
MacEnterprise: Local MCX Revisited

Volume Number: 26
Issue Number: 03
Column Tag: MacEnterprise

Using an alternate local directory node for MCX data

by Greg Neagle, MacEnterprise.org

Introduction

About a year ago, I wrote a couple of columns on the subject of Local MCX - using the local directory service to store Managed Preferences (MCX) records. Those articles are in the MacTech archives for November 2008 and February 2009:

http://www.mactech.com/articles/mactech/Vol.24/24.11/2411MacEnterprise-MCX-NoExcuses/index.html

http://www.mactech.com/articles/mactech/Vol.25/25.02/2502MacEnterprise-LocoforLocalMCX/index.html

You can also read about local MCX in an even earlier article of mine:

http://managingosx.wordpress.com/2008/02/07/mcx-dslocal-and-leopard/

Local MCX seems to be one of the most popular topics I've written on, based on comments and mail I've received, and page views of the Local MCX articles. This month, we will look at Local MCX once again, and make some improvements in our implementation.

Back to Basics

The basic concept of Local MCX is simple: if you do not have, or cannot use, a central directory to store MCX data, you can still use Apple's Managed Preferences system to manage your machines by storing that data in the local directory service. You use Workgroup Manager to create computer and computer group records in the local directory store on a single machine. Since Mac OS X 10.5, these records are simply plist files under /var/db/dslocal/nodes/Default, so you can use whatever software distribution system you already have to deliver and install them on every machine you manage. If you already manage software installs on your machines, the same mechanism installs these plist files.

In my earlier articles, I outlined a very specific strategy that I think gives you a lot of power and flexibility. The strategy is this: for each logical set of Managed Preferences, you create a computer group and manage a set of preferences for that group. For example, if you want to manage the screen saver, you create a computer group named "ScreenSaver" and use Workgroup Manager's preferences management editor to configure the managed preferences for that group. You then add a "local_computer" computer record to the computer group. This local_computer record identifies the local machine once its ENetAddress attribute has been filled in (see below). You can create any number of computer groups, each with a logical grouping of preferences to be managed.

Since the "local_computer" computer record must contain the MAC address of the machine's primary Ethernet interface (the ENetAddress attribute) as its identifier, and that address differs on every machine, you do have to implement a script, run on each machine, that creates or modifies the "local_computer" record so it contains the correct data for that computer.

You now have the flexibility of deploying different sets of managed preferences to different machines simply by controlling which computer group records you copy to each machine's local directory store. If you have a group of machines for which you do not want to manage the screen saver, you just don't copy the ScreenSaver group's plist to those machines' /var/db/dslocal/nodes/Default/computergroups/ directory. In this way, you can mix and match sets of managed preferences among your machines quite easily.
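The per-machine script mentioned above, the one that stamps the current machine's MAC address into the local_computer record, is not shown in the article. What follows is an added example, not the article's own script, written in Python 3 (so run it with a Python 3 you install, not the system Python of the Leopard era). It writes the record plist directly into a dslocal node, the same files DirectoryService reads, which means it can also build a node in a staging directory for packaging. Everything it assumes about the on-disk format is my assumption, not something the article states: that dslocal record plists hold every attribute as an array of strings, that the primary interface is en0, and that the node lives at /var/db/dslocal/nodes/MCX (pass /var/db/dslocal/nodes/Default as the first argument for the original layout). The sample ifconfig output is constructed.

```python
#!/usr/bin/env python3
"""Create or refresh the "local_computer" record for Local MCX.

Added example, not the article's script. Assumptions not stated in the
article: dslocal record plists hold every attribute as an array of
strings, the primary interface is en0, and the node is the /Local/MCX
node (pass another path to use /Local/Default instead).
"""
import os
import plistlib
import re
import subprocess
import sys
import tempfile

DEFAULT_NODE = "/var/db/dslocal/nodes/MCX"
RECORD_NAME = "local_computer"

# Constructed sample of `ifconfig en0` output; the address is made up.
SAMPLE_IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 00:1b:63:a4:5e:07
\tinet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
\tstatus: active
"""


def normalize_mac(raw):
    """Lower-case and zero-pad a MAC such as '0:1B:63:A4:5E:7'.

    Hand-entered addresses often drop leading zeros; keep one canonical
    form so the stored ENetAddress always matches what you compare it to.
    """
    octets = raw.strip().lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(o.zfill(2) for o in octets)


def primary_mac(interface="en0", ifconfig_output=None):
    """Return the MAC of the primary Ethernet interface.

    ifconfig_output lets a caller pass captured text instead of running
    ifconfig, so the parsing can be exercised off a Mac.
    """
    if ifconfig_output is None:
        ifconfig_output = subprocess.check_output(
            ["/sbin/ifconfig", interface], universal_newlines=True)
    for line in ifconfig_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ether":
            return normalize_mac(parts[1])
    raise RuntimeError("no 'ether' line in ifconfig output for %s" % interface)


def record_path(node_dir):
    return os.path.join(node_dir, "computers", RECORD_NAME + ".plist")


def write_local_computer(mac, node_dir=DEFAULT_NODE):
    """Create or update <node>/computers/local_computer.plist.

    Attributes other than ENetAddress are preserved. That matters: group
    records list their members by GeneratedUID, so a record rebuilt from
    scratch would get a new GUID and silently drop out of every group.
    Returns the record as written.
    """
    path = record_path(node_dir)
    record = {}
    if os.path.exists(path):
        with open(path, "rb") as f:
            record = plistlib.load(f)
    record["name"] = [RECORD_NAME]
    record["ENetAddress"] = [normalize_mac(mac)]
    record.setdefault("realname", ["Local Computer"])
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        plistlib.dump(record, f)
    os.chmod(tmp, 0o600)          # record files are root-only, like the node
    os.replace(tmp, path)         # atomic: never leave a half-written record
    return record


def read_local_computer(node_dir=DEFAULT_NODE):
    with open(record_path(node_dir), "rb") as f:
        return plistlib.load(f)


def staging_node():
    """A scratch node directory, for building a package payload or a dry run."""
    return tempfile.mkdtemp(prefix="dslocal-MCX-")


if __name__ == "__main__":
    node = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_NODE
    written = write_local_computer(primary_mac(), node)
    print("%s: ENetAddress %s" % (record_path(node), written["ENetAddress"][0]))
    # We changed files behind DirectoryService's back, as the article does:
    subprocess.call(["/usr/bin/killall", "DirectoryService"])
```

Run it as root at startup (a launchd job or your software distribution tool's postflight), with the node path as the only argument. Because it merges into an existing record rather than replacing it, you can ship a local_computer.plist that already carries the GeneratedUID your computer groups reference, and let the script fix up only the address.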

Minor Issues

I've been using this strategy for a little over two years now, and it's been working quite well. I had to make almost no changes when transitioning to Snow Leopard; most of my Local MCX computer groups worked unchanged. But there were a few rough edges.

The first may be merely cosmetic. When using Local MCX with computer records in the default local store (like the "local_computer" record described above), you would see entries like the following in the system log:

Mar 6 17:43:56 allure com.apple.loginwindow[39]: MCXCCacheGraph(local_computer, dsRecTypeStandard:Computers): Cannot cache because an existing record named "local_computer" has conflicting attributes and must be deleted before caching.

Mar 6 17:43:56 allure com.apple.loginwindow[39]: MCXD.getComputerInfoFromStartup: MCXCCacheGraph() == -2 (MCXCCacheGraph(local_computer, dsRecTypeStandard:Computers): Cannot cache because an existing record named "local_computer" has conflicting attributes and must be deleted before caching.)

Mar 6 19:48:52 allure /System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient[92889]: MCXCCacheGraph(local_computer, dsRecTypeStandard:Computers): Cannot cache because an existing record named "local_computer" has conflicting attributes and must be deleted before caching.

Mar 6 19:48:52 allure /System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient[92889]: MCXD.getComputerInfoFromStartup: MCXCCacheGraph() == -2 (MCXCCacheGraph(local_computer, dsRecTypeStandard:Computers): Cannot cache because an existing record named "local_computer" has conflicting attributes and must be deleted before caching.)

Even though these messages appear in the system log, managed preferences seemed to work anyway, so the warnings aren't fatal. Still, it seemed like we were doing something "wrong", and we should try to fix it.

A more serious issue with our Local MCX strategy was this: occasionally, at startup, the "local_computer" record would mysteriously disappear or lose its ENetAddress attribute. The effect was that managed preferences stopped working. Another reboot generally cleared things up again, since a script that ran at startup recreated the local_computer data.

These two issues are probably related. In the more traditional, Apple-supported configuration, where MCX data comes from a network directory service, MCX copies the active computer record from the network directory and creates a cached copy in the default local directory node. By storing our MCX data in that same default local node, we get in the way of this caching process: MCX can't create its cached copy because we've already put a record with that name there, and on startup, under some conditions, it may delete our computer record, taking it for a stale cache entry to be cleaned up.

I just lived with these issues, since the first wasn't serious, and the second I never saw on an actual user's machine - it just seemed to happen every once in a while on one of my test machines while I was testing something else. But every once in a while, I'd poke at things, trying to make these issues go away. Until lately, I had no success.

Local directory nodes

Recently, on the MacEnterprise list, there was a discussion on using Local MCX on a NetBoot image. (You can read it here: http://groups.google.com/group/macenterprise/browse_thread/thread/f3c39db134738e66)

One of the participants suggested putting MCX data in a node other than /Local/Default. Immediately I saw the possibilities...

Let's step back a bit. If you've worked with Directory Services in OS X Leopard or Snow Leopard, you probably know that the local directory data is stored at /var/db/dslocal/nodes/Default. Inside that directory are subdirectories for users, groups, computers, computergroups, and more. Our original Local MCX implementation made use of plist files in the computers and computergroups directories.

You are probably also aware that OS X supports connecting to multiple network directory services concurrently. This is how the "Magic Triangle" works - a Mac is connected to both an Active Directory server and an Open Directory server, and gets directory information from both directories.

Even if you are connected to a single network directory, Mac OS X is making use of multiple directory sources. At the very least, it's consulting the local directory store as well as the network directory.

What many do not realize, though, is that OS X supports multiple local directory nodes. You might have gotten a clue from the directory names - the "nodes" in /var/db/dslocal/nodes/Default implies more than one node. It turns out that you can create additional local directory nodes.

I saw that we might be able to avoid the issues with the MCX caches by moving our MCX data out of the default local store and into an alternate local store. This would allow the MCX caching mechanism to copy data to the default local node, since we aren't using it anymore.

Let's get started. We'll assume you already have a Local MCX implementation with records in the default local node. If you don't, either follow along in your head, or find a copy of one of the older articles and set up a Local MCX implementation. Open a Terminal window:

cd /var/db/dslocal/nodes
sudo mkdir MCX
sudo chmod 700 MCX
sudo mkdir MCX/computers
sudo mkdir MCX/computergroups
sudo mv Default/computers/* MCX/computers/
sudo mv Default/computergroups/* MCX/computergroups/

What did we just do? We navigated to the dslocal/nodes directory. We created a new "MCX" node and set its permissions to match the Default node (mode 700, and owned by root because we used sudo). We created computers and computergroups directories in the MCX node, and moved all the computer and computer group records from the Default node to the MCX node.

Now we need to let DirectoryService in on our changes - we just changed a bunch of stuff behind its back:

sudo killall DirectoryService

launchd restarts DirectoryService automatically, and when it comes back up it notices our new local node.

Next, we need to tell DirectoryService to actually use the new node. Open Directory Utility. You can find it in /Applications/Utilities on Leopard, and in /System/Library/CoreServices on Snow Leopard. If you can't see the toolbar at the top of the Directory Utility window, click Show Advanced Settings. Click the Search Policy icon in the toolbar. Click the padlock icon and authenticate. Make sure the Search popup is set to Custom path. You should see something similar to Figure 1.


Figure 1 - Directory Utility Authentication search path

Let's add our new local node to our search path. Click the plus button under the list of Directory Domains. A sheet should appear like the one in Figure 2.


Figure 2 - adding the /Local/MCX directory node

Click Add. It will appear at the bottom of the search list. If you have a network directory in your list, move /Local/MCX above it, so it looks like Figure 3. Click Apply.


Figure 3 - /Local/MCX now in the search path

Now log out and back in, or restart, and take a look at your MCX settings using mcxquery or by looking in System Profiler. If all went well, you should see absolutely no change at all - everything should work exactly as it did before. If you look in the system log, you'll see the MCXCCacheGraph() warnings are gone!

So we've made some progress. We've moved the Local MCX data to an alternate local node, and MCX is still working. In order for this to be a usable solution, though, we need to make sure we can still work with the MCX data using Workgroup Manager. This was one of the appealing features of the original solution - we could use Workgroup Manager to set managed preferences almost as if we were using MCX with a network directory. We wouldn't want to lose that feature.

Launch Workgroup Manager. In the original Local MCX implementation, to access the local directory service, we connected to localhost with a local admin username and password, as in Figure 4.


Figure 4 - Workgroup Manager Connect

Once you do this, you should find yourself authenticated to local directory "/Local/Default". But since we've added a new node, we want to access that. Click the tiny globe next to the text that tells you which directory you are browsing and select Other... from the popup menu. From the sheet that appears, select Local, then MCX, as in Figure 5. Click OK.


Figure 5 - Selecting an alternate local node

You should now be viewing directory /Local/MCX. You can look at the computer and computergroup objects, but you can't edit them because you aren't authenticated. So click the padlock icon on the right side of the window. You'll get a dialog prompting you to authenticate to directory /Local/MCX. If you're like me, you'll enter the same admin username and password that you did to authenticate to /Local/Default. And you will be denied. Workgroup Manager will tell you "The login information is not valid for this server."

This puzzled me for a bit. I tried a few things, and then asked for help on the MacEnterprise list and on the Managing OS X site. A short time later, I had several suggestions to try adding an admin account to the /Local/MCX node. That seemed promising.

sudo dscl /Local/MCX create /Users/mcxadmin
sudo dscl /Local/MCX create /Users/mcxadmin uid 8080
sudo dscl /Local/MCX create /Users/mcxadmin gid 80
sudo dscl /Local/MCX create /Users/mcxadmin shell /dev/null
sudo dscl /Local/MCX passwd /Users/mcxadmin
New Password: <enter a password for the account>

Now what did we do? We used dscl to create a new user in the /Local/MCX node called "mcxadmin". (It's important that this name differs from every user in /Local/Default.) We set the uid to an arbitrary value; it should be unique on the machine, which you can confirm with dscl . -list /Users UniqueID before choosing one. We set the Group ID to 80, which is the Group ID of the admin group in /Local/Default; this gives the account admin rights. We set the shell to /dev/null because we don't want or need this account to be used to log in, and we don't set a home directory for the same reason. Finally, we create a password for the new account. Keep in mind that /Local/MCX sits in the authentication search path, so if you push the node's users directory out along with the rest of the MCX data, this admin account exists on every managed machine: give it a strong password, and push only the computers and computergroups directories if Workgroup Manager is only ever run against the machine where you built the node.

Now go back to Workgroup Manager and try again to authenticate to the /Local/MCX directory, this time using the new mcxadmin account and password. Success! Figure 6 proves it. We can now create and edit managed preference records in our new local directory node.


Figure 6 - Authenticated to /Local/MCX

Finishing up

That was a lot of work to get back to where we started, and we've added another level of complexity to our Local MCX implementation. Is it worth it? That remains to be seen. It eliminates the MCXCCacheGraph() warnings from the log, so we're doing things in a way more compatible with how MCX was designed. It should eliminate the issue where local computer records are deleted at startup, though the jury is still out on that one. But we have added a new capability, which might be useful. It's now easy and straightforward to temporarily turn off all MCX management for a given computer - just launch Directory Utility and remove the /Local/MCX node from the search path. When you want to re-enable MCX, just add the /Local/MCX node back in.

If you decide to go forward with this change, you'll probably need to modify any scripts you have that create/modify the MAC layer address data in the local_computer record, since it now is in a different directory node. You'll need to modify your delivery mechanisms to deliver the computergroup plists to their new location as well. You'll need to find a way to add the new /Local/MCX node to the DirectoryService search path on all your managed machines. This can be done with dscl by manipulating the CSPSearchPath in the /Search node:

sudo dscl /Search -read / CSPSearchPath
sudo dscl /Search create / CSPSearchPath /Local/Default /BSD/local /Local/MCX /LDAPv3/ldap.pretendco.com

The create command would be all on a single line. Read the current value first, as in the first line, and list every node it already contains: create replaces the whole attribute, so any node you leave out (your LDAP or Active Directory node, say) silently disappears from the search path. It might be easier to just package up the contents of /Library/Preferences/DirectoryService on a correctly configured machine and push that out to all your managed machines.
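The dscl one-liner above is fine interactively, but on a fleet you want to preserve whatever search path each machine already has and only slot /Local/MCX in ahead of the network nodes, and you want the same tool to take the node out again to switch management off (the capability described under "Finishing up"). The following is an added example, not anything from the article, in Python 3. It edits the file that dscl writes. Two things it assumes are not stated in the article and should be verified against a machine you configured by hand in Directory Utility before you trust it: that the custom path is stored in /Library/Preferences/DirectoryService/SearchNodeConfig.plist under the key "Search Node Custom Path Array", and that a "Search Policy" value of 3 corresponds to "Custom path".

```python
#!/usr/bin/env python3
"""Add or remove the /Local/MCX node in the DirectoryService search path.

Added example, not from the article. Assumptions (verify on a hand-
configured machine): the custom search path lives in SearchNodeConfig.plist
under "Search Node Custom Path Array", and "Search Policy" 3 = custom path.
"""
import os
import plistlib
import tempfile

SEARCH_CONFIG = "/Library/Preferences/DirectoryService/SearchNodeConfig.plist"
PATH_KEY = "Search Node Custom Path Array"
POLICY_KEY = "Search Policy"
CUSTOM_POLICY = 3
MCX_NODE = "/Local/MCX"
DEFAULT_PATH = ["/Local/Default", "/BSD/local"]   # what a fresh machine has


def is_local_node(node):
    """Nodes served from the machine itself; these must stay ahead of the network."""
    return node.startswith("/Local/") or node.startswith("/BSD/")


def with_mcx_node(search_path, node=MCX_NODE):
    """Return search_path with `node` after the last local node and before the
    first network node (/LDAPv3/..., /Active Directory/...). Idempotent: an
    existing entry is moved, never duplicated."""
    path = [n for n in search_path if n != node]
    insert_at = 0
    for i, n in enumerate(path):
        if is_local_node(n):
            insert_at = i + 1
    path.insert(insert_at, node)
    return path


def without_mcx_node(search_path, node=MCX_NODE):
    """Drop the node: Local MCX is switched off without touching its records."""
    return [n for n in search_path if n != node]


def load_config(plist_path):
    if os.path.exists(plist_path):
        with open(plist_path, "rb") as f:
            return plistlib.load(f)
    return {}


def set_mcx_node(plist_path=SEARCH_CONFIG, enable=True, node=MCX_NODE):
    """Rewrite the search config; returns the new search path list.
    DirectoryService still has to be restarted for it to take effect."""
    config = load_config(plist_path)
    current = list(config.get(PATH_KEY, DEFAULT_PATH))
    new_path = with_mcx_node(current, node) if enable else without_mcx_node(current, node)
    config[PATH_KEY] = new_path
    config[POLICY_KEY] = CUSTOM_POLICY   # the custom array is ignored under other policies
    directory = os.path.dirname(plist_path)
    if directory:
        os.makedirs(directory, exist_ok=True)
    tmp = plist_path + ".tmp"
    with open(tmp, "wb") as f:
        plistlib.dump(config, f)
    os.replace(tmp, plist_path)          # atomic replace of the config file
    return new_path


def staging_copy():
    """A scratch SearchNodeConfig.plist path, for a dry run."""
    return os.path.join(tempfile.mkdtemp(prefix="dsconfig-"), "SearchNodeConfig.plist")


if __name__ == "__main__":
    import subprocess
    import sys
    enable = "--disable" not in sys.argv
    print(" ".join(set_mcx_node(enable=enable)))
    subprocess.call(["/usr/bin/killall", "DirectoryService"])   # pick up the new path
```

Run it as root; pass --disable to take /Local/MCX out of the path (and so turn off management) and run it again without the flag to put it back. Because it reads the existing array first, a machine bound to ldap.pretendco.com keeps that node, while one that isn't bound doesn't gain a phantom entry.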

Conclusion

I've tested this on both Leopard and Snow Leopard, and it seems to work well. If you have a functioning Local MCX implementation that you are happy with, I don't blame you if you don't want to go through all the work needed to change to using an alternate local node. After all, the benefits of the change are minor. But if you are doing a new implementation, or overhauling your current implementation for a Snow Leopard rollout, consider using a /Local/MCX node. Good luck!


Greg Neagle is a member of the steering committee of the Mac OS X Enterprise Project (macenterprise.org) and is a senior systems engineer at a large animation studio. Greg has been working with the Mac since 1984, and with OS X since its release. He can be reached at gregneagle@mac.com.

 
