Posted on 03-14-2019 03:15 PM
Hello everyone,
I am reaching out to the community to ask if anyone has tried to add a single user account from AD to ssh access on the Mac?
I have tried the following
Created a policy to run a single terminal command:
dseditgroup -o edit -a "(networkid)" -t user com.apple.access_ssh
Also I have tried scripting this out in case the com.apple.access_ssh group is not there.
dseditgroup -o create -q com.apple.access_ssh
dseditgroup -o edit -a "DOMAIN(networkid)" -t user com.apple.access_ssh
Does anyone have any thoughts, or has anyone gotten this to work for them?
Posted on 03-15-2019 03:21 AM
Hi,
we don't open it for individual users, but rather groups of users. Here is a script that adds groups to ssh, screen-sharing, and admin:
#!/bin/bash
#
# set access permissions for the AD network groups (e-groups) passed in $4 to $11
#
# The initial idea was to accept one group name (in $4) and call the same script several times.
# But Jamf does not allow this. In 9.101 it calls the script twice, but both times with
# the argument passed in the first case listed :(
#
# check if Mac is bound to domain
domain=$(dsconfigad -show | awk '/Active Directory Domain/{print $NF}')
if [ "$domain" != "Your.Domain" ]; then
    echo "Problem with AD binding, domain = $domain"
    exit 2
fi
# global settings
# enable sshd ("remote login")
echo "Enabling 'Remote Login'"
systemsetup -f -setremotelogin on
# enable screen sharing
echo "Enabling 'Screen Sharing'"
defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
i=4
# treat all arguments from $4 on... ("${@:4}" is a bash expansion, hence the bash shebang)
for userGroup in "${@:4}"; do
    # make sure we have a value
    if [ "$userGroup" != "" ]; then
        echo "handling parameter $i, $userGroup"
        # note: "admin" makes every member of the AD group a local administrator
        for accessGroup in "com.apple.loginwindow.netaccounts" "com.apple.access_ssh" "com.apple.access_screensharing" "admin"; do
            echo "Adding group $userGroup to $accessGroup"
            # check whether group exists, if not create it (variables quoted so names with spaces survive)
            /usr/bin/dscl . -read "/Groups/${accessGroup}" > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q "${accessGroup}"
            /usr/sbin/dseditgroup -o edit -a "${userGroup}" -t group "${accessGroup}"
        done
        # And now we still have to add this
        userGroup="com.apple.loginwindow.netaccounts"
        accessGroup="com.apple.access_loginwindow"
        echo "Adding group $userGroup to $accessGroup"
        # would be surprising if it did not exist, but...
        /usr/bin/dscl . -read "/Groups/${accessGroup}" > /dev/null 2>&1 || /usr/sbin/dseditgroup -o create -q "${accessGroup}"
        /usr/sbin/dseditgroup -o edit -n /Local/Default -a "${userGroup}" -t group "${accessGroup}"
    fi
    i=$(($i+1))
done
exit
Hope this helps.
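For the single-account case asked in the original question, here is an added example (not from the thread and not part of mschroder's script): it reuses the exists-or-create check from the script above, adds the account with -t user rather than -t group, and verifies the result with dseditgroup -o checkmember. The DOMAIN\user naming, the sample account CORP\jdoe and the DRY_RUN switch are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: grant SSH access to ONE AD account.
# Assumes the Mac is already bound to AD and the account is given as
# DOMAIN\user (constructed sample: 'CORP\jdoe'). DRY_RUN=1 only prints commands.
SSH_GROUP="com.apple.access_ssh"

run() {                 # execute the command, or just print it when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ensure_ssh_group() {    # same exists-or-create check as the script above
    if ! /usr/bin/dscl . -read "/Groups/$SSH_GROUP" >/dev/null 2>&1; then
        run /usr/sbin/dseditgroup -o create -q "$SSH_GROUP"
    fi
}

grant_ssh_user() {      # $1 = DOMAIN\user; a single account needs -t user, not -t group
    case "$1" in
        *\\*) ;;        # looks like DOMAIN\user
        *) printf 'expected DOMAIN\\user, got %s\n' "$1" >&2; return 2 ;;
    esac
    ensure_ssh_group
    run /usr/sbin/dseditgroup -o edit -a "$1" -t user "$SSH_GROUP"
}

verify_ssh_user() {     # exit status 0 only if the account is now a member
    run /usr/sbin/dseditgroup -o checkmember -m "$1" "$SSH_GROUP"
}

if [ "$#" -gt 0 ]; then # usage: sh grant_ssh.sh 'CORP\jdoe'
    grant_ssh_user "$1" && verify_ssh_user "$1"
fi
```

Run it once with DRY_RUN=1 to see the exact dseditgroup calls before letting a Jamf policy execute it for real.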
Posted on 03-15-2019 04:58 AM
mschroder thank you for the response and your feedback,
I will have a group created in AD, add it to the $4 - $11 and test this out. I will get back to you and let you know how I make out.
Thankfully,
Jason S
Posted on 06-07-2019 03:09 PM
@mschroder Thank you for the assistance with the script. I did get it to populate the groups. Thanks again.