[Casper] Local KDC and imaging: Feature Request

[James Partridge]

On 16 Jun 2008, at 16:35, James Partridge wrote:

> I was wondering what strategies, if any, people were following to  
> deal with possible problems with the local KDC caused by imaging  
> 10.5 Macs and binding them to a directory service. I have in mind  
> the specific problem described at <http://support.apple.com/kb/ 
> TS1245>. Is anyone resetting the KDC with a post-flight script, for  
> example?

Hmm, an almost deafening silence on this one. Well, I wonder if it  
would be a good feature to add in to Casper to reset the LKDC at image  
creation time and/or post-imaging. Just for clarification I discussed  
this issue with someone from Apple at WWDC last week and she pointed  
out the following:

"[...] the binding to OD part is just one symptom of the problem --  
ie, they end up with the same LKDC name, and this causes problems  
binding to OD.    Even if you're not binding the machines to OD (or  
anything) you should do these steps, because if one computer is  
compromised, all computers made from the same image can be compromised  
since they all have the same certificate.  Anyone with root access on  
one machine could use the cert to access other machines imaged from  
the same image that have LKDC-based services enabled."

So given that this will affect any10.5.x image (and future OS releases  
I suspect) would a "Reset Local KDC" option up there alongside "Fix  
ByHost Files" etc. be a good idea? Apologies if this is already in  
hand or I've overlooked it somewhere.

Cheers

James


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
James Partridge
Systems Development & Support (Apple)
Oxford University Computing Service
13 Banbury Road
Oxford OX2 6NN

Tel.: (01865) 273207
iChat: james.partridge at mac.com






-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://list.jamfsoftware.com/pipermail/casper/attachments/20080617/15df3140/attachment.html