Posted on 03-22-2010 07:23 AM
I am frequently having machines that aren't binding at reboot. It is
something that we have dealt with here for quite some time. Even before I
came to the organization in fact.
The way we are doing binding is that there is an "At Reboot" script that
simply does this:
#!/bin/bash
jamf policy -trigger adbind
I have tried to get some logging of the issue by prepending
killall -USR1 DirectoryService
But then my techs complained because it would *never* bind.
Soooo……thoughts?
p.s. we see this issue in 10.5 & 10.6
Ryan M. Manly
Glenbrook High Schools
? ACSP ? ACMT
Posted on 03-22-2010 08:13 AM
My bind scripts work perfectly at reboot, can you post your script? Did
it work before? I don't run mine as manual trigger policies though, it
runs as a reboot script.
Posted on 03-22-2010 09:03 AM
I bind to AD just fine, for the most part. 10.5 actually improved the reliability of this quite a bit.
I’ve had some rumblings from our offices area that they don’t bind when they image, on occasion, but I recently discovered they were potentially imaging with a config that didn’t have a bind in it...using the wrong config. So I can’t say for sure if it really was an issue with binding OR just them making a mistake.
Undoubtedly your issue is not related to something with how the Casper side is binding, it’s something with the AD server or network itself. If you can consistently manually bind without issue, or bind with Casper Remote without issue, I’m not sure where to go after that.
What version of JSS are you running? What OS are your domain controllers on?
I would recommend sticking to the binding stuff within the JSS as part of the config, using a policy for this triggered at reboot seems a bit of an extra step to break this.
Are you seeing this issue yourself and can reproduce it, or are you just getting reports of it from other people?
Craig E
Posted on 03-22-2010 09:15 AM
We found that with our setup if the computer account already existed in AD
the bind would fail. We need to first search and make sure the computer
doesn't exist first before imaging (which includes binding).
j
Posted on 03-22-2010 09:24 AM
This setup was done before my time. And the script is *literally*:
#!/bin/sh
/usr/sbin/jamf policy -trigger odbind
/usr/sbin/jamf policy -trigger adbind
This is saved as bindscript.sh in the JSS and is included in every config.
This is set to run "At Reboot" and all it does is run the trigger that
executes a policy that has the AD & OD boxes checked in the Accounts
section.
What is the better/proper way to do binding through JSS?
The only thing I have done is in more recent configs is that I have taken
out the OD binding (and saved as ADbind.sh) because I am working towards
managing MCX 100% with Casper vs. WGM.
Manual bindings always work. The JSS is 7.2 and the DCs are 2008R2.
Ryan M. Manly
Glenbrook High Schools
? ACSP ? ACMT
Posted on 03-22-2010 09:31 AM
OH, so you are using the built-in bind features of Casper.....I am just
using a script using dsconfigldap and I don't use AD. So, I probably
won't be of much help...
Sorry. However, if you look at the jamf binary and do (as root) jamf
help bind, it will print out all the commands and switches you can use
to bind your client to AD/OD
Posted on 03-22-2010 09:39 AM
Create Directory Bindings right in the JSS to use in configurations, Casper Remote sessions, and policies.
Login -> Management -> Directory Bindings
I actually have 4 different bindings right now for AD.
Labs Workstations
Labs Mobile (Laptop Checkout) - Has create mobile account checked
Office Workstations
Offices Mobile - Has create mobile account checked
The two different groups bind different domain admin groups to the box so only labs people have admin to labs boxes and offices people have admin to office boxes. And then I have additional scripts that run after the fact that add additional groups for a particular lab, so housing admins can get to the housing systems (which are labs). What sucks there is you can’t just ADD a group you have to redefine all the groups over when you do.
I’ve done this forever it seems and have had very little issues. In fact my only big issue was when the JSS was switched to only bind systems by computer name instead of some other field you could specify. Put in a nasty gram about this already with a feature request a long while back. I should do it again. =)
Craig E
Posted on 03-22-2010 09:47 AM
Yea same here but to use it in a Config you have to call it in a Policy
correct? I mean my bindings are all in there (you actually gave me an idea
for some more) but how do you actually bind it when you are imaging?
Ryan M. Manly
Glenbrook High Schools
? ACSP ? ACMT
Posted on 03-22-2010 10:00 AM
Since we have a total of 6 OD servers and clients bind to a locational
server, instead of zoning it out by location in the JSS (since clients
tend to be shifted around from building to building) I just wrote a
script that does it at imaging. Based on the netboot server you netboot
into gives you the correct bind script. When we first deployed we had
6,000 clients authenticating against 1 ODM, which well, lets just say it
choked the ODM out pretty quick.
Posted on 03-22-2010 10:46 AM
Just like a package, drag it into the config. They show up at the bottom of the list in Casper Admin. Casper Imaging then adds the necessary scripting into its FirstRun for reboot.
Craig Ernst
UW-Eau Claire
(715) 836-3639
Sent from my iPhone
Posted on 03-22-2010 10:48 AM
Another example of just about eight different ways to do something.
You could have a bind for each of those OD servers, and then have a different smart config for each segment that gets used at imaging. So instead of maintaining a script you maintain things in the JSS. Depends on your preference really. This would be EVEN cooler if you could dictate which image gets used in the JSS based on network segment. There’s probably something in the pre-staging for that I betcha...
Craig E
Posted on 03-22-2010 01:50 PM
Yea, this is what I am doing. I just assumed that you guys were doing
something else from the way you were talking.
Ryan M. Manly
Glenbrook High Schools
? ACSP ? ACMT
Posted on 03-22-2010 07:08 PM
While building our Image we found something similar. The issue ended up
being that the OS was not synched with our time server and the binding
would fail. A script was created to first synch the machine being
imaged with the time server and then bind the machine to AD.
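An added example, not from this thread and not JAMF's own code: a hardened version of the "At Reboot" bind script that combines the time-sync step from the reply above with logging and retries around the thread's `adbind` policy trigger. NTP_SERVER and the log path are placeholders, `ntpdate -u` is the 10.5/10.6-era sync command, and the bound-state check assumes `dsconfigad -show` prints an "Active Directory Domain = ..." line only when the Mac is bound.

```shell
#!/bin/bash
# Hardened reboot bind wrapper (added example; placeholders below are assumptions).
NTP_SERVER="${NTP_SERVER:-time.example.edu}"   # placeholder: your site's time server
JAMF_BIN="${JAMF_BIN:-/usr/sbin/jamf}"
LOG="${LOG:-/var/log/adbind.log}"              # placeholder log path

# Timestamped line appended to the log so techs can see why a bind failed.
log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Run a command up to $1 times, sleeping $2 seconds between attempts.
# Returns 0 on the first success, 1 if every attempt fails.
with_retry() {
    local attempts="$1" delay="$2" n=1; shift 2
    while [ "$n" -le "$attempts" ]; do
        if "$@"; then return 0; fi
        log "attempt $n of $attempts failed: $*"
        n=$((n + 1))
        [ "$n" -le "$attempts" ] && sleep "$delay"
    done
    return 1
}

# Read `dsconfigad -show` output on stdin; succeed only if a domain is listed
# (assumption: the line reads "Active Directory Domain = <domain>" when bound).
is_bound() { grep -q 'Active Directory Domain' ; }

# Clock skew breaks Kerberos, which breaks the AD bind (the finding above).
sync_clock() { ntpdate -u "$NTP_SERVER" >> "$LOG" 2>&1; }

# Fire the JSS policy that has the AD box checked (the thread's adbind trigger).
run_bind_policy() { "$JAMF_BIN" policy -trigger adbind >> "$LOG" 2>&1; }

main() {
    log "reboot bind starting"
    if dsconfigad -show 2>/dev/null | is_bound; then
        log "already bound; nothing to do"; return 0
    fi
    with_retry 5 10 sync_clock || log "warning: clock sync failed, binding anyway"
    if with_retry 3 30 run_bind_policy && dsconfigad -show 2>/dev/null | is_bound; then
        log "bind succeeded"; return 0
    fi
    log "bind FAILED after retries: check DC reachability, clock skew, existing computer object"
    return 1
}

# Only run on a managed Mac: the jamf binary and dsconfigad must both be present.
[ -x "$JAMF_BIN" ] && command -v dsconfigad >/dev/null 2>&1 && main "$@"
```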