On Dec 22, 2008, at 11:59 AM, Nigel Kersten wrote: > > > On Mon, Dec 22, 2008 at 9:47 AM, Carl Caum <[email protected]> > wrote: > > On Dec 22, 2008, at 11:42 AM, Nigel Kersten wrote: > >> >> >> On Mon, Dec 22, 2008 at 9:28 AM, Carl Caum <[email protected]> >> wrote: >> Most plist management can be done with the defaults command. It >> means we exec out everytime, but we could write a definition/plugin >> around it. >> >> It also has the sometimes undesirable side effect of converting all >> your xml1 property lists to binary format. >> >> We tend to use PlistBuddy here for this reason. >> > > Not that it's a great solution, but you can force it to be xml1 with > this: > plutil -convert xml1 /Library/Preferences/DirectoryService/ > DirectoryService.plist > It has to be run after every write to be absolutely sure. But I > have to ask, why would you care if you use the defaults command > every time for reading and writing? > > Because sometimes we have other tools that use one of the various > plist modules for Ruby/Python etc that require the xml1 format, and > some of those tools aren't running with elevated privileges, and > can't always convert a plist to xml. > > We're slowly moving things over to using the BridgeSupport in Ruby/ > Python where you can instantiate an NSDictionary from a binary or > xml plist instead, but that's only available in 10.5 by default. > > > > >> >> I'm having trouble getting puppet to run on OS X. I installed >> 0.24.7 on my OS X server VM using gems. After signing the >> certificate on the puppetmaster side, I get this on the client side: >> >> 2008-12-22 11:25:35.796 system_profiler[6552:10b] Exception while >> calling [SPPlatformReporter updateDictionary:] >> *** -[NSCFArray objectAtIndex:]: index (3) beyond bounds (2) >> err: Could not retrieve catalog: undefined method `[]' for >> nil:NilClass >> >> I've never seen that... do you get the same bug using the packages >> at: >> >> http://explanatorygap.net/puppetfacter/ >> >> ? > I'll try them and report back >
VMWare doesn't report hardware to the system profiler. It's VMWare/ Apple's bug. Thanks to nigelk in IRC for figuring it out. > >> >> Any ideas? >> On Dec 19, 2008, at 11:16 PM, Crawford Kyle wrote: >> >>> >>> On Dec 19, 2008, at 10:48 PM, Nigel Kersten wrote: >>> >>>> >>>> >>>> On Fri, Dec 19, 2008 at 7:23 PM, Crawford Kyle >>>> <[email protected]> wrote: >>>> >>>> On Dec 19, 2008, at 7:55 PM, Nigel Kersten wrote: >>>>> >>>>> On Fri, Dec 19, 2008 at 2:29 PM, Carl Caum <[email protected]> >>>>> wrote: >>>>> >>>>> Does anyone know how to go about joining Mac OS X Leopard to an >>>>> Active >>>>> Directory domain with puppet? >>>>> Primarily it needs to be broken down in to doing LDAP >>>>> authentication >>>>> with a few attribute mappings and using kerberos for the password >>>>> authentication. >>>>> >>>>> You're going to want to push out your DS preferences and then do >>>>> an exec for the joining of the machine account I imagine, >>>>> although you could do some of this with templates..... >>>>> >>>>> How were you doing this before Puppet? >>>>> >>>>> There are no native types now, because those of us doing the Mac >>>>> stuff with Puppet don't work in AD environments :) >>>>> >>>>> I'm more than happy to spend time helping you work through this >>>>> though Carl. I'm reasonably familiar with AD integration even >>>>> though we don't do it here. >>>>> >>>>> This would be a great recipe to get up on the Puppet wiki. >>>> >>>> We are in a large AD environment using Puppet. We currently >>>> handle the AD joining outside of Puppet with a python script in a >>>> launchd job that runs at first boot, though we will probably be >>>> moving this to Puppet. >>>> >>>> The typical steps are: >>>> Make sure time server is set and time is set correctly >>>> ( ntpd.conf or exec systemsetup ) >>>> Activate AD plugin by enabling it in DirectoryService.plist. >>>> ( just a simple key value but I think you need to restart >>>> DirectoryService for it to notice ) >>>> Configure AD plugin using dsconfigad options. ( this can take a >>>> lot of options all of these just change key values in >>>> ActiveDirectory.plist ) >>>> Join to domain using dsconfigad with a limited AD account and >>>> password with permissions to add machines to your OU. ( this >>>> would need to exec the dsconfigad command with username, >>>> password, OU, machine join name. Unfortunately the password is >>>> passed to dsconfigad in clear text as a parameter ) >>>> Set the authentication search path to Custom, and include your AD >>>> domain node using dscl. ( dscl exec ) >>>> >>>> We do manage the time server with Puppet and setting a couple of >>>> mapping attributes in the AD plists. >>>> >>>> I'm happy to help you get this all working in Puppet as well. >>>> >>>> oh cool. I didn't realize you were doing AD integration Kyle. >>>> >>>> How are you ensuring that AD continues to be configured on the >>>> clients? Does the python launchd job do all of this? Or are you >>>> managing some components as Puppet resources? >>>> >>>> I've been thinking for a while about how to mange >>>> DirectoryService nodes as native Puppet types, but there are so >>>> many attributes to think about I'm not sure it actually >>>> simplifies matters all that much... >>> >>> Yes, I've done a lot of AD integration work. The python script I >>> wrote tests the configuration and scenarios related to AD Node >>> status and takes action if necessary. The only part in Puppet so >>> far is management of a couple AD plist keys. >>> >>> Agreed, DirectoryService node configuration can get complex. >>> There may be lower hanging fruit like improved plist management >>> that would help in all areas including DirectoryService. >>> >>> Kyle >>> >>> >>> >>> >> >> >> >> >> >> >> -- >> Nigel Kersten >> Systems Administrator >> Tech Lead - MacOps >> >> >> > > > > > > > -- > Nigel Kersten > Systems Administrator > Tech Lead - MacOps > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
