I am reaching out to the community to ask if anyone has tried to add a single user account from AD to ssh access on the Mac?
I have tried the following:
Created a policy to run a single terminal command:
# Add a single AD user account to the SSH access group (record type is "user", not "group")
dseditgroup -o edit -a "(networkid)" -t user com.apple.access_ssh
Also I have tried scripting this out in case the com.apple.access_ssh group is not there.
#!/bin/bash
# Create the SSH access group if it is missing, then add the AD user account to it
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a "DOMAIN(networkid)" -t user com.apple.access_ssh
Does anyone have any thoughts, or has anyone gotten this to work for them?
Best answer by mschroder
Hi,
We don't open it for individual users, but rather groups of users. Here is a script that adds groups to ssh, screen-sharing, and admin:
#!/bin/bash
#
# Set access permissions for the AD network groups (e-groups) passed in $4 to $11.
#
# The initial idea was to accept one group name (in $4) and call the same script
# several times. But Jamf does not allow this. In 9.101 it calls the script twice,
# but both times with the argument passed in the first case listed :(
#
# Check if the Mac is bound to the domain
domain=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
if [ "$domain" != "Your.Domain" ]; then
    echo "Problem with AD binding, domain = $domain"
    exit 2
fi

# Global settings
# Enable sshd ("Remote Login")
echo "Enabling 'Remote Login'"
systemsetup -f -setremotelogin on

# Enable Screen Sharing
echo "Enabling 'Screen Sharing'"
defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

i=4
# Treat all arguments from $4 on...
for userGroup in "${@:4}"; do
    # Make sure we have a value
    if [ "$userGroup" != "" ]; then
        echo "handling parameter $i, $userGroup"
        for accessGroup in "com.apple.loginwindow.netaccounts" "com.apple.access_ssh" "com.apple.access_screensharing" "admin"; do
            echo "Adding group $userGroup to $accessGroup"
            # Check whether the group exists; if not, create it
            /usr/bin/dscl . -read "/Groups/${accessGroup}" > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q "${accessGroup}"
            /usr/sbin/dseditgroup -o edit -a "${userGroup}" -t group "${accessGroup}"
        done
        # And now we still have to add this
        userGroup="com.apple.loginwindow.netaccounts"
        accessGroup="com.apple.access_loginwindow"
        echo "Adding group $userGroup to $accessGroup"
        # Would be surprising if it did not exist, but...
        /usr/bin/dscl . -read "/Groups/${accessGroup}" > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q "${accessGroup}"
        /usr/sbin/dseditgroup -o edit -n /Local/Default -a "${userGroup}" -t group "${accessGroup}"
    fi
    i=$(($i+1))
done
exit
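Once a policy like the one above has run, the thing an admin usually wants next is to verify who actually ended up with SSH and Screen Sharing access. The following audit script is an added example, not code from the thread or from mschroder; it assumes it is run as root on a bound Mac and that the access group names are the ones used above. `read_attr` parses `dscl . -read` output (attribute values are either on the same line or on following lines indented by one space); `check_user` uses `dseditgroup -o checkmember`, which resolves nested AD group membership.

```shell
#!/bin/bash
# Added example: audit the local access groups that gate sshd, Screen Sharing,
# and the login window, and check one account's effective membership.
ACCESS_GROUPS="com.apple.access_ssh com.apple.access_screensharing com.apple.access_loginwindow admin"

# Print the value(s) of one attribute from "dscl . -read" output read on stdin.
# dscl prints "Attr: v1 v2" on one line, or "Attr:" followed by one value per
# indented line when a value contains spaces. Unknown attributes print nothing.
read_attr() {
    awk -v attr="$1:" '
        $1 == attr { for (i = 2; i <= NF; i++) print $i; grab = 1; next }
        grab && /^ / { print substr($0, 2); next }
        { grab = 0 }'
}

# Show direct members and nested groups of one access group. NestedGroups holds
# the GeneratedUIDs of the nested (e.g. AD) groups, not their names.
audit_group() {
    local group="$1" rec
    rec=$(/usr/bin/dscl . -read "/Groups/$group" GroupMembership NestedGroups 2>/dev/null) || {
        echo "$group: group does not exist (nobody is granted access through it)"
        return 1
    }
    echo "$group:"
    echo "  users:  $(printf '%s\n' "$rec" | read_attr GroupMembership | tr '\n' ' ')"
    echo "  nested: $(printf '%s\n' "$rec" | read_attr NestedGroups | tr '\n' ' ')"
}

# Report the global Remote Login switch, then every access group.
audit_all() {
    /usr/sbin/systemsetup -getremotelogin
    for g in $ACCESS_GROUPS; do audit_group "$g"; done
}

# Answer the original question for one account: which access groups does this
# user effectively belong to (directly or through a nested AD group)?
check_user() {
    local user="$1" g
    for g in $ACCESS_GROUPS; do
        if /usr/sbin/dseditgroup -o checkmember -m "$user" "$g" >/dev/null 2>&1; then
            echo "$user: member of $g"
        else
            echo "$user: NOT a member of $g"
        fi
    done
}
```

Source the file and run `audit_all`, or `check_user 'DOMAIN\someuser'` for a single AD account.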