AD Plugin Join Replication Issues

I was getting random AD plugin connection issues after joining to Active Directory. dsconfigad showed no errors, but sometimes I would not get a connection and I would have to rejoin. The problem turned out to be related to replication.

The AD plugin initially has no knowledge of which AD site and domain controllers are local to your subnet, so it discovers any available domain controller and contacts it to look up the site information. During this process, and in general, the AD plugin keeps an LDAP connection open to that domain controller and prefers to reuse it, presumably for performance reasons. When it is time to actually add the computer to the domain, the AD plugin reuses this existing connection. The problem is that this domain controller is not necessarily one within your AD site.

At this point, if the Mac is restarted or DirectoryService is killed, any new connections will be made to a DC in the subnet’s AD site, but if your computer was added to a non-local DC, the local DCs may have no knowledge of your computer because the computer account has not yet replicated to them.

This problem can appear quite random, because sometimes you will get a local DC for the join, or you will catch replication at the right time. You might also see bad password errors in the DirectoryService debug logs, since a local DC may still hold the old computer account from a previous join. I have filed a bug report on this, and I don't have a good workaround for now other than: don't reboot or restart DirectoryService right after a join. Of course, if you know your replication schedules, you can wait until you are sure replication has completed.

This same issue can present itself with unjoins and rejoins.

You can see which domain controller you are connecting to during the join with the following shell loop, assuming you are joining with dsconfigad. It prints each established LDAP connection (netstat shows the peer host) together with the running dsconfigad process:

while true; do if netstat -a | grep ldap | grep ESTAB; then ps auxww | grep '[d]sconfigad'; date; fi; sleep 1; done

If you have joined, unjoined and rejoined and suspect replication issues, compare the whenCreated attribute of the computer account on each domain controller with ldapsearch (the computer object's CN is the name you joined with):

ldapsearch -LLL -x -W -H ldap://domaincontrollerfromsite1.subdomain.forest.com -D username@subdomain.forest.com -b "OU=Computers,DC=subdomain,DC=forest,DC=com" "(cn=machine-join-name)" whenCreated

Repeat the query against a domain controller in each site and compare the timestamps. Note that -x -W is a simple bind, which sends your password in the clear unless you add -ZZ (StartTLS) or bind to an ldaps:// URI.

If an older, out-of-sync computer account still exists on a domain controller, its whenCreated value will differ from the one on the domain controller the computer was just added to, until the last join has replicated to every server.
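The comparison above can be automated. The following Python script is an added example, not code from the original post: it parses the LDIF that ldapsearch prints on several domain controllers, compares each whenCreated value, and reports which DCs still hold a stale account and which have no account at all. The DC host names, the computer name mac-0042 and the LDIF samples are constructed for the demonstration; query_dc shows the ldapsearch command line it assumes for a live run.

```python
"""Compare whenCreated of a computer account across domain controllers to see
whether the last join has replicated everywhere.

Added example, not code from the original post.  The SAMPLE data below is
constructed: dc1 holds the fresh account, dc2 still has the pre-rejoin one,
dc3 has not received anything yet.
"""
import base64
import subprocess
from datetime import datetime

SAMPLE = {
    "dc1.subdomain.forest.com": (
        "dn: CN=mac-0042,OU=Computers,DC=subdomain,DC=forest,DC=com\n"
        "whenCreated: 20080415120000.0Z\n\n"
    ),
    "dc2.subdomain.forest.com": (
        "dn: CN=mac-0042,OU=Computers,DC=subdomain,DC=forest,DC=com\n"
        "whenCreated: 20080401090000.0Z\n\n"
    ),
    "dc3.subdomain.forest.com": "",          # no entry returned at all
}


def parse_ldif(text):
    """Return a list of entries (dict attr -> [values]) from LDIF text.
    Unfolds continuation lines and decodes base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def when_created(text):
    """whenCreated of the first entry as a naive UTC datetime, or None."""
    for entry in parse_ldif(text):
        for value in entry.get("whenCreated", []):
            # AD generalized time, e.g. 20080415120000.0Z (always UTC)
            return datetime.strptime(value, "%Y%m%d%H%M%S.0Z")
    return None


def replication_status(outputs):
    """Classify each DC as 'current', 'stale' or 'missing' relative to the
    newest whenCreated seen on any DC."""
    stamps = {dc: when_created(text) for dc, text in outputs.items()}
    newest = max((s for s in stamps.values() if s is not None), default=None)
    status = {}
    for dc, stamp in stamps.items():
        if stamp is None:
            status[dc] = "missing"
        elif stamp < newest:
            status[dc] = "stale"
        else:
            status[dc] = "current"
    return status


def query_dc(dc, base, bind_dn, computer_cn):
    """Run ldapsearch against one DC (assumed command line; prompts for the
    password).  -ZZ forces StartTLS so the simple-bind password is not sent
    in the clear."""
    cmd = ["ldapsearch", "-LLL", "-x", "-W", "-ZZ", "-H", "ldap://" + dc,
           "-D", bind_dn, "-b", base, "(cn=%s)" % computer_cn, "whenCreated"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Live use: outputs = {dc: query_dc(dc, base, bind_dn, "mac-0042") for dc in dcs}
    for dc, state in replication_status(SAMPLE).items():
        print("%-28s %s" % (dc, state))
```

A DC reported as "stale" still holds the computer account from an earlier join; one reported as "missing" has not received the account yet. Either way, the Mac will fail to authenticate against that DC until replication catches up.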

Fix for slow AD logins/joins caused by macAddress query

I’ve been hassling Apple about this issue for quite a while.

Apple has two workarounds for this problem:

1.) Index the macAddress attribute in AD. Even though macAddress is not part of the Computer class by default, the AD plugin queries on it during joins (to ensure the computer you are adding does not already exist) and for MCX (managed client) lookups, and a search on an unindexed attribute forces the domain controller to examine every object in the search scope. Normally I would frown on any change to AD, since enterprises do not like altering their infrastructure just to support Macs; however, supposedly in Windows Server 2008 the macAddress attribute is indexed by default, so at least there is some justification.

2.) If you’d prefer to make changes on your client machines rather than bother your AD administrators with a Mac-specific fix, remove the ENetAddress mapping from /Library/Preferences/ActiveDirectory.plist. The lines to remove look like this:

<key>1.3.6.1.1.1.1.22</key>
<string>dsAttrTypeStandard:ENetAddress</string>

The key is the OID for the macAddress attribute in AD.
The string value is the mapping to a native Open Directory attribute, which Apple calls ENetAddress.

Update:
You’ll also need to remove /Library/Preferences/DirectoryService/ActiveDirectoryDynamicData.plist as this file also contains the cached mappings.

Then killall -9 DirectoryService or reboot the machine.
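The client-side workaround can be scripted. The following Python is an added example, not Apple's code and not from the original post. The post does not say where inside ActiveDirectory.plist the mapping dictionary sits, so the script walks every dictionary in the file and deletes the OID/ENetAddress pair wherever it appears; the SAMPLE_PLIST layout is constructed for the test and is not the real file's layout. It backs up the original, rewrites it, and removes the cached ActiveDirectoryDynamicData.plist; restarting DirectoryService is left to you.

```python
"""Remove the macAddress -> ENetAddress mapping from the AD plugin's plist.

Added example, not Apple's code.  The nesting of the mapping dictionary inside
ActiveDirectory.plist is not known here, so the pair is removed at any depth.
Run as root (the files live under /Library/Preferences).
"""
import os
import plistlib
import shutil

AD_PLIST = "/Library/Preferences/ActiveDirectory.plist"
DYNAMIC_PLIST = "/Library/Preferences/DirectoryService/ActiveDirectoryDynamicData.plist"
MAC_ADDRESS_OID = "1.3.6.1.1.1.1.22"            # OID of the AD macAddress attribute
ENET_MAPPING = "dsAttrTypeStandard:ENetAddress"  # Open Directory attribute it maps to

# Constructed sample (assumed layout, for demonstration only): a mapping
# table nested inside some outer dictionary, plus one unrelated mapping.
SAMPLE_PLIST = plistlib.dumps({
    "AD Domain": "subdomain.forest.com",
    "Mappings": {
        "other-oid-placeholder": "dsAttrTypeStandard:RecordName",
        MAC_ADDRESS_OID: ENET_MAPPING,
    },
})


def strip_enet_mapping(node):
    """Delete every MAC_ADDRESS_OID -> ENET_MAPPING pair found at any depth.
    Only the exact pair is removed; the OID with another value is left alone.
    Returns the number of pairs removed."""
    removed = 0
    if isinstance(node, dict):
        if node.get(MAC_ADDRESS_OID) == ENET_MAPPING:
            del node[MAC_ADDRESS_OID]
            removed += 1
        for child in node.values():
            removed += strip_enet_mapping(child)
    elif isinstance(node, list):
        for child in node:
            removed += strip_enet_mapping(child)
    return removed


def strip_enet_mapping_bytes(data):
    """Same operation on serialised plist data (XML or binary).
    Returns (new_data, removed)."""
    obj = plistlib.loads(data)
    removed = strip_enet_mapping(obj)
    return plistlib.dumps(obj), removed


def fix_files(ad_plist=AD_PLIST, dynamic_plist=DYNAMIC_PLIST):
    """Back up ActiveDirectory.plist, rewrite it without the mapping, and
    delete the cached dynamic-data plist.  Returns the number of pairs removed."""
    shutil.copy2(ad_plist, ad_plist + ".bak")
    with open(ad_plist, "rb") as fh:
        new_data, removed = strip_enet_mapping_bytes(fh.read())
    if removed:
        with open(ad_plist, "wb") as fh:
            fh.write(new_data)
    if os.path.exists(dynamic_plist):
        os.remove(dynamic_plist)
    return removed


if __name__ == "__main__":
    n = fix_files()
    print("removed %d mapping(s); now run: sudo killall -9 DirectoryService" % n)
```

Check the .bak copy against the rewritten file before restarting DirectoryService; if the count printed is 0, the mapping was not found and nothing was changed.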

dockutil 1.0 released

As a Mac sysadmin, I’ve had the need to manipulate the dock on hundreds of systems at a time.

I used to cobble together terrible shell scripts to do the job, but now thanks to plistlib and python, plist manipulation is really easy. I am releasing this utility free under the Apache 2.0 license. Hopefully some other sysadmins will find it useful.

dockutil is a command line utility for managing Mac OS X dock items.
It can add, replace, list, move, find, and delete dock items. It supports Applications, Folders, Stacks, and URLs. It can act on a specific dock plist or every dock plist in a folder of home directories.
It is compatible with Mac OS X Tiger and Leopard.

Download dockutil here.

Here is the usage information:

usage: dockutil -h
usage: dockutil --add (path to item) | (url) [--label (label)] [ folder_options ] [ position_options ] [ plist_location_specification ]
usage: dockutil --remove (dock item label) [ plist_location_specification ]
usage: dockutil --move (dock item label) position_options [ plist_location_specification ]
usage: dockutil --find (dock item label) [ plist_location_specification ]
usage: dockutil --list [ plist_location_specification ]

position_options:
--replacing (dock item label name) replaces the item with the given dock label or adds the item to the end if item to replace is not found
--position [ index_number | beginning | end | middle ] inserts the item at a fixed position: can be an position by index number or keyword
--after (dock item label name) inserts the item immediately after the given dock label or at the end if the item is not found
--before (dock item label name) inserts the item immediately before the given dock label or at the end if the item is not found
--section [ apps | others ] specifies whether the item should be added to the apps or others section

plist_location_specifications:
(path to a specific plist) default is the dock plist for current user
(path to a home directory)
--allhomes attempts to locate all home directories and perform the operation on each of them
--homeloc overrides the default /Users location for home directories

folder_options:
--view [grid|fan|list|automatic] stack view option
--display [folder|stack] how to display a folder's icon
--sort [name|dateadded|datemodified|datecreated|kind] sets sorting option for a folder view

Examples:
The following adds TextEdit.app to the end of the current user's dock:
dockutil --add /Applications/TextEdit.app

The following replaces Time Machine with TextEdit.app in the current user's dock:
dockutil --add /Applications/TextEdit.app --replacing 'Time Machine'

The following adds TextEdit.app after the item Time Machine in every user's dock on that machine:
dockutil --add /Applications/TextEdit.app --after 'Time Machine' --allhomes

The following adds ~/Downloads as a grid stack displayed as a folder for every user's dock on that machine:
dockutil --add '~/Downloads' --view grid --display folder --allhomes

The following adds a url dock item after the Downloads dock item for every user's dock on that machine:
dockutil --add vnc://miniserver.local --label 'Mini VNC' --after Downloads --allhomes

The following removes System Preferences from every user's dock on that machine:
dockutil --remove 'System Preferences' --allhomes

The following moves System Preferences to the second slot on every user's dock on that machine:
dockutil --move 'System Preferences' --position 2 --allhomes

The following finds any instance of iTunes in the specified home directory's dock:
dockutil --find iTunes /Users/jsmith

The following lists all dock items for all home directories under homeloc, one per line in the form: item(tab)path(tab)section(tab)plist
dockutil --list --homeloc /Volumes/RAID/Homes --allhomes

Notes:
When specifying a relative path like ~/Documents with the --allhomes option, ~/Documents must be quoted like '~/Documents' to get the item relative to each home

Bugs:
Names containing special characters like accent marks will fail

Contact:
Send bug reports and comments to kcrwfrd at gmail.

Notes on Leopard AD Plugin 10.5.2

The Active Directory plugin is finally usable in 10.5.2, but some environments require workarounds.

1.) Your domain must resolve to the IP address of a domain controller. This was not a requirement in previous versions, but Apple is apparently making it one: they closed my bug stating that it was a configuration issue with Active Directory, since creating a domain sets up this DNS record by default. If your domain does not resolve to an IP, fix the DNS, or as a workaround edit /etc/hosts so the domain name points at one of your domain controllers. Keep in mind that the hosts entry pins the Mac to that single domain controller; if it is unreachable, the workaround fails with it.

For example, if you know you have a domain controller at 10.3.1.23 and your fully qualified domain is domain.forest.com, add this line to /etc/hosts:

10.3.1.23 domain.forest.com

2.) Allow Authentication from any domain in forest does not work. Uncheck this box in Directory Utility, or use the corresponding flag in dsconfigad. If you don't, the join may succeed, but you won't be able to look up or authenticate users, or even use dscl against Active Directory. When you uncheck this option, be sure to add the correct domains to your authentication search path under Search Policy in Directory Utility.

3.) Allow Administration by Active Directory Groups does not seem to work. In 10.4, this option appears to nest the AD group you want to allow for administration into the local admin group, so the workaround in 10.5 is to do the same nesting manually with dseditgroup:

sudo dseditgroup -o edit -a "DOMAIN\group name" -t group admin

replacing DOMAIN\group name with your domain and group that you want to give admin access.

This group nesting method gives members of your AD group admin access for both Apple’s Authorization APIs and sudo.

These workarounds got me working, logins are painfully slow, but that may be due to the hosts hack.

Update: Under 10.5.3, most of these problems are resolved. If you are still having slow logins/joins, there are possible workarounds.

No ACL granularity for Extended Attributes

Recently I thought I had a great use for extended attributes. I needed to store the time a file had been updated by my file management system without affecting the file's actual modification time. Storing this information directly in the file metadata would ensure that it would not become out of sync with some external database tracking this information.

I wanted this data to be modifiable only by a specific user or group. Unfortunately, setting an ACL on extended attributes applies to all extended attributes. I didn’t want to disallow users from setting their own extended attributes on these files and folders, so I abandoned the idea.

I wonder if we’ll ever be able to set permissions on specific attributes.

Daemons and Agents Tech Note Updated for Leopard

There are TONS of changes to the way daemons and agents are handled in Leopard.  This new Apple technical note explains a lot.  If you are having trouble running a GUI app from a script or at startup in Leopard, this is required reading. http://developer.apple.com/technotes/tn2005/tn2083.html  Thanks Quinn “The Eskimo!”

CS3 PDF Queue Stops

If print presets point to the wrong Distiller library or Distiller settings, your PDF print queue will stop or PDFs will not be created. Check com.apple.printer.custompresets.plist: convert it in place with plutil -convert xml1 ~/Library/Preferences/com.apple.printer.custompresets.plist, then correct the paths with sed. A telltale sign is that choosing Adobe PDF 8 as your printer shows only dpi under the printer-specific options, not PDF Options.