Contributed Documentation
This document is NOT supported by Computing Services.
DO NOT contact the Help Center with questions on this document.
 
Clusters Quick Setup for Leopard

This page provides the necessary resources for departmental system administrators to perform common setup items specific to the CMU environment.

Topics covered include LDAP & Kerberos, OpenAFS, Dock, and Login/Logout Hooks. Implementing all four sections will result in machines that:

  • Do not require user account maintenance (creation, deletion, password change, etc.) activities
  • Leverage Computing Services' existing Roaming Profile setup where users' preferences follow them between machines and clusters
  • Provide a local home directory for user files and a link in that directory to the user's Andrew AFS home directory for network storage.
  • Allow Kerberos-enabled applications such as Oracle Calendar to work as expected with Andrew services

LDAP & Kerberos

Setting up cluster Macs to use LDAP for Directory Services and Kerberos for authentication removes the burden to manage individual user accounts on each lab machine. Users will be able to login with their Andrew UserID and password to your machines. In addition, Kerberos-enabled applications such as Oracle Calendar will work without any additional configuration.

It is recommended that a local administrative account is also installed on each machine via the Accounts Preference Pane to perform routine maintenance tasks.

Note: At this time, it is not possible to use the campus LDAP servers AND restrict login access to the machine. If your machines are set up to use LDAP, anyone with a valid Andrew userID will be able to log in to them.

To set up your machine to use the Andrew LDAP and Kerberos servers, we suggest the following:

OpenAFS

OpenAFS may be installed to provide users with access to AFS. If you wish to install AFS, it is highly recommended that you first configure your machine to use the Andrew LDAP and Kerberos servers, as shown above.

OpenAFS may be downloaded as a package from the OpenAFS web site.

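Once the OpenAFS package installer finishes, but before you allow it to reboot your machine, you will need to run the following command to complete the CMU-specific setup. The file is written through sudo tee because a shell redirection placed after sudo echo is performed by the unprivileged shell and fails on a root-owned path:

echo andrew.cmu.edu | sudo tee /var/db/openafs/etc/ThisCell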

Unfortunately, the aklog_loginLogout plugin that would get tokens automatically under previous versions of Mac OS X does not work with Leopard. In order to get approximately the same functionality, you can install aklog into /Library/OpenAFS/Tools/bin. Users can then run aklog from a Terminal window to turn their Kerberos tickets into an AFS token, or you can run aklog inside of a login hook to get tokens for them. Our provided login hooks perform the latter step.

Dock Configuration

Note: This section is for historical reference. Computing Services' "roaming profiles" currently utilize DFS space.

One of the sore points of Mac OS X in a distributed environment is its handling of Dock preferences. We have worked with a number of departmental administrators to fashion a standardized default dock that minimizes the number of broken links that show up when users move between departmental and public clusters. We urge anyone who is using Computing Services' roaming profile setup to take the following three actions to ensure that your users do not experience problems with their docks when moving between clusters:

  • Use the agreed upon application naming scheme:
    • When possible, install applications directly into /Applications using the default folder name provided by the installer.
    • Mail.app should be hidden in the Finder, to prevent inexperienced users from attempting to use the unsupported client and/or put the client in their docks. This can be done by running
      sudo /Developer/Tools/SetFile -a V /Applications/Mail.app
    • If you wish to provide a two-level application space (where applications are grouped by category into subdirectories), provide this by symlinking the application from /Applications into the two-level space and hiding the original location from Finder by executing
      sudo /Developer/Tools/SetFile -a V /Applications/<package>
  • Deploy the default dock:
    • Option 1: Download our default base dock archive. Extract it by executing
      sudo tar -C / -xvf <dock_base.tar>
    • Option 2: Configure your desired dock and use your custom plist from ~/Library/Preferences/com.apple.dock.plist. Copy it to /Library/Preferences/com.apple.dock.plist and to /System/Library/CoreServices/Dock.app/Contents/Resources/English.lproj/default.plist.
  • Deploy the provided dock fix-up files:
    • Download our default base tools archive. Extract it by executing
      sudo tar -C / -xvf <dock_tools.tar>
      (Dock modifications and one-time additions using these tools are performed at login by our provided LoginHook.)
    • Optional: If you wish to modify dock entries at every login, add <key>original</key><string>new</string> entries to the 'move' dictionary in /Library/Preferences/com.apple.dockfixup.plist. You can test your modifications by executing the following command then killing the dock:
      /System/Library/CoreServices/UserAccountUpdater 0 10.4 0 8H63
    • Optional: If you wish to make a one-time addition to the dock, create a spec file in /Library/Preferences/mungedock/ and make a call to the add_dock subroutine in our provided LoginHook, following the format for the existing additions of Preview, Safari, and Terminal.

Login/Logout Hooks

The OS X login and logout processes allow for the running of arbitrary "hooks," or scripts. These scripts can perform a number of vital and useful tasks, such as resetting defaults, ejecting removable media, and creating user home directories.

We have provided stripped-down versions of the login and logout hooks we use in our public clusters. These hooks should be usable as-is in deployments that wish to use the roaming profile approach we use in the public clusters, where ~/Library is symlinked into the user's AFS home directory. It is recommended, however, that you read through the scripts and verify that they do indeed do what you want. For admins considering other setups, they should serve as good cookbooks for developing their own login hooks.

To set up the hooks:

  • Create the directory /etc/cmu/hooks
  • Download the LoginHook, LogoutHook, and hook-subs (hook utility subroutines) to your machine and install them into /etc/cmu/hooks.
  • Make sure the scripts are executable by running the commands:
    chmod 755 /etc/cmu/hooks/LoginHook
    chmod 755 /etc/cmu/hooks/LogoutHook
    chmod 755 /etc/cmu/hooks/hook-subs
  • Enable the scripts as hooks by running the following commands:
    sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook /etc/cmu/hooks/LoginHook
    sudo defaults write /var/root/Library/Preferences/com.apple.loginwindow LogoutHook /etc/cmu/hooks/LogoutHook
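
Login and logout hooks run as root, so before enabling them it is worth confirming that the hooks directory and the three installed files are owned by root, are not symlinks, and are not writable by group or others. The check below is an added example, not part of the CMU-provided hooks; the function names and the --audit argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the CMU hook archive): audit the hook files
# installed in /etc/cmu/hooks before pointing loginwindow at them.
# Anything another account can modify here would be executed as root.

HOOK_FILES="LoginHook LogoutHook hook-subs"

# check_one PATH OWNER_UID
# Prints a finding and returns 1 if PATH is missing, a symlink,
# not owned by OWNER_UID, or writable by group or others.
check_one() {
    p=$1; uid=$2
    if [ -L "$p" ]; then echo "FAIL $p: is a symlink"; return 1; fi
    if [ ! -e "$p" ]; then echo "FAIL $p: missing"; return 1; fi
    # find -prune tests only the path itself; works with BSD and GNU find
    if [ -z "$(find "$p" -prune -user "$uid")" ]; then
        echo "FAIL $p: not owned by uid $uid"; return 1
    fi
    if [ -n "$(find "$p" -prune -perm -020)" ] ||
       [ -n "$(find "$p" -prune -perm -002)" ]; then
        echo "FAIL $p: group- or world-writable"; return 1
    fi
    return 0
}

# audit_hooks [DIR] [OWNER_UID]
# Checks the directory and each hook file; returns 0 only if all pass.
audit_hooks() {
    dir=${1:-/etc/cmu/hooks}; uid=${2:-0}; rc=0
    check_one "$dir" "$uid" || rc=1
    for f in $HOOK_FILES; do
        check_one "$dir/$f" "$uid" || { rc=1; continue; }
        if [ ! -x "$dir/$f" ]; then
            echo "FAIL $dir/$f: not executable"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK $dir"; fi
    return "$rc"
}

# Run the audit only when asked, e.g.: sudo sh audit-hooks.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_hooks "${2:-/etc/cmu/hooks}" "${3:-0}"
fi
```

A failing run lists each offending path; correct ownership and mode first, then run the defaults write commands.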