[Casper] Apple releases article regarding LKDC imaging information - was: (Re: Master Image Creation Checklist)
John Wetter
john_wetter at hopkins.k12.mn.us
Fri Jan 30 12:31:13 PST 2009
Hello all,
I see that Apple has posted something on this now... It's updated in the admin tools 10.5.6 released on January 22nd.
http://support.apple.com/kb/TS1245
The article says updated in December, but I don't see how that is possible as it references things that came out on January 22nd....
A question to the JAMF folks on list is do we need to follow the last of the information on this page as though it's creating a NetInstall image, or will Composer take care of this for us in a future (or current) version? If it'll take an update, consider this a feature request.
-John
On 1/21/09 9:57 PM, "Miles Leacy" <miles.leacy at themacadmin.com> wrote:
I threw the following together after reading Rich's message. This has not been tested yet.
#!/bin/bash
##### HEADER BEGINS #####
# scr_sys_deleteLKDC.bash
#
# Created 20090121 by Miles A. Leacy IV
# miles.leacy at themacadmin.com
# Modified 20090121 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as
# this header remains intact.
#
# This script is provided "as is". The author offers no warranty or
# guarantee of any kind.
# Use of this script is at your own risk. The author takes no
# responsibility for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon,
# or any other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again. When you're certain it's ok, test
# twice more.
#
# This script deletes Leopard's Local KDC and preps the system to
# create a new one on first boot.
# Use as an "after" script in your Casper core configuration.
#
##### HEADER ENDS #####
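# $1 is the mount point of the target volume; it is quoted so that
# volume names containing spaces (e.g. "Macintosh HD") are handled correctly.
# Recreate the System keychain (-C create, -f force overwrite).
systemkeychain -k "$1/Library/Keychains/System.keychain" -C -f
# Remove the existing Local KDC database.
rm -fr "$1/var/db/krb5kdc"
# Remove the Disabled key from the configureLocalKDC LaunchDaemon.
defaults delete "$1/System/Library/LaunchDaemons/com.apple.configureLocalKDC" Disabled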
----------
Miles A. Leacy IV
Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
2009/1/21 John Wetter <john_wetter at hopkins.k12.mn.us>
Miles,
Are you just doing a destroy and rebuild in one script like this?
sudo rm -rf /var/db/krb5kdc
sudo /usr/libexec/configureLocalKDC
I'm going to have to give this a try as lately we have been seeing some issues with users not being able to log in to AD even when everything is showing as green. We are running a triangle with AD-OD in part of our environment and this is a problem, so I wonder if this might be one thing to check.
-John
On 1/21/09 8:36 PM, "Miles Leacy" <miles.leacy at themacadmin.com> wrote:
I have yet to encounter any LKDC problems, however, they have been widely reported and I have no reason to believe that these reports are bogus. Therefore, in the interest of eliminating potential problems, I see destroying the LKDC as a best practice. You can do this before creating your base image, or you can do it as an "after" script in your configuration.
Guess which I prefer. :)
----------
Miles A. Leacy IV
Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
On Wed, Jan 21, 2009 at 7:31 PM, Dagel, Rich <Rich.Dagel at landor.com> wrote:
I have been hearing things about AD machine passwords timing out and you should set it not to when binding to the AD. And also that the local KDC needs to be deleted. We have moved to 10.5.4 and have been seeing some problems with computers not being able to log in even with a green light for the AD account being ready. Wondering if you have run across that or have heard of it.
Rich Dagel
Senior Technology Specialist
Landor Associates
1001 Front Street
San Francisco, CA 94111
United States
415 365 3933
http://www.landor.com
Rich.Dagel at landor.com
--
John Wetter
Technology Support Administrator
Educational Technology, Media & Information Services
Hopkins Public Schools
952-988-5373
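
Added example (not part of the original thread, and not code from JAMF or Apple): a pre-capture check for the LKDC state discussed above, reporting whether a mounted master volume still holds var/db/krb5kdc or a Disabled key in the configureLocalKDC LaunchDaemon plist. The function names, the constructed demo volume and the XML-plist fallback are assumptions; the System keychain is not inspected.

```bash
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical;
# the two paths are the ones used by the script quoted above.

# Succeeds if the LaunchDaemon plist still carries a Disabled key.
plist_has_disabled() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "${1%.plist}" Disabled >/dev/null 2>&1   # macOS
    else
        grep -q '<key>Disabled</key>' "$1"   # assumption: XML-format plist
    fi
}

# lkdc_audit VOLUME: 0 = clean, 1 = leftover LKDC state, 2 = bad argument.
lkdc_audit() {
    local root="${1:-/}" rc=0
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    local vol="${root%/}"
    local kdc_db="$vol/var/db/krb5kdc"
    local plist="$vol/System/Library/LaunchDaemons/com.apple.configureLocalKDC.plist"

    # An LKDC database left on the master would be copied to every imaged Mac.
    if [ -d "$kdc_db" ]; then
        echo "FOUND: $kdc_db"; rc=1
    fi
    # The quoted script deletes this key so a new LKDC is created on first boot.
    if [ -f "$plist" ] && plist_has_disabled "$plist"; then
        echo "FOUND: Disabled key in $plist"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no LKDC state under ${vol:-/}"
    return "$rc"
}

# Constructed sample: a stand-in for a mounted master volume whose name
# contains a space, with LKDC state left behind.
make_demo_volume() {
    local v; v="$(mktemp -d)/Macintosh HD"
    mkdir -p "$v/var/db/krb5kdc" "$v/System/Library/LaunchDaemons"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict>' '<key>Disabled</key><true/>' \
        '</dict></plist>' \
        > "$v/System/Library/LaunchDaemons/com.apple.configureLocalKDC.plist"
    echo "$v"
}

demo="$(make_demo_volume)"
lkdc_audit "$demo" || echo "volume is not ready for capture"
rm -rf "$(dirname "$demo")"
```

Run it against the mounted image volume before capture, or after the "after" script, and treat a non-zero exit status as a failed build step.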