Solved

Auto Login with AD Account

Forum|Forum|10 years ago
August 17, 2015
8 replies
16 views

scoth
New Contributor

I'm trying to get auto login to work using an AD account. So far it has been hit and miss. Some work fine, some don't. Here is what I have been doing.

cp -R /System/Library/User Template/English.lproj /Users/student
chown -R student:"Domain Users" /Users/student
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n student -h /Users/student
Push kcpassword to /private/etc/
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser student
defaults write /Users/student/Library/Preferences/com.apple.screensaver.plist askForPassword -int 0

Mac are 10.9 and above

Anyone see issues?

Best answer by scoth

Update on this... I have found more information and have been successful with auto login since.
The issue seems to be creating the home directory from AD and not setting the password with createmobileaccount. I have edited my script to do the following:

mkdir /Users/student
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n student -p {password}
rm -rf /Users/student
createhomedir -c -u student
Push kcpassword to /private/etc/
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser student
defaults write /Users/student/Library/Preferences/com.apple.screensaver.plist askForPassword -int 0

+18

davidacland
Valued Contributor
Forum|Forum|10 years ago
August 17, 2015

Not sure if this is it but in the createmobileaccount help page it says If you do not specify a password, the account's cached password will be created during the account's first log in.

For local accounts the password is hashed in /var/db/shadow/hash, I haven't looked if its the same for mobile accounts but it would be worth checking.

That all being said, you mentioned that it works some of the time which would indicate the syntax is all correct, its just not reliable.

Any chance you could use a local account instead?

scoth
Author
New Contributor
Forum|Forum|10 years ago
August 17, 2015

Using iBOSS, when an account logs in to AD the IP and user information is passed so the filter knows how to group the user. A local account will be filtered at Default which is not what I would like.

--Scot

+17

joshuasee
Valued Contributor
Forum|Forum|10 years ago
August 17, 2015

Unfortunately, I'm hard pressed to see how it would ever work given that createmobileaccount can't create the password hash, and the reversible format of kcpassword is unrelated to the irreversible shadowed hash format in directory services records. You can't derive the former from the latter.

scoth
Author
New Contributor
Forum|Forum|10 years ago
August 17, 2015

I'll update the script to use the password for testing purposes and see what happens.

Thanks.

+18

davidacland
Valued Contributor
Forum|Forum|10 years ago
August 17, 2015

If it's any help you could use the createuserpkg app and pacifist to pull apart the resulting package to see what files are going where.

Might give you some more info.

scoth
Author
New Contributor
Answer
Forum|Forum|10 years ago
August 19, 2015

+17

joshuasee
Valued Contributor
Forum|Forum|10 years ago
August 19, 2015

OOC, how are you generating the kcpassword file? Is student a static account where the password is known?

lionelgruenberg
Contributor
Forum|Forum|10 years ago
August 20, 2015

@joshuasee check out Gavin Brock's perl script for encoding/decoding kcpassword files

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded