Jamf Nation Community

Thanks much. I will give that a try.

Seem to work fine. Thank you thank you thank you.

No good deed goes unpunished. Since I got such a quick response from my first question here is another. What is the difference between "scutil" and "dscl"? Where would I use one and where would I use the other? Since the last time Apple updated dscl was 2003 it seems like it might be deprecated.

dscl is typically used for reading user/group membership. You can query which users are admins, or read information from an AD server.

scutil has functions to query/set hostname, computername, dns, proxy, etc information.

AD and any LDAP setup as well?

@kyoung if you are bound to either the AD or other LDAP then yes.

If you need to query a random LDAP/AD you are not bound to then you use something like ldapsearch.

Thank you very much. Have a great day.

OK. Next question. I tried using "dscl /AD/odyssey.packer.edu -list" to access our AD server but this is what I got back: "Data source (/AD/odyssey.packer.edu) is not valid"

Any idea what I have done wrong?

That's typically not how you would access your AD environment with dscl. It needs to be the full path to AD and using the All Domains line, something like:

dscl "/Active Directory/DOMAIN/All Domains" read /Computers

(or whatever you want to access)

OK. Let's try that. Do I need the quotes?

No joy. All I get so far is:

Joe:~ jostobs$ dscl /Active Directory/Odyssey.packer.edu/All Domains -read /Computers
Data source (/Active Directory/Odyssey.packer.edu/All) is not valid.
Joe:~ jostobs$ dscl /Active Directory/Odyssey.packer.edu/
Data source (/Active Directory/Odyssey.packer.edu/) is not valid.
Joe:~ jostobs$ dscl /Active Directory/Odyssey.packer.edu
Data source (/Active Directory/Odyssey.packer.edu) is not valid.
Joe:~ jostobs$ dscl /Active Directory/odyssey.packer.edu
Data source (/Active Directory/odyssey.packer.edu) is not valid.

You don't need the quotes, but without them you have to escape any spaces, like

dscl /Active Directory/DOMAIN/All Domains read /Computers

Note the backslashes in front of each space. So either way works.

Still no joy:

Joe:~ jostobs$ dscl "/Active Directory/Odyssey.packer.edu"
Data source (/Active Directory/Odyssey.packer.edu) is not valid.
Joe:~ jostobs$ dscl /Active Directory/Odyssey.packer.edu/All Domains -read /Computers
Data source (/Active Directory/Odyssey.packer.edu/All Domains) is not valid.
Joe:~ jostobs$

@kyoung The problem is likely the "Odyssey.packer.edu" in your command. Its usually only the domain name and not a full string like that.
So, on an AD joined Mac, go into Keychain Access and click on the System.keychain. Look for an entry that starts with "/Active Directory/" It will be listed as kind "application password". The string after that, for example, maybe just "Odyssey" or whatever, is generally what you want to try using in the dscl command, not the entire Odyssey.packer.edu.

No joy.

Joe:~ jostobs$ dscacheutil -cachedump
Unable to get details from the cache node
Joe:~ jostobs$ dscacheutil -configuration
DirectoryService Cache search policy: /Local/Default /Active Directory/PACKEREDU/All Domains

Unable to get details from the cache node
Unable to get cache configuration information
Joe:~ jostobs$ dscl /Active Directory/PACKEPEDU/All Domains
Data source (/Active Directory/PACKEPEDU/All Domains) is not valid.
Joe:~ jostobs$ dscl /Active Directory/Odyssey/All Domains
Data source (/Active Directory/Odyssey/All Domains) is not valid.

@kyoung, let's step back a second. What exactly is it that you want to accomplish with DSCL? I've been reading this thread and I don't have a clear understanding of what you want to get out of DSCL from your AD server, and for what purpose.

On a side note, you've got mixed threads now. I encourage you to start a new thread for new questions that are not related to the topic of the original post.

You can confirm the path by using 'dscl' in interactive mode. For example:

# dscl
Entering interactive mode... (type "help" for commands)
 > ls
Active Directory
Local

Contact
Search
 > cd Active Directory/
/Active Directory > ls
UK
/Active Directory > cd UK/
/Active Directory/UK > ls
All Domains
/Active Directory/UK > cd All Domains/
/Active Directory/UK/All Domains >

As @mm2270 suggested, you can find this out from Keychain Access. You can do something similar from terminal if you are only bound to one domain. Try this:

#!/bin/bash

computer_account=`dsconfigad -show | awk '/Computer Account/ {print $NF}'`
domain_path=`security find-generic-password -a "$computer_account" | awk -F  "=" '/svce/  {print $NF}'`

echo "Bound computer account: $computer_account"
echo "Doamin path: $domain_path"

exit 0

If none of this is working, then are you bound?

Additionally, 'read' is not a valid command to run against /Computers, however 'readall' or 'list' are. 'read' is for reading single values, e.g. a single computer or user.

E.g.(quoted domain)

# dscl "/Active Directory/UK/All Domains" -list /Computers

E.g.(domain path spaces escaped)

# dscl /Active Directory/UK/All Domains -readall /Computers