Posted on 02-17-2012 12:54 PM
I'm currently testing a 10.7.3 Lion image for deployment later this year and I'm encountering an issue where network users aren't automatically creating mobile home folders at login, even though the AD bind script explicitly has that option enabled.
Anybody else see this issue?
Posted on 02-17-2012 12:58 PM
Which script are you using? Are you adding objects and binding or just binding to pre-added objects? If that's the case I would just use the AD plugin that comes with Casper.
Posted on 02-17-2012 01:39 PM
I'm using the bind scripts that are built in to the JSS. The unit binds fine, but it doesn't seem to obey the "Create Mobile User at Login" option.
Posted on 02-17-2012 01:44 PM
Ahh OK. I am using the Directory Binding option in Casper Admin with a smart group and it's worked well for me so far.
Posted on 02-17-2012 01:59 PM
For clarity purposes I feel I should say that you and I are using the same binding method, just so anybody else reading isn't confused.
Posted on 02-20-2012 12:53 PM
In my experience, it takes quite some time for a machine to get bound to Active Directory all the way. I typically log in as the local Administrator then watch for the script to run. After a few minutes I go into Directory Utility and see if it's finished the entire script by checking mobile settings and administrator settings.
On a separate note though I also had to re-create my bind scripts after upgrading to 8.4 and 10.7.3 because they stopped working completely.
Posted on 02-21-2012 10:24 AM
I know the bind script is running completely because I install several packages after reboot during imaging and the computer reboots a second time once all the installs and scripts (including the bind script) have run. I can log in with AD accounts and when I view the AD settings in Directory Utility, they appear how I have them set up in the script. 10.7.3 just seems to ignore the settings I have selected.
Posted on 02-21-2012 04:45 PM
I found 2 oddities in 10.7 binding as well, but also a solution that pulled down all the settings I wanted for Directory Utility.
If the BIND item is added to a 10.7 based configuration in Casper Admin and I leave Casper to take care of everything then BOTH the gidNumber mappings are enabled when only one should be. Also I think the directory location was set to afp: instead of smb: but I don't remember for sure.
Also, be sure you are not setting any Bind settings in a configuration profile as I found that it wiped out all settings completely if both were done. The machine was bound but all the options in Directory Utility were set to the defaults.
Solution:
Go back to the old method of having my personal bootscript actually call a policy whose only function is adding the very same BIND mentioned in #1 above via Accounts tab.
Down at the very bottom I simply have a line that says
jamf policy -trigger adbind
This has worked flawlessly for me every time (provided you aren't playing around with profiles and accidentally set Directory stuff in there again). ;)
Posted on 02-22-2012 09:15 AM
Thanks, I'll give it a shot
Posted on 02-22-2012 09:45 AM
Seems like it worked, so I gave you the answer. Now I'm having an issue where Lion is not getting any computer list MCX settings. All Snow Leopard machines are getting them just fine, and when I image this computer with Snow Leopard it works. User and user group settings are being downloaded fine.
I've read about this issue on other forums, but nobody seems to have a solution.
Maybe I should create a new discussion?
Posted on 02-23-2012 08:12 AM
Are you doing MCX through AD schema or OD?
If so, I do not know what to tell you. :(
I do my MCX and configuration profiles via the JSS and they function as they should, provided you remember that a Configuration Profile trumps MCX.
Posted on 02-23-2012 09:20 AM
I am using AD extended.
We aren't set up to use configuration profiles just yet as all production machines are still on 10.6. I guess I'll just wait until the summer when we do our 10.7 deployment and hope we get configuration profiles right in time.
If I enable certificate based communication for config profiles, will that affect the 10.6 clients at all?
Posted on 05-04-2012 12:42 PM
I just enabled cert-based communication recently and the existing clients negotiated with the JSS to get the certs and begin using encrypted communication.