Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:
Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients
MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
screenconnect-toolbox-commands
Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
no other credentials found
Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
(identical duplicates of msp-audit-scripts versions)
Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)
Session log: session-logs/2026-04-16-howard-client-docs-import.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# Joining Apple Devices to khalsa.local Domain

## Prerequisites

- Mac must be on the network and able to reach the DC (TROUT at 10.11.12.254)
- DNS must resolve khalsa.local (primary DNS should be 10.11.12.254)
- Ports 88 (Kerberos), 389 (LDAP), 445 (SMB) must be open to the DC
- Domain admin credentials (guru)

## Steps (run all as localadmin)

### 1. Verify connectivity

```bash
ping -c 2 10.11.12.254
nc -z -w 3 10.11.12.254 389 && echo "LDAP open" || echo "LDAP closed"
nc -z -w 3 10.11.12.254 88 && echo "Kerberos open" || echo "Kerberos closed"
```

### 2. Join the domain

Run in Terminal (not ScreenConnect — password prompt):

```bash
sudo dsconfigad -add khalsa.local -username guru -force
```

Enter guru's password when prompted. No output = success.

### 3. Verify binding

```bash
dsconfigad -show
id guru
```

Should show `uid=...(guru)` with KHALSA\Domain Admins in groups.

### 4. Grant Domain Admins local admin rights

```bash
sudo dsconfigad -groups "KHALSA\Domain Admins"
```

### 5. Set default domain (so users type just username, not KHALSA\username)

```bash
sudo defaults write /Library/Preferences/com.apple.loginwindow DefaultDomain -string "KHALSA"
```

### 6. Reboot and test

Log in with just the domain username (e.g., `guru`) — no `KHALSA\` prefix needed.
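Steps 3 and 4 can be checked mechanically from `dsconfigad -show` output instead of by eye. The script below is an added example, not part of this runbook; it assumes the field labels in the constructed sample match what `dsconfigad -show` prints on the Mac (the computer account name is made up), and it flags the "not bound" and "admin group missing" cases separately so the operator knows whether to redo step 2 or step 4.

```shell
#!/bin/sh
# Added example (not from the khalsa runbook): parse `dsconfigad -show` output
# and confirm the bind is to khalsa.local with Domain Admins granted local admin.
# On a joined Mac:  dsconfigad -show | sh check_bind.sh --live
EXPECTED_DOMAIN="khalsa.local"
EXPECTED_ADMIN_GROUP='KHALSA\Domain Admins'

# Print the value of a "Label = value" line from dsconfigad output on stdin.
field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*= *//p" | head -n 1
}

# Read dsconfigad -show text from stdin. Exit status: 0 bound and correct,
# 1 not bound (redo step 2), 2 wrong domain, 3 admin group missing (redo step 4).
check_bind() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^You are bound to Active Directory'; then
        printf 'FAIL: Mac is not bound to any domain\n'; return 1
    fi
    domain=$(printf '%s\n' "$out" | field "Active Directory Domain")
    if [ "$domain" != "$EXPECTED_DOMAIN" ]; then
        printf 'FAIL: bound to "%s", expected %s\n' "$domain" "$EXPECTED_DOMAIN"; return 2
    fi
    groups=$(printf '%s\n' "$out" | field "Allowed admin groups")
    case "$groups" in
        *"$EXPECTED_ADMIN_GROUP"*) ;;
        *) printf 'FAIL: allowed admin groups = "%s"; run step 4\n' "$groups"; return 3 ;;
    esac
    printf 'OK: bound to %s, admin groups: %s\n' "$domain" "$groups"
}

# Constructed sample output for offline testing (computer account name is made up).
SAMPLE_OK=$(cat <<'EOF'
You are bound to Active Directory:
  Active Directory Forest          = khalsa.local
  Active Directory Domain          = khalsa.local
  Computer Account                 = mac-frontdesk$
Advanced Options - Administrative
  Allowed admin groups             = KHALSA\Domain Admins
EOF
)
SAMPLE_NO_ADMIN=$(printf '%s\n' "$SAMPLE_OK" | sed 's/= KHALSA.*/= not set/')
SAMPLE_UNBOUND='You are not bound to Active Directory.'

# --live: check real dsconfigad output on stdin; otherwise demo the constructed samples.
if [ "${1:-}" = "--live" ]; then check_bind; exit $?; fi
for s in "$SAMPLE_OK" "$SAMPLE_NO_ADMIN" "$SAMPLE_UNBOUND"; do
    printf '%s\n' "$s" | check_bind || true
done
```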

## Troubleshooting

**"Connection failed to the directory server" (2100)**

- If the Mac was previously joined and the trust is broken, force remove first:

```bash
sudo dsconfigad -remove -username guru -force
```

Then redo step 2.

**"Data source (/Active Directory/KHALSA/All Domains) is not valid"**

- The directory plugin is not loading. Run:

```bash
sudo killall opendirectoryd
```

Wait 10 seconds, then test with `id guru`.

**Domain user doesn't have sudo**

- You must be logged in as localadmin to run step 4. The Domain Admins group must be added via `dsconfigad -groups`.

**User has to type KHALSA\ at login**

- Step 5 wasn't applied, or needs a reboot after applying.

## Network Info

- DC: TROUT (10.11.12.254)
- Domain: khalsa.local
- DNS: 10.11.12.254 (primary), 10.11.12.1 (secondary)
- 10.11.12.243 is a DNS server but NOT the DC