Forum: CFEngine Help
Subject: Re: CFEngine Help: Re: user management darwin
Author: [email protected]
Link to topic: https://cfengine.com/forum/read.php?3,26204,26209#msg-26209
... well as mentioned it works TODAY (for OS X 10.7.4)
but might go away with the next OSX update :-/
It might be riding on a bug, but see for yourself:
Problem:
We have an OSX fleet on which we have a local admin account.
For this account we want to change the password from a central point.
AD/OD doesn't work because you can mark
network accounts as admins on the server (ack!)
but not on "all the clients".
You can make a network account a local admin
on the local machine, but really only ON the local machine;
that's not an MCX (central) setting (nor Profile Manager... )
Solution:
At deployment of the client we run a script (or make cf3 execute something
similar) like:
...
# bash script (uses [[ ]]); run as root on the client at deployment time
name=$1   # admin
uid=$2    # 510
admin=$3  # 1 = make the account a local admin
dscl . -create "/Users/$name"
dscl . -create "/Users/$name" RealName "$name"
dscl . -create "/Users/$name" UniqueID "$uid"
dscl . -create "/Users/$name" UserShell /bin/bash
dscl . -create "/Users/$name" PrimaryGroupID 20
# NFSHomeDirectory has to be set before createhomedir can look it up
# (the original line was missing the dash on -create)
dscl . -create "/Users/$name" NFSHomeDirectory "/Users/$name"
createhomedir -c -u "$name"
# optionally put the account into the local admin group
[[ "$admin" = "1" ]] && dseditgroup -o edit -a "$name" -t user admin
# echo "created account $name, to enable it run \"dscl . -passwd /Users/$name\""
...
Now, on one of our maintenance machines I have the very same account
(but logged in as another user with admin rights too)
and run
dscl . -passwd /Users/$name
and now the low-level magic:
cp /private/var/db/dslocal/nodes/Default/users/${name}.plist /our/cf3/template/dir/${name}.plist
That's it, now we'll make cf3 distribute the file the usual way; it needs to be
copied to the same location on all clients
(that is to: /private/var/db/dslocal/nodes/Default/users/${name}.plist)
With Xcode, PlistBuddy or, in a way, dscl I can inspect the .plist file, but
being unfamiliar with OSX
(and impatient ;-) I couldn't figure out how to set new values for
ShadowHashData and KerberosKey
(all other values are replaced easily).
Still, even that would work only until they come up with binding a _local_
account to a local machine.
(They might forget it though, I hope ;-))
hth, comments are welcome!
Bernhard
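An added example of the cf3 side of the distribution described above; this is not code from the post or from CFEngine itself. It assumes the template directory /our/cf3/template/dir sits on the policy hub and that the agent loads the standard library; because the record carries the password hash (ShadowHashData), the copy is encrypted, verified by digest and kept root-only on the client:

```cfengine
body common control
{
  inputs => { "cfengine_stdlib.cf" };
  bundlesequence => { "osx_local_admin" };
}

bundle agent osx_local_admin
{
  vars:
    "name" string => "admin";                                   # same value as $1 in the dscl script
    "src"  string => "/our/cf3/template/dir/$(name).plist";     # record copied off the maintenance box (assumed path)
    "dst"  string => "/private/var/db/dslocal/nodes/Default/users/$(name).plist";

  files:
    darwin::
      # The plist holds the account's password hash: transfer it encrypted,
      # compare by digest so a stale hash is always replaced, and keep the
      # file readable by root only, like the rest of the dslocal node.
      "$(dst)"
        comment   => "Distribute the pre-hashed local admin record to every client",
        copy_from => secure_cp("$(src)", "$(sys.policy_hub)"),
        perms     => mog("0600", "root", "wheel"),
        classes   => if_repaired("admin_record_changed");

  reports:
    admin_record_changed::
      "Replaced $(dst); check the account with: dscl . -read /Users/$(name) UniqueID";
}
```

The hub still has to grant the clients access to the template directory in its server bundle, and the template copy there deserves the same root-only permissions, since anyone who can read it holds the admin password hash.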
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine