Forum Replies Created

  • in reply to: Mail plist reading and writing #372623
    rmleonard
    Participant

    okay -I’ll leave this as academic to finish

    plistbuddy can write the dictionary items out and add what is needed

    can anyone see a “better” way of doing this?

    WGM and mcx settings per se are not an option
    All I can think of is the following brute force method, ugly as it is

    ARD can copy this file to a blanket load of machines, and then execute it….
    This should fix all MacMail folk…. (once i add the fixits to writeback the data)

    [code]
    #!/bin/bash

    # Locate PlistBuddy inside the installer receipts.
    plistbuddy=$(stat -f "%N" $(find /Library/Receipts -name "PlistBuddy" -print) 2>/dev/null | sort -n | tail -1 | cut -f2-)
    # Both paths are relative to a user's home folder.
    mailfile="/Library/Preferences/com.apple.mail"
    mailplist="$mailfile.plist"

    # Report the settings of account number $1 for user $2 if it points at Exchange.
    function testhostname {
        COUNTER=$1
        USERNAME=$2
        servername=$("$plistbuddy" -c "Print :MailAccounts:$COUNTER:Hostname" "/Users/$USERNAME/$mailplist")
        if [ "$servername" = "exchange.csupomona.edu" ]; then
            echo "Account $COUNTER is pointing at Exchange"
            echo "The Account type is $("$plistbuddy" -c "Print :MailAccounts:$COUNTER:AccountType" "/Users/$USERNAME/$mailplist")"
            echo "the SSL Settings are"
            echo "… Port Number $("$plistbuddy" -c "Print :MailAccounts:$COUNTER:PortNumber" "/Users/$USERNAME/$mailplist")"
            echo "… SSL enabled $("$plistbuddy" -c "Print :MailAccounts:$COUNTER:SSLEnabled" "/Users/$USERNAME/$mailplist")"
        fi
    }

    AC=0

    # Walk every home folder that has a Mail preferences file.
    ls -1 /Users | while read i
    do
        if [ -f "/Users/$i/$mailplist" ]; then
            echo "working on user $i and file /Users/$i/$mailplist"
            defaults read "/Users/$i/$mailfile" MailAccounts | {
                AC=0
                USERNAME=$i
                # AC counts the Hostname lines seen so far in the defaults output.
                while read i
                do
                    if [ ${#i} -gt 8 ]; then
                        left8=$(echo $i | cut -c 1-8)
                        if [ "$left8" = "Hostname" ]; then
                            let AC=AC+1
                            testhostname $AC $USERNAME
                        fi
                    fi
                done
                echo "total accounts = $AC"
            }
        fi
    done
    [/code]

    in reply to: Very Long Login/Authentication Time #370672
    rmleonard
    Participant

    does the user’s home directory exist?
    What is the OD-MCX setting for the user who is logging in?
    is the user set to be a mobile user? a network user? a local user?

    rmleonard
    Participant

    [QUOTE][u]Quote by: smb445[/u][p]No – the AD plug-in doesn’t support SSL connections…you might be able to monkey around with ssh tunneling, but you have to do a lot of heavy lifting on both sides of the fence and wandering far afield into the unsupported territories.

    Out of curiosity – if a user could determine someone’s group memberships, what does that buy them (from a security breach perspective) ? [/p][/QUOTE]

    Our gloriously tinfoil hatted leader – the campus ISO – (usually a nice guy… but in this case…)

    believes that if one could glean, for instance, a class roster, then one could begin stalking a particular subset of said class roster… these smaller units are usually termed “Students”..

    I have found over time, that these are interchangeable, transient, and very ephemeral particles. around here they only seem to last 9-10 weeks at most, and then rotate.

    That being said, “Policy” is still being decided.

    the ability to use auto-populated group lists means that I can use AD to define a group in OD of, say, Basketweaving101 users, and then lock lab use to only students in basketweaving classes, set up once and each and every quarter – the “system” auto resets itself to a new batch of students…

    This process has been running on autopilot for several years, now with this new security push – I’m getting a bit stressed out.

    if the OD server had permissions to view the group, and the client simply got a kerb ticket from the OD server to pass back to AD, then life would be good. Students have no CLI access to the server.

    Overall the Golden Triangle has been rock solid for quite some time…

    in reply to: Very Long Login/Authentication Time #370666
    rmleonard
    Participant

    Several Questions
    What version of OS?
    Is the unit bound to any directory services?

    once you get in – what do the log files show?
    (specifically – /var/log/system.log)

    More Info Please!

    rmleonard
    Participant

    The problem with granting the machines access via a “Pre Win2K” to credential level is that anyone with access to terminal could then use DSCL to browse the memberOf attribute – So we are in a catch-22 position – on the one hand the desire to be “secure” and then the inability to make it so due to the limitations of “how things work”.

    A lab is where the security needs to be the tightest, and yet, to make it work – we need to make the labs insecure –

    Is there a way to encrypt all of this? So that the “machine” can understand what goes where, but that it is human “unreadable”?

    Rich

    in reply to: Disabling some installs #370640
    rmleonard
    Participant

    [QUOTE][u]Quote by: Anders+Blomdell[/u][p]This works for me:

    [code]

    AdditionalSpeechVoices
    AsianLanguagesSupport
    MediaFiles
    Mail
    AddressBook
    Automator
    DVDPlayer
    iTunes
    Java
    Safari
    iChat
    OxfordDictionaries
    PrinterDriversGroup
    AdditionalFonts

    [/code]

    But to install a small system, i feel that this small script is even simpler:

    [code]
    #!/bin/sh
    # $1 is the target volume to install onto.
    VOL='/Volumes/Mac OS X Upgrade DVD/System/Installation/Packages'
    PKGS="BaseSystem Essentials BootCamp BSD AdditionalEssentials MigrationAssistant iCal X11User OSInstall"

    for pkg in $PKGS ; do
        echo $pkg '->' "$1"
        installer -pkg "${VOL}/${pkg}.pkg" -target "$1"
    done
    bless -verbose -folder "$1/System/Library/CoreServices" -bootinfo -bootefi
    [/code]
    [/p][/QUOTE]

    okay – I tried this ->
    sudo installer -verbose -showChoicesAfterApplyingChangesXML ./inputs.xml -pkg /Volumes/Mac\ OS\ X\ Install\ Disc\ 1/System/Installation/Packages/Bundled\ Software.mpkg/

    where inputs.xml looks like this ->
    [code]

    OmniOutliner

    [/code]

    the output was this ->
    installer: choices file ‘./inputs.xml’ either could not be found or was malformed.

    I used pico to create the xml file – the file is bereft of any headers other than the array line

    Thoughts?

    in reply to: sorta Step by Step #370460
    rmleonard
    Participant

    I have been fighting with the XML format since day one… still can’t figure it out…

    maybe some more brain power here will help –

    Josh said he’d look into it but then well… this Leopard thing hit the streets and he got busy… can’t imagine how or why…

    Rich

    in reply to: Base Install not working #370402
    rmleonard
    Participant

    interesting…..

    ummmm…..

    it would seem that something isn’t as it appears

    how are you invoking the command?

    if the file is executable, it should be called up thus:
    sudo ./instadmg.bash or
    sudo ./instadmg-rmlcll-revision.bash

    depending…

    don’t run it as root – run it as a privileged user via sudo

    the reason is in the pathing
    if you are root – then your $PATH may get wonkie
    you need at least
    /bin:/sbin:/usr/bin:/usr/sbin
    in the path

    I think…

    in reply to: Base Install not working #370382
    rmleonard
    Participant

    what do you have the destination volume set to?

    and did it mount the disk InstaDMG?

    I think I found that on the PPC systems – I had to create a physical partition on the hard drive or use an external HD to make it work – 10.4 doesn’t seem to want to install off to a disk image

    I have yet to incorporate any of the flurry of changes into the mod i did…

    but try using my code and point it at a “real” hard disk, not an image file….

    Rich

    in reply to: Base Install not working #370377
    rmleonard
    Participant

    G4s behave differently than the Intels –

    take a look at my version – and see the differences in the diskutil and hdiutil commands

    in my version – with G4 settings in place –
    I invoke it thus
    [code]$DISKUTIL eraseVolume JHFS+ $DMG_FS_NAME bootable $CURRENT_IMAGE_MOUNT_DEV >> $LOG_FILE[/code]

    where in the original code he calls it up one of two ways
    [code]
    # Format the DMG so that the Installer will like it (Intel Mac)
    /usr/sbin/diskutil eraseDisk "Journaled HFS+" $DMG_FS_NAME GPTFormat $CURRENT_IMAGE_MOUNT_DEV
    CURRENT_IMAGE_MOUNT=/Volumes/$DMG_FS_NAME

    # Format the DMG so that the Installer will like it (PPC Mac)
    # /usr/sbin/diskutil eraseDisk "Journaled HFS+" $DMG_FS_NAME bootable $CURRENT_IMAGE_MOUNT_DEV
    # CURRENT_IMAGE_MOUNT=/Volumes/$DMG_FS_NAME
    [/code]

    I found that using the GPTFormat doesn’t always work, and flat out can’t be invoked on a PPC platform…

    so make sure that in your operation – you have the code block set to PPC…
    YMMV
    Rich

    in reply to: Code issue #370349
    rmleonard
    Participant

    after about 15 minutes of playing
    – indeedy do! the line
    [code] for update_pkg in `ls $update_folder`[/code]
    will behave poorly or not at all if there is a space in the file name(s)

    so instead of the lengthy code blob suggested – how about replacing the line with this?

    [code]ls -1 $UPDATE_FOLDER | while read UPDATE_PKG[/code]

    do the same in the custom_pkg section

    does that completely solve the issue?
    – would there be a case where some other character than a space in a filename might muck this?

    Rich
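
The question in the post above, whether a character other than a space can break the loop, worked through as an added example that is not part of the original post or of InstaDMG: it counts how many of four constructed file names each loop style resolves to a real file. The function names and the scratch folder are assumptions made for the demonstration.

```bash
#!/bin/bash
# Added example, not from the original post. All file names are constructed.

# Create a scratch folder holding four awkwardly named packages.
make_fixture() {
    d=$(mktemp -d) || return 1
    touch "$d/plain.pkg" "$d/two words.pkg" "$d/ leading space.pkg" \
          "$d/$(printf 'new\nline.pkg')"
    printf '%s\n' "$d"
}

# Original loop: the unquoted `ls` output is split on every space and newline.
count_for_ls() {
    n=0
    for f in $(ls "$1"); do
        if [ -e "$1/$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Replacement from the post: survives inner spaces, but `read` trims leading
# whitespace, treats backslashes as escapes, and still breaks on newlines.
count_ls_read() {
    ls -1 "$1" | {
        n=0
        while read f; do
            if [ -e "$1/$f" ]; then n=$((n + 1)); fi
        done
        echo "$n"
    }
}

# Glob loop: the shell hands over each name intact, whatever it contains.
# The "$1"/ prefix also keeps a name starting with "-" from looking like an option.
count_glob() {
    n=0
    for f in "$1"/*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi   # skips the bare pattern in an empty folder
    done
    echo "$n"
}

demo() {
    dir=$(make_fixture) || return 1
    echo "for-in-ls: $(count_for_ls "$dir")  ls|read: $(count_ls_read "$dir")  glob: $(count_glob "$dir")  (of 4)"
    rm -rf "$dir"
}
demo
```
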

    rmleonard
    Participant

    [QUOTE][u]Quote by: mikemchargue[/u][p][QUOTE][u]Quote by: rmleonard[/u][p]I am presently booked at the Parc55 but want to save money – ($200 a night bothers me, even though I’m not paying)

    rather than a rats nest – el cheapo place – I’d like a nice clean ( Free wireless ) place that caters to people who like hot showers, no mold or bugs….

    This way – we can eat out and enjoy the area….

    Any Ideas?

    Rich[/p][/QUOTE]

    Try Hotel Pickwick. It’s older, but it’s clean and the staff is friendly. You can often get a room for $99 a night and you’re still right next to Moscone West.[/p][/QUOTE]

    I got state rates at $140 a night over at Hotel Palomar – I’m Happy!

    Anyone know if spouses will be allowed at the Bash Thursday night? or badged folk only?

    in reply to: Changing from Mobile Accounts back to Local Accounts #368233
    rmleonard
    Participant

    just blanking out the Directory Access points (one for AD and one for OD) doesn’t seem to make a difference…

    we have tried just disabling them and removing the entries – it makes no difference – if wireless is on and the system needs to authenticate in – it gets shot to #$%@#$%

    it is only when you need to login or wake from sleep –

    i’m probably not explaining as well as i should…

    but on my Dean’s laptop – I’ve completely removed Directory Access points and made sure that entries are removed from the services (LDAP and Active Directory) and that only /netinfo/defaultlocalnode is in Authentication and no contacts entries other than defaultlocalnode…

    and looking at the log files – shows sequential timeouts still

    I timed it at about 45 minutes to finally auth in.

    after the python script to shorten things up I got it under 5 minutes

    Rich

    rmleonard
    Participant

    I am getting these errors too…

    did you ever solve the problem?

    though in my case – the machine just about “hangs” and I have to kick it over… (killall DirectoryServices/and lookupd) – _IF_ I can get into it… when the errors start – the ssh process starts hanging – which makes logins near impossible. – so i have a box set up to do keyless logins via dsa keys – hopefully that will let me in otherwise I have to reboot it… it’s a headless Xserve – so if ARD can’t get me in I’m forced to reboot the hard way…
