Gary, I'd suggest manually creating the computer accounts in AD, and then setting the passwords for the accounts to the machine's MAC address, or serial number, or something tied to the computer. Use dsconfigad to set the password change interval flag and prevent it from changing the password. I believe a value of 0 does this. Your script can now bind to the existing account at startup using the computer account name and (MAC/serial/other) as the AD user name and password. The computer owns its own account, and should have the permission to re-join it. If not, this can be easily set. This accomplishes a couple of things.

1. You should have no orphaned accounts. You are simply binding to existing accounts over and again. Bonus: you cut down on object creation in AD.
2. You don't need a service account exposed in a script.

This does force you to manually add the account when new hardware is provisioned, and remove it when de-provisioned.
The other thing that should be possible is to forget the "bind", and instead use a custom script to modify the ActiveDirectory.plist. The key values here are "AD Computer ID", "AD Computer Password" and "AD Computer Kerberos ID". These keys are used to identify the computer to the domain, and are what need to be either identical (if sharing) or unique (but matching between AD and computer). Again, using a lookup of a static username/password combination, these values could be changed at runtime, and the computer should be able to talk to the domain using the modified credentials. The bonus to doing it this way is that you avoid all the talk back and forth to the domain to rejoin the computer account. You could probably even pre-create an ActiveDirectory.plist for each machine, store it on a web server in a folder named after the MAC, and curl it down at startup. As long as you HUP DirectoryService afterwards, you should still get loginwindow access.
--DH
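Both routes DH describes, as an added worked example (not code from the thread or from Apple): the per-machine credential derived from the MAC, the dsconfigad re-bind using the pre-created computer account with the password interval set to 0, and the alternative of writing the three identity keys straight into ActiveDirectory.plist (or fetching a pre-built plist from a web server by MAC) and then HUP-ing DirectoryService. The domain, OU, realm and web-server URL are placeholders; the `NAME$@REALM` form of "AD Computer Kerberos ID", the use of `NAME$` as the joining user, and the dsconfigad flag spelling are assumptions, so compare them against the plist and `dsconfigad -show` output of a machine you bound by hand before relying on them. Two practitioner caveats: a MAC or serial is visible to anyone on the LAN or looking at the chassis, so the scheme removes a service-account password from the script but does not make the computer password a secret; and ActiveDirectory.plist carries that password in clear text, so keep it root-only. Run as root from a startup item so dsconfigad needs no local admin credentials.

```python
#!/usr/bin/env python3
"""Added example: per-machine AD credentials and the two binding routes from the thread.

Route 1 (bind):  dsconfigad re-bind to the pre-created computer account, then -passinterval 0.
Route 2 (plist): rewrite "AD Computer ID" / "AD Computer Password" / "AD Computer Kerberos ID"
                 in ActiveDirectory.plist, then HUP DirectoryService.
Route 2 (fetch): pull a pre-built ActiveDirectory.plist from http://server/<mac>/ and HUP.

Assumptions (placeholders, not from the thread): AD_DOMAIN, AD_OU, AD_REALM, the Kerberos ID
format, and that the account password in AD equals the normalized MAC address.
"""
import plistlib
import re
import socket
import subprocess
import sys
import urllib.request
from pathlib import Path
from typing import Dict, List

AD_DOMAIN = "ad.example.com"                            # assumption
AD_REALM = AD_DOMAIN.upper()                            # Kerberos realm, assumption
AD_OU = "CN=Computers,DC=ad,DC=example,DC=com"          # assumption
AD_PLIST = Path("/Library/Preferences/DirectoryService/ActiveDirectory.plist")


def normalize_mac(mac: str) -> str:
    """'00:1C:B3:AB:CD:EF' -> '001cb3abcdef'. This exact string must have been used as the
    account password when the computer object was created in AD."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def computer_id(hostname: str) -> str:
    """Short, upper-case, at most 15 characters (NetBIOS limit), e.g. 'LAB-MAC-01'."""
    return hostname.split(".")[0].upper()[:15]


def primary_mac() -> str:
    """MAC of en0 on the running Mac (real hardware only; the tests do not call this)."""
    out = subprocess.check_output(["ifconfig", "en0"], text=True)
    match = re.search(r"ether\s+([0-9a-f:]{17})", out)
    if not match:
        raise RuntimeError("could not read the en0 MAC address")
    return match.group(1)


def dsconfigad_bind_argv(comp_id: str, password: str) -> List[str]:
    """Route 1: bind to the existing account, authenticating as the computer account itself
    (sAMAccountName NAME$), which the thread assumes may re-join its own object. -f forces the
    join onto an existing account."""
    return ["dsconfigad", "-f", "-a", comp_id, "-domain", AD_DOMAIN, "-ou", AD_OU,
            "-u", comp_id + "$", "-p", password]


def dsconfigad_passinterval_argv(days: int = 0) -> List[str]:
    """Route 1, second step: 0 days = never rotate the computer password (per DH)."""
    return ["dsconfigad", "-passinterval", str(days)]


def patch_ad_plist(path: Path, comp_id: str, password: str) -> Dict[str, object]:
    """Route 2: rewrite only the three identity keys and keep every other key as it was."""
    data = plistlib.loads(path.read_bytes()) if path.exists() else {}
    data["AD Computer ID"] = comp_id
    data["AD Computer Password"] = password
    data["AD Computer Kerberos ID"] = f"{comp_id}$@{AD_REALM}"   # format is an assumption
    path.write_bytes(plistlib.dumps(data))
    return data


def plist_url(base_url: str, mac: str) -> str:
    """Route 2 variant: one pre-built plist per machine, in a web folder named by its MAC."""
    return f"{base_url.rstrip('/')}/{normalize_mac(mac)}/ActiveDirectory.plist"


def hup_directoryservice() -> None:
    """Make DirectoryService re-read its configuration without a reboot."""
    subprocess.check_call(["killall", "-HUP", "DirectoryService"])


if __name__ == "__main__":
    route = sys.argv[1] if len(sys.argv) > 1 else "bind"
    mac = primary_mac()
    cid = computer_id(socket.gethostname())
    pw = normalize_mac(mac)
    if route == "bind":
        subprocess.check_call(dsconfigad_bind_argv(cid, pw))
        subprocess.check_call(dsconfigad_passinterval_argv(0))
    elif route == "plist":
        patch_ad_plist(AD_PLIST, cid, pw)
        hup_directoryservice()
    elif route == "fetch":                       # usage: script.py fetch http://server/ad/
        with urllib.request.urlopen(plist_url(sys.argv[2], mac)) as resp:
            AD_PLIST.write_bytes(resp.read())
        hup_directoryservice()
    else:
        sys.exit(f"unknown route {route!r}; use bind, plist or fetch")
```

Run it as `script.py bind`, `script.py plist` or `script.py fetch http://deploy.example.com/ad/` from a root startup item. The functions that build commands and rewrite the plist are kept separate from the functions that touch the machine, so the credential derivation and plist handling can be checked on any host before the script is trusted on real hardware.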
Hi Joel,
That's kind of what I figured. Both options have their drawbacks, but option 2 seems more plausible. I wonder if we could unbind the machine with a logout hook to keep down the number of orphaned accounts?
Gary Daniel Hoit
System Management Solutions Group
Lawrence Livermore National Laboratory
Phone: 925.424.5256
Pager: 877.402.6321