Category Archives: OS X

Building Leopard for AD/OD

Install the standard base OS X image.
Run software updates (the current image tested is using 10.5.7).
Install additional software as requested.

Via Terminal: defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
Open Accounts, Login Options, and set Display login window as to Name and Password. (I also removed the iTunesHelper app from the admin login items.)
Set the wallpaper for the admin account.
Add the tech coordinator account.
Add Keychain Access and Directory Utility to the admin toolbar.

Launch Directory Access. It should come up and say there are no directory servers. Add Active Directory. Use the standard domain (without dc1 or any other subdomain); any tech with rights can enter their own credentials for the binding. Leave the Computer ID as is; it should already have the correct workstation name from the login hook’s workstation renamer script.
Show Advanced Settings and go to Services.
Open the Active Directory entry and show the advanced options.
Select Create mobile account at login and verify that SMB is used (all others should already be checked).
Go to the Administrative tab, check Allow administration by, and add the Shop Guys group to the existing list.

Go to the LDAP entry and create a new LDAP connection, specifying the OD server. When it asks about binding, do NOT enter credentials, as we do not want to bind to the OD server; simply click Continue, then OK. Change the LDAP mappings to Open Directory Server.

For a quick check, open Keychain Access and, under the Keychain Access menu, open Kerberos Ticket Viewer; create a new ticket and enter your credentials.

Log out and log in using a Shop Guys account.
Run dsconfigad -mobileconfirm disable.

Reboot.
Log in under a test account. 🙂 You should not be prompted to create a mobile account; it should just happen.

Before imaging, unbind from AD.
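The Terminal-side steps above (the AdminHostInfo default, the Name-and-Password login window, the mobile-account options and the pre-imaging unbind) collected into one re-runnable script. This is an added example, not the district's build script: it assumes dsconfigad's -mobile, -mobileconfirm, -protocol, -groups, -show and -remove options as documented for 10.5, uses the SHOWFULLNAME loginwindow key for the Name-and-Password setting, treats the group list as a placeholder to edit, and assumes "You are not bound to Active Directory" is what dsconfigad -show prints on an unbound box. The GUI-only steps (the OD LDAP connection, the tech coordinator account, toolbar items) are not scripted.

```shell
#!/bin/sh
# Post-bind AD settings and pre-imaging unbind for the Leopard build.
# Added example; not the district's build script.  Run as root (sudo).
# DRY_RUN=1 prints each command instead of executing it, so the steps can
# be reviewed on a box that is not yet bound.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Login window: show directory status (the DSStatus value from the post) and
# require a typed name and password instead of a user list (SHOWFULLNAME).
configure_loginwindow() {
    run defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
    run defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true
}

# Active Directory plugin options, applied after a tech has bound the machine
# with their own credentials: mobile accounts created silently at login (the
# -mobileconfirm disable step from the post), SMB for the network home, and
# "Allow administration by" for the given comma-separated group list.
# "Shop Guys" is the post's group name and only a default here.
configure_ad_options() {
    groups=${1:-"Shop Guys"}
    run dsconfigad -mobile enable -mobileconfirm disable -protocol smb -groups "$groups"
}

# Pre-imaging check.  $1 is the text of "dsconfigad -show", passed in so the
# check can be exercised with constructed output.  Returns 0 while the box is
# still bound, i.e. while a master image would carry this machine's computer
# account.  The "not bound" wording is an assumption about 10.5's output.
bound_to_ad() {
    case "$1" in
        *"You are not bound to Active Directory"*) return 1 ;;
        *"Active Directory Domain"*)               return 0 ;;
        *)                                         return 1 ;;
    esac
}

# Unbind, prompting for an account that may remove the computer object.
# Runs dsconfigad directly (not through run) so DRY_RUN never echoes the
# password; note that -p still places it on the command line for the
# moment the process exists, which is acceptable for an interactive tech
# session but not for anything that logs its command lines.
unbind_before_imaging() {
    if ! bound_to_ad "$(dsconfigad -show 2>/dev/null)"; then
        echo "not bound to AD; nothing to do"
        return 0
    fi
    printf 'AD account with rights to unbind: '
    read -r ad_user
    printf 'Password: '
    stty -echo
    read -r ad_pass
    stty echo
    printf '\n'
    dsconfigad -remove -u "$ad_user" -p "$ad_pass"
}

# Usage (interactive, as root):
#   . ./leopard_ad_build.sh
#   configure_loginwindow; configure_ad_options "Shop Guys"
#   ...and just before imaging:  unbind_before_imaging
```

Sourcing the file and calling the functions one at a time keeps the GUI steps in between; DRY_RUN=1 is the way to see exactly what will be written before the box is touched.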

2009-2010 SMS Image

SMS 2009-2010 Image

Build Date: 30 Jun 2009
Created by Eric Gustafson

Imaged using Build43. Updated to 10.5.7 and all sw updates through build date. (Including Safari 4)

Local Accounts: 3 standard accounts via build 43.

Software Added (all apps current as of image build date):

  • Adobe Reader 9
  • Google Earth 5
  • Google Sketchup 7
  • Read Naturally (Connects to District server)
  • Reading Counts
  • Comic Life 1.5 (SMS Licensed)
  • Cabri II+ 1.4.2 (SMS Site License)
  • Cabri 3d 1.2.1 (SMS Site License)
  • Star Review Form.pdf (in Applications folder)
  • Perian 1.13 (see Preference Panel)

DeployStudio Setup

Overview

As designed, the setup of DeployStudio in my environment goes through the following stages:

  • Netboot (firewire or hardwired)
  • Image
  • Rename & set bind info
  • Reboot
  • Login as admin
  • Connect to wireless via 802.1x (if not hardwired)
  • Execute bind script (automatically done)

Setup

Serv2

OS: 10.5.7

  • Updating OS on server or clients MAY break binding capabilities due to Apple’s flakiness with patching the AD binding stuff.
  • Server is bound to Active Directory.
  • Deploystudio RC12 and AD/OD binding tested under 10.5.7 only.

Scripts:

In the following scripts, edit:

Replace /usr/sbin/ipconfig waitall with ping -i 10 -o xxx.xxx.xxx.xxx (the IP address of a domain controller or similar).

In the netboot image (/Volumes/RAID/Library/NetBoot/NetBootSP0/DSRuntime-v1.nb/DeployStudioRuntime.sparseimage) —

/Applications/Utilities/DeployStudio\ Admin.app/Contents/Resources/Runtime.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Scripts/Common/ds_directory_binding.sh

/Applications/Utilities/DeployStudio\ Admin.app/Contents/Resources/Runtime.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Scripts/Common/ds_active_directory_binding/ds_active_directory_binding.sh

/Applications/Utilities/DeployStudio\ Admin.app/Contents/Resources/Runtime.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Scripts/Common/ds_active_directory_binding/ds_active_directory_binding_install.sh

/Applications/Utilities/DeployStudio\ Admin.app/Contents/Resources/Runtime.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Scripts/Common/ds_open_directory_binding/ds_open_directory_binding.sh

In those same scripts, there are a few more changes relating to workstation naming:

At least one of the scripts accesses the web based workstation name database to retrieve the assigned workstation name (and suffix) according to Helpdesk.

District specific scripts

ds_sms-asr.sh — For FireWire drive images. Hardcoded asr command; the filename is specified on the Parameter line of the workflow.

ds_setcomputername.sh — Computer name query from the SPS webserver.

SetHostNames — via Bombich. Works in conjunction with ds_setcomputername.sh.

Backup

The completed scripts, netboot image, etc are stored in: //file1/techsrv/sms/

The server is set to run a sparseimage backup of itself on the 1st and 3rd Saturdays of each month at 21:30. The backup image is on its own attached RAID drives: /Volumes/Raid/backup/

Image Repository

/Volumes/Raid/Images/DS/Masters/HFS/

This is shared as //server/Images/

Issues

The server is supposedly managed through System Preferences, but we’ve had issues with this. If the repository is not accessible, try these commands:

sudo "/Applications/Utilities/DeployStudio Admin.app/Contents/MacOS/DeployStudioServerEnabler" -stop

sudo "/Applications/Utilities/DeployStudio Admin.app/Contents/MacOS/DeployStudioServerEnabler" -start

You can also try unloading and reloading the server via launchd:

sudo launchctl unload /Library/LaunchDaemons/com.deploystudio.server.plist
sudo launchctl load /Library/LaunchDaemons/com.deploystudio.server.plist

Additional Info

Followup: I’ll probably have an upcoming post on imaging..

DeployStudio

As designed, the setup of Deploystudio in my environment goes through the following stages:

Netboot (FireWire or hardwired) -> Image -> Rename & set bind info -> Reboot -> login as admin -> connect to wireless via 802.1x -> execute bind script (automatically done; see the notes below on getting the script to wait until a network connection has been established).

Notes (via KirkG) from the current install setup:

To review, we were having an issue with the ds_binding scripts on reboot as we had a self-assigned IP, and that allows the line

/usr/sbin/ipconfig waitall

in the various binding scripts to succeed and continue with the binding process – which we didn’t want as the network wasn’t really reachable.

So, instead we replaced that line with this:

ping -i 10 -o IPAddrofDomainController

which says, ping IPAddrofDomainController every 10 seconds until you get a success, then stop. We could not use a FQDN as that errors out right away. We replaced this line in these scripts in our NetBoot image:

/Applications/Utilities/DeployStudio\ Admin.app/Contents/Resources/Runtime.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Scripts/Common/ds_directory_binding.sh

/Applications/Utilities/DeployStudio\ Admin.app/Contents/Resources/Runtime.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Scripts/Common/ds_active_directory_binding/ds_active_directory_binding.sh

/Applications/Utilities/DeployStudio\ Admin.app/Contents/Resources/Runtime.app/Contents/Frameworks/DSCore.framework/Versions/A/Resources/Scripts/Common/ds_open_directory_binding/ds_open_directory_binding.sh

We did some tests today watching the console on the rebooted machines and as soon as we brought up a real network, our binding scripts launched and did their magic.
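The replacement for /usr/sbin/ipconfig waitall (described under Scripts in the DeployStudio Setup post and in KirkG's notes above), written out as a shell function rather than a single ping line. This is an added example, not KirkG's edit or DeployStudio's own script. It assumes a placeholder domain controller address of 192.0.2.10 and adds two things the one-liner lacks: an explicit check that the machine holds a real lease rather than a self-assigned 169.254.x address (the state that fooled ipconfig waitall), and a retry budget, so a machine that never reaches the network stops with a logged failure instead of looping for ever or binding blind. It uses ping -c 1, which works on both Leopard and Linux, instead of the Leopard-only -o flag; the probe command is a parameter so the retry loop can be exercised offline.

```shell
#!/bin/sh
# Network gate for the DeployStudio binding scripts (added example).
# Drop-in for the "/usr/sbin/ipconfig waitall" line: bind only once a
# domain controller actually answers, and give up after a bounded wait.

# True when $1 is a self-assigned (APIPA) address in 169.254.0.0/16, the
# case where "ipconfig waitall" reported success although nothing was
# reachable.
is_link_local() {
    case "$1" in
        169.254.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# First non-loopback IPv4 address reported by ifconfig.  Handles both the
# "inet 10.0.0.5" form (Leopard, modern Linux) and "inet addr:10.0.0.5".
primary_ipv4() {
    ifconfig 2>/dev/null | awk '/inet / {
        a = $2; sub(/^addr:/, "", a)
        if (a !~ /^127\./) { print a; exit }
    }'
}

# A real lease: some address, and not a self-assigned one.
has_routable_addr() {
    addr=$(primary_ipv4)
    [ -n "$addr" ] && ! is_link_local "$addr"
}

# Probe HOST once every INTERVAL seconds until it answers or MAX_TRIES probes
# have failed.  $4 is the probe command (default "ping -c 1"); it is a
# parameter only so the loop can be tested without a network.
wait_for_host() {
    host=$1
    interval=${2:-10}
    max_tries=${3:-60}
    probe=${4:-"ping -c 1"}
    tries=0
    while [ "$tries" -lt "$max_tries" ]; do
        if $probe "$host" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$interval"
    done
    return 1
}

# The gate itself.  Returns 0 only when it is safe to continue with the bind.
# $1 is the domain controller's IP (an FQDN fails immediately on the rebooted
# box, as KirkG found); 192.0.2.10 is a placeholder.
wait_for_directory() {
    dc=${1:-192.0.2.10}
    # Phase 1: wait (up to 10 minutes) for a real lease.
    tries=0
    while ! has_routable_addr; do
        tries=$((tries + 1))
        if [ "$tries" -ge 60 ]; then
            echo "ds_binding: no routable address after 10 minutes, bind aborted" >&2
            return 1
        fi
        sleep 10
    done
    # Phase 2: wait (up to 10 minutes) for the directory server to answer.
    if wait_for_host "$dc" 10 60; then
        echo "ds_binding: $dc reachable, continuing with bind" >&2
        return 0
    fi
    echo "ds_binding: $dc unreachable after 10 minutes, bind aborted" >&2
    return 1
}

# In ds_directory_binding.sh and the AD/OD binding scripts, replace
#     /usr/sbin/ipconfig waitall
# with
#     wait_for_directory 192.0.2.10 || exit 1
```

The `|| exit 1` matters: the original failure mode was a binding step that ran without a network, so the gate has to abort the script on timeout rather than fall through, and the two log lines on stderr are what to look for in the console when watching a rebooted machine.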

Imaging from a FireWire Drive

Copied DeployStudio Admin from the server (Utilities folder) to the FireWire drive.

Booted from the FW drive for additional setup. Ran DS Admin/DS Runtime and connected to http://server.xxx.xxx.edu:60080

Workflows from the server appeared. A few hacks to access an image on the FW drive are out there, but none have worked for me so far (editing the workflows plist, creating a symbolic link on top of the HFS folder which points to your FireWire drive).

From the forums, re: setting up as 100% FireWire:

If you don’t already have a bootable FireWire drive,

Boot computer with Mac OS X install DVD and install onto external hard drive
Re-boot computer from external hard drive
Do necessary “personalization” setup for Mac OS X

then on to DS..

Install DeployStudio Server on external hard drive
Go into System Preferences and turn DeployStudio Server On
(this will give the server address – which you can change to http://127.0.0.1:60080 – for simplicity and in case IP Address changes)

If anyone has suggestions, feel free…

Movie Publishing for the Web on a Mac

iMovie ’08

With your edited and finished movie in iMovie ’08: go to Share, Export Using QuickTime.

Exporting/Sharing a movie with iMovie (& iMovie HD)

[Embedded video: Evening Fireworks, Walt Disney World, Florida, March 2008]

In the Export selection box, make sure it says Movie to QuickTime Movie and pick Streaming – Medium in the Use selection box. Finally, click Save.

With your edited and finished movie in iMovie ’08: go to Share, then Share…

Choose the Expert Settings and click on the Share button.

That brings us to the settings options. For the best overall size-to-quality ratio for the web, choose Streaming – Medium.

All that’s left is to pick where you want to save the file (in this example it’s being saved to the Desktop) and click the Save button.

iWeb ’08

Open iWeb and create a new page if you wish (I used the Movie template). Open Finder and drag the exported movie from Finder to your webpage in iWeb. When you publish your website, the movie will be transferred appropriately — there is no special file copying or anything else necessary.

Continue the publishing process using iWeb (see below).

iMovie HD

Eric “Gus”tafson

(With apologies for the formatting. My original was a standard webpage, not a blog post, and I did a quick copy/paste and minor reformatting. The original iWeb document was at http://people.sps.lane.edu/eric.gustafson/web/Movie_Publishing.html)

Leopard client with AD Binding & OD Preferences

Partial notes:

  • Laptop built using district build 34 and all updates to 10.5.6 (including software).
  • Bound to AD.
  • 802.1x configuration created as a Login Window profile with blank username/password for the district wireless network.
  • dc1 cert stored in the keychain as part of a default Login profile.
  • Enabled the network connection radio button/icon for the login window. It is configured in /Library/Preferences/com.apple.loginwindow; the option is AdminHostInfo = DSStatus. It can be set in Terminal via:
  • defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus

The account appears as Networked, Managed on my current build box. I’m not sure yet why it’s appearing as a Managed account, as the username tested is only in Domain Users and not one of the groups managed via OD.

Notes:

    Troubleshooting:

  • /Library/Preferences/edu.mit.Kerberos – shows the last binding
  • Open Keychain Access and create a new Kerberos ticket to verify secure connection capability.
  • /Library/Preferences/com.apple.loginwindow.plist — shows the exported/current 802.1x config

    from http://support.apple.com/kb/HT3326

    Login Window Mode: This mode is called Login Window because the 802.1X session originates from the login window using credentials entered at the login window. The same credentials are used to both authenticate to the network and authenticate the user to a directory service.

    At the login screen, one enters a name and password. If LoginWindow can’t find a local user account with that name, it initiates an 802.1X session using the same name and password and in the case of an 802.11 network, it associates to the wireless network. After the 802.1X authentication completes, LoginWindow authenticates the user against the directory service. If that authentication succeeds, the user is logged in.

    When the user logs out, LoginWindow checks whether the 802.1X session is one that it started, and if so, it stops the 802.1X session, and if an 802.11 network, disassociates from the network.

    If no one is logged in, no 802.1X session is running, and no 802.11 network will be joined. The Mac is not available on the authenticated network.

If a laptop is bound to both AD and OD, any Domain Users account may log in so long as Dial-In is allowed (and not following the current NPS settings). The user account does not receive any mappings and has full use of the system as a standard user.