This discussion is locked
piperspace
Level 2 (305 points)

Q: System Image Utility 2 - Directory Binding Fails

I am testing the new feature to automatically "Connect Computers to Directory Servers" following an install. I need to bind my clients to a Windows Domain and also to a Mac server. I am running the Version 10.6.2 Server Admin Tools on a laptop under Snow Leopard and then copying the NBI folder to a server running 10.5.x. I have not yet been able to try this with a 10.6 server.

My SIU workflow takes a 10.6 DVD as its source, then it has steps to Add User, Apply System Configuration Settings and finally Create Image. In the Settings I am entering the info for both directory servers. For the Windows AD server I am providing proper admin credentials.

When I install this image everything works as expected except that the client is not connected to the directory servers. This feature does not seem to work under any circumstances. However, I do see the following in the client's system log following first boot:
Dec 7 10:09:40 piperspace-000000000000 /usr/sbin/NetBootClientHelper[27]: bindToServersFromList: Custom call 201 to LDAPv3 failed.
Dec 7 10:09:43 piperspace-000000000000 DirectoryService[15]: Failed to changed computer password in Active Directory domain
Dec 7 10:09:43 piperspace-000000000000 /usr/sbin/NetBootClientHelper[27]: bindToServersFromList: Custom call 80 to Active Directory failed.

Any insight would be helpful.

Mac OS X (10.6.2)

Posted on Dec 8, 2009 9:43 AM

by Brian Nesse,Solvedanswer
Brian Nesse Brian Nesse
Level 4 (3,027 points)
A:
I believe the workaround for this problem would be to pre-install the helper & names files onto the source volume before imaging.

The basic process would be what is (supposed to be) done by the post install script. If you mount the NetInstall image you've created, and look at /Volumes/NetInstall/var/tmp/niu/postinstall/installClientHelper.sh, you'll get the gist of it. All of the necessary files are located on the NetInstall image.

The problem is that you'll probably just run into the other issue which piperspace posted about, which is the race condition that is keeping the tool from executing properly anyway.

Posted on Jan 5, 2010 9:04 AM

Close
piperspace

Q: System Image Utility 2 - Directory Binding Fails

  • All replies
  • Helpful answers

Page 1 Next

  • by Brian Nesse,

    Brian Nesse Brian Nesse Dec 8, 2009 3:36 PM in response to piperspace
    Level 4 (3,027 points)
    Dec 8, 2009 3:36 PM in response to piperspace
    Are you creating a "NetRestore" or a "NetInstall"?

    The "Add User" action is not intended to run in the NetInstall workflow, and could be causing problems.

    Your logs indicate that neither the OD (at :40 seconds) nor the AD (at :43 seconds) bindings are occurring. Can you manually connect these systems to the servers through the accounts preference panel?

  • by piperspace,

    piperspace piperspace Dec 8, 2009 3:51 PM in response to Brian Nesse
    Level 2 (305 points)
    Dec 8, 2009 3:51 PM in response to Brian Nesse
    I am doing a NetRestore.

    Yes, the target client connects to both servers fine if I ask it to do so manually from the accounts preferences panel.

    Related question - if automatic binding fails on first boot does it ever retry? Sometimes our Windows AD servers are flaky.

  • by Brian Nesse,Helpful

    Brian Nesse Brian Nesse Dec 9, 2009 9:40 AM in response to piperspace
    Level 4 (3,027 points)
    Dec 9, 2009 9:40 AM in response to piperspace
    No, it won't re-run. It is a launchd process that unloads itself after running once.

    You can force it to run again by doing a:
    sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.NetBootClientHelper.plist

    it will, of course, disable itself again after executing.

  • by piperspace,

    piperspace piperspace Dec 10, 2009 10:19 AM in response to Brian Nesse
    Level 2 (305 points)
    Dec 10, 2009 10:19 AM in response to Brian Nesse
    Brian - thanks very much for explaining how to make the Helper program retry. I have found it is also necessary to restore /etc/bindingNames.plist in order to make it go. The helper seems to delete that file after each run (even in cases where the bind fails) as well as unloading itself.

    My ongoing problem with binding is intertwined with various naming issues. In my tests - Network Names longer than 14 characters (e.g. piperpspace-000000000000) do get bound successfully to AD but only if I manually enter them into my Windows 2003 server ahead of time. Shorter names (e.g. p-000000000000) are bound reliably both on the first install and subsequent installs using that name. I can live with shorter names. Its not a practical problem.

    However, I would note in passing that the names above result from my trying to use "Generate unique names starting with" feature. In my testing the generated names assigned are not unique. The trailing zeroes are not replaced with the target client's Mac address as expected unless I manually force the Helper to rerun.

    I still have two outstanding issues:

    1) I cannot get the "Apply Computer Name and Local Hostname settings from a file"
    feature to work. I made a txt file with a single line containing a MAC address plus three copies of the desired name as described and added that to my workflow. SIU 2 runs without complaint but it seems to ignore my naming file. There is no /etc/sharingNames.plist in the image, NetBootHelper does not get -setSharingNames as a parameter and the target Mac does not get a name. It therefore does not get bound.

    2) Binding to my Mac Directory Server fails intermittently (in about 20% of my tests) even when the Windows AD bind works OK. I'm guessing that may be happening because I am referencing the Mac server via its Bonjour name instead of making an entry for it in my DNS?

    Any insight, especially re: the naming issue, would be most helpful.

  • by piperspace,

    piperspace piperspace Dec 10, 2009 3:25 PM in response to piperspace
    Level 2 (305 points)
    Dec 10, 2009 3:25 PM in response to piperspace
    Silly me - I left the colons out of my MAC address.

    SIU 2 has now built an image with SharingNames.plist in it reflecting the contents of my Naming file.

    I will post results here from further testing.

  • by piperspace,

    piperspace piperspace Dec 10, 2009 4:57 PM in response to piperspace
    Level 2 (305 points)
    Dec 10, 2009 4:57 PM in response to piperspace
    No joy.

    File based names are not assigned to the target MAC and the initial bind still fails.

    If I manually force a rerun of NetBootClientHelper it works OK.

    This dog won't hunt.

  • by Brian Nesse,Helpful

    Brian Nesse Brian Nesse Dec 11, 2009 9:04 AM in response to piperspace
    Level 4 (3,027 points)
    Dec 11, 2009 9:04 AM in response to piperspace
    I presume the naming isn't working because the format of your file is somehow incorrect. It should look something like:
    0:14:51:64:d1:50 bnesse Brian’s Quad G5 g5Quad
    0:1d:4f:47:5d:e0 bnesse4 Brian’s MacPro 2X2Intel
    0:1d:4f:45:18:e8 -automatic- Octopus 2X4Intel

    The format is:
    MAC Address <TAB> hostname <TAB> Computer Name <TAB> Bonjour Name

    If you don't wish to assign a hostname, use the -automatic- keyword. The Bonjour Name is optional (as is the Computer Name).

    Regarding the binding failure... I don't have any ideas.

  • by piperspace,

    piperspace piperspace Dec 11, 2009 10:00 AM in response to Brian Nesse
    Level 2 (305 points)
    Dec 11, 2009 10:00 AM in response to Brian Nesse
    Brian - thanks very much for providing the example file. I have fixed that.

    However, on first boot the target Mac Client still does not get a name and the binding fails.

    I know that my parameters to NetBootClientHelper are now correct because if I Login and manually force the program to rerun the target Mac then gets the expected name(s) and gets bound correctly to both directories. It would appear that the program does work as intended but is somehow thwarted during first boot under my test conditions.

    Are there any diagnostics I can provide to help clarify this behavior? Thanks for your help!

  • by Brian Nesse,

    Brian Nesse Brian Nesse Dec 14, 2009 9:14 AM in response to piperspace
    Level 4 (3,027 points)
    Dec 14, 2009 9:14 AM in response to piperspace
    I can only guess at the root cause... but I'd guess you probably have some sort of a race condition where the servers aren't responding to the bind request "fast enough". This is causing a cascade failure of the entire process.

    The man page for Directory Services (man DirectoryService) has a discussion of the USR1 & USR2 signals you can sent to the DS daemon for debugging purposes. Maybe they will provide some useful information.

  • by piperspace,

    piperspace piperspace Dec 14, 2009 11:22 AM in response to Brian Nesse
    Level 2 (305 points)
    Dec 14, 2009 11:22 AM in response to Brian Nesse
    Thanks for the suggestion. I will try to produce that log and post results tomorrow.

    It looks like a race condition to me also. But in my tests neither the naming feature nor the binding feature work properly. Assuming both problems have the same cause I would guess the race is within the Mac OS during first boot.

    My test network set up is: Linksys Router (DHCP), Windows 2003 Server (Active Directory and DNS), Apple OS X Server 10.5.8 (Open Directory).

    If anyone reading this is having better luck with post install naming and/or binding I would be very grateful if you could post details of your network.

    Brian - thanks again for all your help.

  • by piperspace,

    piperspace piperspace Dec 14, 2009 5:14 PM in response to piperspace
    Level 2 (305 points)
    Dec 14, 2009 5:14 PM in response to piperspace
    Getting DirectoryService to make a debug log during first boot is tricky. The man page says you do that by restarting the service with "sudo killall -USR1 DirectoryService".

    But how to do that in time to log messages resulting from NetBootClientHelper which is started automatically via launchd?

    I tried adding another launchd job to run killall but it had no effect and I have no idea why not.

    Below is a portion of the system log I got.

    At time 14:04:01 I the USR1 signal from killall seems to just be causing DirectoryService to end abnormally.

    At 14:04:14 the HostName is changed by yet another launchd job I added that invokes the scutil program to set HostName. This seems to work OK but does not help with the binding.

    At 14:04:17 the error messages from NetBootClientHelper appear. Apparently from its failed attempt to bind. Again if I login immediately afterward and rerun this program it works fine. Just not here.

    Any ideas?

    ------------
    Dec 14 14:03:43 localhost com.apple.launchd[1]: * launchd[1] has started up. *
    Dec 14 14:03:57 localhost bootlog[43]: BOOT_TIME: 1260828221 0
    Dec 14 14:03:58 localhost fseventsd[34]: could not open <</.fseventsd/fseventsd-uuid>> (No such file or directory)
    Dec 14 14:03:59 localhost fseventsd[34]: log dir: /.fseventsd getting new uuid: 1C2374D5-6AC7-4AC9-9483-2D2A289E49DA
    Dec 14 14:04:01 localhost com.apple.launchd[1] (com.apple.DirectoryServices[38]): Exited abnormally: User defined signal 1
    Dec 14 14:04:01 localhost com.apple.launchd[1] (com.apple.DirectoryServices): Throttling respawn: Will start in 6 seconds
    Dec 14 14:04:03 localhost blued[53]: Apple Bluetooth daemon started
    Dec 14 14:04:07 localhost DirectoryService[54]: Improper shutdown detected
    Dec 14 14:04:11 localhost com.apple.kextd[10]: Cache file /System/Library/Caches/com.apple.kext.caches/Directories//System/Library/Extens ions/IOKitPersonalities_i386.ioplist.gz is out of date; not using.
    Dec 14 14:04:11 localhost blued[53]: [setSystemPreference] syncs returns false
    Dec 14 14:04:12: --- last message repeated 2 times ---
    Dec 14 14:04:12 localhost com.apple.launchd[1] (com.apple.smb.sharepoints[23]): Exited with exit code: 71
    Dec 14 14:04:12 localhost mDNSResponder[29]: mDNSResponder mDNSResponder-214 (Oct 16 2009 06:09:30) starting
    Dec 14 14:04:14 559-Lib-12345 configd[41]: setting hostname to "559-Lib-12345"
    Dec 14 14:04:14 559-Lib-12345 configd[41]: network configuration changed.
    Dec 14 14:04:15: --- last message repeated 1 time ---
    Dec 14 14:04:15 559-Lib-12345 com.apple.usbmuxd[19]: usbmuxd-167.1 built for iTunesEightTwo on Jul 9 2009 at 14:02:00, running 32 bit
    Dec 14 14:04:17 559-Lib-12345 /usr/sbin/NetBootClientHelper[27]: bindToServersFromList: Custom call 201 to LDAPv3 failed.
    Dec 14 14:04:17 559-Lib-12345 /usr/sbin/NetBootClientHelper[27]: bindToServersFromList: Custom call 82 to Active Directory failed.
    Dec 14 14:04:22 559-Lib-12345 blued[53]: [_setUserPreference] syncs returns false
    Dec 14 14:04:48: --- last message repeated 1 time ---
    Dec 14 14:04:48 559-Lib-12345 fseventsd[34]: checkvol_last_modtime:XXX failed to get mount time (25; &mount_time == 0x10043f8b8)
    Dec 14 14:04:48 559-Lib-12345 fseventsd[34]: log dir: /Volumes/WINDOWS XP/.fseventsd getting new uuid: 61CF2D3C-1B72-4D71-B30D-DBCE470BECD0
    Dec 14 14:04:55 559-Lib-12345 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[30]: Login Window Application Started
    Dec 14 14:04:55 559-Lib-12345 com.apple.kextd[10]: InternalModemSupport.kext does not declare a kernel dependency; using com.apple.kernel.6.0.
    Dec 14 14:04:56: --- last message repeated 1 time ---
    Dec 14 14:04:56 559-Lib-12345 com.apple.service_helper[112]: launchctl: Error unloading: com.apple.backupd-auto
    Dec 14 14:04:56 559-Lib-12345 com.apple.service_helper[112]: launchctl: Error unloading: com.apple.backupd-wake
    Dec 14 14:04:56 559-Lib-12345 com.apple.service_helper[112]: launchctl: Error unloading: com.apple.backupd-attach
    Dec 14 14:04:57 559-Lib-12345 com.apple.fontd[100]: FODBCheck: foRec->annexNumber != kInvalidAnnexNumber (0)
    Dec 14 14:04:58: --- last message repeated 1 time ---
    Dec 14 14:04:58 559-Lib-12345 configd[41]: New network configuration saved
    Dec 14 14:04:59 559-Lib-12345 configd[41]: bootpsessiontransmit: bpf_write(en1) failed: Network is down (50)
    Dec 14 14:04:59 559-Lib-12345 configd[41]: DHCP en1: INIT transmit failed
    Dec 14 14:05:00 559-Lib-12345 configd[41]: network configuration changed.
    Dec 14 14:05:01 559-Lib-12345 mds[28]: (Normal) DiskStore: Creating index for /
    Dec 14 14:05:03 559-Lib-12345 loginwindow[30]: Login Window Started Security Agent
    Dec 14 14:05:03 559-Lib-12345 WindowServer[106]: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
    Dec 14 14:05:03 559-Lib-12345 com.apple.WindowServer[106]: Mon Dec 14 14:05:03 559-Lib-12345 WindowServer[106] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
    Dec 14 14:05:05 559-Lib-12345 mDNSResponder[29]: User updated Computer Name from “MacBookPro-000000000000” to “MacBookPro-0026B0F1BB52”
    Dec 14 14:05:08 559-Lib-12345 configd[41]: network configuration changed.
    ----------------

  • by piperspace,

    piperspace piperspace Dec 16, 2009 6:24 PM in response to piperspace
    Level 2 (305 points)
    Dec 16, 2009 6:24 PM in response to piperspace
    New Results: I removed "System Configuration Settings" from my NetRestore workflow and replaced it with a custom package that installs a version of the venerable Bombich script as a launchd item. So, instead of running Apple's NetBootClientHelper program I am now executing a shell script during first boot that does the same thing. It assigns a unique name to the target machine using scutil and then binds it to the Windows Directory with dsconfigad. My version of the Bombich script is named signmeup.

    Initially, this approach did not work. Even though the script ran fine in user mode when I ran it as a startup daemon under launchd I got the following message in system.log:

    Dec 16 10:29:53 559-Lib-12345 com.piperspace.signmeup[64]: SCPreferencesCommitChanges() failed: Write attempted on stale version of object

    However, I then added a "sleep 30" statement at the start of the script and it began to work.

    From a programmer's standpoint this is evidence that a race condition exists within OS X during system boot and that NetBootClientHelper is competing with other bits of OS X to set preferences such as HostName.

    I can only speculate where the defect lies but users of Snow Leopard should be aware that the "System Configurations Settings" feature of SIU 2 will not be reliable until this problem is corrected.

  • by John Agapitos,

    John Agapitos John Agapitos Jan 3, 2010 1:46 AM in response to Brian Nesse
    Level 1 (29 points)
    Jan 3, 2010 1:46 AM in response to Brian Nesse
    I've spent days now trying to work out why I cannot get the "apply computer names from a text file" to work under SIU2. The same file I have has worked flawlessly under 10.5.

    I noticed that in your example format that the leading zero in the MAC address is missing. All of my iMac MAC addresses start with 00. Do you think that would make a difference? Also I've noticed you quoted lower case in the address as well. My file is in all uppercase and it worked in 10.5. I'm now trying another build with these differences... but this is killing me that I cant figure out why is not working.
    I'm using Netrestore and building the image using an iMac connected to an xserve.
    This is one line of my text file that has worked in 10.5

    00:26:4A:09:5B:4A helen helen

    Any help appreciated.

    John

  • by piperspace,

    piperspace piperspace Jan 3, 2010 12:54 PM in response to John Agapitos
    Level 2 (305 points)
    Jan 3, 2010 12:54 PM in response to John Agapitos
    Hi John,

    Have you tried forcing the helper program to rerun?

    Enter this from Terminal:
    sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.NetBootClientHelper.plist

    If it works it will confirm your names are OK.
Page 1 Next