Unity Macintosh Lab Kit – Spring 2010 12172009

Spring 2010 12082009

See http://oit.ncsu.edu/macintosh/views/labkit-all for information on software in previous kits.

 


 

MAJOR CHANGES:

1) **Machines must bind to active directory post imaging**.  There is an issue binding to NC State LDAP with 10.6 causing systems to hang after 1-4 hours of idle time.  This version of the kit changes to us the Active Directory Plug-in in Directory Services to bind to the Campus Active Directory instead. As with all deployments of Active Directory on all platforms, the machine must be bound to the directory after the imaging process completes.

The dsconfigad command can be used with ARD in a script to bind a Unity kit machine to the Campus AD as follows: 

/bin/mv /Library/Preferences/edu.mit.Kerberos /Library/Preferences/edu.mit.Kerberos.unity

/user/sbin/dsconfigad -f -u -p -lu labadmin  -lp uwish -domain wolftech.ad.ncsu.edu -ou “ou=YouNeedToKnowThis!!!,ou=ncsu,dc=wolftech,dc=ad,dc=ncsu,dc=edu”

/bin/rm -Rf /Library/Preferences/edu.mit.Kerberos

/bin/mv /Library/Preferences/edu.mit.Kerberos.unity /Library/Preferences/edu.mit.Kerberos

A good copy of the edu.mit.Kerberos multi-Realm file is available for download here if yours becomes unusable.

NOTE: You must know what AD container to bind the machine to and had a username and password that has permissions to do so. If you do not know this information you will not be able to bind the machine.  Contact help@ncsu.edu if you have questions.

2) Machine management is done using the DSLocal directory and each machine must also be “bound” to the DSLocal by adding the hardware MAC address of the Built-in Ethernet NIC (en0) to the /Computers/localhost entry in DSLocal.  This can be done using Send Unix… in ARD by:

sudo dscl . -create /Computers/localhost ENetAddress $(ifconfig en0 |grep ether | awk ‘{print $2}’)

3) Tokens to use OpenAFS are no longer acquired at login.  Instead the MyAFS.app is provided and will prompt uses for Unity ID and password to at Ticket Granting Tickets, Service Granting Tickets and Tokes for using NC State AFS Cells (unity, eos, bp). It is critical that the edu.mit.kerbeos file in /Library/Preferences be correct in step 1) above for this to function.

NOTE: There are other configurations using the DSLocal and AD Plug-in that may be useful documented below.


 

OIT is providing a Universal Lab Kit only for  Intel (i386) based Macintosh hardware supporting 32 bit and 64 bit machines where possible.

OIT Unity Macintosh Lab kits create local home directories (ie /Users/)for each user that logs in on each machine.  Use the MyAFS link to save files to traditional Unity AFS file space.  This means that user preferences and Library files will not follow the users from one machine to the next.

List of Major Applications 
Known issues  
Full List of Applications 
Setting Up WolfCopy Printers
Additional Configuration using Active Directory


Additional Configuration for Active Directory

Once a machine is bound to a directory like the Campus Active Directory some additional settings may optionally be made for administration and security.

Allow a group of directory users to administer the machine.

To allow a group of uses in the Campus Directory to act as administrator of the local machine to install software, change setting, etc. the group must be added to the “Allowed admin groups” setting in the Active Directory Plug-in configuration for directory services.

Use dsconfigad command line tool as administrator (sudo) in Terminal.app or via ARD’s Send Unix… command to enable this for users and groups of users:

dsconfigad -groups “WOLFTECHsome-admin group”,”WOLFTECHsome-other group”

NOTE: You must know the name of the groups in the Campus AD you want to use.

To confirm the setting use:

dsconfigad -show

Allow a single user to be administrator on their private machine.

For a private install where the person using the machine each day should be able to install software, add printers and sudo to root we need to add their Campus AD short name to the group admin in the DSLocal.

Use the dseditgroup command line tool from ARD or Terminal as administrator (sudo) to allow this.

dseditgroup -o edit -a “WOLFTECHsomeuser” -t user -n /Local/Default   admin

Use the dscl command to confirm this setting:

dscl /Local/Default -read /Groups/admin GroupMembership

Allow Campus AD groups/users to use ARD automatically.

It is possible to allow groups/users in the Campus AD to have automatic access to machines using their Campus Id.  The policy for allowing this is under review by OIT Security and Compliance.  The process involves enabling directory-based administration” using the “Create client installer…” command in the ARD application and then adding the Campus AD groups/users to one of 4 fixed groups in the DSLocal of each machine.  This process and a sample installer will be available here when the security review is finished.

 


Major Macintosh Applications:

AIM.app Fugu.app Soundtrack.app
Address Book.app GarageBand.app Stickies.app
AdminLauncher.app Google Earth.app StuffIt 12
Adobe Google Notifier.app System Preferences.app
Adobe Acrobat 9 Pro GrassGIS.app TeX
Adobe Drive CS4 Image Capture.app TextEdit.app
Adobe Media Encoder CS4 JMP 7.app TextWrangler.app
Adobe Media Player.app LiveType.app Time Machine.app
Adobe Reader 9 MATLAB_R2009b.app TurningPoint AnyWhere.app
Audacity 1.3.10 Mail.app Utilities
Automator.app Maple 13 VPython
BTV Pro Carbon 5.4.1 folder MathType 6 Webmail.webloc
Calculator.app Mathematica.app Windows Media Player
Chess.app Microsoft Office 2008 Write-N-Cite 2.5.app
Citrix Dazzle.app MyAFS.app Zend
Cn3D.app Photo Booth.app iCal.app
DVD Player.app Preview.app iChat.app
Dashboard.app Python 2.6 iDVD.app
Dazzle Qgis.app iMovie.app
Dictionary.app QuickTime Broadcaster.app iPhoto.app
ESRI QuickTime Player.app iSync.app
Fetch.app R.app iTunes.app
Final Cut Express HD.app RealPlayer.app iWeb.app
Firefox.app Remote Desktop Connection.app iWork ’09
Flip4Mac Safari.app tn3270
Font Book.app Sketchpad
Front Row.app Solver.app
Acrobat.com.app Adobe Dreamweaver CS4 Adobe InDesign CS4
Adobe After Effects CS4 Adobe Extension Manager CS4 Adobe Photoshop CS4
Adobe Bridge CS4 Adobe Fireworks CS4 Adobe Soundbooth CS4
Adobe Contribute CS4 Adobe Flash CS4 Adobe Soundbooth Scores
Adobe Device Central CS4 Adobe Illustrator CS4


Known Issues:

1) Mac OS X 10.6 will not run on PPC hardware.  This and all kits going forward supports only Apple, Intel based hardware!

2) When printing a Unity ID and password will be required each time a print request is made to a WolfCopy printer. Printing now uses the Apple supported CUPS mechanisms instead of LPRNG used in the past. Have a look athttp://oit.ncsu.edu/macintosh/cups-setup-wolfcopy-mac-os-x-105 to see how to setup printers.

3)  Print queue management in cupsd.conf has been opened up so users can cancel any job, start, restart and re-enable printers.

Here is the changed policy section from /private/etc/cups/cupsd.conf:

 

  # Job-related operations must be done by the owner or an administrator…

  

    Require user @OWNER @SYSTEM

    Order deny,allow

  

 

  # All administration operations require an administrator to authenticate…

  

    AuthType Default

    Require user @SYSTEM

    Order deny,allow

  

 

  # All printer operations require a printer operator to authenticate…

  

    AuthType Default

    Require user @AUTHKEY(system.print.admin) @admin @lpadmin

    Order deny,allow

  

 

  # Only the owner or an administrator can cancel or authenticate a job…

  # NC State all uses can cancel jobs but everyone must authenticate to print

  

    Require user @OWNER @AUTHKEY(system.print.admin) @admin @lpadmin

    Order deny,allow

  

 

 # NC State OIT changes for labs

 

   Order deny,allow

 

  

    Order deny,allow

  

4) The Logout.app in /System/Library/CoreServices  may require a 2nd click to actually logout of the machine.  OIT has rewritten the application to use Cocoa api’s.  The new application is available from

5) Adobe CS 4 products may fail to run due to crashing after launch.  This issue has been observed by OIT staff on Design machines but no resolution has yet been found.  A work around in some cases is to reboot the computer but this is not 100% effective. It is possible that this issue is related to the Adobe license issue in item 7 of this list.

6) Adobe CS4 products may display license error dialogs on launch and fail to run.  Thank you to S. Lennon of CHASS for reporting this issue and the fix.  This is a known issue for multiple platforms running Adobe CS4 products and is detailed with fixes at the Adobe Support site.  See http://kb2.adobe.com/cps/405/kb405970.html for details.

7) These software updates did not make the freeze date for the image and are NOT applied nor tested with this image: