Posted on 08-29-2016 01:15 PM
Directory Utility question...how to make a domain a default domain?
I'm trying to make a specific domain the default or make it the preferred domain (first in the order).
Thank you for your help.
Posted on 09-01-2016 12:31 AM
You should not grab that plist... grabbing a plist should always be used with care, because plists may be different from machine to machine. Directly modifying the needed things is a better idea :)
The script you need:
#!/bin/bash
# Removing "All Domains" from the search path
dscl /Search -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/All Domains"
# Adding Domains to the search path
dscl /Search -append / CSPSearchPath "/Active Directory/YOURDOMAIN/subdomain.domain.com"
# Removing "All Domains" from the contacts search path
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/YOURDOMAIN/All Domains"
# Adding Domains to the contacts search path
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/YOURDOMAIN/subdomain.domain.com"
Just put this one in a script you run after domain binding and you should be fine.
The /Local/Default path cannot be modified or removed. It is needed for authenticating any local accounts, including system accounts.
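A check to run after a script like the one above, added here as an example and not part of the original post: it reads a CSPSearchPath listing and fails if an "All Domains" node is still present, if the expected domain node is missing, or if any other Active Directory node appears. The function name, the sample listings and the assumed dscl output layout (key on one line, each node on its own line with one leading space) are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the thread): audit a search path listing.
# Assumption: dscl prints "CSPSearchPath:" on one line, then each node on its
# own line with a single leading space (the form used when a node has spaces).

# Constructed sample listings: before and after the thread's script has run.
SAMPLE_BEFORE='CSPSearchPath:
 /Local/Default
 /Active Directory/YOURDOMAIN/All Domains'
SAMPLE_AFTER='CSPSearchPath:
 /Local/Default
 /Active Directory/YOURDOMAIN/subdomain.domain.com'

# check_search_path EXPECTED_NODE   (listing on stdin)
# Returns 0 when EXPECTED_NODE is the only Active Directory node listed;
# otherwise prints one line per finding and returns 1.
check_search_path() {
    csp_expected="$1"; csp_found=no; csp_rc=0
    while IFS= read -r csp_line; do
        case "$csp_line" in
            " "*) csp_node="${csp_line# }" ;;   # a node line
            *)    continue ;;                   # the key line or a blank line
        esac
        if [ "$csp_node" = "$csp_expected" ]; then
            csp_found=yes
            continue
        fi
        case "$csp_node" in
            */"All Domains")
                echo "FAIL: forest-wide node still present: $csp_node"; csp_rc=1 ;;
            "/Active Directory/"*)
                echo "FAIL: unexpected directory node: $csp_node"; csp_rc=1 ;;
        esac
    done
    if [ "$csp_found" = no ]; then
        echo "FAIL: expected node missing: $csp_expected"; csp_rc=1
    fi
    if [ "$csp_rc" -eq 0 ]; then echo "OK: pinned to $csp_expected"; fi
    return "$csp_rc"
}

# On a bound Mac, feed it the live listing instead of the sample:
#   dscl /Search -read / CSPSearchPath | check_search_path "/Active Directory/YOURDOMAIN/subdomain.domain.com"
printf '%s\n' "$SAMPLE_AFTER" | check_search_path "/Active Directory/YOURDOMAIN/subdomain.domain.com"
```

The same function can be pointed at the /Search/Contacts listing, since the script changes both search nodes.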
Posted on 08-30-2016 12:19 PM
There is no default domain, but there is a search order (Top to bottom).
In the GUI one can drag and drop to change order.
With scripts I am not sure with 10.11.
It used to depend on the order of binding done by scripts (I remember that the last bound directory was ending at top, but the last time I really tested two domains was 10.8.x),
or change it with a defaults command, probably on this file:
/Library/Preferences/OpenDirectory/Configurations/Search.plist
Do you really need two domains? And the order should not really matter, unless there are duplicate usernames.
Workaround: you can specify the domain by logging in as user@domain.local or user@domain.com to tell directory services which domain to use.
Posted on 08-30-2016 01:28 PM
I only need one domain; it automatically shows up with the "All Domains". I'm trying to find out a way to do it "automagically" with a script or something similar.
I'm trying to avoid doing it manually.
Thank you for your help, Maurits.
Posted on 08-30-2016 02:10 PM
In your Binding Directory or your script, do you have the option "Allow authentication from any domain in the forest" checked or unchecked?
Posted on 08-30-2016 02:15 PM
We had to adjust the search order as we have multiple domains in our forest. I didn't do it programmatically with a script but as a package pushed through Casper.
Change your search order as desired on your test machine, and drop the Search.plist file from /Library/Preferences/OpenDirectory/Configurations/ into Composer and that should do the trick.
Posted on 08-30-2016 02:38 PM
Thank you Brad, I'll try that.
Jason (jhalvorson) I do have the "Allow authentication from any domain in the forest" unchecked.
I really appreciate everyone helping...thank you.
Posted on 08-30-2016 03:09 PM
One last question: is it possible to remove "/Local/Default" from the Directory Utility? (See in the screenshot the one that is grayed out.)
Posted on 09-01-2016 09:05 AM
@m.entholzner Thank you very much! That's what I was looking for.