Posted on 12-10-2008 12:08 AM
everyone,
So a user has a true flag under their account in the JSS for the inventory of that machine, I will just copy/paste an example, sorry if it doesn't format correctly.
User in the JSS shows this:
Username Real Name UID Home Directory Home Directory Size Admin File Vault Enabled
Mia Green 22221 /Users/11miagre 5.28 GB true false
11miagre Mia Green 22221 /Users/11miagre 5.28 GB false false
student KCK Student 505 /Local/Users/student N/A false false
For some reason it shows the user name twice, and on the top one it says True False, the first True being the admin flag.
Now, when I ssh into said client machine and do some digging I find this:
id 11miagre
uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)
GID 98 shows as _lpadmin; what the heck is that? Google says it configures the print system, so I must assume it is a daemon from the OS?
Anyone else see this stuff? Also, dscl does not list this user under /Groups/admin either.
Thanks
Posted on 12-10-2008 12:37 AM
_lpadmin is the CUPS account that correlates to the lpadmin command you find in the terminal. I can't tell you why this account is showing up twice, but since it is a member of the staff group that should make it admin. Our local administrator account is uid=501(adm) gid=20(staff) ...
AFAIK the user is not directly a member of the admin group, but staff is, so it's like embedded groups.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
Posted on 12-10-2008 12:57 AM
Ryan
Thanks for the confirmation, that is what I found googling it for lpadmin. The double user entry still baffles me. It lists my local admin account under the staff group and the admin group:
$ id tlarkin
uid=1305(tlarkin) gid=20(staff) groups=20(staff),80(admin),101(com.apple.sharepoint.group.1),1031(tis),104(com.apple.sharepoint.group.2)
I think everyone is under staff, these are directory accounts though not local, and my account is flagged to administer the directory. I guess I am not quite grasping why it displays that in the JSS inventory.
thanks
Posted on 12-10-2008 01:06 PM
I don't know if I'm misunderstanding your message, but it sounds like you're
saying that membership in admin (80) is inherited by membership in staff
(20).
I don't believe that's the case. All accounts are members of staff by
default. Only admin users are members of admin. An account can be a member
of staff but not be a member of admin.
The output is showing you the following:
uid=<the account's user ID> gid=<the account's "primary group ID", as seen
in Workgroup Manager, Groups tab> # What follows is a list of all of the
groups that the account in question belongs to, including the "primary
group". This is why you see "staff" appear twice in the command's output.
The first instance lets you know what the account's "primary group" is, and
it appears again when listing all groups that the account is a member of.
My apologies if I misunderstood your message.
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
Posted on 12-10-2008 01:15 PM
That is what I thought but wasn't 100% on it. Everyone is part of staff
(20) but this is reading it off the directory LDAP. So, if a user goes
into System Preferences, and checks the box that says allow this user to
administer this computer on their mobile account, will it add the admin
group, or will it list the user under /Groups/admin on the machine
locally?
As far as I can tell it doesn't do either. When I invoke the dscl
command it lists no one under the /Groups/admin on that machine locally.
When I run the id command on a user it pulls up their info from LDAP,
not the local machine.
I guess what I am trying to get to the bottom of is, how do I tell if
a user has checked the box to flag them as an administrator for just
that machine in System Preferences? Perhaps that is why I am getting
the double entries in the JSS inventory?
Thoughts?
Thanks again for reading and helping with this,
Tom
Posted on 12-10-2008 01:30 PM
Under Leopard (10.5.5), if you have a network account, and check the box in
System Preferences to make it an admin account, the account becomes a member
of the admin group (80) on the local machine.
If you run "dscl . read /Groups/admin" on the same computer, the shortname
of your network account should appear in the "GroupMembership" line of
dscl's output.
I'm not sure I'm understanding the "double entries" part. Can you send a
screenshot of the output you're referring to?
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
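Added example, not part of the original thread: a shell sketch of the two checks discussed above, reading the gid= and groups= fields of `id` output and the GroupMembership line from `dscl . read /Groups/admin`. The sample strings, the function names and the short names on the dscl line are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples in the format `id` prints (group lists shortened).
SAMPLE_ID_STUDENT='uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),1042(allstudents)'
SAMPLE_ID_ADMIN='uid=1305(tlarkin) gid=20(staff) groups=20(staff),80(admin),1031(tis)'
# Constructed sample of the GroupMembership line from "dscl . read /Groups/admin".
SAMPLE_DSCL='GroupMembership: root adm tlarkin'

# primary_gid ID_OUTPUT: print the numeric primary group ID (the gid= field).
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9][0-9]*\)(.*/\1/p'
}

# id_in_group ID_OUTPUT GID: exit 0 if GID appears in the groups= list.
# Matching on ",GID(" keeps 80 from matching 180 or 8.
id_in_group() {
    _list=${1##*groups=}
    case ",$_list," in
        *",$2("*) return 0 ;;
        *) return 1 ;;
    esac
}

# dscl_lists_member DSCL_OUTPUT SHORTNAME: exit 0 if SHORTNAME is a whole
# word on the GroupMembership line of the local admin group record.
dscl_lists_member() {
    printf '%s\n' "$1" | awk -v u="$2" '
        $1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# admin_status ID_OUTPUT DSCL_OUTPUT SHORTNAME: print "admin" if either view
# shows admin rights (gid 80 in the id list, or the short name in the local
# admin group record); membership in staff (20) alone prints "standard".
admin_status() {
    if id_in_group "$1" 80 || dscl_lists_member "$2" "$3"; then
        echo admin
    else
        echo standard
    fi
}

# On a Mac, with the commands used in the thread:
#   admin_status "$(id 11miagre)" "$(dscl . read /Groups/admin GroupMembership)" 11miagre
```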
Posted on 12-10-2008 01:36 PM
Mark Hughes, Apple Technician
TIS Department, KCKPS USD500
Cell 913-449-7791
mahughe at kckps.org
Posted on 12-10-2008 01:41 PM
That is interesting. I'd contact JAMF support and ask about it. Let me
know what they say.
My guess is that whatever method is used to gather the local account info
via Recon either has a bug or is running into a bug in the Mac OS.
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com