On Fri, Jan 6, 2012 at 2:09 PM, Ski Kacoroski <[email protected]> wrote:
> Hi,
>
> After the holidays something changed and I cannot figure out what it is, but
> for some reason our Mac OSX 10.6 clients who are bound to Active Directory
> are having the ownership changed. So for example:
>
> C00771:Users root# ls -l
> total 0
> -rw-r--r-- 1 root wheel 0 Jul 1 2009 .localized
> drwxrwxrwt 8 root wheel 272 Nov 23 2010 Shared
> drwx------ 19 hmccrum 1696695147 646 Jan 3 10:44 hmccrum
> drwx------ 13 2110082475 1696695147 442 Mar 25 2011 jbaumgartner
> drwx------ 13 270894697 1696695147 442 Mar 25 2011 nholder
> drwxr-xr-x+ 12 nsadmin staff 408 Feb 22 2011 nsadmin
> drwxr-xr-x+ 12 staffadmin staff 408 Jan 27 2011 staffadmin
>
> The quick fix is simply to change them back, but then it happens again.
>
> The only other item I have noticed is that in the DirectoryService.error.log
> I see things like:
>
> 2012-01-05 08:26:52 PST - T[0x0000000101281000] - Active Directory:
> No matching _kerberos records for server - "stadc07.staff.nsd.org"
> 2012-01-05 15:41:00 PST - T[0x00007FFF70C96CA0] - DNSServiceProcessResult
> returned -65563
>
> Now the stadc07 server has not been around since Sept 2010. It was
> initially set up as a new AD server and then renamed to stadc01 when we
> replaced the original AD server (this was part of an upgrade from 2003 to
> 2008).
>
> This is happening to around 50% at one site (20 of 35 machines) and
> sporadically across our other sites. If we fix it then on some machines it
> happens again in a few days.
>
> I really do not want to run a cron job every hour on the clients to check
> and reset the ownership, but if it starts spreading and I cannot figure it out
> that is all I can think of so the users can continue to work.
>
> I look forward to hearing your ideas.
>

Ok, I found several spurious SRV records in the AD server and have removed them. My current theory is that some clients would connect and get a _ldap._tcp.stadc07 record and then somehow the OS would change the ownership when they tried to request a _kerberos._tcp.stadc07 record which did not exist.

Comments?

cheers,

ski

--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir

Chris "Ski" Kacoroski, [email protected], 206-501-9803
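
A way to check for the kind of leftover SRV record described above, as an added example that is not part of the original message: it compares the targets returned for the LDAP and Kerberos SRV names and lists hosts advertised for only one of them. The input is assumed to be saved `dig +short SRV` output; the sample records are constructed, with hostnames taken from the thread and ports assumed.

```python
# Added example: flag domain controllers that appear in the SRV answers
# for one service (LDAP or Kerberos) but not the other.
import re

# Constructed sample input in `dig +short SRV <name>` format
# (priority weight port target.). Hostnames are from the thread; the
# ports and the exact record set are assumptions for illustration.
LDAP_SRV = """\
0 100 389 stadc01.staff.nsd.org.
0 100 389 stadc07.staff.nsd.org.
"""
KERBEROS_SRV = """\
0 100 88 stadc01.staff.nsd.org.
"""

SRV_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")


def parse_srv(text):
    """Return the set of lower-cased target hostnames in SRV answer lines."""
    targets = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and dig comment lines
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV answer line: {line!r}")
        targets.add(m.group(4).lower())
    return targets


def srv_mismatches(ldap_text, kerberos_text):
    """Hosts advertised for only one of the two services."""
    ldap, krb = parse_srv(ldap_text), parse_srv(kerberos_text)
    return {
        "ldap_only": sorted(ldap - krb),
        "kerberos_only": sorted(krb - ldap),
    }


if __name__ == "__main__":
    for kind, hosts in srv_mismatches(LDAP_SRV, KERBEROS_SRV).items():
        for host in hosts:
            print(f"{kind}: {host}")
```

A host listed under `ldap_only` is one that clients can discover for LDAP but for which no Kerberos SRV record exists, which is the situation the error log line about stadc07 reports.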
