mtimmons

Q: Directory Services Methods

I am at a little stopping point and could use some assistance...

I am configuring remote management for our various systems. I ultimately need to only allow certain users to "ard_interact" on certain machines and other users to "ard_manage" / "ard_admins" on other machines. I.e., I don't want all my editors to be able to interact with my servers.

Ideal would be to set specific "ard_admins / manage / interact" on a certain COMPUTER GROUP.

I have been reading the methods described here:

http://docs.info.apple.com/article.html?path=RemoteDesktop/3.0/en/ARDC55.html

Method 2 has me creating the user groups on OD called "ard_admin..." and so forth. I can then add users to these groups. I can have my editors as "interact", but they would still be able to interact on servers. I have this working fine with just admins...being admins.

BUT, Method 1 would be ideal as it seems to be a way to apply these settings on a computer group basis.

Method 1 shows us to apply the XML data as a new line in the MCXSettings for a computer group. I have been trying this with no success. My steps:

1. Changed client to allow "Directory Authentication"

--- this worked as I can get method 2 to work.

2. I have NO ard_XXX groups in OD, as to not create confusion.

3. I create an XML, and test the plist with Xcode, that states the different user groups for ard_admins and ard_interact.

4. I open the Directory Editor (Lion) or Inspector in Snow Leopard, locate the computer group in the LDAP, find the existing MCXSettings.

5. I "+" add a value and then paste the XML code in.

6. After reboots, the Macs in the group will not let me manage (testing using screen sharing is easiest).

So...I'm trying to figure out where I went wrong in the past few days or where I misunderstood.

One thing that is very unclear in the documentation is where and which MCXSettings we are supposed to append to: Computer Groups, Computer Lists? Forgive my ignorance here as I try these out.

Method 2 will work, but I really need to open it up to my non-admins and get Method 1 to work, giving me different ARD settings for different computer groups.

-mt

Posted on Feb 2, 2012 8:37 PM

  • by mtimmons, Level 1 (0 points), Feb 3, 2012 10:20 AM, in response to mtimmons

    After even further research, I attempted to use the kickstart:

    "-setdirgroups -dirgroups "

    as documented here: http://ss64.com/osx/kickstart.html

    Apparently, these commands do not function anymore. That could have worked by running that command on the groups that needed certain access.

  • by TeenTitan, Level 4 (2,524 points), Mac OS X, Feb 4, 2012 1:49 PM, in response to mtimmons

    AD or OD access to ARD has some limitations. For instance, what happens if your client computer is not recognising the OD? Perhaps it was just turned on or the binding has failed. What if the date & time is off? What if another client was bound to the OD that had the same KDC?

    For kickstart to work it needs to be run on the client computer. If you have a computer that already has ARD access you can send a Unix command as user root. If you're sending the command as root, you don't need to include sudo at the start of the command.

    Or, if you have Remote Login enabled on the client, you can use the Terminal to ssh into the client (ssh user@computerIP) and then issue the command.

    Apple Remote Desktop: Configuring remotely via command line (kickstart):

    Additional Information

    Tip: For more information about using the kickstart command, add the -help flag. For example:

    $ sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help

    kickstart -help on (10.7.2):

    - Use Directory Server accounts for authentication. Users must be a member of one of the ARD directory groups to authenticate.

      kickstart -configure -clientopts -setdirlogins -dirlogins yes

    -clientopts

                  -setmenuextra -menuextra  yes

                  -setdirlogins -dirlogins  yes

                  -setdirgroups -dirgroups  ardadmin,ardinfo

                  -setreqperm   -reqperm    no

                  -setvnclegacy -vnclegacy  yes

                  -setvncpw     -vncpw      FB842344CE89E9E9AA99889233864DDA

                  -setwbem      -wbem       no

    i.e.

    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on

    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes -setdirgroups -dirgroups ardadmin,ardcontrol

    (ardadmin,ardcontrol are the groups being given ARD access)

    sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent
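    As an added example (not part of this thread or Apple's tooling), a small POSIX shell wrapper around the three kickstart calls above: it reads the local `-help` text first and only passes `-setdirgroups` when that build lists it, so the script degrades to directory logins alone on OS versions where the option is gone. The kickstart path and flag names come from the reply above; the `DRY_RUN` variable and the function names are my own.

```shell
#!/bin/sh
# Added example: wrap the kickstart sequence for directory-based ARD logins.
# Assumed: the kickstart path quoted in the thread; DRY_RUN is my own variable.
KICKSTART=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart

# Return 0 when the -help text ($1) lists the option ($2), e.g. -setdirgroups.
# Fixed-string match, so the leading dash is not read as a regex.
kickstart_supports_option() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# Build the -clientopts argument string for directory authentication.
# $1: captured -help text; $2: comma-separated directory groups.
# -setdirgroups is appended only if this kickstart build advertises it.
build_dirlogin_opts() {
    opts="-configure -clientopts -setdirlogins -dirlogins yes"
    if kickstart_supports_option "$1" "-setdirgroups"; then
        opts="$opts -setdirgroups -dirgroups $2"
    fi
    printf '%s' "$opts"
}

# Run the full sequence on the local client: enable the agent, apply the
# directory login options, restart the agent. Each command is echoed first;
# with DRY_RUN set, nothing is executed (useful before pushing via ARD/ssh).
configure_ard_dirlogins() {
    groups="$1"
    help_text=$("$KICKSTART" -help 2>&1 || true)
    for args in "-activate -configure -access -on" \
                "$(build_dirlogin_opts "$help_text" "$groups")" \
                "-restart -agent"; do
        echo "$KICKSTART $args"
        # word-splitting of $args is intended: each flag is a separate argument
        [ -n "${DRY_RUN:-}" ] || "$KICKSTART" $args
    done
}
```

    Run it as root on the client (for example `DRY_RUN=1 sh script.sh` first, then without `DRY_RUN`), calling `configure_ard_dirlogins ardadmin,ardcontrol` at the end of the script.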

  • by mtimmons, Level 1 (0 points), Feb 4, 2012 2:05 PM, in response to TeenTitan

    Thanks for the help...

    I actually tried that...I don't know how you are getting those groups in the -help in 10.7.2 or even 10.6.8.

    look:

    GVM-ADSK-GTWY:~ root# /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -help

    <oteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setdirlogins -dirlogins yes -setdirgroups -dirgroups prod_admins              

    Unknown option: setdirgroups

    Unknown option: dirgroups

    .....

    It seems kickstart does not use those commands anymore.

    Any more ideas?