Project to resolve the bind/unbind problem with our MacOSX labs

Master ST item

84510

Meetings

2012-11-30

Edward, Stephen, Trevor

query/interrogate

• client-side
  • dsconfigad -show
  • script location: /Users/cscfadm/Documents

• server-side
  • dsquery ...

remote execution

• on Mac clients via ssh
  • non-root
  • only iMac300 and up have the cscf.cs root public key in cscfadm
    • ssh -l cscfadm imacNNN
    • must log in locally to get a root shell (via sudo)

• on Mac clients via ARD
  • required licenced software, runs only on a Mac

• on Windows AD server
  • sshd running on canadenis, credentials not obbious

solutions to try

1. Edward
   1. dsconfig -passinterval
   2. debug option
2. Stephen
   1. deploystudio bind function
3. trg
   1. root execution from root@cscf.cs.uwaterloo.ca to mac clients

2012-12-7

• Progress reports
  • Stephen
    • deployStudion documentation: bind option only applied when images are being created.
    • asked apple for pointers to documentation
    • on Mac client, talked to Kerberon DC (KDC) via port 749
      • appears that we do not define this port on the mac clients (we do appear to use 88 & 464)
      • test this asap
    • ARD remote desktop login
      • observed a change in the login herald: used to say "cs-teaching", now says "empire"
    • we appear to be binding everything to canadenis, despint the fact there there are three ADs
      • we appear to be binding to different servers for kerberos realms
      • the mac clients are bound to all three kerberos realms (CS.UWATERLOO.CA, STUDENT.CS.UWATERLOO.CA, CSCF.UWATERLOO.CA)
        • imacNNN> dscl . -read /Config/Kerberos:
      • should we partition the AD binding target like we did for linux.student (1/3 of clients to each of the three AD servers)?
  • Edward
    • mc3004 set to "passinverval 0", happened on 2012-12-5 -- check back on Thursday 2012-12-20
    • still to try debug option
  • trg
    • confirmed approach: passwordless suo entries for restructed commands
    • test permission inheritance for commands in scripts
  • other discoveries

• action items
  • Edward:
    • look at lignon for managing cron
    • use ARD to copy the root@cscf.cs public key to systems where it is missing copy the (to /Users/cscfadm/.ssh/)
    • test binding a couple of systems to eponina instead
  • Stephen
    • test port specifications
    • discuss with Clayton
      • why the three KDC definition?
      • and issues with using the three student AD controllers "1/3 mode"
  • trg * set up root access from root@cscf.cs to cscfadm@imacNNN for passwordless resrtricted command-set

2012-12-14

• Progress reports
  • trg
    • minor progress on root command stuff -- subtle merging of permissions
  • Edward
    • mc2062 & mc2063 - single script to do unbind+bind
    • test using eponina worked
  • Stephen
    • scripting
      • scripts to drive ARD
      • use scsmac15 to send commands to Mac systems
        • ssh to scsmac15 -> ardscript -> client Macs
      • use applescript or whatever on the client

• • trg
    • continue root access stuff
    • start looking at cron/launchctl
    • set up a cron entry to do a `dsconfigad -show` * Edward * get cscf.cs root public key distribute * test the third AD controller cyana * develop scripts as pair * add facult tolerance for AD communication failure * add auto-rotate "mod three trick" based on system name * Stephen * look in to global catalog efrfect * check on firewall port issue * check on mc3004 (14 day period elapses on the 19th) * were bound with "passinterval=0"