- Jamf Nation Community
- Products
- Jamf Pro
- Re: AD bind script does not run via Jamf, just loc...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
AD bind script does not run via Jamf, just locally
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-08-2019 05:27 AM
Hello all.
I struggle so hard for hours now to determine what could be wrong with the following AD script:
#!/bin/bash
apiurl="https://jss.company.com"
# decrypt API user auth string
function DecryptString() {
echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
apistring=$(DecryptString "somestring" "$8" "$9")
echo "$apistring"
# decrypt AD user auth string
function DecryptString() {
echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
adstring=$(DecryptString "somestring" "$10" "$11")
echo "$adstring"
# get Mac's serial number
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "$serial"
# download some xml stuff from Jamf Pro and extract site name out of it
siteName=$( curl -sku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml" | xpath '/computer/general/site/name/text()' )
echo "$siteName"
echo "This Mac is assigned to Site $siteName"
# check AD status
adstatus=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
echo $adstatus
# check if already bound to AD, then unbind
if [ "$adstatus" = "company.com" ]
then dsconfigad -remove $adstring
echo "This Mac has been previously bound to AD and got unbound now."
fi
# add to AD container matching to site
if [ "$siteName" = "Site1" ]
then dsconfigad -add "company.com" $adstring -computer "$ComputerName" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "OU=Macintosh,OU=Computer,OU=CITY1,OU=COUNTRY1,OU=CONTINENT1,DC=company,DC=com" -groups "" -passinterval 0
echo "Mac added to AD Container company.com/CONTINENT1/COUNTRY1/CITY1/Computer/Macintosh"
elif [ "$siteName" = "Site2" ]
then dsconfigad -add "company.com" $adstring -computer "$ComputerName" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "OU=Macintosh,OU=Computer,OU=CITY2,OU=COUNTRY2,OU=CONTINENT2,DC=company,DC=com" -groups "" -passinterval 0
echo "Mac added to AD Container company.com/CONTINENT2/COUNTRY2/CITY2/Computer/Macintosh"
# ...much more sites to follow, same pattern
else echo "Mac could not be added for some obscure reason to AD. Please check and do manually."
fi
exitThis script runs totally fine when running locally in CodeRunner and does exactly what it should. However, when running via Jamf (assumingly as root?), it just brings up:
Running script: bindToAD.sh
Script exit code: 0
Script result: (null)Surprisingly, if I add "sudo su -" on top of local CodeRunner scripts, it also keeps on running with any progress at all, after entering password.
WTH?
Does anyone might have an idea where's the flaw in my script?
Labels:
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-08-2019 05:38 AM
Try putting your salt values in parameters $4 and higher in the policy under the script payload?
--
https://donmontalvo.com
https://donmontalvo.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-08-2019 05:48 AM
@donmontalvo , I just tried again by putting in the auth strings in plain text, for testing purposes... even that does not do any change. So I think we can discard Salt variables to be the cause...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-08-2019 10:37 AM
Mistype...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-08-2019 11:28 AM
Sorry, @timelost , would you mind telling me where I mistyped?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-08-2019 02:00 PM
I looked through it and can't find anything that catches my eye. Apologies it was just a misplaced response (mistype) on my part, nothing regarding your script. I thought I was typing into a different window.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-11-2019 12:58 AM
Sorry for pushing this up, but this drives me nuts. Anyone has any idea how to solve this?
Jamf support had the approach "Just add it as elf service policy", but that is obviously not the approach I am following, as I want to automate things in a workflow and make things easier, not more complicated.
Thanks a million...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-11-2019 08:17 AM
I second @donmontalvo and think the issue is probably due to the fact that jamf will automatically send $1, $2, $3 parameters into your script.
I would add this to the top of your script (just below #!/bin/bash), then compare the values when running it locally vs. as a policy:
echo "param1 is $1"
echo "param2 is $2"
echo "param3 is $3"
echo "param4 is $4"
echo "param5 is $5"
echo "param6 is $6"
echo "param7 is $7"
echo "param8 is $8"
echo "param9 is $9"
echo "param10 is $10"
echo "param11 is $11"Also, this shouldn't matter, but you don't need to define the DecryptString function twice.
