Forum Replies Created

Viewing 15 posts - 16 through 30 (of 77 total)
    in reply to: AD and OD integration #376701
    Patrick Gallagher
    Participant

    Only en0 needs to be added which is built-in ethernet on everything except the MB Air.

    Kerberos gets killed on the server, yes. That doesn’t affect what the clients try to do.

    in reply to: Binding script #376686
    Patrick Gallagher
    Participant

    Are you sure the network is up when the script runs?

    in reply to: AD and OD integration #376685
    Patrick Gallagher
    Participant

    Quote by jasonthat:
    While waiting for some replies on my previous post in this thread, I am just going to drop in a few more questions hoping someone would take the time to reply:

    1) At the time of joining OD into AD, do I need to hit the Join Kerberos button before turning the server into an OD Master?
    2) On the OD Master, does the LDAP entry have to be before the AD in order (in search policy – authentication)?
    On the Mac client, does it have to be the other way around? Search Policy order – AD first & OD second?
    3) The “Enable authentication to directory binding” option in Open Directory – Server Admin – does this have to be enabled or does it matter?
    4) I was looking at WGM, after a test client was bound to AD first and OD second – my confusion is, once the client is bound to an OD, wouldn’t that computer record show up in the list of “Computers” in WGM (not the AD records)?

    These are the main ones for now but… If any of you know the answers to these questions or could explain, please do fill in. Thanks!

    1. No. This would be used by a member server to kerberize services. If your Mac server is going to provide other services that should be kerberized, run “sudo dsconfigad -enableSSO”
    2. I don’t know if there is a definitive answer to that. The AD-OD guide on this site (written for Tiger) says AD first, then OD. The paper by John DeTroye (written for Leopard) says OD first, then AD. I have not seen a difference.
    3. You don’t want to do an authenticated binding to OD because that would mess up kerberos on the clients so I would just disable that so your techs are tempted to enter their credentials when joining machines to OD.
    4. The machine only shows up in WGM with a secure bind (authenticated) which we can’t do with a triangle config because kerberos would get messed up. You will either need to add each machine manually into WGM or script the OD joining so that it also adds the computer account to OD.
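Point 4 above suggests scripting the OD join so that the computer account is created without an authenticated bind. The script below is an added example written for this page, not the poster's script and not afp548 or Apple code: it does a plain (unauthenticated) dsconfigldap bind so client Kerberos stays pointed at AD, then creates the computer record in OD with a directory-admin account via dscl. The server name od.example.edu, the admin name diradmin, the root-only password file /var/root/.od_admin_pw and the use of en0 for the MAC address are assumptions; the computer-name format follows the naming convention discussed elsewhere in this thread.

```shell
#!/bin/sh
# Added example (not code from the thread): unauthenticated OD bind followed
# by scripted creation of the computer record, so the machine shows up in
# WGM without the secure bind that breaks Kerberos in a triangle setup.
# Assumed/hypothetical: OD master od.example.edu, admin "diradmin", password
# kept root-only (mode 0600) in /var/root/.od_admin_pw, interface en0.

OD_SERVER="${OD_SERVER:-od.example.edu}"
OD_ADMIN="${OD_ADMIN:-diradmin}"
OD_PW_FILE="${OD_PW_FILE:-/var/root/.od_admin_pw}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1 (useful before rollout).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Computer record name: short hostname, lower-cased, domain stripped.
# Takes the hostname as $1 so it can be checked against constructed input.
computer_name() {
    printf '%s\n' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z'
}

# Ethernet MAC of en0, which OD stores in the ENetAddress attribute.
# Takes the ifconfig output as $1 for the same reason.
mac_from_ifconfig() {
    printf '%s\n' "$1" | awk '/ether/ { print $2; exit }'
}

# Step 1: plain bind. No -u/-p here on purpose: that would be an
# authenticated (secure) bind.
bind_od() {
    run dsconfigldap -a "$OD_SERVER" -n "$OD_SERVER"
}

# Step 2: create the computer record with directory-admin rights. -create on
# an existing record with an attribute name sets that attribute.
create_computer_record() {
    name="$1"; mac="$2"; pw="$3"
    run dscl -u "$OD_ADMIN" -P "$pw" "/LDAPv3/$OD_SERVER" -create "/Computers/$name"
    run dscl -u "$OD_ADMIN" -P "$pw" "/LDAPv3/$OD_SERVER" -create "/Computers/$name" ENetAddress "$mac"
    run dscl -u "$OD_ADMIN" -P "$pw" "/LDAPv3/$OD_SERVER" -create "/Computers/$name" RealName "$name"
}

main() {
    name=$(computer_name "$(hostname)")
    mac=$(mac_from_ifconfig "$(ifconfig en0)")
    pw=$(cat "$OD_PW_FILE")
    bind_od
    create_computer_record "$name" "$mac" "$pw"
}

# Usage: sudo sh od-join.sh join   (DRY_RUN=1 to only print the commands)
case "${1:-}" in
    join) main ;;
esac
```

Two caveats on the password handling: the file must be readable by root only, and dscl's -P puts the password in the process arguments for the duration of the call, so keep the admin account limited to the rights it needs (computer-record creation) rather than using the full directory administrator.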

    in reply to: dscl merge on Leopard Server #376511
    Patrick Gallagher
    Participant

    try: dscl -u diradmin -p secret /LDAPv3/127.0.0.1 append /Groups/adusers users adclient

    in reply to: dscl merge on Leopard Server #376492
    Patrick Gallagher
    Participant

    Are you on the OD master when you run that command?

    try: dscl -u diradmin -p secret /LDAPv3/127.0.0.1 append /Groups/adusers GroupMembership adclient

    Patrick Gallagher
    Participant

    Quote by tidepooler:
    Hi,

    EDIT: I’m having a problem that has to do with my InstaDMG build process. The first time I made an InstaDMG image, it took a good long while to make the image (about an hour). Now, it’s less than a minute and it claims to be done. When it starts, the log shows the following: “hdiutil: mount failed – not recognized”.

    I wonder am I doing something wrong? When I attempted to run InstaDMG, I typed in “cd”, then space, then dragged the InstaDMG folder into the terminal window and pressed return. Then I typed “sudo ./instadmg.bash” and pressed return. It asked for a password, and I typed that in.

    You probably have your OS X disk image named something other than the default “Mac OS X Install” or whatever the default is. If that’s not the problem, you would probably be better off asking this question again in the InstaDMG forum https://www.afp548.com/forum/index.php?forum=45

    in reply to: InstaDMG rev 202 #376479
    Patrick Gallagher
    Participant

    Quote by spaceout:
    I am assuming that removing com.apple.pkg.iLifeMediaBrowser_203.bom will allow the ilife update to install as well? What is everyone else doing right now to have a fully updated image (10.5.7, Safari 4.1 and ilife media browser)? It seems as though older revisions of instaDMG have trouble with the 10.5.7 installer and the newer revisions have issues with some of the later System Updates (eg Safari 4).

    I’m still using 1.4b4 and I haven’t noticed a problem yet with iLifeMediaBrowser. But I did have the Safari4 installer hang up and I remembered seeing your post so I trashed that bom file. I’m using a 10.5.7 disk on this particular image (new 13″ MBP). But my previous image was a 10.5.6 disk with a 10.5.7 delta updater and I didn’t have a problem.

    in reply to: InstaDMG rev 202 #376476
    Patrick Gallagher
    Participant

    Quote by spaceout:
    So could a potential solution be to run InstaDMG on a vanilla 10.5.0 machine with no updates, that way when it checks to see what has to be installed, it sees a machine that needs both of those updates (safari 4 and ilife)

    Or you can delete the /Library/Receipts/com.apple.pkg.Safari.bom file on your host machine. This gets the install to move on. But this will prevent your host machine from detecting future Safari updates so move the file back when you’re done.

    Patrick Gallagher
    Participant

    Quote by tidepooler:
    Okay, good! Thank you for this information. It is definitely a start.

    My next question though, is that so far while reading through the instaDMG manual, it is referencing Mac OS X 10.5 only. Can I use this process for my Mac OS X 10.4 macs too?

    There’s been some discussion about that recently on the dev list and the consensus is that it should still work with older versions of InstaDMG but current and future versions will not be tested or supported and likely will NOT work.

    in reply to: OD over internet #376251
    Patrick Gallagher
    Participant

    88 kerberos
    389 ldap
    636 ldap SSL
    3659 sasl auth (might be optional, not sure).

    However, OD (or AD for that matter) over the internet is likely going to be very unreliable if it works at all. It will be more consistent if you just allow the clients to cache their credentials and MCX.

    in reply to: Prevent AD Users Saving to Desktop #376239
    Patrick Gallagher
    Participant

    Quote by torona318:
    From what I can tell there really seems to be no easy way to deny desktop access on a mac. You can setup an ACL on the user templates folder to deny access to the desktop. This will only affect new users. For existing users you would have to add ACLs on their desktop folder. Keep in mind this might affect 3rd party apps like Firefox whose default downloads location is the desktop.

    -Thomas

    Setting permissions on the user template won’t work because the newly created home folders get chmod’ed when created. The permissions would need to be set after the home folder is created. Perhaps a login hook.
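The reply above points at a login hook as the place to set the Desktop permissions, since the home folder exists by then. The script below is an added example for this page, not the poster's code: a loginwindow LoginHook that, for AD accounts only, adds a deny ACE to the user's Desktop after login. The install path /Library/Management/deny_desktop.sh is hypothetical; the hook receives the short name as $1 and runs as root, which is what the `defaults write com.apple.loginwindow LoginHook` mechanism provides.

```shell
#!/bin/sh
# Added example, not from the thread: a loginwindow LoginHook that denies an
# AD user write access to their own Desktop once the home folder exists.
# loginwindow runs the hook as root and passes the short name as $1.
# Assumed (hypothetical) install path and registration:
#   sudo defaults write com.apple.loginwindow LoginHook /Library/Management/deny_desktop.sh

# The ACE text chmod +a expects: block creating, adding and deleting items on
# the Desktop; the *_inherit flags carry the rule into new subfolders.
deny_write_ace() {
    printf 'user:%s deny add_file,add_subdirectory,delete_child,file_inherit,directory_inherit' "$1"
}

# True when the dscl read of AppleMetaNodeLocation shows the account lives in
# the Active Directory node, so local and OD-only accounts are left alone.
# Takes the text as $1 so it can be exercised with constructed input.
is_ad_account() {
    case "$1" in
        *"/Active Directory/"*) return 0 ;;
    esac
    return 1
}

# Apply the ACE; returns 1 when the Desktop folder does not exist yet.
apply_desktop_acl() {
    user="$1"; home="$2"
    desktop="$home/Desktop"
    [ -d "$desktop" ] || return 1
    # Remove a stale copy first so repeated logins do not stack identical ACEs.
    chmod -a "$(deny_write_ace "$user")" "$desktop" 2>/dev/null || true
    chmod +a "$(deny_write_ace "$user")" "$desktop"
}

if [ -n "${1:-}" ]; then
    node=$(dscl /Search -read "/Users/$1" AppleMetaNodeLocation 2>/dev/null)
    if is_ad_account "$node"; then
        home=$(dscl /Search -read "/Users/$1" NFSHomeDirectory | awk '{ print $2 }')
        apply_desktop_acl "$1" "$home"
    fi
fi
```

The caveat from the quoted post still applies: applications that default to saving on the Desktop will fail their first save and need to be redirected, so test with the lab's standard application set before rolling the hook out.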

    in reply to: iLife ’09 – Where to add the 4.2gig iLife package? #376027
    Patrick Gallagher
    Participant

    I have the Apple provided “iLife ’09.pkg” (also have an 08 version) in my custom install folder. Is it possible you may have had some iLife updates installing before the full iLife pkg? iLife updates should be in custom as well, after the main pkg.

    in reply to: Computer name & AD naming scheme #375846
    Patrick Gallagher
    Participant

    Our naming convention is 3 parts:

    1. Three letter dept code (such as che for chemistry, psy for psychology, etc.)
    2. network ID – 7 character max
    3. # that indicates the machine’s purpose sequentially and type of hardware, 01A is a faculty/staff primary desktop Mac, 01P is PC, 01M is pc laptop, 01i is mac laptop, then we go up in #’s from there for those that have more than 1 machine. Lab/classrooms start at 11.

    Example faculty/staff primary desktop mac would be col-pgalla2-01a
    Example classroom desktop pc would be che-genchem-11p

    So in most cases, we can tell where a computer is or who owns it based only on its computer name without having to dig into our inventory.

    If I had to do it all again, I would probably eliminate the hyphens, sometimes 14 characters aren’t enough for certain classrooms or labs where I would prefer to be more descriptive. But overall, it’s worked out.

    in reply to: automount AD share #375845
    Patrick Gallagher
    Participant

    me=`whoami`

    You’re not going to get the password without installing a keylogger, big no-no. Does kerberos not work in your environment?
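The reply above says to rely on Kerberos rather than trying to capture the user's password. The script below is an added example for this page, not the poster's script: it mounts the user's AD share with the ticket the user already holds from login, so the script never sees a password at all. It is meant to run inside the user's own session (Terminal or a per-user LaunchAgent) rather than from a root login hook, where `whoami` would return root and root's credential cache would hold no ticket for the user. The names fs.example.edu and the share "home" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: mount the logged-in user's AD share
# with the Kerberos ticket obtained at login, so no password is stored or
# prompted for. Run in the user's session, not as root from a LoginHook.
# Assumed (hypothetical) names: server fs.example.edu, share "home".

SERVER="${SERVER:-fs.example.edu}"
SHARE="${SHARE:-home}"

# Build the URL with the user name but deliberately no password; mount_smbfs
# then authenticates with the TGT from the user's credential cache.
smb_url() {
    printf '//%s@%s/%s' "$1" "$2" "$3"
}

# Per-user mount point under the home folder instead of /Volumes, so two
# logged-in users never collide on the same path.
mount_point() {
    printf '%s/Volumes/%s' "$1" "$2"
}

mount_share() {
    me=$(whoami)
    url=$(smb_url "$me" "$SERVER" "$SHARE")
    mp=$(mount_point "$HOME" "$SHARE")
    # klist -s is silent and exits non-zero when there is no usable ticket:
    # stop there instead of falling back to a password prompt.
    if ! klist -s; then
        echo "no Kerberos ticket for $me; mount skipped" >&2
        return 1
    fi
    mkdir -p "$mp"
    mount_smbfs "$url" "$mp"
}

# Usage: sh mount-home.sh mount
case "${1:-}" in
    mount) mount_share ;;
esac
```

If `klist -s` fails right after login, the client is not getting a TGT from AD at login time, which is the problem to fix first; scripting around it with a stored password only hides it.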

    in reply to: Help! Hdiutil: mount failed Continues. #375844
    Patrick Gallagher
    Participant

    Can you mount your OS X disk image in the Finder? Make sure you allow it to checksum, don’t skip.
