Project to resolve the bind/unbind problem with our MacOSX labs

Master ST item

Edward, Stephen, Trevor


  • client-side
    • dsconfigad -show
    • script location: /Users/cscfadm/Documents

  • server-side
    • dsquery ...

remote execution

  • on Mac clients via ssh
    • non-root
    • only iMac300 and up have the cscf.cs root public key in cscfadm
      • ssh -l cscfadm imacNNN
      • must log in locally to get a root shell (via sudo)

  • on Mac clients via ARD
    • requires licensed software; runs only on a Mac

  • on Windows AD server
    • sshd running on canadenis, credentials not obvious

solutions to try

  1. Edward
    1. dsconfigad -passinterval
    2. debug option
  2. Stephen
    1. deploystudio bind function
  3. trg
    1. remote root execution on Mac clients


  • Progress reports
    • Stephen
      • DeployStudio documentation: the bind option is only applied when images are being created.
      • asked Apple for pointers to documentation
      • on a Mac client, observed it talking to the Kerberos KDC via port 749
        • appears that we do not define this port on the mac clients (we do appear to use 88 & 464)
        • test this asap
      • ARD remote desktop login
        • observed a change in the login herald: used to say "cs-teaching", now says "empire"
      • we appear to be binding everything to canadenis, despite the fact that there are three ADs
        • we appear to be binding to different servers for the Kerberos realms
        • the mac clients are bound to all three kerberos realms (CS.UWATERLOO.CA, STUDENT.CS.UWATERLOO.CA, CSCF.UWATERLOO.CA)
          • imacNNN> dscl . -read /Config/Kerberos:
        • should we partition the AD binding target like we did for linux.student (1/3 of clients to each of the three AD servers)?
    • Edward
      • mc3004 set to "passinterval 0"; done on 2012-12-5 -- check back on Thursday 2012-12-20
      • still to try debug option
    • trg
      • confirmed approach: passwordless sudo entries for restricted commands
      • test permission inheritance for commands in scripts
    • other discoveries

  • action items
    • Edward:
      • look at Lingon for managing cron
      • use ARD to copy the root@cscf.cs public key to systems where it is missing (to /Users/cscfadm/.ssh/)
      • test binding a couple of systems to eponina instead
    • Stephen
      • test port specifications
      • discuss with Clayton
        • why the three KDC definition?
        • and issues with using the three student AD controllers "1/3 mode"
    • trg
      • set up root access from root@cscf.cs to cscfadm@imacNNN for a passwordless restricted command set


  • Progress reports
    • trg
      • minor progress on root command stuff -- subtle merging of permissions
    • Edward
      • mc2062 & mc2063 - single script to do unbind+bind
      • test using eponina worked
    • Stephen
      • scripting
        • scripts to drive ARD
        • use scsmac15 to send commands to Mac systems
          • ssh to scsmac15 -> ardscript -> client Macs
        • use applescript or whatever on the client
  • Action items
    • trg
      • continue root access stuff
      • start looking at cron/launchctl
      • set up a cron entry to do a `dsconfigad -show`
    • Edward
      • get the cscf.cs root public key distributed
      • test the third AD controller cyana
      • develop scripts as a pair
      • add fault tolerance for AD communication failure
      • add auto-rotate "mod three trick" based on system name
    • Stephen
      • look into global catalog effect
      • check on firewall port issue
      • check on mc3004 (14 day period elapses on the 19th); it was bound with "passinterval=0"
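As an added example (not a script from these notes), a sh script that combines the "mod three trick" and the fault-tolerance action items: it picks one of canadenis/eponina/cyana from the client's numeric suffix modulo three, then does the unbind+bind with dsconfigad and walks through the other two controllers if the preferred one fails. The controller order, the AD domain and the join-account variables are assumptions/placeholders.

```shell
#!/bin/sh
# Added example: "mod three" controller selection plus unbind/rebind with fallback.
# Controller names are from the notes; their order, the domain and the join
# account are assumptions/placeholders.
set -u
AD_SERVERS="canadenis eponina cyana"          # indices 0, 1, 2 (order assumed)
AD_DOMAIN="${AD_DOMAIN:-ad.example.invalid}"  # placeholder domain
BIND_USER="${BIND_USER:-bindaccount}"         # placeholder join account
BIND_PASS="${BIND_PASS:-}"                    # pass via environment, not argv

# numeric suffix of a host name (imac300 -> 300, mc3004 -> 3004); 0 if none
host_number() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g; s/^0*//')
    echo "${n:-0}"
}

# word at a 0-based index in AD_SERVERS
server_at() {
    idx=$1; set -- $AD_SERVERS; shift "$idx"; echo "$1"
}

# preferred controller: host number modulo three
pick_ad_server() {
    server_at $(( $(host_number "$1") % 3 ))
}

# full rotation starting at the preferred controller, e.g. "eponina cyana canadenis"
rotation_for() {
    start=$(( $(host_number "$1") % 3 ))
    echo "$(server_at "$start") $(server_at $(( (start + 1) % 3 ))) $(server_at $(( (start + 2) % 3 )))"
}

# one unbind+bind attempt pinned to a single controller (flags as in dsconfigad(8))
try_bind() {
    dsconfigad -remove -force -username "$BIND_USER" -password "$BIND_PASS" >/dev/null 2>&1
    dsconfigad -add -domain "$AD_DOMAIN" -server "$1" -computer "$2" \
        -username "$BIND_USER" -password "$BIND_PASS" -force
}

# fault tolerance for AD communication failure: walk the rotation until one binds
rebind_with_fallback() {
    for s in $(rotation_for "$1"); do
        try_bind "$s" "$1" && { echo "bound $1 to $s"; return 0; }
        echo "bind to $s failed, trying next controller" >&2
    done
    return 1
}

if [ "${1:-}" = "--rebind" ]; then rebind_with_fallback "$(hostname -s)"; fi
```

Run it as `sh rebind.sh --rebind` on the client; without the flag it only defines the functions, so the selection logic can be checked without touching the binding.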
Topic revision: r6 - 2013-11-13 - BillInce