Forum Replies Created
November 30, 2011 at 12:28 am in reply to: Problem with Createuser.pkg and Default User settings script(s) #381443
sgstuart
Participant

Hi all,
I found out finally what was causing this problem. It was the custom built install of VMWare Fusion 3.1.2 that was causing the problem. So I will be creating a new install of it with Composer to make sure that it does not contain any user information.

Thanks,
Steven Stuart

November 17, 2011 at 10:44 pm in reply to: Problem with Createuser.pkg and Default User settings script(s) #381419
sgstuart
Participant

Hi All,
I just ended doing some more testing, which shows that it is not the clearreg, createuser, or my firstboot scripts that are doing this. I am now finding out that it is one (or I guess more) of my 15 – 3rd party applications that are being installed.

I will keep people updated.
Thanks,
Steven Stuart

sgstuart
Participant

Hi Allister,
That sounds great.

Thanks,
Steven Stuart

July 23, 2010 at 9:42 pm in reply to: login failing on machines that used to authenticate fine #379172
sgstuart
Participant

Hi Andy,
So are you saying that this is fixing the problem that you were initially having? If so that is great. On the rebinding part, I am assuming that you have ARD. What I use is a script for binding all of my Macs to AD (granted I do not have OD), however, I am sure that there is a way to script that and send it thru ARD to each computer, and it should make that portion quick, easy, and relatively painless. My guess is you are mostly done anyways, however, if this type of thing happens again, and you want to rebind quickly, you could already have it ready to go.
Thanks,
Steven Stuart

July 23, 2010 at 12:58 am in reply to: login failing on machines that used to authenticate fine #379162
sgstuart
Participant

Hi Westnab,
I misunderstood that the xserve that you were going to unbind was the OD master itself. Yes, anything bound to the OD would need to be reset and so forth in a situation like that. I feel extremely bad that I assumed it was just a regular xserver that you were talking about unbinding. I apologize profusely for being the cause, in this case many things could definitely go wrong.

Thanks,
Steven Stuart

July 21, 2010 at 10:27 pm in reply to: login failing on machines that used to authenticate fine #379144
sgstuart
Participant

Hi,
Unfortunately, I have no words of wisdom. I think the unbind -> bind sounds like a good thing to try. It at least can not hurt.

Thanks,
Steven Stuart

July 20, 2010 at 6:56 pm in reply to: login failing on machines that used to authenticate fine #379134
sgstuart
Participant

Hi Westnab,
How AD and Macs work together is still something I am fully trying to understand myself. I do not have OD in the mix either. I am glad that you are finding some workarounds as well.

I have also seen things that are saying there are problems with AD 2008. Maybe some of these may assist more, especially for your problem.
Here is one article:
http://support.apple.com/kb/TS2967

Here is another link for info, with many links off of it:
http://www.macwindows.com/snowleopardAD.html

Thanks,
Steven Stuart

July 19, 2010 at 5:18 pm in reply to: login failing on machines that used to authenticate fine #379122
sgstuart
Participant

How long were your machines successfully logging on? How often does your AD require your Computer accounts to “re-authenticate”? Is your computer's DNS name ending the same as your AD Domain Name?
Thanks,
Steven Stuart

sgstuart
Participant

Hi All,
I am hoping people will see this. This is exactly what is happening with all of my OSX clients. So whatever the resolution is I will have to do it many times. However, it is better than not working.

My question is how do I change the AppleFileServer plist to the right kerberosPrincipal. It looks like it is hashed at least in mine. It has one entry which is afpserver://LKDC:SHA1.(long string here)@LKDC:SHA1.(same long string here).
How would I get this?
I had found the ADSIedit.msc tool before and have changed the DSNName, but after I do that it has not let me authenticate at all back to AD.
Thanks,
Steven Stuart

sgstuart
Participant

Hi all,
I did not see this until now. However, IIS can be configured without a problem to accept Kerberos and NTLM. Follow this article.
http://support.microsoft.com/kb/215383
Thanks,
Steven Stuart

sgstuart
Participant

Hi Brian,
It makes a security hole by setting the “root” password. It is recommended never to set it. If you really do need it, there would be changes needed to be done to the sshd_config file.

However, most things you can do with just sudo, and if you really need more sudo -s. I would recommend trying those types of commands for a while first.
Thanks,
Steven Stuart

sgstuart
Participant

Hi nobrainer,
That is good information that you only need to put the “\” in front of it to make it work. I agree it would be good to add that to the documentation. This script is “owned” by someone else, but I think updating the documentation would be okay. I will look into that tomorrow.

Thanks,
Steven Stuartsgstuart
ParticipantHi Brain,
Yes that is what I am doing.Here is the .plist code which is put into /Library/LaunchDaemons. Change the XXXX to your company, and the /path/to/file to the correct path for where you put your .sh, if you have a different name for your .sh, change that as well.
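[code]
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<false/>
	<key>Label</key>
	<string>com.XXXX.ARDSettings</string>
	<key>ProgramArguments</key>
	<array>
		<string>sudo</string>
		<string>/path/to/file/ARDSettings.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>
[/code]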
The meat of the .sh is this. Change the XXXXX to the user that you want. This will run every boot, so you may want to write a rm -f command to delete the LaunchDaemon after it runs the first time.
[code]
# Set the Access to only be for specifiedUsers.
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -allowAccessFor -specifiedUsers

# Activate Remote Management, configure user XXXXX to have all privs and to restart the ARD agent.
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users XXXXX -privs -all -access -on -restart -agent
[/code]
Thanks,
Steven Stuart

sgstuart
Participant

Hi Rusty and all,
I was able to get the ARD portion working by creating a .sh with 2 kickstart lines, pretty much the two lines that Rusty said above, and in that order. That way it only needs to activate and restart once. I did not put in a sleep command.
Then I placed a .plist into /Library/LaunchDaemons that has two parameters, “sudo” & the full path to the script. It is set to RunAtLoad.
I should probably put a rm of the .plist at the end of the .sh, but I did not do that at least yet. I will probably add those deletions to my ARD script that is for post Build anyways. Which will be pushed thru NetBoot (not a OSX server).
Thanks,
Steven Stuart

sgstuart
Participant

Hey Rusty,
I am going the LaunchDaemon way. I believe I have created a valid one, and tested it on one of the bad builds, restarted it, and it came back properly. So I will hope that takes care of it. I am adding it to build now, and hope all goes well.

Thanks,
Steven Stuart