JSS user reporting user as admin dscl says no?

tlarkin
Honored Contributor

everyone,

So a user has a true flag under their account in the JSS for the inventory of that machine, I will just copy/paste an example, sorry if it doesn't format correctly.

User in the JSS shows this:

Username Real Name UID Home Directory Home Directory Size Admin File Vault Enabled
Mia Green 22221 /Users/11miagre 5.28 GB true false
11miagre Mia Green 22221 /Users/11miagre 5.28 GB false false
student KCK Student 505 /Local/Users/student N/A false false

For some reason it shows the user name twice, and on the top one it says True False, the first True being the admin flag.

Now, when I ssh into said client machine and do some digging I find this:

id 11miagre
uid221(11miagre) gid(staff) groups(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)

GID 98 shows as _lpadmin; what the heck is that? Google says it configures the print system, so I must assume it is a daemon from the OS?

Anyone else see this stuff? Also, dscl does not list this user under /Groups/admin either.

Thanks



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

7 REPLIES

Not applicable

_lpadmin is the CUPS account that correlates to the lpadmin command you find in the terminal. I can't tell you why this account is showing up twice, but since it is a member of the staff group that should make it admin. Our local administrator account is uid=501(adm) gid(staff) ...

AFAIK the user is not directly a member of the admin group, but staff is, so it's like embedded groups.

Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu

tlarkin
Honored Contributor

Ryan

Thanks for the confirmation, that is what I found googling it for lpadmin. For the double user entry that still baffles me. It lists my local admin account under the staff group and the admin group.

$ id tlarkin
uid=1305(tlarkin) gid(staff) groups(staff),80(admin),101(com.apple.sharepoint.group.1),1031(tis),104(com.apple.sharepoint.group.2)

I think everyone is under staff, these are directory accounts though not local, and my account is flagged to administer the directory. I guess I am not quite grasping why it displays that in the JSS inventory.

thanks



Thomas Larkin
TIS Department
KCKPS USD500
tlarki at kckps.org
blackberry: 913-449-7589
office: 913-627-0351

milesleacy
Valued Contributor

I don't know if I'm misunderstanding your message, but it sounds like you're
saying that membership in admin (80) is inherited by membership in staff
(20).
I don't believe that's the case. All accounts are members of staff by
default. Only admin users are members of admin. An account can be a member
of staff but not be a member of admin.

The output is showing you the following:
uid=<the account's user ID> gid=<the account's "primary group ID", as seen
in Workgroup Manager, Groups tab> # What follows is a list of all of the
groups that the account in question belongs to, including the "primary
group". This is why you see "staff" appear twice in the command's output. The first instance lets you know what the account's "primary group" is, and
it appears again when listing all groups that the account is a member of.

My apologies if I misunderstood your message.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com

tlarkin
Honored Contributor

That is what I thought but wasn't 100% on it. Everyone is part of staff
(20) but this is reading it off the directory LDAP. So, if a user goes
into System Preferences, and checks the box that says allow this user to
administer this computer on their mobile account, will it add the admin
group, or will it list the user under /Groups/admin on the machine
locally?

As far as I can tell it doesn't do either. When I invoke the dscl
command it lists no one under the /Groups/admin on that machine locally. When I run the id command on a user it pulls up their info from LDAP,
not the local machine.

I guess what I am trying to get to the bottom of is, how do I tell if
a user has checked the box to flag them as an administrator for just
that machine in System Preferences? Perhaps that is why I am getting
the double entries in the JSS inventory?

Thoughts?

Thanks again for reading and helping with this,

Tom

milesleacy
Valued Contributor

Under Leopard (10.5.5), if you have a network account, and check the box in
System Preferences to make it an admin account, the account becomes a member
of the admin group (80) on the local machine.

If you run "dscl . read /Groups/admin" on the same computer, the shortname
of your network account should appear in the "GroupMembership" line of
dscl's output.

I'm not sure I'm understanding the "double entries" part. Can you send a
screenshot of the output you're referring to?

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
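
An added example, not part of any post in this thread: a shell sketch that compares the inventory's Admin flag with what the client reports through `id` and `dscl . read /Groups/admin GroupMembership`. The function names and the sample strings are constructed for illustration; the sample `id` line uses the standard `groups=20(staff),...` layout.

```shell
#!/bin/bash
# Added example; function names and sample data are constructed, not from the thread.

# Print the short names on the GroupMembership line, one per line.
# $1: output of `dscl . read /Groups/admin GroupMembership`
local_admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership:[[:space:]]*//p' | tr -s ' ' '\n'
}

# Succeed only if the `id` output in $1 lists 80(admin) among the groups.
# Exact matching keeps 98(_lpadmin) from being mistaken for admin.
id_shows_admin() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' | tr ',' '\n' \
        | grep -qxF '80(admin)'
}

# Compare the inventory's Admin flag with what the client itself reports.
# $1 short name, $2 inventory flag (true|false), $3 `id` output, $4 dscl output
audit_admin() {
    local_flag=false
    if local_admin_members "$4" | grep -qxF -- "$1" || id_shows_admin "$3"; then
        local_flag=true
    fi
    if [ "$2" = "$local_flag" ]; then
        echo "OK $1 admin=$local_flag"
    else
        echo "MISMATCH $1 inventory=$2 client=$local_flag"
    fi
}

# Constructed sample mirroring the case in the thread:
# the inventory says admin, the client says no.
audit_admin 11miagre true \
    'uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin)' \
    'GroupMembership: root adm'

# Live use on a Mac:
# audit_admin "$u" true "$(id "$u")" "$(dscl . read /Groups/admin GroupMembership)"
```

On a live Mac, `dseditgroup -o checkmember -m <shortname> admin` also resolves nested group membership, which the GroupMembership line alone does not show.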

Not applicable

Mark Hughes, Apple Technician
TIS Department, KCKPS USD500
Cell 913-449-7791
mahughe at kckps.org

milesleacy
Valued Contributor

That is interesting. I'd contact JAMF support and ask about it. Let me
know what they say.
My guess is that whatever method is used to gather the local account info
via Recon either has a bug or is running into a bug in the Mac OS.

----------
Miles A. Leacy IV

Apple Certified System Administrator 10.4
Apple Certified Technical Coordinator 10.5
Apple Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com