Auto Login with AD Account

scoth
New Contributor II

I'm trying to get auto login to work using an AD account. So far it has been hit and miss. Some work fine, some don't. Here is what I have been doing.

cp -R "/System/Library/User Template/English.lproj" /Users/student
chown -R student:"Domain Users" /Users/student
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n student -h /Users/student
Push kcpassword to /private/etc/
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser student
defaults write /Users/student/Library/Preferences/com.apple.screensaver.plist askForPassword -int 0

Macs are 10.9 and above.

Anyone see issues?

1 ACCEPTED SOLUTION

scoth
New Contributor II

Update on this... I have found more information and have been successful with auto login since.
The issue seems to be creating the home directory from AD and not setting the password with createmobileaccount. I have edited my script to do the following:

mkdir /Users/student
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n student -p {password}
rm -rf /Users/student
createhomedir -c -u student
Push kcpassword to /private/etc/
defaults write /Library/Preferences/com.apple.loginwindow autoLoginUser student
defaults write /Users/student/Library/Preferences/com.apple.screensaver.plist askForPassword -int 0



davidacland
Honored Contributor II

Not sure if this is it, but the createmobileaccount help page says: "If you do not specify a password, the account's cached password will be created during the account's first log in."

For local accounts the password is hashed in /var/db/shadow/hash. I haven't looked at whether it's the same for mobile accounts, but it would be worth checking.

That all being said, you mentioned that it works some of the time, which would indicate the syntax is all correct; it's just not reliable.

Any chance you could use a local account instead?

scoth
New Contributor II

Using iBOSS, when an account logs in to AD the IP and user information is passed so the filter knows how to group the user. A local account will be filtered at Default which is not what I would like.

--Scot

joshuasee
Contributor III

Unfortunately, I'm hard pressed to see how it would ever work given that createmobileaccount can't create the password hash, and the reversible format of kcpassword is unrelated to the irreversible shadowed hash format in directory services records. You can't derive the former from the latter.

scoth
New Contributor II

I'll update the script to use the password for testing purposes and see what happens.

Thanks.

davidacland
Honored Contributor II

If it's any help, you could use the CreateUserPkg app and Pacifist to pull apart the resulting package to see what files are going where.

Might give you some more info.

joshuasee
Contributor III

OOC, how are you generating the kcpassword file? Is student a static account where the password is known?

lionelgruenberg
New Contributor III

@joshuasee check out Gavin Brock's perl script for encoding/decoding kcpassword files
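
Added example, not code from this thread and not Gavin Brock's perl script: a Python encoder/decoder for the kcpassword format that joshuasee describes above (reversible XOR obfuscation, unrelated to the shadow hash) and that the perl script lionelgruenberg points to also handles. The 11-byte XOR key is the well-known loginwindow constant. The padding rule used here (NUL-terminate, then zero-pad to a 12-byte boundary, so at least one NUL is always present) is my assumption about what loginwindow expects, since it stops at the first decoded NUL. The helper names write_kcpassword/read_kcpassword and the demo password are invented for the example.

```python
#!/usr/bin/env python3
"""Encode and decode macOS /etc/kcpassword (auto-login) files.

Added example for this thread, not from the original posts. The XOR key is
the well-known loginwindow constant; the padding rule (always append at least
one NUL, round up to a 12-byte boundary) is an assumption.
"""
import os
import tempfile

# Fixed 11-byte XOR key loginwindow uses for /etc/kcpassword.
KCPASSWORD_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC,
                        0xDD, 0xEA, 0xA3, 0xB9, 0x1F])
BLOCK = 12  # the blob length is always a multiple of this


def _xor_with_key(data: bytes) -> bytes:
    """XOR data against the cyclic key; XOR is its own inverse."""
    return bytes(b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)]
                 for i, b in enumerate(data))


def kcpassword_encode(password: str) -> bytes:
    """Return the obfuscated bytes loginwindow expects in /etc/kcpassword.

    The plaintext is NUL-terminated and zero-padded to the next multiple of
    12 bytes before the XOR, so an empty password still yields 12 bytes, an
    11-byte password 12, and a 12-byte password 24 (assumed padding rule).
    """
    raw = password.encode("utf-8")
    if b"\x00" in raw:
        raise ValueError("password may not contain NUL")
    padded_len = (len(raw) // BLOCK + 1) * BLOCK   # always >= len(raw) + 1
    return _xor_with_key(raw.ljust(padded_len, b"\x00"))


def kcpassword_decode(blob: bytes) -> str:
    """Recover the plaintext from a kcpassword blob.

    This is the point joshuasee makes: the file is reversible obfuscation,
    not a hash. Anyone who can read it (root, or anyone holding an image of
    the disk) gets the account password straight back.
    """
    plain = _xor_with_key(blob)
    return plain.split(b"\x00", 1)[0].decode("utf-8")


def write_kcpassword(password: str, path: str = "/etc/kcpassword") -> str:
    """Write the blob with the ownership and mode Apple uses (root:wheel, 0600)."""
    blob = kcpassword_encode(password)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
    os.chmod(path, 0o600)          # umask may have widened the create mode
    if os.geteuid() == 0:          # chown to root only works when we are root
        os.chown(path, 0, 0)
    return path


def read_kcpassword(path: str = "/etc/kcpassword") -> str:
    """Read and decode an existing kcpassword file."""
    with open(path, "rb") as fh:
        return kcpassword_decode(fh.read())


if __name__ == "__main__":
    # Demo against a temp file with a constructed password, never the real /etc path.
    demo_path = os.path.join(tempfile.mkdtemp(), "kcpassword")
    write_kcpassword("Stud3nt-Pass!", demo_path)
    with open(demo_path, "rb") as fh:
        print(fh.read().hex())
    print(read_kcpassword(demo_path))   # the plaintext comes straight back
```

kcpassword_decode is three lines, so the protection on that file is exactly the file permissions and nothing more; the student account's AD password is recoverable by anyone with root on the Mac or with a copy of its disk, which is worth weighing before reusing that account's password anywhere else. Note also that the file only gives loginwindow the password to type; it does not give the mobile account a cached credential to check that password against, which is consistent with the accepted solution above needing -p on createmobileaccount.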