Skip to main content
Solved

Flushing out dscl on logout for lab machine

  • June 4, 2015
  • 33 replies
  • 111 views
Show first post

33 replies

N
Forum|alt.badge.img+7
  • NightFlight
  • Contributor
  • June 23, 2015
#!/bin/bash
function delete_local_user {
    if [ -z "$1" ]; then return; fi
    dscl . -delete /Users/${1}  &>/dev/null;
    if [ -d /Users/${1} ]; then echo deleting local account: /Users/${1}; rm -rf /Users/${1}; fi
}


function create_local_user {
    delete_local_user $1
        echo  - Creating local account: $1

    # Generate a new UniqueID
    aUID=99             # 99 = nobody
    while [ ! -z "`dscl . -search /Users UniqueID $aUID`" ]
    do 
        aUID=$RANDOM
        aUID=$((aUID % 100))    # Mod 100 keeps the value between 0-100
        aUID=$((aUID + 500))    # Add 500 = 500 - 599
    done
    # Create the local directory entry
    dscl . -create /Users/$1
    dscl . -create /Users/$1 UniqueID $aUID
    dscl . -create /Users/$1 RealName "$3"
    dscl . -create /users/$1 NFSHomeDirectory /Users/$1
    dscl . -create /Users/$1 UserShell /dev/null
#   dscl . -create /Users/$1 UserShell /bin/bash
    dscl . -create /Users/$1 PrimaryGroupID 20

    # Create the Home folder from template
    cp -a /System/Library/User Template/English.lproj /Users
    mv /Users/English.lproj /Users/$1

    # Set the password
    dscl . -passwd /Users/$1 $2

    # Fix the rights.
    chown -R ${1} /Users/${1}
    find /Users/${1}/Library -type f -exec chmod a-x {} ;

}


# Call the function:

create_local_user username userpass "User Name"
C
Forum|alt.badge.img+10
  • calumhunter
  • New Contributor
  • June 23, 2015

Have you tried kill opendirectoryd as part of your logout script?

Or

Perhaps you can change the UID of the account on the fly with some of what chris has suggested

aUID=$RANDOM
aUID=$((aUID % 100))    # Mod 100 keeps the value between 0-100
aUID=$((aUID + 500))    # Add 500 = 500 - 599

dscl . -change /Users/$1 UniqueID $old_static_mapped_UID $aUID

With Per's LoginScriptPlugin
you can run Login Scripts as root pre home directory mounting this might give you a chance to change the UID to a random number for the user logging in before their home directory is created and mounted.

check out

https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html#//apple_ref/doc/uid/10000172i-SW10-BAJCGEGG

specifically:

Authentication Plug-Ins

Authentication plug-ins are the recommended way to perform tasks during the login process. An authentication plug-in executes while the user is logging in, and is guaranteed to complete before the user is allowed to actually interact with his or her account.

You might write an authentication plug-in if you need to programmatically reset an account to a predetermined state, perform some administrative task such as deleting caches to reduce server utilization, and so on.

To learn more about writing an authentication plug-in, read Running At Login.

P
Forum|alt.badge.img+11
  • pblake
  • Author
  • Contributor
  • June 24, 2015

@calumhunter & @chris.hotte

Thanks for the scripts I will play with them tomorrow and see what sticks. I appreciate the help. I have to figure out exactly how your suggestions work, but I will play around.

Thanks!

R
Forum|alt.badge.img+5

Ahh the joys of being down under. g/l

N
Forum|alt.badge.img+7
  • NightFlight
  • Contributor
  • June 24, 2015

All the issues you will encounter repeatedly creating local accounts with randomly generated UID's are (hopefully) taken into account with the function. It works like this:

  • Expect 3 parameters passed in.
  • Delete the user name passed in from the local directory
  • While loop the random number generator test generated UID for conflict.
  • Create user in the local directory as per parameters passed in.
  • Copy the user template.
  • Assign ownership to the copied template to the newly created user.

I use this function for generic accounts with a known password for when a users directory account is unavailable for whatever reason. Its a limited account and counter policy, but it allows work to continue in a squeeze.

bentoms
Forum|alt.badge.img+35
  • bentoms
  • Hall of Fame
  • June 26, 2015

@pblake You might want to find a different approach come 10.11

N
Forum|alt.badge.img+7
  • NightFlight
  • Contributor
  • June 29, 2015

I've found cached AD mobile accounts very troublesome, since after password change time they do not appear to update correctly and in my environment at least - results in consistent/frequent account lockouts. Thus my Kludge for this issue has been to clear the cached user account on the logout hook.

P
Forum|alt.badge.img+11
  • pblake
  • Author
  • Contributor
  • July 20, 2015

Turns out there was a unique field in the LDAP, but I have to obtain a privileged service account to read it. Once I got that, I was able to map it to a unique number.

Thanks all for the help!
Special Shouts to:
@chris.hotte @nessts @c0up3 @mm2270 @rhysforrester @calumhunter

Terms & ConditionsCookie settingsAccessibility statement