jasonthat (14th July 2009)
I am trying to use this script for binding mac clients (10.5.7) to AD and OD (10.5.7) to be included in the master image. However the script keeps giving me this error most of the time (works rarely):
attribute status: eDSNodeNotFound
DS Error: -14008 (eDSNodeNotFound)
Strange thing is that it works sometimes, like when I make some small changes to the script, save it and run again through the terminal, on the exact same computer that it doesn't work. The binding to both AD & OD works fine though - it is only the search path for AD that does not get added automatically. HELP!
Here is the script I am using:
Could someone please tell me what's wrong with this script? Have been trying to fix it for so long but just can't seem to get this working properly. Thanks.
Code:
#!/bin/sh
# Give the network time to come online
logger "Sleeping 30 seconds"
sleep 30
systemsetup -setusingnetworktime off
systemsetup -setnetworktimeserver myAD.com
systemsetup -setusingnetworktime on
# Set Bonjour and Computer Names
logger "Setting Bonjour and Computer Names"
computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }' | cut -c 7-19` # last 6 digits of the MAC address
computerid2="""$computerid" # empty prefix followed by the MAC suffix
logger "Computer name is $computerid2"
scutil --set LocalHostName "$computerid2"
scutil --set ComputerName "$computerid2"
sleep 3
computerid=`/usr/sbin/scutil --get LocalHostName`
# Standard parameters
domain="myAD.com"
udn="myAD admin"
password="myAD password"
ou="CN=Computers,DC=myAD,DC=com"
la="local administrator"
lp="local password"
# Advanced options
alldomains="enable"
localhome="disable"
protocol="smb"
mobile="disable"
mobileconfirm="disable"
useuncpath="enable"
user_shell="/bin/bash"
preferred="-nopreferred"
admingroups="myAD\Domain Admins,myAD\Enterprise Admins"
### End of configuration
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
sleep 20
# Bind to LDAP (multi-word placeholder values must be quoted or they are split into several arguments)
dsconfigldap -v -f -a myOD.com -c "OD_$computerid" -n "myOD" -u "myOD admin" -p "myOD password" -l "local administrator" -q "local password"
sleep 10
# Bind to AD
dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou" -la "$la" -lp "$lp"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
else
    dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService
# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
else
    csp="/Active Directory/$domain"
fi
dscl /Search -read
dscl /Search -create / SearchPolicy CSPSearchPath
dscl "Active Directory/All Domains" -list /Computers > /dev/null
dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
dscl /Search -append / CSPSearchPath /LDAPv3/myOD.com
dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
# This works in a pinch if the above code does not
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/LDAPv3/myOD.com"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
defaults write /Library/Preferences/DirectoryService/ContactsNodeConfig "Search Policy" -int 3
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
# Exit
exit 0
Not sure about errors in the script, it's a bit over my head unfortunately.
However, have you considered DeployStudio for imaging? The creation of a workflow with the OD and AD binding is incredibly simple. It's basically a case of pointing it to the right server(s) and giving it the correct admin credentials.
jasonthat (14th July 2009)
Thanks skawarrior. Never mind, I figured it out. It might have been because I did not add "sudo" to the dscl commands (that's strange even though we run the script as root) and also corrections to the writing of the SearchNodeConfig.plist files - we do not need to add LDAP search paths in there. These are the corrections that had to be made to the script (if it will help anyone):
Code:
# Add LDAPv3 to od server
odcsp="/LDAPv3/$odserver"
# Bind to OD
sleep 10
dsconfigldap -v -f -a "$odserver" -n "$odserver" -c "OD_$computerid" -u "$odudn" -p "$odpassword"
sleep 20
sudo dscl "/Active Directory/All Domains" -list /Computers > /dev/null
sleep 10
sudo dscl /Search -append / CSPSearchPath "$csp"
sudo dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
sudo dscl /Search/Contacts -append / CSPSearchPath "$csp"
sudo dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
sudo dscl /Search -append / CSPSearchPath "$odcsp"
sudo dscl /Search/Contacts -append / CSPSearchPath "$odcsp"
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall DirectoryService
Yes, we have very much been looking into the possibility of using DeployStudio for our imaging, but it has been put on the back burner for now, since we haven't had enough time to test it out before the start of the academic year. Thanks again for the reply!
Hey Jasonthat, I found your binding script and am very interested... I am currently trying to apply your script to our environment but I was wondering if you had the completed script with corrections? I couldn't figure out where you defined $odserver, $odudn, etc in your script. Would you be able to share your script?
Sure no problem. Here you go:
Code:
#!/bin/sh
# Give the network time to come online
logger "Sleeping 30 seconds"
sleep 30
systemsetup -setusingnetworktime off
systemsetup -setnetworktimeserver myAD.com
systemsetup -setusingnetworktime on
# Set Bonjour and Computer Names
logger "Setting Bonjour and Computer Names"
computerid=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }' | cut -c 7-19` # last 6 digits of the MAC address
# Replace the placeholder with your own (optional) prefix; LocalHostName allows only letters, digits and hyphens
computerid2="(Optional)Prefix for computer name""$computerid"
logger "Computer name is $computerid2"
scutil --set LocalHostName "$computerid2"
scutil --set ComputerName "$computerid2"
sleep 3
# Standard parameters
domain="myAD.com"
udn="AD Administrator"
password="AD password"
odudn="OD Administrator"
odpassword="odpassword"
ou="CN=Computers,DC=myAD,DC=com"
odserver="myOD.com"
# Advanced options
alldomains="enable"
localhome="disable"
protocol="smb"
mobile="disable"
mobileconfirm="disable"
useuncpath="enable"
user_shell="/bin/bash"
preferred="-nopreferred"
admingroups="myAD\Domain Admins,myAD\Enterprise Admins"
packetsign="allow"
packetencrypt="allow"
namespace="domain"
### End of configuration
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
# Bind to AD (quote the user name: it contains a space)
dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
else
    dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred -packetsign $packetsign -packetencrypt $packetencrypt \
    -namespace $namespace
# Bind to OD
sleep 10
dsconfigldap -v -f -a "$odserver" -n "$odserver" -c "OD_$computerid" -u "$odudn" -p "$odpassword"
sleep 20
# Restart DirectoryService
killall DirectoryService
# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
else
    csp="/Active Directory/$domain"
fi
sudo dscl "/Active Directory/All Domains" -list /Computers > /dev/null
sleep 10
sudo dscl /Search -append / CSPSearchPath "$csp"
sudo dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
sudo dscl /Search/Contacts -append / CSPSearchPath "$csp"
sudo dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
# Add LDAPv3 to od server
odcsp="/LDAPv3/$odserver"
sudo dscl /Search -append / CSPSearchPath "$odcsp"
# This works in a pinch if the above code does not
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
#defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
#plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
#killall DirectoryService
Now there is a possibility that this script might sometimes not work for you, as I have seen that scripts that work for others do not work for me and I end up modifying them (the above is originally from Bombich's binding script). It all depends on your setup environment, what you are trying to achieve and sometimes different versions of the components involved in the "triangle" setup. Are you trying to manage your Mac machines, and do you plan to apply MCX policies on computer-based groups or just user-group policies? Anyway, if it helps, I will just tell you a bit about my setup:
- Initially, only an AD server (Win 2k3) on the network and later on, we decided to setup a Mac OS X server(Leopard 10.5.7) - Done by joining the AD domain first and promoting to OD master later (guessing you have covered all the AD & OD setup topics properly)
- The Search policies on OD master is in the order - OD first & AD second under Authentication and under Contacts, only the AD entry. While it is exactly the opposite on the client machines, i.e, AD first & OD second under Authentication and only AD entry under Contacts tab.
Also to note, using the above script, I bind clients to the AD first & then OD - the reason for this is that while I had tried both ways, it seems the "Other" option at the login window, for domain users to log in, took more time to show up (approx. 5-6 seconds) when I do an OD bind first, whereas it takes only 1-2 seconds for the "Other" option to show up when I do the AD bind first. Anyway, see what works for you.
- One change that you would need to make to the above script is the dsconfigldap -f switch, depending on whether you need authenticated or unauthenticated binding. If unauthenticated, replace in script with something like this:
Code:
# Bind to OD
sleep 10
dsconfigldap -v -a "$odserver" -n "$odserver" -c "OD_$computerid"
sleep 20
Again, this needs to be decided based on what you plan to do with MCX policies.
I know for me doing an unauthenticated bind on clients works perfectly (some tell otherwise) for applying user-group based policies whereas if you are thinking about computer-based policies, you might need to think about authenticated binding which makes the computers show up automatically in Workgroup manager.
Of course, there are ways to get around this so as to make the computers show up in WGM like manually adding the computers in WGM along with their mac addresses by either typing each one individually or using scripts to add them to WGM Computer Groups. But I prefer not to go much in that direction just because I am not in favor of it.
- Another interesting observation that I found along the way is the fact of running the script (through ARD) on clients over a wired or wireless connection. This is also related to the authenticated/unauthenticated binding - it seems that when I have the -f switch in there and run it wirelessly, it gives out the dscl errors and fails binding to OD most of the time. Running over wired, the script works like a charm for all the machines.
On the other hand, if you remove the -f switch (unauthenticated) it works properly on both wired and wireless. This might have something to do with Apple's binding technology looking only for an ethernet MAC address, or simply put, just don't bind wirelessly.
Long story short, see how the script works out for you - I use it both as a login hook on master images and ARD. If you are using ARD, you could just rename the computers there itself and do not need the "#Set Bonjour and Computer Names" and replace with
Code:
## Host-specific parameters
computerid=`/usr/sbin/scutil --get ComputerName`
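As an added check (example code written for this thread, not from any poster or from Bombich's script), the following verifies the client-side search-path layout described in the post above: custom policy, AD first then OD under Authentication, AD only under Contacts. It assumes the `dscl /Search -read` output format shown in the constructed samples; on a real client you would pipe the live dscl output in instead.

```shell
#!/bin/sh
# Added example: check a client's directory search path against the expected
# layout. The dscl output below is constructed; on a 10.5 client it would come
# from `dscl /Search -read / SearchPolicy CSPSearchPath` (and the same for
# /Search/Contacts). dscl is assumed to list values one per indented line
# when any value contains a space, and space-separated on one line otherwise.
SAMPLE_AUTH='SearchPolicy: dsAttrTypeStandard:CSPSearchPath
CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains
 /LDAPv3/myOD.com'

SAMPLE_CONTACTS='SearchPolicy: dsAttrTypeStandard:CSPSearchPath
CSPSearchPath:
 /Local/Default
 /BSD/local
 /Active Directory/All Domains'

# Print the CSPSearchPath values from dscl output on stdin, one per line.
extract_csp() {
    awk '
        /^CSPSearchPath:/ { inlist = 1; for (i = 2; i <= NF; i++) print $i; next }
        inlist && /^ /    { sub(/^ /, ""); print; next }
                          { inlist = 0 }
    '
}

# check_search_path NODE...: read dscl output on stdin; return 0 only when the
# policy is the custom path, every NODE is present, and they appear in the
# given order (AD before OD, for example). Each failure is reported.
check_search_path() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^SearchPolicy: dsAttrTypeStandard:CSPSearchPath$' \
        || { echo "search policy is not the custom path"; return 1; }
    nodes=$(printf '%s\n' "$out" | extract_csp)
    last=0
    for want in "$@"; do
        pos=$(printf '%s\n' "$nodes" | grep -n -x -F -- "$want" | head -n 1 | cut -d: -f1)
        [ -n "$pos" ] || { echo "missing node: $want"; return 1; }
        [ "$pos" -gt "$last" ] || { echo "node out of order: $want"; return 1; }
        last=$pos
    done
}

# has_node NODE: 0 when NODE is in the search path read from stdin
# (used to confirm Contacts does not carry the OD node).
has_node() {
    extract_csp | grep -q -x -F -- "$1"
}

# Run on the constructed samples.
printf '%s\n' "$SAMPLE_AUTH" | check_search_path "/Active Directory/All Domains" "/LDAPv3/myOD.com" \
    && echo "Authentication search path OK"
printf '%s\n' "$SAMPLE_CONTACTS" | check_search_path "/Active Directory/All Domains" \
    && ! printf '%s\n' "$SAMPLE_CONTACTS" | has_node "/LDAPv3/myOD.com" \
    && echo "Contacts search path OK"
```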
Thanks for the help!!
Our setup is pretty much the same albeit a bit larger, we have 2 sites with 4 win2k3 DC's and 5 mac servers (ODM/ODR/Wiki/Sandbox/SIU&SUS) split up on each. My directory settings for the ODM/R and clients are exactly as you specified and I have been applying MCX to computer groups. The first set of laptops I imaged, I had to manually bind to OD because I could only get the bombich script to bind to AD through ARD.
This is round 2, so I will let you know how the script goes and if I had to make any changes.
Again, thank you for the response!
The script works great! Thanks!
The only change I needed to make was for the name of the computer: since I have a tab-delimited text file of each laptop's MAC address and computer name, I have them named as part of the workflow. I had to use the "LocalHostName" instead of the ComputerName.
Other than that, there were no major changes! Worked great from ARD with a wired connection!
Code:
## Host-specific parameters
computerid=`/usr/sbin/scutil --get LocalHostName`
sleep 3
emamjomeh - good to hear that it worked for you. Yeah, we really couldn't do the text file thing for computer assignment using MAC addresses, since our laptop distribution method is a mess. Our boss has his own way of doing things!
Hey all,
I have made a great little script which will reset your time settings to make sure you have no time sync issues and then clean out any existing settings to make sure there are no conflicting settings. Then it joins your computers to Open Directory and Active Directory.
Hope it helps.
Code:
#!/bin/sh
#####################################
# Created by Ross Hamilton
# Clock restart / Remove existing settings
# Join to Open Directory and Active Directory
#
#####################################
# Restart ntpdate
# rc.common is assumed to provide GetPID and CheckForNetwork, as it does for StartupItems
. /etc/rc.common
StartService ()
{
    if [ "${TIMESYNC:=-YES-}" = "-YES-" ] &&
       ! GetPID ntpd > /dev/null; then
        CheckForNetwork
        if [ -f /var/run/NetworkTime.StartupItem -o "${NETWORKUP}" = "-NO-" ]; then exit; fi
        touch /var/run/NetworkTime.StartupItem
        echo "Starting network time synchronization"
        # Synchronize our clock to the network's time,
        # then fire off ntpd to keep the clock in sync.
        ntpdate -bvs
        ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
    fi
}
StartService
# Remove existing settings (rm -Rf is quiet when nothing matches)
logger "Removing existing DS Config"
rm -Rf /Library/Preferences/DirectoryService/ActiveDirectory*
rm -Rf /Library/Preferences/DirectoryService/DSLDAPv3PlugInConfig*
rm -Rf /Library/Preferences/DirectoryService/SearchNode*
rm -Rf /Library/Preferences/DirectoryService/ContactsNode*
rm -Rf /Library/Preferences/edu.mit.Kerberos
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService
# Bind machine to OD
dsconfigldap -v -sgme -a MACSERVERNAME # fully qualified DNS name of Mac server
computerid=`/usr/sbin/scutil --get ComputerName`
# Standard parameters
domain="DOMAIN.COM" # fully qualified DNS name of Active Directory Domain
udn="DOMAIN USERNAME" # username of a privileged network user
password="PASSWORD" # password of a privileged network user
ou="CN=Computers,DC=DOMAIN,DC=COM" # Distinguished name of container for the computer
# Advanced options
alldomains="enable" # 'enable' or 'disable' automatic multi-domain authentication
localhome="disable" # 'enable' or 'disable' force home directory to local drive
protocol="smb" # 'afp' or 'smb' change how home is mounted from server
mobile="disable" # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable" # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="enable" # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash" # e.g., /bin/bash or "none"
preferred="-nopreferred" # Use the specified server for all Directory lookups and authentication
# (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="" # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")
# Login hook setting - specify the path to a login hook that you want to run instead of this script
### End of configuration
# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
sleep 5
# Bind to AD (quote the user name: the placeholder contains a space)
dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"
# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
    dsconfigad -nogroups
else
    dsconfigad -groups "$admingroups"
fi
dsconfigad -alldomains $alldomains -localhome $localhome -protocol $protocol \
    -mobile $mobile -mobileconfirm $mobileconfirm -useuncpath $useuncpath \
    -shell $user_shell $preferred
# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService
# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
    csp="/Active Directory/All Domains"
else
    csp="/Active Directory/$domain"
fi
sleep 5
# This works in a pinch if the above code does not
# (fill in the second path with the LDAP node name of your Mac server)
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "$csp" "/LDAPv3/FILL IN MAC SERVER LDAP"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
dsconfigad -passinterval 0
sudo killall DirectoryService
Ross
I can't figure this out, can someone point me in the right direction?
I copy and paste the script above into apple script editor, and cannot save it. I get syntax errors, etc. What do I need to do to test one of these scripts? I need to bind 200 Macbooks to OD asap.
Any help would be appreciated!
You would be best to use ARD to send out the command to all of the laptops at once.
Get the laptops all set up and connected to the network and then use the Unix tool in ARD.
To do this copy the script above (edit to your own requirements) and then select all of the laptops from the list of available computers and then click on the Unix option. A dialog box should pop up. In the top half is where you would paste the script and the lower half should show all of the machines that you wish to send the script out to. You may also want to specify the root user instead of the current console user.
If you don't have ARD then to be honest the task is going to be more difficult. The script above is for terminal not an apple script. You may be able to call it using Applescript. What you could do in that respect is copy the binding script and the applescript app over to the clients you wish to bind and then run the apple script app or using SSH, copy the bind script over and then run it manually one at a time. But then doing that you may as well just use ARD in the first place.
Once again, if you don't have ARD then I would seriously recommend that you do get a copy. The difference this makes in managing Apple machines is massive. Also, it is not overly expensive for an educational license. An unlimited client license comes in at around £230?
Last edited by HodgeHi; 31st August 2010 at 06:41 PM.