similar situation in which it seems that AD group membership isn’t being properly resolved. So when a user tries to auth to a share, they receive a message saying there are no shares available for that user

[kennyj]

Thanks, sfr, I’ll have to look at that.

An alternative way I just found is to use Firefox to download. Once the download begins, pause it and you shoud be able to right-click it and copy the download url

[kennyj]

I’ve seen the same thing in the past… I have noticed that the AD plug-in in 10.6 seems to work a lot better to resolve issues like this… although it seems to create other issues as well. I’m not sure if there is a way to “fix” the implementation in 10.5, unfortunately there don’t seem to be a lot of people binding only to AD and not utilizing the “Golden Triangle” approach.

The only thing I can think of is to try and download a evaluation copy of centrify or likewise and try binding your machine using that rather than the built-in AD plugin in 10.5. I don’t like the idea of using a third party plugin for this… but if it may be a solution.

In our situation it will be difficult to get designers to pay for and switch to new software as some of them are still running old versions of quark and creative suite that will not work on 10.6. If 10.6 turns out to work well though, I think they may have no other choice.

[kennyj]

I’m still seeing this issue happen…

I’ve tested different smb packet signing and encryption settings using dsconfigad… no dice. I also thought… hmmm, is the kerberos ticket bad or not being genereated… nope, everything looks fine there.

Any suggestions or others having similar issues? I have been unable to have the windows server team here find any difference between working shares and non-working shares.

Thank you,
Ken

[kennyj]

1. If you are binding a server and want it to be part of the kerberos realm, you need to have access to join the AD kerberos realm.
2. I’ve noticed on the 10.5.x clients an issue with writing files to certain windows smb shares when bound to AD… see my post for more info…
https://www.afp548.com/forum/viewtopic.php?forum=29&showtopic=25629

[kennyj]

Check out CrashPlan… it can do unix, windows, and mac. The server can be various os’s, or it could also be run in a vm with the image they provide. CrashPlan offeres encryption and per-client deduplication. The biggest spend here will be disk space for everything. I’ve been testing it for our environment, and it looks pretty cool and simple.

[kennyj]

Argh, I need to do some more testing. It seems that Symantec is wrong in their knowledgebase article. The services they refer to not being able to run under a managed user is incorrect. I do see them running when use ps and grep for them. Some run as the logged in user, one runs as root.

[kennyj]

I noticed a kill DirectoryService seems to do the trick for a while. Not really a fix, but a good work around. Anyone have more insight?

Thanks,
Ken

[kennyj]

Removed /Library/Preferences/com.apple.AppleFileServer.plist again. This seemed to work after a reboot (I suppose you could probably just stop/start the afp service too). Something must have not come over properly after promoting to a replica in this file. Everything has been fine all day today.

[kennyj]

I’m having a similar issue, have you been able to fix this?

[kennyj]

Argh, after posting this, it started up again… however the wait time was not as bad as it was originally. Now users are seeing anywhere from 1 to 10 minutes to authenticate to the server via afp.

[kennyj]

Promotion seems to have gone well. I think there were two major issues here that I fixed. One was having the replica bound to itself in Directory Access. The other was removing or renaming /Library/Preferences/com.apple.AppleFileServer.plist

[kennyj]

I had great success so far with CS3 using InstallEase and iceberg. You can output your diff from InstallEase into iceberg where you can modify it a bit more by hand. I have not tried CS4 yet, but I wouldn’t think it is much different.

[Author]

Posts