On Mon, Dec 22, 2008 at 9:47 AM, Carl Caum <carl.c...@gmail.com> wrote:

>
> On Dec 22, 2008, at 11:42 AM, Nigel Kersten wrote:
>
>
>
> On Mon, Dec 22, 2008 at 9:28 AM, Carl Caum <carl.c...@gmail.com> wrote:
>
>> Most plist management can be done with the defaults command.  It means we
>> exec out every time, but we could write a definition/plugin around it.
>>
>
> It also has the sometimes undesirable side effect of converting all your
> xml1 property lists to binary format.
>
> We tend to use PlistBuddy here for this reason.
>
>
>
> Not that it's a great solution, but you can force it to be xml1 with this:
> plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
> It has to be run after every write to be absolutely sure.  But I have to
> ask, why would you care if you use the defaults command every time for
> reading and writing?
>

Because sometimes we have other tools that use one of the various plist
modules for Ruby/Python etc that require the xml1 format, and some of those
tools aren't running with elevated privileges, and can't always convert a
plist to xml.

We're slowly moving things over to using the BridgeSupport in Ruby/Python
where you can instantiate an NSDictionary from a binary or xml plist
instead, but that's only available in 10.5 by default.




>
>
>> I'm having trouble getting puppet to run on OS X.  I installed 0.24.7 on
>> my OS X server VM using gems.  After signing the certificate on the
>> puppetmaster side, I get this on the client side:
>>
>> 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while calling
>> [SPPlatformReporter updateDictionary:]
>> *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
>> err: Could not retrieve catalog: undefined method `[]' for nil:NilClass
>>
>
> I've never seen that... do you get the same bug using the packages at:
>
> http://explanatorygap.net/puppetfacter/
>
> ?
>
> I'll try them and report back
>
>
>
>> Any ideas?
>> On Dec 19, 2008, at 11:16 PM, Crawford Kyle wrote:
>>
>>
>> On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote:
>>
>>
>>
>> On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle <kcrw...@gmail.com> wrote:
>>
>>>
>>> On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:
>>>
>>>
>>> On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum <carl.c...@gmail.com> wrote:
>>>
>>>>
>>>> Does anyone know how to go about joining Mac OS X Leopard to an Active
>>>> Directory domain with puppet?
>>>> Primarily it needs to be broken down into doing LDAP authentication
>>>> with a few attribute mappings and using Kerberos for the password
>>>> authentication.
>>>
>>>
>>> You're going to want to push out your DS preferences and then do an exec
>>> for the joining of the machine account I imagine, although you could do some
>>> of this with templates.....
>>>
>>> How were you doing this before Puppet?
>>>
>>> There are no native types now, because those of us doing the Mac stuff
>>> with Puppet don't work in AD environments :)
>>>
>>> I'm more than happy to spend time helping you work through this though
>>> Carl. I'm reasonably familiar with AD integration even though we don't do it
>>> here.
>>>
>>> This would be a great recipe to get up on the Puppet wiki.
>>>
>>>
>>> We are in a large AD environment using Puppet. We currently handle the AD
>>> joining outside of Puppet with a python script in a launchd job that runs at
>>> first boot, though we will probably be moving this to Puppet.
>>>
>>> The typical steps are:
>>> 1. Make sure time server is set and time is set correctly (ntpd.conf or
>>>    exec systemsetup).
>>> 2. Activate AD plugin by enabling it in DirectoryService.plist (just a
>>>    simple key value, but I think you need to restart DirectoryService for
>>>    it to notice).
>>> 3. Configure AD plugin using dsconfigad options (this can take a lot of
>>>    options; all of these just change key values in ActiveDirectory.plist).
>>> 4. Join to domain using dsconfigad with a limited AD account and password
>>>    with permissions to add machines to your OU (this would need to exec
>>>    the dsconfigad command with username, password, OU, machine join name.
>>>    Unfortunately the password is passed to dsconfigad in clear text as a
>>>    parameter).
>>> 5. Set the authentication search path to Custom, and include your AD domain
>>>    node using dscl (dscl exec).
>>>
>>> We do manage the time server with Puppet and setting a couple of mapping
>>> attributes in the AD plists.
>>>
>>> I'm happy to help you get this all working in Puppet as well.
>>>
>>
>> oh cool. I didn't realize you were doing AD integration Kyle.
>>
>> How are you ensuring that AD continues to be configured on the clients?
>> Does the python launchd job do all of this? Or are you managing some
>> components as Puppet resources?
>>
>> I've been thinking for a while about how to manage DirectoryService nodes
>> as native Puppet types, but there are so many attributes to think about I'm
>> not sure it actually simplifies matters all that much...
>>
>>
>> Yes, I've done a lot of AD integration work. The python script I wrote
>> tests the configuration and scenarios related to AD Node status and takes
>> action if necessary.  The only part in Puppet so far is management of a
>> couple AD plist keys.
>>
>> Agreed, DirectoryService node configuration can get complex.  There may be
>> lower hanging fruit like improved plist management that would help in all
>> areas including DirectoryService.
>>
>> Kyle
>>
>
>
> --
> Nigel Kersten
> Systems Administrator
> Tech Lead - MacOps
>


-- 
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
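
The format problem described in this message (an unprivileged tool that needs xml1 but finds a binary plist it cannot convert in place), as an added example that is not part of the original thread: the plist is classified by its header and parsed in memory, so only read access to the file is needed and the file on disk is never rewritten. It assumes Python 3.4 or later, whose standard `plistlib` reads both formats; the sample keys and values are constructed for the example.

```python
import plistlib

BINARY_MAGIC = b"bplist00"  # header bytes of a binary property list


def plist_format(data: bytes) -> str:
    """Classify raw plist bytes as 'binary1', 'xml1' or 'unknown'."""
    if data.startswith(BINARY_MAGIC):
        return "binary1"
    head = data.lstrip()[:64]
    if head.startswith((b"<?xml", b"<!DOCTYPE plist", b"<plist")):
        return "xml1"
    return "unknown"


def load_any(data: bytes) -> dict:
    """Parse either format in-process; nothing is written back to disk."""
    if plist_format(data) == "unknown":
        raise ValueError("not a binary1 or xml1 property list")
    return plistlib.loads(data)  # auto-detects binary vs XML


def as_xml1(data: bytes) -> bytes:
    """Return an xml1 rendering for a downstream tool that only accepts XML.

    The caller decides where (if anywhere) to write the result, for example
    a per-user temporary file, so the original file stays untouched.
    """
    return plistlib.dumps(load_any(data), fmt=plistlib.FMT_XML)


# Constructed sample data (hypothetical keys, not a real preferences file).
SAMPLE = {"ExamplePlugin": "Active", "RetryCount": 3}
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
SAMPLE_XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    for blob in (SAMPLE_BINARY, SAMPLE_XML):
        print(plist_format(blob), load_any(blob))
    print(as_xml1(SAMPLE_BINARY).decode("utf-8"))
```
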
