
SEC and Mac OSX AD duplication

Howdy gents,

I'm stuck in a bit of a predicament, and wondered if anyone had some sound advice for me.  We recently migrated a lot of machines from a number of separate consoles on our network to a single unified console (SEC 4.5.0.9).  Some of these older consoles did not support Mac machines, so I have no reference for my issue.  The guy who co-ordinated it all had no clue as far as Macs were concerned, got the Windows ones working a charm and has now gone on leave, leaving me to figure out our problem.

We have a number of Mac machines that are bound to our domain.  For example, let's say the AD name is called Mac001.  In the Mac System Preferences, in the Sharing area, the name is set to reflect the user's name, for ease of use with Apple Remote Desktop; for example the sharing name is "My iMac".  OK, with me so far?  In SEC, which is synchronised with the AD environment, I can see the AD name of Mac001, which is currently unmanaged.  I remove the old version and install Sophos from the CID (7.2.7), and instead of picking up my AD name, it uses the sharing name.  I now have a still-unmanaged Mac called Mac001 and SEC has created a Mac in the Unassigned folder called "My iMac".  Has anybody come across this before?  It's driving me crazy.  We have a single Mac, out of hundreds, that seems to have picked up the AD name properly (e.g. in AD it's called Mac002, the sharing name is "Your iMac" and it only has one account in SEC, in the AD container where it should be, with a display name of "Your iMac").

I'm tearing my hair out.  Any ideas?  Somebody must have had this problem before.

  • Change your sharing name to match the Mac's AD name. The computer ID setting in the directory services app can be different from the screen sharing name.

    Open /system/library/coreservices to find Directory Utility

  • Ben,

    Did you ever happen to find a resolution to this duplication problem?  I'm currently trying to wrap my head around it at our organization as well.  The best answer that I have gotten so far is to sever the synchronization for the Mac OUs within the Sophos Enterprise Console.  I haven't had the chance to test that yet, but I'm looking for a better fix.

    Let me know,

    Thanks,

    Tim

  • Hi Tim,

    No, I haven't received a satisfactory solution to the problem yet.  We actually have our Mac machines in OUs with Windows PCs, so we can't even look at the solution that was suggested for you.

    As for the other reply, we are not wishing at this point to rename the Sharing name to match the AD name.  We're hoping that there is some way around having to do that.  I can't see why it wouldn't look for an AD name in the first place, and then, if that doesn't exist, look for the sharing name.

    I'll keep you posted

    Cheers

  • Ben,

    We were able to figure out a working solution after a few weeks of correspondence; I'll post it here so hopefully it can help you too.  As long as your Macs are running Snow Leopard you should be able to do this; it couldn't work with our test group of Lion machines because they no longer use Samba sharing.

    What to do

    Macs use the WORKGROUP value by default.
    It's set in the smb.conf file:-

    /etc/smb.conf

    There is a global workgroup parameter that can be set in here that will be used when reporting the machine back to SEC. By default this is not configured, so it will always be WORKGROUP. If you add the following entry to the global parameters this will resolve the issue:-

    workgroup = domainname

    where domainname is the name of the domain you want to use

    A restart of RMS will send a new status message with this new workgroup name:-

    cd /Library/LaunchDaemons/
    sudo launchctl unload com.sophos.managementagent.plist com.sophos.messagerouter.plist
    sudo launchctl load com.sophos.messagerouter.plist com.sophos.managementagent.plist

    Try that method on your machines, it has been working for the few Macs that we have in AD.

    Good Luck!

    Tim

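The smb.conf edit described in the post above, as an added example that is not part of the thread: a small POSIX shell script that reads and idempotently sets the global `workgroup` parameter, so repeated runs (or a later domain change) never leave two workgroup lines behind. The domain name EXAMPLE and the sample smb.conf are constructed placeholders; it assumes a Samba-style file with a `[global]` section.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently set the global "workgroup"
# in a Samba-style smb.conf so RMS reports the AD domain instead of WORKGROUP.
# Assumes a [global] section; "EXAMPLE" and the sample config are constructed.
# On Snow Leopard run it with sudo against /etc/smb.conf (or /var/db/smb.conf).
set -eu

# Print the workgroup that [global] currently sets, or Samba's default if none.
get_smb_workgroup() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($0) ~ /^[ \t]*workgroup[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); found = v
        }
        END { if (found == "") found = "WORKGROUP"; print found }
    ' "$1"
}

# Rewrite FILE so [global] carries exactly one "workgroup = DOMAIN" line: placed
# under the [global] header, old lines dropped, missing [global] appended.
set_smb_workgroup() {
    file=$1; domain=$2; tmp=$(mktemp)
    awk -v wg="$domain" '
        /^[ \t]*\[/ {
            in_global = (tolower($0) ~ /^[ \t]*\[global\]/)
            print
            if (in_global) { print "workgroup = " wg; have_global = 1 }
            next
        }
        in_global && tolower($0) ~ /^[ \t]*workgroup[ \t]*=/ { next }
        { print }
        END { if (!have_global) { print "[global]"; print "workgroup = " wg } }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample resembling a default smb.conf with no workgroup set.
demo_smb_conf() {
    f=$(mktemp)
    printf '%s\n' '[global]' '    server string = Mac001' '    security = user' \
                  '[homes]' '    browseable = no' > "$f"
    echo "$f"
}
if [ "${1:-}" = "demo" ]; then                       # ./smbwg.sh demo
    conf=$(demo_smb_conf)
    set_smb_workgroup "$conf" EXAMPLE; set_smb_workgroup "$conf" EXAMPLE   # 2nd run is a no-op
    echo "workgroup now: $(get_smb_workgroup "$conf")"   # EXAMPLE
    rm -f "$conf"
fi
```

After editing the real file, restart RMS with the launchctl unload/load commands from the post so a fresh status message carries the new workgroup.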
  • Hi Tim,

    The /etc/smb.conf file doesn't have a line for the WORKGROUP in it; however, the /var/db/smb.conf does.

    It seems fairly straightforward. I changed the line in the /var/db/smb.conf but it didn't change anything.

    I'll have a talk to our Mac administrator and see if he can figure this out.

    Appreciate the reply

    Cheers

    Ben

  • Hi Tim,

    Actually, I may have misread your last post there.  I manually added the line to the file, and ran the commands to unload/reload the preference lists.  The machine is still reporting in the workgroup container for me.  You didn't delete the workgroup machine before doing this, or do anything extra to make yours work?

    Ben

  • Ben,

    Sorry about that; I did realize that I forgot to add that step, as it wasn't a part of the formal directions.  Just delete both of the instances out of the Sophos Console, and when the machine eventually adds itself back in it should be merged as one machine in the proper AD group. A way to speed this up might be to decrease the amount of time between AD syncs in the Enterprise Console, but we didn't really mess with that.

    Anyway, hope this works for you!

    Tim

  • On Mac OS 10.8+, /etc/smb.conf doesn't exist.

    The Workgroup settings are in the WINS tab of Network, found in System Preferences.

    To set this via the command line, type the following, where XXX is your domain:

    sudo /usr/bin/defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server Workgroup XXX

    Then delete the duplicates in SEC. Eventually everything will sync :)

    Tim
  • After setting the Workgroup via the command line, the setting doesn't stick after a reboot and duplicates show again.

    A workaround is to create a launch daemon using Lingon 2.1.1 to run the command

    http://sourceforge.net/projects/lingon/files/Lingon/2.1.1/LingonSource-2.1.1.zip/download

    Command (where XXX is your domain):

    defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server Workgroup XXX

    with a watch path (run it if this file is modified) of

    /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
