Silly rabbit, always check the Stack (yes and easier than I thought):
http://apple.stackexchange.com/questions/86746/enable-ssh-access-for-ad-admin-accounts
Don't use "dscl" to add/delete members to a group, this is a common mistake: one day you will end up with a messed-up/corrupted OS X database, or inconsistencies between the GUI and command-line tools, so always use "dseditgroup" (this is the only officially supported way, and I think it is mentioned in the 10.7 OS X Server Admin book).
The dseditgroup command takes care of adding the UUID of the group, the name of the group... and updates the "dslocal" cache (according to Apple Tech Support).
For example, to add a member to the "com.apple.access_ssh" group, we use:
# sudo dseditgroup -o edit -a billgatesADaccount -t group com.apple.access_ssh
billgatesADaccount can probably be replaced by an AD group, although I never tested it myself.
Sidenote: the jamf binary also uses "dscl . -append xxxxxxxxx" when it has to add a user to the local admin group (at least in 8.6): this should not be done this way, as it is not the proper way to do it.
Thanks for clarifying, Olivier. Don't have that book, but working through the usual man file for dseditgroup to make sense of it. The command you have above generates a "record not found" error, so I must still be doing something wrong.
UPDATE: confirmed that adding the restricted ssh group, adding our AD admin group, then checking access for a user within that group all work with the following 3 commands:
- dseditgroup -o create -q com.apple.access_ssh
- dseditgroup -o edit -a YourADAdminGroup -t group com.apple.access_ssh
- dseditgroup -o checkmember -m YourAdminUser com.apple.access_ssh
Works great! And much easier than manually specifying the UUID via dscl.
Stupid question, but how do I do this AND keep/re-add our Casper management account with this method? Do I execute the command again and it appends the correct user to it?
Nothing stupid, franton. Basically just 2 commands, yes. Updated an existing script I found for exactly this purpose. Am sure others have ideas on how to improve, but here's what I pieced together this AM. Basically we're just using Casper's standard variables $4 and $5 to set both the primary Casper admin user and the domain-based admin group. If anything's unclear just let me know.
#!/bin/sh
# script to enable a particular user of SSH of OS X systems
# Marc Kerr http://marckerr.com 5/31/13
# http://marckerr.com/?tag=shell-scripts
# Updated by C. Hirtle on 8/1/13 for Casper
# Casper passes script parameters starting at $4: $4 = Casper admin user, $5 = AD admin group
USERNAME="$4"
ADMINGROUP="$5"
# check that root is running the script otherwise nothing works
# ($EUID and [[ ]] are bash-isms; id -u and [ ] work under /bin/sh as well)
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# both parameters must be set, otherwise dseditgroup is handed an empty member name
if [ -z "$USERNAME" ] || [ -z "$ADMINGROUP" ]; then
    echo "Usage: \$4 = Casper admin user, \$5 = AD admin group" 1>&2
    exit 1
fi
# disable SSH to start with regardless of if it's on (off to prevent nixing remote execution)
# systemsetup -setremotelogin off
# remove the existing SSH access group (revert to all user access);
# this fails harmlessly on a machine where the group does not exist yet
dseditgroup -o delete -t group com.apple.access_ssh
# create the access group and add the user(s); quote the names in case they contain spaces
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a "$USERNAME" -t user com.apple.access_ssh
# add our standard AD computer admins group as subgroup
dseditgroup -o edit -a "$ADMINGROUP" -t group com.apple.access_ssh
# finally confirm who's in the group before we quit
dseditgroup -o read -t group com.apple.access_ssh
# ensure SSH is back on
systemsetup -setremotelogin on
exit 0
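An added example (mine, not code from the thread or from the scripts linked in it) that turns the three-command procedure and the script above into an idempotent form: it creates com.apple.access_ssh only when the group is missing, runs checkmember before adding the local management account (so re-running a policy does not need the delete/create dance asked about above), nests any number of AD groups, and exits non-zero if the final checkmember does not pass. The `ds` wrapper, the `$DSEDITGROUP` override and the argument layout are my own; what it assumes about dseditgroup's output and exit codes is stated in the comments rather than confirmed by the thread.

```shell
#!/bin/bash
# Added example, not code from the thread. Idempotent version of the
# dseditgroup procedure: create com.apple.access_ssh only if it is missing,
# add the local management account only if checkmember says it is absent,
# nest any number of AD groups, then verify. Safe to re-run from a policy.
#
# Assumptions (not confirmed by the thread): `dseditgroup -o read` exits
# non-zero for a missing group, `-o checkmember` prints a line starting with
# "yes" for members, and re-adding an already nested group is harmless.
# Usage: sudo ./ssh_acl.sh <local-admin-user> <ad-group> [<ad-group> ...]

SSH_GROUP="com.apple.access_ssh"

# Every dseditgroup call goes through this wrapper so the binary can be
# swapped via $DSEDITGROUP (e.g. a stub when exercising the logic off-macOS).
ds() { "${DSEDITGROUP:-dseditgroup}" "$@"; }

group_exists() { ds -o read "$1" >/dev/null 2>&1; }

# Returns 0 when user $1 is a (possibly nested) member of group $2.
is_member() {
  case "$(ds -o checkmember -m "$1" "$2" 2>/dev/null)" in
    yes*) return 0 ;;
    *)    return 1 ;;
  esac
}

# ensure_ssh_acl <local-user> <ad-group>...
# Returns non-zero if, after the edits, the local user still fails checkmember.
ensure_ssh_acl() {
  local user="$1"; shift
  local g

  if ! group_exists "$SSH_GROUP"; then
    ds -o create -q "$SSH_GROUP"
  fi

  if is_member "$user" "$SSH_GROUP"; then
    echo "$user is already in $SSH_GROUP; nothing to add"
  else
    ds -o edit -a "$user" -t user "$SSH_GROUP"
  fi

  # -t group nests the AD group; its members inherit SSH access.
  for g in "$@"; do
    ds -o edit -a "$g" -t group "$SSH_GROUP"
  done

  # Verify rather than trust: this is the check the thread uses.
  is_member "$user" "$SSH_GROUP"
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "must run as root" >&2; return 1
  fi
  if [ $# -lt 2 ]; then
    echo "usage: $0 <local-admin-user> <ad-group> [<ad-group> ...]" >&2; return 2
  fi
  ensure_ssh_acl "$@" || { echo "membership check failed" >&2; return 1; }
  ds -o read "$SSH_GROUP"           # show the resulting record
  systemsetup -setremotelogin on    # make sure the SSH service is on
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as root with the local account first and each AD group after it, e.g. `sudo ./ssh_acl.sh casperadmin 'Mac Admins' 'Helpdesk Admins'`; under Casper the same script can be invoked with `"$4" "$5"`. Because every add is preceded by a read or checkmember, the script can sit in a recurring policy without ever deleting and recreating the group.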
Brilliant! I shall modify for my own needs and test.
Ick. Another stupid question. The AD group name... how exactly should it be specified? domain\groupname or just groupname?
May depend on your infrastructure, but in our case it is just group name. No domain necessary.
Thanks! I'm going to give that a try tomorrow.
I have a couple of posts showing how to use dseditgroup to set access controls with SSH. The second post listed covers how to reference AD group names by domain:
http://derflounder.wordpress.com/2011/02/03/setting-access-controls-on-ssh/
http://derflounder.wordpress.com/2011/05/02/setting-access-controls-for-ssh-part-2/
That has worked beautifully! I've made some changes as we have more than one AD group to allow. Thanks!