my experiences with 10.5.4 in an ad-of environment

[HodgeHi]

I thought I would post my experiences I have just had when integrating 25intel iMacs into an active directory and open directory. After net-restoring the machines (eventually) I then proceeded to copy and install the required software via ARD. This was the easy bit.

After this I tried to bind them to the AD and OD. I run a script through ARD. unfortunately each machine had an issue where they all thought they were the same. It turned out to be the local kerberos db that was the issue. So to disable this you need to run the command

Code:

sudo dscl /local/default delete /Config/kerberosKDC

This should remove the local kdc and also remove the duplicate machine issue when trying to bind to the OD.

I also had an issue with binding to the AD as well. The biggest issue was that the plugin is not enabled by default when you add it via a script. You need to use the defaults write command to activate the plugin.

Code:

# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"

Code:

#convert the plist back to xml for editing
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

Code:

# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService

Code:

#I had to use these to write my search paths as the AD dscl command wouldn't take.
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "OD-Server path"
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
killall DirectoryService

After manually finding all this and then editing the plist files until i got it working, i then came across Bombich's website which had a script for Ad-binding Leopard. I have uploaded this for convenience as well.

The next major PITA was logging on remotely using the osascript command. I have still not managed to get this to work on leopard.

So these are just a few of the issues (but the main ones). If anyone has not seen these issues I would be interested to hear. Especially the last one or if you know how to get around this issue.

[kingswood]

I thought I would post my experiences I have just had when integrating 25intel iMacs into an active directory and open directory. After net-restoring the machines (eventually) I then proceeded to copy and install the required software via ARD. This was the easy bit.

After this I tried to bind them to the AD and OD. I run a script through ARD. unfortunately each machine had an issue where they all thought they were the same. It turned out to be the local kerberos db that was the issue. So to disable this you need to run the command

Code:

sudo dscl /local/default delete /Config/kerberosKDC

This joule remove the local kdc and also remove the duplicate machine issue when trying to bind to the OD.

I also had an issue with binding to the AD as well. The biggest issue was that the plugin is not enabled by default when you add it via a script. You need to use the defaults write command to activate the plugin. I will add the commands when I get to a computer as I can't remember them off the top of my head.

The next major PITA was logging on remotely using the osascript command. I have still not managed to get this to work on leopard.

So these are just a few of the issues (but the main ones). If anyone has not seen these issues I would be interested to hear. Especially the last one or if you know how to get around this issue.

Sorry to hear about all your issues with integration mate!

We bound 30 Intel iMacs running 10.5 with both AD and a 10.4-based OD server around April time this year and had no problems at all, but we didn't use a cloned image to install from. We have another 90 or so to do over the summer which will be using an image, so I will let you know how that goes.

There is reference to this issue with cloned Macs in the new 10.5 deployment guide. When a post-imaged Mac boots it should write a new Kerberos KDC configuration, making it unique on the network. The KDC information is retained (as you found out) and has to be reset post-installation. You can reset the KDC by using the following two commands:

sudo rm -fr /var/db/krb5kdc
sudo /usr/libexec/configureLocalKDC

Apple KB TS1245 covers this too.

Hope that helps- even a little?

Paul

[HodgeHi]

Thanks for the info.

When i had imaged the machines and went to bind, i was unaware that there would be any problems. Maybe i should have researched it more? But when the problem arose it was hard to pin-point the exact cause. I googled for quite a while to find out what the problem was and my brother came across the local KDC article which pointed to the local KDC possibly being the problem.

On following that i then found the command on bombich's website but the ones you post did not come up. Maybe as i said because i wasn't sure what i was looking for at the time. It's still good to know though.

You say you bound to 10.4 Tiger server. I was using 10.5.4 Server (which is OD Master). Don't know if this makes much of a difference, but the server side of things seemed to be fine generally, except the admin tools being soooo slow.

The other problem i have yet to add the commands for was the addition of the search paths for the AD and OD servers in the directory utility. This caused me a right headache.

The issue was this. When i ran the dscl command to add the AD, it said that it did not exist or something like that. But when i bound manually to the AD it used the dscl path that i was tring to add by a script??

When i managed to get the script to take on the dscl level, when i activated the AD plugin and it said:

The AD server is responding normal but the server is not in your authentication list.

So it wouldn't look for the users on the AD in the authentication process.
The only way to get around this was to run the commands in ran now shown in the original post as promised.

So a few issues found and solved but the osascript is still outstanding. Have you had any luck with this one?

[Rozzer]

Ive been having fun with the lastest version of net restore and bootpicker. But hoping tomorrow will clear that as i am imaging 120 iMacs :|

[gaz350]

wish i was imaging 120 mac's instead of the 60 pc's im doing. soooo many boxes, soooo many cables, soooooo many cable ties

[Rozzer]

Just the 35 which are new just updating the previous lot we have.

Ross