Skip to main content
Question

AD bind script does not run via Jamf, just locally

M
Forum|alt.badge.img+6

Hello all.

I struggle so hard for hours now to determine what could be wrong with the following AD script:

#!/bin/bash

apiurl="https://jss.company.com"

# decrypt API user auth string
function DecryptString() {
echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
apistring=$(DecryptString "somestring" "$8" "$9")
echo "$apistring"

# decrypt AD user auth string
function DecryptString() {
echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
adstring=$(DecryptString "somestring" "$10" "$11")
echo "$adstring"

# get Mac's serial number
serial=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')
echo "$serial"

# download some xml stuff from Jamf Pro and extract site name out of it
siteName=$( curl -sku "$apistring" $apiurl/JSSResource/computers/serialnumber/$serial/subset/general -X GET -H "Accept: application/xml"  | xpath '/computer/general/site/name/text()' )
echo "$siteName"

echo "This Mac is assigned to Site $siteName"

# check AD status
adstatus=$( dsconfigad -show | awk '/Active Directory Domain/{print $NF}' )
echo $adstatus

# check if already bound to AD, then unbind
if [ "$adstatus" = "company.com" ]
then dsconfigad -remove $adstring
echo "This Mac has been previously bound to AD and got unbound now."
fi

# add to AD container matching to site
if [ "$siteName" = "Site1" ]
then dsconfigad -add "company.com" $adstring -computer "$ComputerName" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "OU=Macintosh,OU=Computer,OU=CITY1,OU=COUNTRY1,OU=CONTINENT1,DC=company,DC=com" -groups "" -passinterval 0
    echo "Mac added to AD Container company.com/CONTINENT1/COUNTRY1/CITY1/Computer/Macintosh"
elif [ "$siteName" = "Site2" ]
then dsconfigad -add "company.com" $adstring -computer "$ComputerName" -mobile enable -mobileconfirm disable -localhome enable -shell /bin/bash -ou "OU=Macintosh,OU=Computer,OU=CITY2,OU=COUNTRY2,OU=CONTINENT2,DC=company,DC=com" -groups "" -passinterval 0
    echo "Mac added to AD Container company.com/CONTINENT2/COUNTRY2/CITY2/Computer/Macintosh"
# ...much more sites to follow, same pattern
else echo "Mac could not be added for some obscure reason to AD. Please check and do manually."
fi

exit

This script runs totally fine when running locally in CodeRunner and does exactly what it should. However, when running via Jamf (assumingly as root?), it just brings up:

Running script: bindToAD.sh
Script exit code: 0
Script result: (null)

Surprisingly, if I add "sudo su -" on top of local CodeRunner scripts, it also keeps on running with any progress at all, after entering password.

WTH?
Does anyone might have an idea where's the flaw in my script?

7 replies

donmontalvo
Forum|alt.badge.img+36
  • donmontalvo
  • Legendary Contributor
  • 4293 replies
  • October 8, 2019

Try putting your salt values in parameters $4 and higher in the policy under the script payload?

--https://donmontalvo.com
M
Forum|alt.badge.img+6
  • mucgyver-old
  • Author
  • Contributor
  • 21 replies
  • October 8, 2019

@donmontalvo , I just tried again by putting in the auth strings in plain text, for testing purposes... even that does not do any change. So I think we can discard Salt variables to be the cause...

donmontalvo
1 person likes this
  • donmontalvo
    donmontalvo
T
Forum|alt.badge.img+4
  • timelost
  • New Contributor
  • 3 replies
  • October 8, 2019

Mistype...

M
Forum|alt.badge.img+6
  • mucgyver-old
  • Author
  • Contributor
  • 21 replies
  • October 8, 2019

Sorry, @timelost , would you mind telling me where I mistyped?

T
Forum|alt.badge.img+4
  • timelost
  • New Contributor
  • 3 replies
  • October 8, 2019

I looked through it and can't find anything that catches my eye. Apologies it was just a misplaced response (mistype) on my part, nothing regarding your script. I thought I was typing into a different window.

M
Forum|alt.badge.img+6
  • mucgyver-old
  • Author
  • Contributor
  • 21 replies
  • October 11, 2019

Sorry for pushing this up, but this drives me nuts. Anyone has any idea how to solve this?
Jamf support had the approach "Just add it as elf service policy", but that is obviously not the approach I am following, as I want to automate things in a workflow and make things easier, not more complicated.
Thanks a million...

M
Forum|alt.badge.img+9
  • merps
  • Contributor
  • 149 replies
  • October 11, 2019

I second @donmontalvo and think the issue is probably due to the fact that jamf will automatically send $1, $2, $3 parameters into your script.

I would add this to the top of your script (just below #!/bin/bash), then compare the values when running it locally vs. as a policy:

echo "param1 is $1"
echo "param2 is $2"
echo "param3 is $3"
echo "param4 is $4"
echo "param5 is $5"
echo "param6 is $6"
echo "param7 is $7"
echo "param8 is $8"
echo "param9 is $9"
echo "param10 is $10"
echo "param11 is $11"

Also, this shouldn't matter, but you don't need to define the DecryptString function twice.

Reply


Most helpful members this week

Terms & ConditionsCookie settingsAccessibility statement

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings