Posted on 01-12-2011 02:19 PM
Before I go down this rabbit hole, I want to find out if anyone else has
done this and if there is an easier way to handle the one hiccup I think we
are going to run into.
In my testing I discovered that if you simply remove OD binding from a
machine and add AD binding, since the UID is different in both systems, end
users will not be able to log in to their machines. This means that in order
for me to make this as painless as I can, I'll need to run a script to
change the permissions on an end user's home folder before they can log in.
I've come up with this sequence of events:
    for i in $(dscl . -list /Users UniqueID | awk '$2 > 525 { print $1 }');
    do
        # now grab the UID using dscl
        userID=$(dscl . -read "/Users/$i" | grep UniqueID | awk '{ print $2 }')
        # grab the home folder location
        userHome=$(dscl . -read "/Users/$i" | grep -m 1 NFSHomeDirectory | awk '{ print $2 }')
        # now chown the home folder (recursive ownership change, not chmod)
        chown -R "$userID" "$userHome"
    done
    # now force a restart
    shutdown -r now
    exit 0
What am I missing? What are my "gotchas"? Has anyone else gone through
this exercise?
Thanks to Tom for that piece of code he sent today to cycle through users. That piece was a major time saver.
Thanks everyone!
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
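
On the "gotchas" question for the loop above, an added example that is not part of the original post: because `chown -R` runs as root, it helps to validate each record and print a plan for review before changing anything. The "NAME UID HOME" record format and the names `check_record`, `plan_chown` and `HOME_ROOT` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original poster's script. It prints a chown plan
# for review instead of changing ownership directly.
MIN_UID=525                      # same threshold as the loop in the post
HOME_ROOT=${HOME_ROOT:-/Users}   # assumption: homes sit directly under /Users

# check_record NAME UID HOME
# Returns 0 when a recursive chown of HOME to UID is safe to plan;
# otherwise prints the reason and returns 1.
check_record() {
    case $2 in
        ''|*[!0-9]*) echo "skip $1: UID '$2' is not numeric"; return 1 ;;
    esac
    if [ "$2" -le "$MIN_UID" ]; then
        echo "skip $1: UID $2 is not above $MIN_UID"; return 1
    fi
    case $3 in
        "$HOME_ROOT"/*/*|*..*)
            echo "skip $1: unexpected home path '$3'"; return 1 ;;
        "$HOME_ROOT"/?*) ;;
        *)  echo "skip $1: home '$3' is not under $HOME_ROOT"; return 1 ;;
    esac
    if [ -L "$3" ] || [ ! -d "$3" ]; then
        echo "skip $1: '$3' is a symlink or not a directory"; return 1
    fi
    return 0
}

# plan_chown: reads "NAME UID HOME" records on stdin (assumed format) and
# prints one line per record: a chown command or the reason for skipping.
plan_chown() {
    while read -r name uid home; do
        [ -n "$name" ] || continue
        if check_record "$name" "$uid" "$home"; then
            # -h: change a symlink itself, never the file it points to
            printf 'chown -R -h %s "%s"\n' "$uid" "$home"
        fi
    done
}
```

An empty or unexpected home value (for example `/`) is the case that matters most here, since an unquoted or unchecked `chown -R` as root would otherwise act on whatever path it is handed.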