The Adventures of Systems Boy!

Confessions of a Mac SysAdmin...

A Problem with Managed Preferences

In our labs Mac OS X machines bind to a Mac OS X Server for user authentication. But this also affords us the opportunity to control certain aspects of our workstations' behavior en masse. And we certainly take advantage of this. The way this works is simple, and, when it works properly, a thing of beauty: Open up Workgroup Manager, create a computer list, add computers to it and then set whatever preferences you want on those systems. Just about anything you can set in System Preferences can be controlled from the server — Login Items, Energy Saver settings, and my personal favorite, Printers, to name just a few. The Open Directory host — your OS X Server — will make sure all the prefs you set in here are managed on the specified machines.

But recently I had a few machines that would simply not allow themselves to be controlled from the server. Binding was working properly, as evidenced by the fact that network logins worked. But any sort of managed preferences would not be picked up by the workstations. This is a perennial problem and historically has had something to do with mcx_cache settings not being reset by the server. But this has gotten much better over the years, to the point where it's not usually an issue. Still, I tried everything with regard to the cache, and no matter what I did, authentication worked but managed preferences did not. Finally, today I managed to stumble upon the solution.

Turns out there's a little quirk in the Workgroup Manager. Seems if you add the same computer to two different lists, you'll get two separate entries in your OD database — one called "computer" and one called "computer_1." I did this. And then later I deleted the original "computer" entry from the first list, and renamed the "computer_1" entry back to "computer" in the WGM GUI. This is a no-no. And it's what was causing my computer control problems, though there seemed no apparent problem from the standpoint of the standard WGM interface.

Workgroup Manager Preferences: Show Me the Records!

The solution was to enable WGM's "Show 'All Records' tab and inspector" preference, which gives you a much more accurate view of your Open Directory database than does the standard GUI interface. Once the "All Records" tab was enabled I opened it up and looked at the "Computers" list from the pull-down on the right (just below the search field). Lo and behold, there was my "computer_1" record, but no "computer" record. Looks like the server was getting confused as to whether to control "computer" (as set in the GUI) or "computer_1" (as was actually entered in the OD database). So I deleted all references to the machine in the "All Records" inspector, then went back into the GUI and re-added the machine to the appropriate list. Voila! The machine instantly began getting managed preference settings from the server.

So the rules of thumb here are:
  1. Avoid adding the same machine to more than one list. You're not supposed to do it, and it can muck things up.
  2. The "All Records" tab is your friend. Look here for more accurate views than the standard GUI can provide. Edit with care as necessary.

My lesson for the day.



2:23 AM

Been stung by this as well. Tricky bugger. Workgroup Mgr is so powerful, but can be flaky sometimes. Behold the great wizard and his magic wand... :)

12:55 PM

I will evermore repeat this mantra:
"Inspector, Inspector, Inspector."

It's all about the Inspector.


5:46 AM

This also happens if you have 'Disable Clear Text Passwords' ticked in the LDAP security settings on the client, but not on the server - or vice versa of course. Might help someone! :)    

7:31 PM

In my case, we had some old teachers leave, and some new ones come on board. So when I renamed a computer from "Joe's iMac" to "Lisa's iMac", and then tried to bind "Lisa's iMac" to a Managed Computer List, it wouldn't take because the Ethernet address of that computer was still in the Database in the "Lisa's iMac" record! So it's not just about the name of the computer, it's about the Ethernet address. No duplicates allowed in either case.

So the moral here is if you are reassigning computers, delete those old Sharing names....

This drove me crazy today for 3 hours.    
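Both the post (a stale "computer_1" record left behind after a machine was added to two lists) and the comment above (an Ethernet address still attached to an old record name) are cases where the directory holds more computer records for one machine than the WGM GUI shows. The script below is an added example, not from the original post or its commenters: it audits the output of `dscl <node> -list /Computers ENetAddress` for exactly those two conditions. The node path /LDAPv3/127.0.0.1 is an assumption (run it on the OD master, or substitute your node), and the sample records are constructed for the example.

```shell
#!/bin/sh
# Audit Open Directory computer records for the two problems described in the
# post and the comments:
#   1. a record name carrying the numeric suffix ("computer_1") that Workgroup
#      Manager appends when a machine is added to a second computer list;
#   2. one Ethernet address present under more than one record name (an old
#      "Joe's iMac" record still holding the MAC of the renamed machine).
# Input is what `dscl <node> -list /Computers ENetAddress` prints: the record
# name, whitespace, then the MAC address. Names may contain spaces; the MAC is
# always the last field.

# Reads "name   mac" lines on stdin and prints one finding per line.
audit_computer_records() {
    awk '
    NF >= 2 {
        mac = tolower($NF)              # normalise case before comparing
        name = $0
        sub(/[ \t]+[^ \t]+$/, "", name) # strip the trailing MAC field
        if (name ~ /_[0-9]+$/)
            print "SUFFIXED " name
        if (mac in seen)
            print "DUPLICATE_MAC " mac " " seen[mac] " " name
        else
            seen[mac] = name
    }'
}

# Constructed sample (not taken from any real server) reproducing both
# situations: a leftover "computer_1" record and one MAC under two names.
SAMPLE='lab-01            00:11:22:33:44:55
lab-02            00:11:22:33:44:66
computer_1        00:11:22:33:44:77
joes-imac         00:11:22:33:44:88
lisas-imac        00:11:22:33:44:88'

# Runs the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_computer_records
}

# Live use on the OD master (assumed node path; adjust for your directory):
#   dscl /LDAPv3/127.0.0.1 -list /Computers ENetAddress | audit_computer_records

audit_sample
```

Each finding names the record(s) to inspect in the "All Records" tab before deleting anything; the script itself only reads the directory.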

1:58 PM

Excellent! Thanks for the info.

