Carl Caum
2008-Dec-19 22:29 UTC
[Puppet Users] Join active directory domain on Mac OS X Leopard
Does anyone know how to go about joining Mac OS X Leopard to an Active Directory domain with puppet? Primarily it needs to be broken down into doing LDAP authentication with a few attribute mappings and using kerberos for the password authentication.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
Nigel Kersten
2008-Dec-20 00:55 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum <carl.caum@gmail.com> wrote:
> Does anyone know how to go about joining Mac OS X Leopard to an Active Directory domain with puppet?
> Primarily it needs to be broken down into doing LDAP authentication with a few attribute mappings and using kerberos for the password authentication.

You're going to want to push out your DS preferences and then do an exec for the joining of the machine account I imagine, although you could do some of this with templates.....

How were you doing this before Puppet?

There are no native types now, because those of us doing the Mac stuff with Puppet don't work in AD environments :)

I'm more than happy to spend time helping you work through this though Carl. I'm reasonably familiar with AD integration even though we don't do it here.

This would be a great recipe to get up on the Puppet wiki.

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
Crawford Kyle
2008-Dec-20 03:23 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:
> You're going to want to push out your DS preferences and then do an exec for the joining of the machine account I imagine, although you could do some of this with templates.....
>
> How were you doing this before Puppet?
>
> There are no native types now, because those of us doing the Mac stuff with Puppet don't work in AD environments :)
>
> I'm more than happy to spend time helping you work through this though Carl. I'm reasonably familiar with AD integration even though we don't do it here.
>
> This would be a great recipe to get up on the Puppet wiki.

We are in a large AD environment using Puppet. We currently handle the AD joining outside of Puppet with a python script in a launchd job that runs at first boot, though we will probably be moving this to Puppet.

The typical steps are:

1. Make sure time server is set and time is set correctly (ntpd.conf or exec systemsetup).
2. Activate AD plugin by enabling it in DirectoryService.plist. (Just a simple key value, but I think you need to restart DirectoryService for it to notice.)
3. Configure AD plugin using dsconfigad options. (This can take a lot of options; all of these just change key values in ActiveDirectory.plist.)
4. Join to domain using dsconfigad with a limited AD account and password with permissions to add machines to your OU. (This would need to exec the dsconfigad command with username, password, OU, machine join name. Unfortunately the password is passed to dsconfigad in clear text as a parameter.)
5. Set the authentication search path to Custom, and include your AD domain node using dscl. (dscl exec)

We do manage the time server with Puppet and setting a couple of mapping attributes in the AD plists.

I'm happy to help you get this all working in Puppet as well.

Kyle
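The five steps above written out as idempotent Puppet exec resources for a 10.5 client, in the 0.24-era syntax this thread uses; this is an added example, not code from the thread or from Puppet itself. The domain, OU, time server, join account and the AD search node name are placeholder assumptions, and the dsconfigad/dscl/systemsetup options are the Leopard ones and should be checked against the local man pages.

```puppet
# Added example (not from the thread): Kyle's five steps as idempotent
# Puppet exec resources for a 10.5 client, in the 0.24-era syntax used
# in this thread. All names below (domain, OU, join account, time server,
# AD search node) are placeholder assumptions.
define ad::join(
  $domain,                                   # e.g. ad.example.com
  $ou,                                       # DN of the OU the join account may create computers in
  $join_user,                                # least-privilege join account, NOT a domain admin
  $join_pass,
  $timeserver,
  $computer_id = $hostname,                  # machine account name; defaults to the hostname fact
  $ad_node     = "/Active Directory/All Domains"   # assumed node name; check `dscl localhost -list /`
) {
  $dsplist = "/Library/Preferences/DirectoryService/DirectoryService"

  # Let every exec in this define find the standard tools.
  Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }

  # Step 1: set the time source first. Kerberos rejects tickets once the
  # clock drifts (5 minutes by default), so a join with bad time fails or
  # produces a bound machine whose users cannot authenticate.
  exec { "ad-time-${name}":
    command => "systemsetup -setnetworktimeserver ${timeserver} && systemsetup -setusingnetworktime on",
    unless  => "systemsetup -getnetworktimeserver | grep -q '${timeserver}'",
  }

  # Step 2: turn the Active Directory plugin on (one key in
  # DirectoryService.plist) and bounce DirectoryService so it notices.
  exec { "ad-plugin-${name}":
    command => "defaults write ${dsplist} 'Active Directory' Active",
    unless  => "defaults read ${dsplist} 'Active Directory' | grep -qx Active",
    notify  => Exec["ad-restart-ds-${name}"],
  }

  exec { "ad-restart-ds-${name}":
    command     => "launchctl stop com.apple.DirectoryServices && launchctl start com.apple.DirectoryServices",
    refreshonly => true,
  }

  # Steps 3 and 4: configure the plugin and bind in one dsconfigad call.
  # The guard parses `dsconfigad -show`, so a machine already bound to
  # ${domain} is left alone on later runs instead of being re-joined.
  # The password is an argument, so it is visible in `ps` while dsconfigad
  # runs (as Kyle notes); a descriptive title and logoutput => false at
  # least keep the command line out of Puppet's logs and reports.
  exec { "ad-bind-${name}":
    command   => "dsconfigad -f -a '${computer_id}' -domain '${domain}' -ou '${ou}' -u '${join_user}' -p '${join_pass}'",
    unless    => "dsconfigad -show | grep -q 'Active Directory Domain *= *${domain}'",
    logoutput => false,
    require   => [Exec["ad-time-${name}"], Exec["ad-plugin-${name}"], Exec["ad-restart-ds-${name}"]],
  }

  # Step 5: switch the authentication search policy to Custom and add the
  # AD node; without this the Mac is bound but AD users still cannot log in.
  exec { "ad-search-${name}":
    command => "dscl /Search -create / SearchPolicy CSPSearchPath && dscl /Search -append / CSPSearchPath '${ad_node}'",
    unless  => "dscl /Search -read / CSPSearchPath | grep -q '${ad_node}'",
    require => Exec["ad-bind-${name}"],
  }
}

# Example use (placeholder values). Keep the real password out of the
# manifest proper, e.g. supplied by an external node classifier or read
# from a root-only file by a template.
ad::join { "corp":
  domain     => "ad.example.com",
  ou         => "OU=Macs,DC=ad,DC=example,DC=com",
  join_user  => "svc-macjoin",
  join_pass  => "REPLACE-ME",
  timeserver => "time.example.com",
}
```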
Nigel Kersten
2008-Dec-20 03:48 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
> We are in a large AD environment using Puppet. We currently handle the AD joining outside of Puppet with a python script in a launchd job that runs at first boot, though we will probably be moving this to Puppet.
>
> The typical steps are:
> Make sure time server is set and time is set correctly (ntpd.conf or exec systemsetup)
> Activate AD plugin by enabling it in DirectoryService.plist. (just a simple key value but I think you need to restart DirectoryService for it to notice)
> Configure AD plugin using dsconfigad options. (this can take a lot of options; all of these just change key values in ActiveDirectory.plist)
> Join to domain using dsconfigad with a limited AD account and password with permissions to add machines to your OU. (this would need to exec the dsconfigad command with username, password, OU, machine join name. Unfortunately the password is passed to dsconfigad in clear text as a parameter)
> Set the authentication search path to Custom, and include your AD domain node using dscl. (dscl exec)
>
> We do manage the time server with Puppet and setting a couple of mapping attributes in the AD plists.
>
> I'm happy to help you get this all working in Puppet as well.

oh cool. I didn't realize you were doing AD integration Kyle.

How are you ensuring that AD continues to be configured on the clients? Does the python launchd job do all of this? Or are you managing some components as Puppet resources?

I've been thinking for a while about how to manage DirectoryService nodes as native Puppet types, but there are so many attributes to think about I'm not sure it actually simplifies matters all that much...

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
Crawford Kyle
2008-Dec-20 05:16 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote:
> oh cool. I didn't realize you were doing AD integration Kyle.
>
> How are you ensuring that AD continues to be configured on the clients? Does the python launchd job do all of this? Or are you managing some components as Puppet resources?
>
> I've been thinking for a while about how to manage DirectoryService nodes as native Puppet types, but there are so many attributes to think about I'm not sure it actually simplifies matters all that much...

Yes, I've done a lot of AD integration work. The python script I wrote tests the configuration and scenarios related to AD Node status and takes action if necessary. The only part in Puppet so far is management of a couple AD plist keys.

Agreed, DirectoryService node configuration can get complex. There may be lower hanging fruit like improved plist management that would help in all areas including DirectoryService.

Kyle
Carl Caum
2008-Dec-22 17:13 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
OK, just playing around with it so far, but I think this will work. I'm setting up a virtual machine to test it on right now. Tell me if you think this is a good approach:

define authentication::ldap($server, $binddn, $bindpasswd, $adminuser = "", $adminpass = "", $domain = "", $workgroup = "") {
  class linux {
    ......
  }

  class mac {
    # Let the pipelines in the unless checks find grep/awk/sed without full paths
    Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }

    exec { "restart com.apple.DirectoryServices":
      command     => "launchctl stop com.apple.DirectoryServices && launchctl start com.apple.DirectoryServices",
      refreshonly => true,
    }

    # Set Active Directory plugin to active
    exec { "activate AD plugin":
      command => "defaults write /Library/Preferences/DirectoryService/DirectoryService \"Active Directory\" Active",
      # Test if the Active Directory service is already set to be active.
      # \$4 keeps Puppet from interpolating the awk field; = is the POSIX test operator.
      unless  => "test `defaults read /Library/Preferences/DirectoryService/DirectoryService | grep \"Active Directory\" | awk '{print \$4}' | sed 's/;//'` = \"Active\"",
      # A resource may carry only one notify parameter, so both targets go in one array
      notify  => [Exec["restart com.apple.DirectoryServices"], Exec["join domain"]],
    }

    exec { "join domain":
      refreshonly => true,
      command     => "dsconfigad -f -u '$adminuser' -p '$adminpass' -domain '$domain'",
    }
  }

  case $operatingsystem {
    "CentOS": {
      include linux
      Exec <| title == "authconfig-ldap" |>
    }
    "Darwin": {
      include mac
    }
  }
}

On Dec 19, 2008, at 11:16 PM, Crawford Kyle wrote:
> Yes, I've done a lot of AD integration work. The python script I wrote tests the configuration and scenarios related to AD Node status and takes action if necessary. The only part in Puppet so far is management of a couple AD plist keys.
>
> Agreed, DirectoryService node configuration can get complex. There may be lower hanging fruit like improved plist management that would help in all areas including DirectoryService.
>
> Kyle
Carl Caum
2008-Dec-22 17:28 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
Most plist management can be done with the defaults command. It means we exec out every time, but we could write a definition/plugin around it.

I'm having trouble getting puppet to run on OS X. I installed 0.24.7 on my OS X server VM using gems. After signing the certificate on the puppetmaster side, I get this on the client side:

2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while calling [SPPlatformReporter updateDictionary:]
*** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
err: Could not retrieve catalog: undefined method `[]' for nil:NilClass

Any ideas?
Nigel Kersten
2008-Dec-22 17:42 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Mon, Dec 22, 2008 at 9:28 AM, Carl Caum <carl.caum@gmail.com> wrote:
> Most plist management can be done with the defaults command. It means we exec out every time, but we could write a definition/plugin around it.

It also has the sometimes undesirable side effect of converting all your xml1 property lists to binary format.

We tend to use PlistBuddy here for this reason.

> I'm having trouble getting puppet to run on OS X. I installed 0.24.7 on my OS X server VM using gems. After signing the certificate on the puppetmaster side, I get this on the client side:
>
> 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while calling [SPPlatformReporter updateDictionary:]
> *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
> err: Could not retrieve catalog: undefined method `[]' for nil:NilClass

I've never seen that... do you get the same bug using the packages at:

http://explanatorygap.net/puppetfacter/

?

> Any ideas?

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
Carl Caum
2008-Dec-22 17:47 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Dec 22, 2008, at 11:42 AM, Nigel Kersten wrote:
> It also has the sometimes undesirable side effect of converting all your xml1 property lists to binary format.
>
> We tend to use PlistBuddy here for this reason.

Not that it's a great solution, but you can force it to be xml1 with this:

plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

It has to be run after every write to be absolutely sure. But I have to ask, why would you care if you use the defaults command every time for reading and writing?

> I've never seen that... do you get the same bug using the packages at:
>
> http://explanatorygap.net/puppetfacter/
>
> ?

I'll try them and report back
Crawford Kyle
2008-Dec-22 17:57 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
Is the client running on Mac hardware and not in a VM? Seems like system_profiler, which is used to generate default facts, is failing. Maybe it doesn't work because of virtual hardware.

On Dec 22, 2008, at 12:28 PM, Carl Caum wrote:

> Most plist management can be done with the defaults command. It
> means we exec out every time, but we could write a definition/plugin
> around it.
>
> I'm having trouble getting puppet to run on OS X. I installed
> 0.24.7 on my OS X server VM using gems. After signing the
> certificate on the puppetmaster side, I get this on the client side:
>
> 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while
> calling [SPPlatformReporter updateDictionary:]
> *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
> err: Could not retrieve catalog: undefined method `[]' for
> nil:NilClass
>
> Any ideas?
Nigel Kersten
2008-Dec-22 17:59 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Mon, Dec 22, 2008 at 9:47 AM, Carl Caum <carl.caum@gmail.com> wrote:

> On Dec 22, 2008, at 11:42 AM, Nigel Kersten wrote:
>
>> On Mon, Dec 22, 2008 at 9:28 AM, Carl Caum <carl.caum@gmail.com> wrote:
>>
>>> Most plist management can be done with the defaults command. It means we
>>> exec out every time, but we could write a definition/plugin around it.
>>
>> It also has the sometimes undesirable side effect of converting all your
>> xml1 property lists to binary format.
>>
>> We tend to use PlistBuddy here for this reason.
>
> Not that it's a great solution, but you can force it to be xml1 with this:
> plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
> It has to be run after every write to be absolutely sure. But I have to
> ask, why would you care if you use the defaults command every time for
> reading and writing?

Because sometimes we have other tools that use one of the various plist modules for Ruby/Python etc that require the xml1 format, and some of those tools aren't running with elevated privileges, and can't always convert a plist to xml.

We're slowly moving things over to using the BridgeSupport in Ruby/Python where you can instantiate an NSDictionary from a binary or xml plist instead, but that's only available in 10.5 by default.

>>> I'm having trouble getting puppet to run on OS X. I installed 0.24.7 on
>>> my OS X server VM using gems. After signing the certificate on the
>>> puppetmaster side, I get this on the client side:
>>>
>>> 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while calling
>>> [SPPlatformReporter updateDictionary:]
>>> *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
>>> err: Could not retrieve catalog: undefined method `[]' for nil:NilClass
>>
>> I've never seen that... do you get the same bug using the packages at:
>>
>> http://explanatorygap.net/puppetfacter/
>>
>> ?
>
> I'll try them and report back

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
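Kyle's step list quoted earlier in the thread and the defaults/PlistBuddy point made in this message, pulled together as a Puppet manifest. This is an added example, not code from the thread or from Puppet itself: the domain, OU, join account, password, NTP server and DirectoryService node name are placeholders, the plist_key define is mine, and the "Active Directory" key name, the dsconfigad -show output format and the killall-based restart are assumptions about 10.5 behaviour.

```puppet
# Added example, not code from the thread. Puppet 0.24-era manifest that
# walks through the bind steps Kyle lists, with every exec guarded by
# "unless" so it acts only when the box is not already in that state.
# All values below are placeholders for your own environment.

$ad_domain    = 'ad.example.com'
$ad_ou        = 'OU=Macs,DC=ad,DC=example,DC=com'
$ad_join_user = 'macjoin'        # account allowed only to create computer objects in $ad_ou
$ad_join_pass = 'CHANGEME'       # placeholder; see the note on exec 'bind-ad'
$ad_node      = '/Active Directory/All Domains'   # assumed DS node name once bound
$ntp_server   = 'time.example.com'
$ds_plist     = '/Library/Preferences/DirectoryService/DirectoryService.plist'

Exec { path => ['/usr/bin', '/bin', '/usr/sbin', '/sbin', '/usr/libexec'] }

# Manage one plist key with PlistBuddy rather than "defaults", which would
# rewrite an xml1 plist as binary (Nigel's objection). "Set" fails on a
# missing key, so fall back to "Add". PlistBuddy prints a scalar as a bare
# line, so the guard compares whole lines with grep -x.
define plist_key($file, $key, $value, $type = 'string') {
  exec { "plist_key ${key} in ${file}":
    command => "PlistBuddy -c 'Set :\"${key}\" ${value}' '${file}' || PlistBuddy -c 'Add :\"${key}\" ${type} ${value}' '${file}'",
    unless  => "PlistBuddy -c 'Print :\"${key}\"' '${file}' | grep -qx '${value}'",
  }
}

# 1. Kerberos rejects tickets if the clock drifts more than a few minutes
#    from the DCs, so fix the time source first.
exec { 'set-ntp':
  command => "systemsetup -setusingnetworktime on -setnetworktimeserver ${ntp_server}",
  unless  => "systemsetup -getnetworktimeserver | grep -q '${ntp_server}'",
}

# 2. Enable the AD plugin (key name assumed) and bounce DirectoryService so
#    it notices; launchd restarts the daemon after the kill (assumption).
plist_key { 'ad-plugin':
  file    => $ds_plist,
  key     => 'Active Directory',
  value   => 'Active',
  require => Exec['set-ntp'],
}
exec { 'restart-directoryservice':
  command     => 'killall DirectoryService',
  refreshonly => true,
  subscribe   => Plist_key['ad-plugin'],
}

# 3. Bind with the limited join account. The guard on "dsconfigad -show"
#    (output format assumed) means the password only goes onto a command
#    line when a bind is actually needed, not on every run. Even then it is
#    visible in the process list while dsconfigad runs and in Puppet's
#    error output if the bind fails, which is why the account should be
#    able to do nothing except add computers to $ad_ou.
#    $hostname is the facter fact; AD computer names are limited to 15 chars.
exec { 'bind-ad':
  command => "dsconfigad -a ${hostname} -domain ${ad_domain} -u ${ad_join_user} -p '${ad_join_pass}' -ou '${ad_ou}'",
  unless  => "dsconfigad -show | grep -q 'Active Directory Domain.*${ad_domain}'",
  require => Exec['restart-directoryservice'],
}

# 4. Plugin options (Kyle's "dsconfigad options" step), applied once after
#    a successful bind: cached mobile accounts, no confirmation prompt,
#    local home directories.
exec { 'ad-options':
  command     => 'dsconfigad -mobile enable -mobileconfirm disable -localhome enable',
  refreshonly => true,
  subscribe   => Exec['bind-ad'],
}

# 5. Switch the authentication search policy to Custom and append the AD
#    node, each only if not already present.
exec { 'search-policy-custom':
  command => 'dscl /Search -create / SearchPolicy CSPSearchPath',
  unless  => 'dscl /Search -read / SearchPolicy | grep -q CSPSearchPath',
  require => Exec['bind-ad'],
}
exec { 'search-path-add-ad':
  command => "dscl /Search -append / CSPSearchPath '${ad_node}'",
  unless  => "dscl /Search -read / CSPSearchPath | grep -q '${ad_node}'",
  require => Exec['search-policy-custom'],
}
```

Because the manifest itself carries the join password, keep it out of the exec title and out of any repository the clients can read; the bind exec is the only resource that ever needs it.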
Carl Caum
2008-Dec-22 17:59 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Dec 22, 2008, at 11:42 AM, Nigel Kersten wrote:

> On Mon, Dec 22, 2008 at 9:28 AM, Carl Caum <carl.caum@gmail.com> wrote:
>
>> Most plist management can be done with the defaults command. It
>> means we exec out every time, but we could write a definition/plugin
>> around it.
>
> It also has the sometimes undesirable side effect of converting all
> your xml1 property lists to binary format.
>
> We tend to use PlistBuddy here for this reason.
>
>> I'm having trouble getting puppet to run on OS X. I installed
>> 0.24.7 on my OS X server VM using gems. After signing the
>> certificate on the puppetmaster side, I get this on the client side:
>>
>> 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while
>> calling [SPPlatformReporter updateDictionary:]
>> *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
>> err: Could not retrieve catalog: undefined method `[]' for
>> nil:NilClass
>
> I've never seen that... do you get the same bug using the packages at:
>
> http://explanatorygap.net/puppetfacter/
>
> ?

These do not work either. The problem seems to be in facter when getting hardware information. I get this when I run facter directly:

2008-12-22 11:58:06.223 system_profiler[6613:10b] Exception while calling [SPPlatformReporter updateDictionary:]
*** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
/Library/Ruby/Site/1.8/facter/util/macosx.rb:29:in `hardware_overview': undefined method `[]' for nil:NilClass (NoMethodError)
        from /Library/Ruby/Site/1.8/facter/macosx.rb:28
        from /Library/Ruby/Site/1.8/facter/util/loader.rb:72:in `load'
        from /Library/Ruby/Site/1.8/facter/util/loader.rb:72:in `load_file'
        from /Library/Ruby/Site/1.8/facter/util/loader.rb:38:in `load_all'
        from /Library/Ruby/Site/1.8/facter/util/loader.rb:33:in `each'
        from /Library/Ruby/Site/1.8/facter/util/loader.rb:33:in `load_all'
        from /Library/Ruby/Site/1.8/facter/util/loader.rb:30:in `each'
        from /Library/Ruby/Site/1.8/facter/util/loader.rb:30:in `load_all'
        from /Library/Ruby/Site/1.8/facter/util/collection.rb:90:in `load_all'
        from /Library/Ruby/Site/1.8/facter.rb:91:in `to_hash'
        from /usr/bin/facter:121

Could this be because I'm running OS X as a virtual machine?
Carl Caum
2008-Dec-22 18:02 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
Ok, yeah. That's what I was thinking. I can't test this on physical hardware since both our physical XServes are in production. I'll see if I can get a mac mini ordered.

On Dec 22, 2008, at 11:57 AM, Crawford Kyle wrote:

> Is the client running on Mac hardware and not in a VM? Seems like
> system_profiler, which is used to generate default facts is
> failing. Maybe it doesn't work because of virtual hardware.
Carl Caum
2008-Dec-22 19:13 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
On Dec 22, 2008, at 11:59 AM, Nigel Kersten wrote:

> On Mon, Dec 22, 2008 at 9:47 AM, Carl Caum <carl.caum@gmail.com> wrote:
>
>> Not that it's a great solution, but you can force it to be xml1 with
>> this:
>> plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist
>> It has to be run after every write to be absolutely sure. But I
>> have to ask, why would you care if you use the defaults command
>> every time for reading and writing?
>
> Because sometimes we have other tools that use one of the various
> plist modules for Ruby/Python etc that require the xml1 format, and
> some of those tools aren't running with elevated privileges, and
> can't always convert a plist to xml.
>
> We're slowly moving things over to using the BridgeSupport in Ruby/
> Python where you can instantiate an NSDictionary from a binary or
> xml plist instead, but that's only available in 10.5 by default.
>
>>> I've never seen that... do you get the same bug using the packages
>>> at:
>>>
>>> http://explanatorygap.net/puppetfacter/
>>>
>>> ?
>>
>> I'll try them and report back

VMWare doesn't report hardware to the system profiler. It's VMWare/Apple's bug. Thanks to nigelk in IRC for figuring it out.
Kyle Crawford
2008-Dec-22 19:54 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
For testing you could edit the facter ruby code to return hardcoded values instead of running system profiler. I think it just adds everything to a hash then prefixes it with 'sp' if I remember correctly. I've edited ours to return other data.

Kyle

On Dec 22, 2008, at 1:02 PM, Carl Caum <carl.caum@gmail.com> wrote:

> Ok, yeah. That's what I was thinking. I can't test this on physical hardware since both our physical XServes are in production. I'll see if I can get a mac mini ordered.
>
> On Dec 22, 2008, at 11:57 AM, Crawford Kyle wrote:
>
>> Is the client running on Mac hardware and not in a VM? Seems like system_profiler, which is used to generate default facts, is failing. Maybe it doesn't work because of virtual hardware.
>>
>> On Dec 22, 2008, at 12:28 PM, Carl Caum wrote:
>>
>>> Most plist management can be done with the defaults command. It means we exec out every time, but we could write a definition/plugin around it.
>>>
>>> I'm having trouble getting puppet to run on OS X. I installed 0.24.7 on my OS X server VM using gems. After signing the certificate on the puppetmaster side, I get this on the client side:
>>>
>>> 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while calling [SPPlatformReporter updateDictionary:]
>>> *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2)
>>> err: Could not retrieve catalog: undefined method `[]' for nil:NilClass
>>>
>>> Any ideas?
>>>
>>> On Dec 19, 2008, at 11:16 PM, Crawford Kyle wrote:
>>>
>>>> On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote:
>>>>
>>>>> On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>>>>>
>>>>> On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote:
>>>>>>
>>>>>> On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum <carl.caum@gmail.com> wrote:
>>>>>>
>>>>>> Does anyone know how to go about joining Mac OS X Leopard to an Active Directory domain with puppet?
>>>>>> Primarily it needs to be broken down in to doing LDAP authentication with a few attribute mappings and using kerberos for the password authentication.
>>>>>>
>>>>>> You're going to want to push out your DS preferences and then do an exec for the joining of the machine account I imagine, although you could do some of this with templates.....
>>>>>>
>>>>>> How were you doing this before Puppet?
>>>>>>
>>>>>> There are no native types now, because those of us doing the Mac stuff with Puppet don't work in AD environments :)
>>>>>>
>>>>>> I'm more than happy to spend time helping you work through this though Carl. I'm reasonably familiar with AD integration even though we don't do it here.
>>>>>>
>>>>>> This would be a great recipe to get up on the Puppet wiki.
>>>>>
>>>>> We are in a large AD environment using Puppet. We currently handle the AD joining outside of Puppet with a python script in a launchd job that runs at first boot, though we will probably be moving this to Puppet.
>>>>>
>>>>> The typical steps are:
>>>>> - Make sure time server is set and time is set correctly (ntpd.conf or exec systemsetup)
>>>>> - Activate AD plugin by enabling it in DirectoryService.plist. (just a simple key value, but I think you need to restart DirectoryService for it to notice)
>>>>> - Configure AD plugin using dsconfigad options. (this can take a lot of options; all of these just change key values in ActiveDirectory.plist)
>>>>> - Join to domain using dsconfigad with a limited AD account and password with permissions to add machines to your OU. (this would need to exec the dsconfigad command with username, password, OU, machine join name. Unfortunately the password is passed to dsconfigad in clear text as a parameter)
>>>>> - Set the authentication search path to Custom, and include your AD domain node using dscl. (dscl exec)
>>>>>
>>>>> We do manage the time server with Puppet and setting a couple of mapping attributes in the AD plists.
>>>>>
>>>>> I'm happy to help you get this all working in Puppet as well.
>>>>>
>>>>> oh cool. I didn't realize you were doing AD integration Kyle.
>>>>>
>>>>> How are you ensuring that AD continues to be configured on the clients? Does the python launchd job do all of this? Or are you managing some components as Puppet resources?
>>>>>
>>>>> I've been thinking for a while about how to manage DirectoryService nodes as native Puppet types, but there are so many attributes to think about I'm not sure it actually simplifies matters all that much...
>>>>
>>>> Yes, I've done a lot of AD integration work. The python script I wrote tests the configuration and scenarios related to AD Node status and takes action if necessary. The only part in Puppet so far is management of a couple AD plist keys.
>>>>
>>>> Agreed, DirectoryService node configuration can get complex. There may be lower hanging fruit like improved plist management that would help in all areas including DirectoryService.
>>>>
>>>> Kyle
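The five-step bind sequence Kyle lists above (time, enable the AD plugin, configure and join with dsconfigad, set the search path with dscl), written out as a script a Puppet exec or a first-boot launchd job can call on every run. This is an added example, not code from the thread, from Kyle's python script or from Puppet itself. The domain, OU, join account, NTP server and secret-file path are made-up placeholders; the "Active Directory" = Active key in DirectoryService.plist and the exact text that `dsconfigad -show` prints when bound or unbound are recalled from memory, not taken from the thread, so check them on a real Leopard client first. The script only acts when the client is not already bound to the expected domain, and it reads the join password from a root-only file rather than taking it on its own command line; as Kyle notes, dsconfigad still receives the password as a clear-text argument, which this script cannot avoid.

```shell
#!/bin/sh
# Added example; not code from this thread, from Kyle's python script, or from
# Puppet. Wraps the bind sequence Kyle lists so that a Puppet exec (or a
# first-boot launchd job) can call it on every run and it only acts when the
# client is not yet bound to the expected domain.
#
# Assumptions, none of them from the thread: the domain, OU, join account and
# secret-file names below; that the AD plugin is activated by the
# "Active Directory" = Active key in DirectoryService.plist; and the text that
# "dsconfigad -show" prints ("Active Directory Domain = ..." when bound,
# "You are not bound to Active Directory." when not).

AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
AD_OU="${AD_OU:-OU=Macs,DC=ad,DC=example,DC=com}"
AD_JOIN_USER="${AD_JOIN_USER:-svc-macjoin}"   # delegated only "create computer objects" in AD_OU
SECRET_FILE="${SECRET_FILE:-/var/root/ad-join.secret}"
NTP_SERVER="${NTP_SERVER:-time.example.com}"
DRY_RUN="${DRY_RUN:-0}"                       # 1 = print each step instead of running it

# run CMD ARGS...: execute, or print when DRY_RUN=1. Never used for the
# dsconfigad join itself, so the password is not echoed (see ensure_bound).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# ad_domain_from_show SHOW_OUTPUT: print the bound domain in lower case, or
# nothing when the output says the client is unbound. Pure text parsing, so it
# can be exercised with captured output on any machine.
ad_domain_from_show() {
    printf '%s\n' "$1" | awk -F'=' '
        /^Active Directory Domain[ \t]*=/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            print tolower($2)
        }'
}

# bound_to DOMAIN SHOW_OUTPUT: success iff SHOW_OUTPUT says we are bound to DOMAIN.
bound_to() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$want" ] && [ "$(ad_domain_from_show "$2")" = "$want" ]
}

# computer_name_ok NAME: the computer account is a NetBIOS name, so at most 15
# characters of letters, digits and hyphens (dsconfigad adds the trailing '$').
computer_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# secret_file_ok FILE: the join password is read from a root-only file, which
# keeps it out of the manifest, the catalog and the Puppet logs. It is still
# visible in the argv of dsconfigad (ps) while the join runs; that is the
# clear-text exposure Kyle mentions, and the reason the join account has no
# rights beyond creating computer objects in its OU.
secret_file_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;   # mode column: no group/other bits set
        *)           return 1 ;;
    esac
}

# ensure_bound COMPUTER_NAME: the full sequence, idempotent on the bind check.
ensure_bound() {
    name="$1"
    computer_name_ok "$name" || { echo "ad-join: bad computer name: $name" >&2; return 2; }
    secret_file_ok "$SECRET_FILE" || { echo "ad-join: $SECRET_FILE missing or not mode 0600" >&2; return 2; }

    if [ "$DRY_RUN" = 1 ]; then
        show="You are not bound to Active Directory."
    else
        show=$(dsconfigad -show 2>/dev/null)
    fi
    if bound_to "$AD_DOMAIN" "$show"; then
        echo "ad-join: already bound to $AD_DOMAIN"
        return 0
    fi

    # 1. Time first: Kerberos rejects tickets when clock skew exceeds a few minutes.
    run systemsetup -setusingnetworktime on
    run systemsetup -setnetworktimeserver "$NTP_SERVER"

    # 2. Activate the AD plugin and restart DirectoryService so it loads it.
    run defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" Active
    run killall DirectoryService
    run sleep 5

    # 3+4. Configure and join. The password is read from the file and lands in
    # dsconfigad's argv; nothing else in this script ever prints it.
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: dsconfigad -a %s -domain %s -ou %s -u %s -p ********\n' \
            "$name" "$AD_DOMAIN" "$AD_OU" "$AD_JOIN_USER"
    else
        dsconfigad -a "$name" -domain "$AD_DOMAIN" -ou "$AD_OU" \
                   -u "$AD_JOIN_USER" -p "$(cat "$SECRET_FILE")" || return 1
    fi
    run dsconfigad -alldomains enable

    # 5. Custom search path that includes the AD node (authentication and contacts).
    for p in /Search /Search/Contacts; do
        run dscl "$p" -create / SearchPolicy CSPSearchPath
        run dscl "$p" -append / CSPSearchPath "/Active Directory/All Domains"
    done
}

# Called directly: ad-join.sh <computer-name>. With no argument the file only
# defines functions, so it can be sourced or tested.
if [ -n "${1:-}" ]; then
    ensure_bound "$1"
fi
```

From Puppet 0.24 this would be an exec such as `exec { "ad-join": command => "/usr/local/sbin/ad-join.sh ${hostname}", path => "/usr/bin:/bin:/usr/sbin:/sbin", require => File["/var/root/ad-join.secret"] }`, with the secret file managed as a root-owned mode 0600 file resource. Because the script returns 0 without doing anything once the client is bound, the exec needs no separate `unless`; run it with `DRY_RUN=1` on a test box to see the steps it would take without touching the machine.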
Nigel Kersten
2008-Dec-22 19:58 UTC
[Puppet Users] Re: Join active directory domain on Mac OS X Leopard
So for future reference, it turns out system profiler (GUI or command line) is somewhat broken in VMWare with OS X Server. It doesn't report any hardware info at all, and spews to stderr for SPHardwareDataType and SPMemoryDataType.

There's a simple enough workaround that I'll test before patching upstream.

http://pastie.org/345047

On Mon, Dec 22, 2008 at 11:54 AM, Kyle Crawford <kcrwfrd@gmail.com> wrote:

> For testing you could edit the facter ruby code to return hardcoded values
> instead of running system profiler. I think it just adds everything to a
> hash then prefixes it with 'sp' if I remember correctly. I've edited ours to
> return other data.
>
> Kyle

-- 
Nigel Kersten
Systems Administrator
Tech Lead - MacOps