Spring 2010 12082009
See http://oit.ncsu.edu/macintosh/views/labkit-all for information on software in previous kits.
MAJOR CHANGES:
1) **Machines must bind to Active Directory post imaging**. There is an issue binding to NC State LDAP with 10.6 that causes systems to hang after 1-4 hours of idle time. This version of the kit changes to use the Active Directory Plug-in in Directory Services to bind to the Campus Active Directory instead. As with all deployments of Active Directory on all platforms, the machine must be bound to the directory after the imaging process completes.
The dsconfigad command can be used with ARD in a script to bind a Unity kit machine to the Campus AD as follows:
/bin/mv /Library/Preferences/edu.mit.Kerberos /Library/Preferences/edu.mit.Kerberos.unity
/usr/sbin/dsconfigad -f -u -p -lu labadmin -lp uwish -domain wolftech.ad.ncsu.edu -ou "ou=YouNeedToKnowThis!!!,ou=ncsu,dc=wolftech,dc=ad,dc=ncsu,dc=edu"
/bin/rm -Rf /Library/Preferences/edu.mit.Kerberos
/bin/mv /Library/Preferences/edu.mit.Kerberos.unity /Library/Preferences/edu.mit.Kerberos
A good copy of the edu.mit.Kerberos multi-Realm file is available for download here if yours becomes unusable.
NOTE: You must know which AD container to bind the machine to and have a username and password with permission to do so. If you do not know this information you will not be able to bind the machine. Contact help@ncsu.edu if you have questions.
2) Machine management is done using the DSLocal directory and each machine must also be “bound” to the DSLocal by adding the hardware MAC address of the Built-in Ethernet NIC (en0) to the /Computers/localhost entry in DSLocal. This can be done using Send Unix… in ARD by:
sudo dscl . -create /Computers/localhost ENetAddress $(ifconfig en0 | grep ether | awk '{print $2}')
3) Tokens to use OpenAFS are no longer acquired at login. Instead the MyAFS.app is provided and will prompt users for their Unity ID and password to obtain Ticket Granting Tickets, Service Granting Tickets and Tokens for using NC State AFS Cells (unity, eos, bp). It is critical that the edu.mit.Kerberos file in /Library/Preferences be correct in step 1) above for this to function.
NOTE: Other configurations using the DSLocal and AD Plug-in that may be useful are documented below.
OIT is providing a Universal Lab Kit only for Intel (i386) based Macintosh hardware supporting 32 bit and 64 bit machines where possible.
OIT Unity Macintosh Lab kits create local home directories (i.e. /Users/) for each user who logs in on each machine. Use the MyAFS link to save files to traditional Unity AFS file space. This means that user preferences and Library files will not follow the users from one machine to the next.
List of Major Applications
Known issues
Full List of Applications
Setting Up WolfCopy Printers
Additional Configuration for Active Directory
Once a machine is bound to a directory like the Campus Active Directory, some additional settings may optionally be made for administration and security.
Allow a group of directory users to administer the machine.
To allow a group of users in the Campus Directory to act as administrators of the local machine (to install software, change settings, etc.), the group must be added to the “Allowed admin groups” setting in the Active Directory Plug-in configuration for directory services.
Use dsconfigad command line tool as administrator (sudo) in Terminal.app or via ARD’s Send Unix… command to enable this for users and groups of users:
dsconfigad -groups "WOLFTECH\some-admin group","WOLFTECH\some-other group"
NOTE: You must know the name of the groups in the Campus AD you want to use.
To confirm the setting use:
dsconfigad -show
Allow a single user to be administrator on their private machine.
For a private install where the person using the machine each day should be able to install software, add printers and sudo to root, we need to add their Campus AD short name to the admin group in the DSLocal.
Use the dseditgroup command line tool from ARD or Terminal as administrator (sudo) to allow this.
dseditgroup -o edit -a "WOLFTECH\someuser" -t user -n /Local/Default admin
Use the dscl command to confirm this setting:
dscl /Local/Default -read /Groups/admin GroupMembership
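To review who actually holds admin rights after making the two settings above, the following added example (not part of the OIT kit) compares the dsconfigad -show and dscl output with an approved list. The approved names are hypothetical, and the "Allowed admin groups = ..." line layout of dsconfigad -show is an assumption.

```shell
#!/bin/sh
# Added example, not OIT's code. Approved names below are hypothetical.
APPROVED_USERS="root labadmin"
APPROVED_GROUPS='WOLFTECH\some-admin group'   # one group per line

# $1 = output of: dscl /Local/Default -read /Groups/admin GroupMembership
# Prints every member of the local admin group that is not approved.
unexpected_admin_users() {
    printf '%s\n' "$1" | sed 's/^GroupMembership://' | tr -s ' \t' '\n\n' |
    while IFS= read -r member; do
        [ -n "$member" ] || continue
        case " $APPROVED_USERS " in
            *" $member "*) ;;
            *) printf '%s\n' "$member" ;;
        esac
    done
}

# $1 = output of: dsconfigad -show
# Assumes the setting appears as "Allowed admin groups = g1,g2".
# Prints every allowed admin group that is not approved (case-insensitive).
unexpected_admin_groups() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*Allowed admin groups[[:space:]]*=[[:space:]]*//p' |
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    while IFS= read -r group; do
        [ -n "$group" ] || continue
        if printf '%s\n' "$APPROVED_GROUPS" | grep -Fxqi -- "$group"; then
            :
        else
            printf '%s\n' "$group"
        fi
    done
}

# Run the audit only where the Mac OS X directory tools exist.
if command -v dscl >/dev/null 2>&1 && command -v dsconfigad >/dev/null 2>&1; then
    unexpected_admin_users "$(dscl /Local/Default -read /Groups/admin GroupMembership)"
    unexpected_admin_groups "$(dsconfigad -show)"
fi
```

Any name it prints has admin rights on the machine without being on the approved list.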
Allow Campus AD groups/users to use ARD automatically.
It is possible to allow groups/users in the Campus AD to have automatic access to machines using their Campus Id. The policy for allowing this is under review by OIT Security and Compliance. The process involves enabling “directory-based administration” using the “Create client installer…” command in the ARD application and then adding the Campus AD groups/users to one of 4 fixed groups in the DSLocal of each machine. This process and a sample installer will be available here when the security review is finished.
AIM.app | Fugu.app | Soundtrack.app |
Address Book.app | GarageBand.app | Stickies.app |
AdminLauncher.app | Google Earth.app | StuffIt 12 |
Adobe | Google Notifier.app | System Preferences.app |
Adobe Acrobat 9 Pro | GrassGIS.app | TeX |
Adobe Drive CS4 | Image Capture.app | TextEdit.app |
Adobe Media Encoder CS4 | JMP 7.app | TextWrangler.app |
Adobe Media Player.app | LiveType.app | Time Machine.app |
Adobe Reader 9 | MATLAB_R2009b.app | TurningPoint AnyWhere.app |
Audacity 1.3.10 | Mail.app | Utilities |
Automator.app | Maple 13 | VPython |
BTV Pro Carbon 5.4.1 folder | MathType 6 | Webmail.webloc |
Calculator.app | Mathematica.app | Windows Media Player |
Chess.app | Microsoft Office 2008 | Write-N-Cite 2.5.app |
Citrix Dazzle.app | MyAFS.app | Zend |
Cn3D.app | Photo Booth.app | iCal.app |
DVD Player.app | Preview.app | iChat.app |
Dashboard.app | Python 2.6 | iDVD.app |
Dazzle | Qgis.app | iMovie.app |
Dictionary.app | QuickTime Broadcaster.app | iPhoto.app |
ESRI | QuickTime Player.app | iSync.app |
Fetch.app | R.app | iTunes.app |
Final Cut Express HD.app | RealPlayer.app | iWeb.app |
Firefox.app | Remote Desktop Connection.app | iWork ’09 |
Flip4Mac | Safari.app | tn3270 |
Font Book.app | Sketchpad | |
Front Row.app | Solver.app | |
Acrobat.com.app | Adobe Dreamweaver CS4 | Adobe InDesign CS4 |
Adobe After Effects CS4 | Adobe Extension Manager CS4 | Adobe Photoshop CS4 |
Adobe Bridge CS4 | Adobe Fireworks CS4 | Adobe Soundbooth CS4 |
Adobe Contribute CS4 | Adobe Flash CS4 | Adobe Soundbooth Scores |
Adobe Device Central CS4 | Adobe Illustrator CS4 |
Known Issues:
1) Mac OS X 10.6 will not run on PPC hardware. This and all kits going forward support only Apple Intel-based hardware!
2) When printing, a Unity ID and password will be required each time a print request is made to a WolfCopy printer. Printing now uses the Apple-supported CUPS mechanisms instead of the LPRNG used in the past. Have a look at http://oit.ncsu.edu/macintosh/cups-setup-wolfcopy-mac-os-x-105 to see how to set up printers.
3) Print queue management in cupsd.conf has been opened up so users can cancel any job, start, restart and re-enable printers.
Here is the changed policy section from /private/etc/cups/cupsd.conf:
# Job-related operations must be done by the owner or an administrator…
Require user @OWNER @SYSTEM
Order deny,allow
# All administration operations require an administrator to authenticate…
AuthType Default
Require user @SYSTEM
Order deny,allow
# All printer operations require a printer operator to authenticate…
AuthType Default
Require user @AUTHKEY(system.print.admin) @admin @lpadmin
Order deny,allow
# Only the owner or an administrator can cancel or authenticate a job…
# NC State all uses can cancel jobs but everyone must authenticate to print
Require user @OWNER @AUTHKEY(system.print.admin) @admin @lpadmin
Order deny,allow
# NC State OIT changes for labs
Order deny,allow
Order deny,allow
4) The Logout.app in /System/Library/CoreServices may require a 2nd click to actually log out of the machine. OIT has rewritten the application to use Cocoa APIs. The new application is available from
5) Adobe CS 4 products may fail to run due to crashing after launch. This issue has been observed by OIT staff on Design machines but no resolution has yet been found. A workaround in some cases is to reboot the computer, but this is not 100% effective. It is possible that this issue is related to the Adobe license issue in item 7 of this list.
6) Adobe CS4 products may display license error dialogs on launch and fail to run. Thank you to S. Lennon of CHASS for reporting this issue and the fix. This is a known issue for multiple platforms running Adobe CS4 products and is detailed with fixes at the Adobe Support site.
7) These software updates did not make the freeze date for the image and are NOT applied nor tested with this image:
* JavaForMacOSX10.6Update1-1.0
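For known issue 3 above, this added example (not OIT's code) lists the operations in a cupsd.conf policy that carry no Require directive, which is how a block such as the two bare "Order deny,allow" entries in the excerpt is left open to unauthenticated use. The sample configuration is constructed in cupsd.conf syntax; its operation names are standard CUPS/IPP operations chosen for illustration, not the kit's actual lines.

```shell
#!/bin/sh
# Added example, not OIT's code: list the <Limit> blocks of a cupsd.conf
# policy that have no Require directive. A block with no Require line does
# not ask the client to authenticate, so its operations are open to any
# client that passes the Order/Allow/Deny rules.
open_cups_operations() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*<Policy[ \t]/ { policy = $2; sub(/>$/, "", policy); next }
        /^[ \t]*<Limit[ \t]/ {                       # a Limit block opens
            ops = $0
            sub(/^[ \t]*<Limit[ \t]+/, "", ops)
            sub(/>[ \t]*$/, "", ops)
            in_limit = 1; has_require = 0; next
        }
        /^[ \t]*<\/Limit>/ {                         # the block closes
            if (in_limit && !has_require) print policy ": " ops
            in_limit = 0; next
        }
        in_limit && /^[ \t]*Require[ \t]/ { has_require = 1 }
    '
}

# Constructed sample input (not the kit's real file).
constructed_sample() {
    cat <<'EOF'
<Policy default>
  # Job operations limited to the owner or an administrator
  <Limit Send-Document Hold-Job Release-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job Pause-Printer Resume-Printer>
    Order deny,allow
  </Limit>
</Policy>
EOF
}

constructed_sample | open_cups_operations
```

To audit a machine, feed it the real file: open_cups_operations < /private/etc/cups/cupsd.conf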