dseditgroup network admin to local admin issues

andrew_shur
New Contributor III

I wrote a script to check if the account that just logged in is an admin or not and add them to the local admin group. (So if the teacher goes home, they still have admin rights off our domain.)

Right now I'm testing it locally but it will eventually become a login script. When I run the script everything seems to work right but it throws the error "Group not found.". If I run the same command that the script is running in a terminal window it will work just fine, no "Group not found." error.

Why is the exact same command working differently depending on how it is being run? Does OS X run its shell scripts in a special way?

Here is my script with certain GIDs, usernames, and passwords removed:

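#!/bin/sh

# Owner of /dev/console is the user who just logged in
Username=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
# Directory group IDs that should get local admin rights (values removed)
Domain_Admins=GID1
BSD_Desktop_Admins=GID2
District_Administrators=GID3
District_Teachers=GID4
echo $Username

# Primary group ID of the logged-in user
First_ID=$(id -g $Username)
echo $First_ID

# Add the user to the local admin group when the primary GID matches one of the groups above
if [ "$First_ID" = "$Domain_Admins" ] || [ "$First_ID" = "$BSD_Desktop_Admins" ] || [ "$First_ID" = "$District_Administrators" ] || [ "$First_ID" = "$District_Teachers" ]; then
    /usr/sbin/dseditgroup -o edit -u local_admin_account -P local_admin_password -a $Username -t user admin
    exit 0;
fi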

So when the script runs /usr/sbin/dseditgroup -o edit -u local_admin_account -P local_admin_password -a $Username -t user admin I get "Group not found." But if I copy it and replace $Username with my username and run it in Terminal, it works just fine. Can't seem to find any answer on the internet why this is happening. Hopefully you guys know. Thanks!

1 REPLY

tlarkin
Honored Contributor

Hi @andrew.shur

If you add this line in your script under your shebang we can see line by line output:

#!/bin/bash
set -x

Then run your script and copy and paste the output on here so we can take a look at it. Furthermore, you actually don't have to change the script; you can simply run this command for output:

bash -x /path/to/script.sh

In the past I have used dseditgroup -o edit -a ${u} -t user admin, where ${u} is a variable that gets the currently logged-in user, to add users to the admin group. You shouldn't need to supply credentials since Casper will run the script as root, and we are adding it to the local admin group.

However, once we see the line by line output of your script we can better tell what output the code is getting and see where it goes wrong and fix it.

Thanks,
Tom
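
A sketch of the same login-time check written for the root context the reply describes, as an added example that is not part of either post: it keeps no admin account or password in the script, validates the console user before acting, and skips users who are already local admins. The GID values, the function names and the `--apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example. GIDs are constructed placeholders; use your site's group IDs.
ALLOWED_GIDS="${ALLOWED_GIDS:-1001 1002 1003 1004}"
DSEDITGROUP="${DSEDITGROUP:-/usr/sbin/dseditgroup}"

# Owner of /dev/console is the logged-in user (macOS stat syntax).
console_user() { /usr/bin/stat -f%Su /dev/console; }

# Primary GID of a user, kept in its own function so it can be stubbed.
primary_gid() { /usr/bin/id -g "$1"; }

# Succeeds when GID $1 is on the allow list.
gid_allowed() {
    for g in $ALLOWED_GIDS; do
        [ "$1" = "$g" ] && return 0
    done
    return 1
}

# Prints the decision: skip-invalid-user, skip-not-eligible, already-admin, added or failed.
promote_user() {
    user=$1
    # Reject empty names, root, system accounts (_name) and unexpected characters.
    case $user in
        ""|root|_*|*[!A-Za-z0-9._-]*) echo "skip-invalid-user"; return 0 ;;
    esac
    gid=$(primary_gid "$user") || { echo "skip-invalid-user"; return 0; }
    gid_allowed "$gid" || { echo "skip-not-eligible"; return 0; }
    # Skip the edit when the user is already a member of the local admin group.
    if "$DSEDITGROUP" -o checkmember -m "$user" admin >/dev/null 2>&1; then
        echo "already-admin"; return 0
    fi
    # Runs as root, so no -u/-P credentials are passed or stored in the script.
    if "$DSEDITGROUP" -o edit -a "$user" -t user admin; then
        echo "added"
    else
        echo "failed"; return 1
    fi
}

# Only act when called with --apply (argument name is this example's choice).
if [ "${1:-}" = "--apply" ]; then
    promote_user "$(console_user)"
fi
```

The printed decision string can be sent to the system log by the caller so that each change to the local admin group leaves a record.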