On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle <kcrw...@gmail.com> wrote:

>
> On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:
>
>
> On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum <carl.c...@gmail.com> wrote:
>
>>
>> Does anyone know how to go about joining Mac OS X Leopard to an Active
>> Directory domain with puppet?
>> Primarily it needs to be broken down into doing LDAP authentication
>> with a few attribute mappings and using kerberos for the password
>> authentication.
>
>
> You're going to want to push out your DS preferences and then do an exec
> for the joining of the machine account I imagine, although you could do some
> of this with templates.....
>
> How were you doing this before Puppet?
>
> There are no native types now, because those of us doing the Mac stuff with
> Puppet don't work in AD environments :)
>
> I'm more than happy to spend time helping you work through this though
> Carl. I'm reasonably familiar with AD integration even though we don't do it
> here.
>
> This would be a great recipe to get up on the Puppet wiki.
>
>
> We are in a large AD environment using Puppet. We currently handle the AD
> joining outside of Puppet with a python script in a launchd job that runs at
> first boot, though we will probably be moving this to Puppet.
>
> The typical steps are:
> 1. Make sure time server is set and time is set correctly (ntpd.conf or exec
>    systemsetup)
> 2. Activate AD plugin by enabling it in DirectoryService.plist. (just a
>    simple key value but I think you need to restart DirectoryService for it to
>    notice)
> 3. Configure AD plugin using dsconfigad options. (this can take a lot of
>    options; all of these just change key values in ActiveDirectory.plist)
> 4. Join to domain using dsconfigad with a limited AD account and password with
>    permissions to add machines to your OU. (this would need to exec the
>    dsconfigad command with username, password, OU, machine join name.
>    Unfortunately the password is passed to dsconfigad in clear text as a
>    parameter)
> 5. Set the authentication search path to Custom, and include your AD domain
>    node using dscl. (dscl exec)
>
> We do manage the time server with Puppet and setting a couple of mapping
> attributes in the AD plists.
>
> I'm happy to help you get this all working in Puppet as well.
>

oh cool. I didn't realize you were doing AD integration Kyle.

How are you ensuring that AD continues to be configured on the clients? Does
the python launchd job do all of this? Or are you managing some components
as Puppet resources?

I've been thinking for a while about how to manage DirectoryService nodes as
native Puppet types, but there are so many attributes to think about I'm not
sure it actually simplifies matters all that much...


-- 
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
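
The five bind steps listed in the quoted message, collected into one script as an added example; it is not code from anyone in this thread. The server, domain, OU, account name, password file path, the `-mobile enable` option and the "/Active Directory/All Domains" node are assumed values, and the script defaults to a dry run that only prints each command with the `-p` value masked.

```shell
#!/bin/sh
# Added example; every value below is a constructed placeholder.
NTP_SERVER="time.example.com"
AD_DOMAIN="ad.example.com"
AD_OU="CN=Computers,DC=ad,DC=example,DC=com"
AD_USER="joiner"                 # limited account allowed to add machines to the OU
PASS_FILE="/var/root/.adjoin"    # hypothetical root-only (mode 0600) password file
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the commands only, 0 = run them

# Echo a command with the value after -p masked, then run it unless DRY_RUN=1.
# Masking keeps the password out of this script's output and anything that
# captures it; dsconfigad still receives it on its command line.
run() {
    shown="" mask=0
    for arg in "$@"; do
        if [ "$mask" = 1 ]; then arg='********'; mask=0
        elif [ "$arg" = "-p" ]; then mask=1
        fi
        shown="$shown $arg"
    done
    echo "+$shown"
    [ "$DRY_RUN" = 1 ] || "$@"
}

bind_to_ad() {
    computer_id="$1"
    # 1. Kerberos needs a correct clock.
    run systemsetup -setnetworktimeserver "$NTP_SERVER"
    run systemsetup -setusingnetworktime on
    # 2. Enable the AD plugin and restart DirectoryService so it notices.
    run defaults write /Library/Preferences/DirectoryService/DirectoryService \
        "Active Directory" Active
    run killall DirectoryService
    # 3. Plugin options (one illustrative option; sites will set more).
    run dsconfigad -mobile enable
    # 4. Join with the limited account; the password is read at the last moment.
    password="dry-run-placeholder"
    [ "$DRY_RUN" = 1 ] || password=$(cat "$PASS_FILE")
    run dsconfigad -f -a "$computer_id" -domain "$AD_DOMAIN" \
        -u "$AD_USER" -p "$password" -ou "$AD_OU"
    # 5. Custom authentication search path that includes the AD node.
    run dscl /Search -create / SearchPolicy CSPSearchPath
    run dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
}

bind_to_ad "${1:-mac-001}"
```

Run it with `DRY_RUN=0` as root on the client to apply the steps; wrapped in a Puppet exec, the masked output is what ends up in the run's captured output.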
