[Casper] Local KDC and imaging: Feature Request
Thomas Larkin
tlarki at kckps.org
Tue Jun 17 06:37:24 PDT 2008
Not sure if this will help, but when I was building preaction and post
action scripts for my images I ran into some bash code that I found
useful.
You can have it grab the computer name from the computer it is currently
imaging. This works out if you have already imaged and named it
beforehand, if your OD keeps track of computer names when binding to the
ODM.
An example would be
scutil --get ComputerName, so you could put that command into a variable
like
compname="scutil --get ComputerName"
then just call the $compname in the script. I found it off of either
AFP548.com or Macenterprise.org, can't remember but it was definitely on
one of those sites.
Of course this only works if you have already named the computer.
Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
cell: 913-449-7589
office: 913-627-0351
>>> James Partridge <james.partridge at oucs.ox.ac.uk> 06/17/08 4:48 AM >>>
On 16 Jun 2008, at 16:35, James Partridge wrote:
> I was wondering what strategies, if any, people were following to
> deal with possible problems with the local KDC caused by imaging
> 10.5 Macs and binding them to a directory service. I have in mind
> the specific problem described at
> <http://support.apple.com/kb/TS1245>. Is anyone resetting the KDC
> with a post-flight script, for example?
Hmm, an almost deafening silence on this one. Well, I wonder if it
would be a good feature to add in to Casper to reset the LKDC at image
creation time and/or post-imaging. Just for clarification I discussed
this issue with someone from Apple at WWDC last week and she pointed
out the following:
"[...] the binding to OD part is just one symptom of the problem --
ie, they end up with the same LKDC name, and this causes problems
binding to OD. Even if you're not binding the machines to OD (or
anything) you should do these steps, because if one computer is
compromised, all computers made from the same image can be compromised
since they all have the same certificate. Anyone with root access on
one machine could use the cert to access other machines imaged from
the same image that have LKDC-based services enabled."
So given that this will affect any 10.5.x image (and future OS releases
I suspect) would a "Reset Local KDC" option up there alongside "Fix
ByHost Files" etc. be a good idea? Apologies if this is already in
hand or I've overlooked it somewhere.
Cheers
James
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
James Partridge
Systems Development & Support (Apple)
Oxford University Computing Service
13 Banbury Road
Oxford OX2 6NN
Tel.: (01865) 273207
iChat: james.partridge at mac.com
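
A fleet check for the symptom described in the message above (machines built from one image ending up with the same LKDC name), as an added example that is not part of the original thread or of Casper. It assumes each machine's LKDC realm name has already been collected into tab-separated lines next to its computer name; the realm values are constructed placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag machines that report the same LKDC realm name.
# Assumed input format, one line per machine: "ComputerName<TAB>LKDC realm".

# Constructed sample inventory; realm values are placeholders, not real hashes.
sample_inventory() {
  printf '%s\t%s\n' \
    'lab-01'    'LKDC:SHA1.PLACEHOLDER-IMAGE-A' \
    'lab-02'    'LKDC:SHA1.PLACEHOLDER-IMAGE-A' \
    'office-07' 'LKDC:SHA1.PLACEHOLDER-IMAGE-B' \
    'lab-09'    'LKDC:SHA1.PLACEHOLDER-IMAGE-C' \
    'lab-03'    'LKDC:SHA1.PLACEHOLDER-IMAGE-A' \
    'lab-10'    'LKDC:SHA1.PLACEHOLDER-IMAGE-C' \
    'kiosk-02'  ''
}

# Reads inventory on stdin and prints "realm<TAB>count<TAB>host,host,..."
# for every realm reported by two or more machines, sorted by realm.
find_shared_lkdc() {
  awk -F '\t' '
    NF < 2 || $2 == "" { next }   # no realm recorded: nothing to compare
    {
      count[$2]++
      # Build the host list in input order.
      hosts[$2] = (count[$2] > 1) ? hosts[$2] "," $1 : $1
    }
    END {
      for (r in count)
        if (count[r] > 1)
          printf "%s\t%d\t%s\n", r, count[r], hosts[r]
    }
  ' | sort
}

# Run against the constructed sample when executed directly.
sample_inventory | find_shared_lkdc
```

Every machine listed in a group is a candidate for an LKDC reset, since the quoted advice is that machines made from the same image share the same certificate.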