Posted on 08-17-2015 01:22 PM
I'm trying to get auto login to work using an AD account. So far it has been hit and miss. Some work fine, some don't. Here is what I have been doing.
cp -R "/System/Library/User Template/English.lproj" /Users/student
chown -R student:"Domain Users" /Users/student
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n student -h /Users/student
Push kcpassword to /private/etc/
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser student
defaults write /Users/student/Library/Preferences/com.apple.screensaver.plist askForPassword -int 0
Macs are 10.9 and above.
Anyone see issues?
Posted on 08-17-2015 02:22 PM
Not sure if this is it but in the createmobileaccount help page it says "If you do not specify a password, the account's cached password will be created during the account's first log in."
For local accounts the password is hashed in /var/db/shadow/hash, I haven't looked if it's the same for mobile accounts but it would be worth checking.
That all being said, you mentioned that it works some of the time which would indicate the syntax is all correct, it's just not reliable.
Any chance you could use a local account instead?
Posted on 08-17-2015 02:29 PM
Using iBOSS, when an account logs in to AD the IP and user information is passed so the filter knows how to group the user. A local account will be filtered at Default which is not what I would like.
--Scot
Posted on 08-17-2015 02:40 PM
Unfortunately, I'm hard pressed to see how it would ever work given that createmobileaccount can't create the password hash, and the reversible format of kcpassword is unrelated to the irreversible shadowed hash format in directory services records. You can't derive the former from the latter.
Posted on 08-17-2015 02:49 PM
I'll update the script to use the password for testing purposes and see what happens.
Thanks.
Posted on 08-17-2015 03:06 PM
If it's any help you could use the createuserpkg app and pacifist to pull apart the resulting package to see what files are going where.
Might give you some more info.
Posted on 08-19-2015 07:06 AM
Update on this... I have found more information and have been successful with auto login since.
The issue seems to be creating the home directory from AD and not setting the password with createmobileaccount. I have edited my script to do the following:
mkdir /Users/student
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n student -p {password}
rm -rf /Users/student
createhomedir -c -u student
Push kcpassword to /private/etc/
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser student
defaults write /Users/student/Library/Preferences/com.apple.screensaver.plist askForPassword -int 0
Posted on 08-19-2015 09:26 AM
OOC, how are you generating the kcpassword file? Is student a static account where the password is known?
Posted on 08-20-2015 03:05 PM
@joshuasee check out Gavin Brock's perl script for encoding/decoding kcpassword files
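The reversible kcpassword encoding discussed in the replies above, as an added example that is not part of any post in this thread and is not Gavin Brock's script: it shows that the file is XOR obfuscation rather than a hash, so anyone who can read it recovers the auto login password, and it checks that a deployed file is restricted to its owner. The 11-byte key is the publicly documented one; padding to a multiple of 12 bytes, the function names and the sample values are assumptions.

```python
import os
import stat

# Publicly documented 11-byte XOR key used for /etc/kcpassword.
KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F])
BLOCK = 12  # assumption: pad to a multiple of 12 bytes, as common encoders do


def _xor(data: bytes) -> bytes:
    """XOR every byte with the repeating key (the operation is its own inverse)."""
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))


def encode_kcpassword(password: str) -> bytes:
    """Return the bytes to write to kcpassword for the given password."""
    raw = password.encode("utf-8") + b"\x00"  # NUL terminator marks the end
    if len(raw) % BLOCK:
        raw += b"\x00" * (BLOCK - len(raw) % BLOCK)
    return _xor(raw)


def decode_kcpassword(blob: bytes) -> str:
    """Recover the password; no secret is needed, which is the security point."""
    return _xor(blob).split(b"\x00", 1)[0].decode("utf-8")


def audit_kcpassword(path: str = "/private/etc/kcpassword") -> list:
    """Return findings for a deployed file; an empty list means root-owned, mode 0600."""
    findings = []
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("accessible by group/other; expected mode 0600")
    if st.st_uid != 0:
        findings.append("not owned by root")
    return findings


if __name__ == "__main__":
    blob = encode_kcpassword("s3cret!")  # constructed sample password
    print(blob.hex(), "->", decode_kcpassword(blob))
```

Because the encoding is reversible, the auto login account should hold no privileges beyond what the kiosk or lab session needs.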