Mailing Lists: Apple Mailing Lists
Re: Questions--Apple Technote about Leopard Kerberos Imaging
Thanks everyone for your help.

I'm glad to hear that it "works", though I'm still unclear as to exactly what that means. Does "working" simply mean one no longer receives an alert that the computer already exists when binding to OD? What are the implications of the AuthenticationAuthority Kerberos related values, for each local user in the local directory service? Ought we be deleting these as well?

As an example, suppose your image source contains a local user of jdoe. Part of jdoe's directory services information will be a user record that has an attribute of AuthenticationAuthority, one of whose strings looks something like--
";Kerberosv5 ;;username@LKDC:SHA1.reallylongHEXstring;LKDC:SHA1.reallylongHEXstring;"


Suppose we have either blown away the KDC, or that we use the System Image Utility from 10.5.6 or later and that we put this image on 10,000 Macs. So now we have a bunch of Macs that all have unique KDCs, but they have an identical user named jdoe having the same Kerberos hex string identifier. Normally, if we had created a user named jdoe on these same Macs, wouldn't that hex string identifier be different for each and every one of them? Maybe this is not an issue, but it seems natural to wonder if there aren't some behavioral differences caused by all those jdoes having the same identifier.

We haven't yet used InstaDMG. (Plan to try both it and Deploy Studio, but haven't yet.) One can see how it avoids the alert. But, it isn't clear how it removes these other issues. If one follows the InstaDMG process and creates local users, what about the Kerberos string in their directory services user records? Or are InstaDMG users simply not putting the Kerberos string in their user records? This would appear to bypass the alert problem. But don't these users lose access to some KDC functionality?

I think one of the implications is that one needs to have a very good understanding of how Kerberos works on Leopard clients, or risk unexpected behaviors when imaging. This email is an implicit admission that I don't have that understanding. The fact that it took Apple until 10.5.6 to identify this bug would suggest that it is non-trivial. And while I fully expect to learn more, I'm not sure where to start. This is a bit deeper than the Apple documentation seems to go.

Best Wishes,

Paul
_______________________________________________
Do not post admin requests to the list. They will be ignored.
System-imaging mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
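The post above asks whether cloned local user records still carry the image source's LKDC identifier. The following audit script is an added example, not code from the post or from Apple; it parses AuthenticationAuthority entries of the `;Kerberosv5;;user@LKDC:SHA1.<hex>;LKDC:SHA1.<hex>;` form quoted above and flags two symptoms of a cloned image: the same LKDC identifier appearing on more than one host, and a user whose LKDC realm is not the host's own local KDC realm. The host names, user names, hex identifiers and the `inventory` dictionary layout are all constructed for the example; in practice the per-user values would come from `dscl . -read /Users/<name> AuthenticationAuthority` on each machine and the host's own realm from its local KDC configuration, collected by whatever inventory mechanism you already use.

```python
"""Audit local-user AuthenticationAuthority values for LKDC identifiers
that were baked into a disk image and cloned to many machines.

Added example; sample data below is constructed, not taken from any real fleet.
"""
import re
from collections import defaultdict

# The realm part of a Local KDC principal: "LKDC:SHA1." followed by a SHA-1 hex digest.
_LKDC_REALM = re.compile(r"^LKDC:SHA1\.([0-9A-Fa-f]{40})$")


def parse_kerberos_authority(authority):
    """Parse one ';'-delimited AuthenticationAuthority entry.

    Returns (principal, realm_hex) for a Kerberosv5 entry such as
    ";Kerberosv5;;jdoe@LKDC:SHA1.<hex>;LKDC:SHA1.<hex>;" and None for any
    other authority type (";ShadowHash;", ";basic;", ...).
    """
    fields = authority.strip().split(";")
    # The leading ';' yields an empty first field; the authority tag is field 1.
    if len(fields) < 5 or fields[1].strip() != "Kerberosv5":
        return None
    principal, realm = fields[3].strip(), fields[4].strip()
    m = _LKDC_REALM.match(realm)
    if m is None or not principal.endswith("@" + realm):
        return None  # not a local-KDC principal, or principal and realm disagree
    return principal, m.group(1).upper()


def audit_inventory(inventory):
    """inventory: {host: {"lkdc_realm": hex, "users": {name: [authority, ...]}}}

    Returns (shared, mismatched):
      shared     - {realm_hex: [(host, user), ...]} for LKDC identifiers found on
                   more than one host (the cloned-image symptom)
      mismatched - [(host, user, realm_hex)] where a user's LKDC realm is not the
                   realm of the host's own local KDC
    """
    by_realm = defaultdict(list)
    mismatched = []
    for host, info in sorted(inventory.items()):
        host_realm = info["lkdc_realm"].upper()
        for user, authorities in sorted(info["users"].items()):
            for auth in authorities:
                parsed = parse_kerberos_authority(auth)
                if parsed is None:
                    continue
                _, realm_hex = parsed
                by_realm[realm_hex].append((host, user))
                if realm_hex != host_realm:
                    mismatched.append((host, user, realm_hex))
    shared = {r: where for r, where in by_realm.items()
              if len({h for h, _ in where}) > 1}
    return shared, mismatched


def _lkdc(hex_id):
    return "LKDC:SHA1." + hex_id


# Constructed identifiers: one realm that lived in the image source, and one
# per-host realm that each machine generated for itself after imaging.
IMAGE_ID = "A" * 40
HOST_IDS = {"mac-01": "1" * 40, "mac-02": "2" * 40, "mac-03": "3" * 40}


def sample_inventory():
    """Constructed fleet: jdoe came from the image, localadmin was created afterwards."""
    inv = {}
    for host, hid in HOST_IDS.items():
        inv[host] = {
            "lkdc_realm": hid,
            "users": {
                "jdoe": [";ShadowHash;",
                         f";Kerberosv5;;jdoe@{_lkdc(IMAGE_ID)};{_lkdc(IMAGE_ID)};"],
                "localadmin": [f";Kerberosv5;;localadmin@{_lkdc(hid)};{_lkdc(hid)};"],
            },
        }
    return inv


if __name__ == "__main__":
    shared, mismatched = audit_inventory(sample_inventory())
    for realm_hex, where in shared.items():
        print(f"LKDC {realm_hex[:8]}... present on: {where}")
    for host, user, realm_hex in mismatched:
        print(f"{host}: {user} refers to foreign LKDC {realm_hex[:8]}...")
```

Run as written, the script reports jdoe's image-sourced identifier on all three hosts and flags each jdoe record as pointing at a realm that is not the host's own KDC, while the post-imaging localadmin records pass both checks. The parser tolerates the stray space after `Kerberosv5` seen in the post's quoted string.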


References: 
 >Questions--Apple Technote about Leopard Kerberos Imaging (From: Paul Cook <email@hidden>)
