Keeping authentication to network resources alive while working with MacOSX 10.6

If you have problems with your Mac not playing nicely with network resources after sleep, you may find adding the following managed preference useful. It makes the Mac prompt for a password after coming out of the screensaver or sleep.

(Screenshot: Workgroup Manager com.apple.screensaver preferences)

Unfortunately, there’s no GUI checkbox or anything for this setting in Workgroup Manager, so I’ve taken a screenshot and highlighted the required setting.
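As an added illustration (not part of the original post, and not how Workgroup Manager itself stores the setting), the block below builds the com.apple.screensaver preference dictionary as a plist and includes an audit check that tells you whether a given machine's preference file will actually prompt for a password as soon as the screen locks. The key names askForPassword and askForPasswordDelay are this example's assumption; they are the standard keys of that domain but are not named on the page.

```python
import plistlib

# Keys of the com.apple.screensaver domain that control the lock prompt.
# Assumption of this example: these are the standard key names for the
# domain; the page only names the domain itself.
ASK_KEY = "askForPassword"
DELAY_KEY = "askForPasswordDelay"


def build_managed_prefs(delay_seconds=0):
    """Return the com.apple.screensaver preference dictionary that forces a
    password prompt `delay_seconds` after the screensaver or sleep starts."""
    return {ASK_KEY: 1, DELAY_KEY: int(delay_seconds)}


def to_plist(prefs):
    """Serialise the preference dictionary to the XML plist format that
    Workgroup Manager imports and that `defaults` reads."""
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


def prompts_after_sleep(plist_bytes, max_delay=0):
    """Audit check: does this com.apple.screensaver plist require a password
    within `max_delay` seconds of the screen locking?  A missing key is
    treated as 'not enforced' (assumption: an unmanaged default is not safe)."""
    prefs = plistlib.loads(plist_bytes)
    if prefs.get(ASK_KEY) != 1:
        return False
    return int(prefs.get(DELAY_KEY, 2**31)) <= max_delay


# Constructed sample: a machine whose preference was set through the GUI
# with a five-minute grace period, which the strict check should reject.
LAX_SAMPLE = to_plist({ASK_KEY: 1, DELAY_KEY: 300})

if __name__ == "__main__":
    strict = to_plist(build_managed_prefs())
    print(strict.decode())
    print("managed preference prompts immediately:", prompts_after_sleep(strict))
    print("lax sample prompts immediately:", prompts_after_sleep(LAX_SAMPLE))
```

The check treats a missing key as a failure on purpose: a preference that is not managed at all is indistinguishable, from the network's point of view, from one that was deliberately relaxed.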

More about MacOSX (10.6) and Active Directory

After getting our Macs into Active Directory with nice managed preferences, I ran into a few problems, first of which was slow logons.

To fix it, I had to make a change on each machine to disable the Bonjour service advertisements. This made .local DNS lookups much faster and solved a lot of issues with users not being able to log on, or logons taking a very long time. This appears to contradict the behaviour described here, although it could just be my particular environment. The important bit says:

In Mac OS X v10.6, as long as your network's DNS server is properly configured, you do not have to make any changes on your client Mac. Host names that contain only one label in addition to local, for example "My-Computer.local", are resolved using Multicast DNS (Bonjour) by default. Host names that contain two or more labels in addition to local, for example "server.domain.local", are resolved using a DNS server by default. Additionally, Mac OS X v10.6 automatically detects when the local network operator has set up a name server that will answer name requests for a domain ending in ".local". It does this by checking to see if there is a Start Of Authority (SOA) record for the top level domain "local", which is how a DNS server indicates that it claims to have authority over a part of the DNS namespace. As long as the DNS server is properly configured with the required SOA record, Mac OS X v10.6 will detect this SOA record and automatically use this server to look up all host names in the domain.

From: Mac OS X v10.4, 10.5, 10.6: How to look up “.local” host names via both Bonjour and standard DNS - http://support.apple.com/kb/HT3473

The change I made is also on the Apple support knowledge base, but I have listed it below in case it disappears from the Apple site (as pages often seem to do). You will need to edit the following file as an administrative user. You should probably make a backup of this file first, as breaking it can apparently prevent your Mac from starting up.

/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

You will need to add the following line to the file, on the line before the closing tag of the ProgramArguments array:

<string>-NoMulticastAdvertisements</string>

This should make the file look as follows.

<key>ProgramArguments</key>
<array>
    <string>/usr/sbin/mDNSResponder</string>
    <string>-launchd</string>
    <string>-NoMulticastAdvertisements</string>
</array>

Once you’ve saved the file, reboot the Mac. You could probably just reload mDNSResponder instead, but rebooting is what I did.
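The edit above is easy to get wrong by hand in a file that can stop the Mac booting, so here is an added example (not from the original post or from Apple) that makes the same change with plistlib: it takes a backup beside the file, appends -NoMulticastAdvertisements to ProgramArguments, and is idempotent, so running it twice does not add the flag twice. The stock file contents below are a constructed sample limited to the keys the example needs, and the script assumes Python 3, which 10.6 does not ship; on the Mac itself it has to be run as root.

```python
import plistlib
import shutil
from datetime import datetime

DAEMON_PLIST = "/System/Library/LaunchDaemons/com.apple.mDNSResponder.plist"
FLAG = "-NoMulticastAdvertisements"


def add_program_argument(plist_bytes, flag=FLAG):
    """Return the plist with `flag` appended to ProgramArguments.
    Idempotent: a flag that is already present is not added again, so the
    function can be re-run safely (e.g. from a configuration-management tool).
    Refuses to touch a file whose ProgramArguments is missing or empty,
    because that is not the file we expect."""
    doc = plistlib.loads(plist_bytes)
    args = doc.get("ProgramArguments")
    if not isinstance(args, list) or not args:
        raise ValueError("ProgramArguments missing or empty; refusing to edit")
    if flag not in args:
        args.append(flag)
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML)


def patch_daemon_plist(path=DAEMON_PLIST):
    """Back up the LaunchDaemon plist beside itself, then rewrite it with the
    flag added.  Returns the backup path.  Must run as root on the Mac."""
    backup = "{}.{:%Y%m%d-%H%M%S}.bak".format(path, datetime.now())
    shutil.copy2(path, backup)
    with open(path, "rb") as fh:
        original = fh.read()
    patched = add_program_argument(original)
    with open(path, "wb") as fh:
        fh.write(patched)
    return backup


def program_arguments(plist_bytes):
    """Inspection helper: the ProgramArguments list of a plist."""
    return plistlib.loads(plist_bytes)["ProgramArguments"]


# Constructed sample of the stock 10.6 file, reduced to the keys this
# example needs (the real file carries more keys).
STOCK_SAMPLE = plistlib.dumps({
    "Label": "com.apple.mDNSResponder",
    "ProgramArguments": ["/usr/sbin/mDNSResponder", "-launchd"],
}, fmt=plistlib.FMT_XML)

# Constructed sample of a file we must not edit: no ProgramArguments at all.
NO_ARGS_SAMPLE = plistlib.dumps({"Label": "something.else"}, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    once = add_program_argument(STOCK_SAMPLE)
    twice = add_program_argument(once)
    print(program_arguments(twice))
    # On the Mac itself, as root: print(patch_daemon_plist())
```

Keeping the pure function separate from the file-writing wrapper is what makes the change testable off the Mac: you can feed it a copy of your own plist and diff the result before touching /System.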

The second issue was more my fault than anything else and relates to a permissions issue I was having with network storage.

If you’re going to offer network attached storage to your Macs for home folders or shared storage, the user must have read permissions at the root of the share. The permission doesn’t need to apply to sub-folders, so you can still manage permissions in a secure way, although it’s a little strange, as Windows XP and 7 machines don’t seem to need it. I just chalked it up to an implementation difference in SMB, made the changes and left it at that.

I’ll probably do a post on managed printing and printing to a Windows print server in the near future, but I’ve got to iron out a few more issues and get it all sorted out before I put it all together.

Even more work with shadowGroupSync

There have been a couple of updates to the shadowGroupSync tool over the past few days. Apart from a bit of development, I also went and put it on GitHub. You can check out my previous posts on it, or grab the latest version. There’s also a development branch in the repository that lets you choose the type of group to create. UPDATE: The features from the development branch are now all in the stable version.

The stable branch has also had a few features added and a couple of little snags fixed. The main new feature is the ability to specify multiple source organisational units for inclusion into a single shadow group. These changes make the utility very useful for generating distribution lists or access groups based on whatever conditions you want; like employee type, manager, or existing group memberships.

The stable ‘master’ branch is essentially the script I use myself on a day to day basis, so it should work fine for you. However, as with all things not done yet, the development branch ‘next’ may be unstable. If downloading it sets your computer/server/domain/datacenter on fire (delete as appropriate), that’s got nothing to do with me.

Recent Books III

Yes, it’s been a while, but here are some more great books I have read in the recent past.

Pirate Cinema - Cory Doctorow

A really enjoyable book based in a near future London, where the only difference to reality is the harsh hammer of copyright law. It’s a fun adventure and an interesting premise, but I’ll have to read it again before I make a decision on whether it’s good, or great.


The Departure - Neal Asher

Zero Point - Neal Asher

Enhanced intelligence, emergent AI, guns, space travel and a ‘1984’-esque government. There’s a lot to ponder, plus a good adventure and the overthrow of an oppressive government rolled in. Based on these two books, I can’t wait for the third book of ‘The Owner Trilogy’.


I, Alex Cross - James Patterson

A modern day murder mystery and a big conspiracy involving the mob, the secret service and some other less than reputable characters. It’s a good story, if a bit short, but then there’s a bunch of others in the series to read, so they’re next.


Covenant - Dean Crawford

Alien remains and the uplift-of-humanity concept, explored in this Indiana Jones type adventure for a burnt out war journalist. It’s an OK story, but almost all of the concepts have been explored before.


The Restoration Game - Ken MacLeod

It’s quite difficult to talk about this one without spoilers. MMOs, a Russia-Georgia conflict and all sorts of weird history and secrets make this one a real rollercoaster. It’s probably one of the best books I’ve read from Ken MacLeod.

AD Shadow Groups with Windows PowerShell: An Update

I’ve made a fair amount of changes to the shadow group sync script; it’s a fair amount more powerful and much more flexible than the first version. You can now sync user and computer objects into groups from an OU, with the added functionality of filters to narrow the selection to specific user or computer attribute values. There are a few changes to the format of the CSV, detailed in the script comments, along with an example of the filters that you can use (see the Microsoft TechNet article on PowerShell Active Directory filter syntax for more information).

UPDATE

There are some more changes here: the script now takes the CSV as an argument to the script file. For example:

.\shadowGroupSync.ps1 ".\TheCSVFile.csv"
.\shadowGroupSync.ps1 -file ".\TheCSVFile.csv"

are both valid ways of running the script. As before, feel free to use it in any way you want. It’s pretty straightforward, but may contain bugs which I take no responsibility for.
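To show what a shadow group sync of this kind actually does (selecting objects from several source OUs with an attribute filter, then reconciling a group's membership to that selection, as described in this post and in the shadowGroupSync update above), here is an added Python sketch of the logic. It is not the PowerShell script itself and does not talk to Active Directory: the directory objects and the CSV are constructed samples, the CSV column layout (group, sourceOUs, objectClass, filter) is this example's assumption since the real columns are only documented in the script's comments, and the refusal to empty a group on an empty selection is the example's own safeguard.

```python
import csv
import io

# Constructed sample directory (not real AD data): one dict per object with
# its DN, parent OU, object class and an attribute the filter can use.
DIRECTORY = [
    {"dn": "CN=alice,OU=Sales,DC=corp,DC=example", "ou": "OU=Sales,DC=corp,DC=example",
     "objectClass": "user", "employeeType": "Staff"},
    {"dn": "CN=bob,OU=Sales,DC=corp,DC=example", "ou": "OU=Sales,DC=corp,DC=example",
     "objectClass": "user", "employeeType": "Contractor"},
    {"dn": "CN=carol,OU=Support,DC=corp,DC=example", "ou": "OU=Support,DC=corp,DC=example",
     "objectClass": "user", "employeeType": "Staff"},
    {"dn": "CN=PC-01,OU=Sales,DC=corp,DC=example", "ou": "OU=Sales,DC=corp,DC=example",
     "objectClass": "computer", "employeeType": ""},
]

# Constructed CSV in an ASSUMED layout: one row per shadow group, several
# source OUs separated by ';', and an optional attr=value filter.  DNs contain
# commas, so those fields are quoted.
SPEC_CSV = '''group,sourceOUs,objectClass,filter
"CN=SG-Staff,OU=Groups,DC=corp,DC=example","OU=Sales,DC=corp,DC=example;OU=Support,DC=corp,DC=example",user,employeeType=Staff
"CN=SG-SalesPCs,OU=Groups,DC=corp,DC=example","OU=Sales,DC=corp,DC=example",computer,
'''


def read_specs(text):
    """Parse the CSV into specs with the OU list split out and the filter
    turned into an (attribute, value) pair, or None when no filter is given."""
    specs = []
    for row in csv.DictReader(io.StringIO(text)):
        attr_filter = None
        if row["filter"]:
            attr, value = row["filter"].split("=", 1)
            attr_filter = (attr, value)
        specs.append({
            "group": row["group"],
            "sourceOUs": [ou for ou in row["sourceOUs"].split(";") if ou],
            "objectClass": row["objectClass"],
            "filter": attr_filter,
        })
    return specs


def select_members(directory, spec):
    """DNs that belong in the shadow group: objects of the requested class
    directly under any of the source OUs that also satisfy the filter."""
    wanted = set()
    for obj in directory:
        if obj["ou"] not in spec["sourceOUs"] or obj["objectClass"] != spec["objectClass"]:
            continue
        if spec["filter"] and obj.get(spec["filter"][0]) != spec["filter"][1]:
            continue
        wanted.add(obj["dn"])
    return wanted


def plan_sync(current, desired, allow_empty=False):
    """Return (to_add, to_remove) so that `current` becomes `desired`.
    Safeguard (this example's own choice): an empty selection against a
    non-empty group almost always means a mistyped OU or filter, so refuse to
    strip every member unless the caller says that is intended."""
    current, desired = set(current), set(desired)
    if not desired and current and not allow_empty:
        raise ValueError("selection is empty; refusing to remove every member")
    return desired - current, current - desired


def sync_groups(directory, groups, specs):
    """Apply every spec to `groups` (group DN -> set of member DNs) in place
    and return the plan applied per group, for logging or a dry run."""
    plans = {}
    for spec in specs:
        current = groups.setdefault(spec["group"], set())
        to_add, to_remove = plan_sync(current, select_members(directory, spec))
        current |= to_add
        current -= to_remove
        plans[spec["group"]] = (to_add, to_remove)
    return plans


if __name__ == "__main__":
    # Stale starting state: bob, a contractor, is still in SG-Staff.
    groups = {"CN=SG-Staff,OU=Groups,DC=corp,DC=example": {"CN=bob,OU=Sales,DC=corp,DC=example"}}
    for group, (added, removed) in sync_groups(DIRECTORY, groups, read_specs(SPEC_CSV)).items():
        print(group, "+", sorted(added), "-", sorted(removed))
```

In the real script the selection step is the ActiveDirectory module query against each source OU and the plan is applied with group membership changes; the point of separating the plan from the apply is that a dry run can print what an edited CSV would do before a bad filter quietly empties an access group.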

Current version:

Older versions:

Thanks to i3laze for his work with this. I probably wouldn’t have made the effort to extend the script without it.