On 16 Jun 2008, at 16:35, James Partridge wrote:
Hmm, an almost deafening silence on this one. Well, I wonder if it
would be a good feature to add in to Casper to reset the LKDC at image
creation time and/or post-imaging. Just for clarification I discussed
this issue with someone from Apple at WWDC last week and she pointed
out the following:
"[...] the binding to OD part is just one symptom of the problem -- ie, they end up with the same LKDC name, and this causes problems binding to OD. Even if you're not binding the machines to OD (or anything) you should do these steps, because if one computer is compromised, all computers made from the same image can be compromised since they all have the same certificate. Anyone with root access on one machine could use the cert to access other machines imaged from the same image that have LKDC-based services enabled."
So given that this will affect any 10.5.x image (and future OS releases I suspect) would a "Reset Local KDC" option up there alongside "Fix ByHost Files" etc. be a good idea? Apologies if this is already in hand or I've overlooked it somewhere.
Cheers
James
~~~~~~~~~
James Partridge
Systems Development & Support (Apple)
Oxford University Computing Service
13 Banbury Road
Oxford OX2 6NN
Tel.: (01865) 273207
iChat: james.partridge at mac.com
