Based on some ideas in this thread I started experimenting with some changes to my Local MCX setup with the goal of eliminating warnings like these from /var/log/system.log:
Mar 7 10:41:19 allure com.apple.loginwindow[39]: MCXCCacheGraph(local_laptop, dsRecTypeStandard:Computers): Cannot cache because an existing record named "local_laptop" has conflicting attributes and must be deleted before caching.
This is a common warning when managing MCX data in the local directory service and seems to be harmless. Another seemingly related problem is when the OS deletes local_computer type records from the local DS node at startup, which isn’t so harmless, as it stops local MCX settings from being applied.
So, as root, I did this:
cd /var/db/dslocal/nodes
mkdir MCX
mkdir MCX/computers
mkdir MCX/computergroups
mv Default/computers/* MCX/computers/
mv Default/computergroups/* MCX/computergroups/
Then I needed to restart DirectoryService so it will notice the changes:
killall DirectoryService
I then opened Directory Utility and added the new /Local/MCX node to the authentication search path; higher than my LDAPv3 directory, so the search path looked like this:
/Local/Default
/BSD/local
/Local/MCX
/LDAPv3/ldap.mycompany.com
I rebooted for good measure, logged back in and checked the MCX settings – they were all being applied and worked as expected. Better yet, no sign of any MCXCCacheGraph warnings in the log. Success!
So this looked like a good refinement to the way I was implementing Local MCX. I opened up Workgroup Manager, and authenticated to localhost as a local admin. It showed me the /Local/Default node. I switched nodes to /Local/MCX. It showed that I wasn’t authenticated, so I clicked the padlock icon. Workgroup Manager then prompted me for an administrator’s name and password. I entered the same admin name and password I used to authenticate to the /Local/Default node.
FAIL.
Nothing I’ve tried works. I cannot use Workgroup Manager to edit records in a non-default local node.
This makes using a special MCX node very cumbersome. You could work around this issue by using the shell to move records back and forth between nodes.
Or you could put just the computer record(s) in the /Local/MCX node, since those are the ones that are problematic in /Local/Default.
But none of these are as appealing as just working with the records directly in a /Local/MCX node.
Has anyone else experimented with this configuration?
Has anyone else figured out how to use Workgroup Manager with non-default local nodes?
UPDATE: reader Brian Warsing suggested that I try adding an admin user to the new /Local/MCX node.
I created a user named mcxadmin in /Local/MCX and set its gid to 80, making it a member of the admin group. I did not add an admin group; I assumed (rightly) that it would honor the admin group from /Local/Default.
I could then authenticate to the /Local/MCX node and use Workgroup Manager to edit records.
Success!
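The node setup and search-path steps from the post, written as a shell script that can be rehearsed against a scratch directory first. This is an added example, not part of the original post: NODES_ROOT, DSCL, the function names and the 0700 mode are assumptions, and the search path is edited with dscl's -create, -delete and -append verbs on the /Search node.

```shell
#!/bin/sh
# Added example, not from the original post. NODES_ROOT, DSCL and the function
# names are assumptions made so the steps can be rehearsed on a scratch copy.
NODES_ROOT="${NODES_ROOT:-/var/db/dslocal/nodes}"
DSCL="${DSCL:-dscl}"

# Create the MCX node and move computer and computergroup records into it.
make_mcx_node() {
    root="$1"
    mkdir -p "$root/MCX/computers" "$root/MCX/computergroups" || return 1
    # Assumption: the node should be root-only (0700); mkdir under the usual
    # umask 022 would create these directories 0755.
    chmod 700 "$root/MCX" "$root/MCX/computers" "$root/MCX/computergroups"
    for kind in computers computergroups; do
        for rec in "$root/Default/$kind"/*; do
            [ -e "$rec" ] || continue      # empty directory: glob matched nothing
            mv "$rec" "$root/MCX/$kind/" || return 1
        done
    done
}

# Place /Local/MCX ahead of the network nodes named in "$@" using only
# -delete and -append: drop each network node, append MCX, re-append them.
add_mcx_to_search_path() {
    $DSCL /Search -create / SearchPolicy CSPSearchPath || return 1
    for node in "$@"; do
        $DSCL /Search -delete / CSPSearchPath "$node" || return 1
    done
    $DSCL /Search -append / CSPSearchPath /Local/MCX || return 1
    for node in "$@"; do
        $DSCL /Search -append / CSPSearchPath "$node" || return 1
    done
}

# Run as root: sh thisfile --apply /LDAPv3/ldap.mycompany.com
if [ "${1:-}" = "--apply" ]; then
    shift
    make_mcx_node "$NODES_ROOT" || exit 1
    killall DirectoryService            # restart so the new node is noticed
    sleep 5                             # assumption: time for it to relaunch
    add_mcx_to_search_path "$@"
fi
```

Setting DSCL=echo prints the dscl commands instead of running them, which is a quick way to review the search-path changes before applying them.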
Greg,
Did you try adding an administrative user & group to the new “MCX” node and using that?
Ding ding ding! We have a winner!
I created a user named mcxadmin in /Local/MCX and set its gid to 80, making it a member of the admin group. I did not add an admin group; I assumed (rightly) that it would honor the admin group from /Local/Default.
I could then authenticate to the /Local/MCX node and use Workgroup Manager to edit records.
[…] Managing OS X Trials and Tribulations of an OS X Administrator « MCX in non-default local nodes […]
Greg,
I’ve only just tried the new node setup on my test laptop running 10.6. I found that after creating the /var/db/dslocal/nodes/MCX/* directories, I could not add /Local/MCX to the search path. Tried Directory Utility and dscl; in the former the new node did not appear and in the latter it produced an error. However, after a reboot I was able to add the new node to the search path.
No more MCXCCacheGraph errors!
Sorry – I missed a step in the write-up. After creating the directories and populating them, you need to restart DirectoryService so it will notice your changes. Either do a `killall DirectoryService`, or just reboot, like you did.
I’ll update the post.
[…] https://managingosx.wordpress.com/2010/03/07/mcx-in-non-default-local-nodes/ […]
[…] and I don’t have one. Luckily the internet led me to Greg Neagle’s great Tutorial on setting up local MCX. I built my 10.7 test machine, bound to AD, assigned the Administrators group, locked it […]
How do I add the /Local/MCX into Directory Utility from within Terminal?
I presume dscl but cannot figure out the rest of it.
Thanks in advance!
Hi there! This is my first visit to your blog! We are a team of volunteers and starting a new initiative in a community in the same niche. Your blog provided us beneficial information to work on. You have done an extraordinary job!