low UID users not migrated on 10.7 upgrade

rockpapergoat
Contributor III

have any of you seen cases of < 500 accounts not migrating with 10.7 upgrades?

specifically, a client is seeing issues with hidden admin accounts with low UIDs and homedirs under the non-standard /var/home.

expanding the previous dslocal archive created on upgrade, copying the user record plists to /var/db/dslocal/nodes/Default/users, starting opendirectoryd, then changing the password does allow login, but that's obviously not an efficient workflow.

i believe those affected are machines that were upgraded manually with a bootable USB key or other disk, not that it should matter.
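To find which accounts a given machine lost, the pre-upgrade user records can be compared with the live ones. The following Python 3 script is an added example, not part of the original post: it takes the `users` directory of the expanded pre-upgrade archive and the live `users` directory as arguments (the archive location is not given in the thread, so both are passed in), and it assumes the `name`, `uid` and `home` attributes are stored as lists of strings, as dslocal records are.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

LOW_UID_CEILING = 500  # the thread's "< 500" accounts


def load_users(users_dir):
    """Map short name -> (uid, home) for each readable user record plist."""
    users = {}
    for path in sorted(Path(users_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                rec = plistlib.load(fh)  # accepts XML and binary plists
            # dslocal records store every attribute as a list of strings
            name, uid = rec["name"][0], int(rec["uid"][0])
            home = (rec.get("home") or [""])[0]
        except (plistlib.InvalidFileException, ExpatError, OSError,
                KeyError, IndexError, TypeError, ValueError, AttributeError):
            continue  # unreadable or incomplete record: skip it
        users[name] = (uid, home)
    return users


def missing_low_uid_users(archive_users_dir, live_users_dir, skip_system=True):
    """Low-UID accounts in the pre-upgrade records but not in the live node."""
    before = load_users(archive_users_dir)
    after = load_users(live_users_dir)
    missing = []
    for name, (uid, home) in sorted(before.items()):
        if uid >= LOW_UID_CEILING or name in after:
            continue
        # Assumption: "_"-prefixed names are OS service accounts, not admins
        if skip_system and name.startswith("_"):
            continue
        missing.append((name, uid, home))
    return missing


if __name__ == "__main__":
    # usage: script.py <expanded-archive-users-dir> <live-users-dir>
    for name, uid, home in missing_low_uid_users(sys.argv[1], sys.argv[2]):
        state = "present" if home and Path(home).is_dir() else "absent"
        print(f"{name}\tuid={uid}\thome={home} ({state})")
```

Reading the live records under /var/db/dslocal requires root. The output also shows whether each missing account's home directory still exists on disk.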


rtrouton
Release Candidate Programs Tester

Nate,

I'd noticed that with the Casper management account I'm using. I was able to fix it in my DeployStudio-based 10.7 upgrade workflow by having DeployStudio automatically uninstall the current Casper agent, then reinstalling it after the upgrade using a Casper QuickAdd package. The reinstall added the management account to the Mac as part of the installation.

Thanks,
Rich

Not applicable

Yes, we are seeing this also with our hidden (< 500) admin accounts.
The home directory still exists in /var at least.

Our workaround has been to implement the following procedure as we
prepare for our Lion upgrade on our pool of laptops:

1) Create a Casper policy that creates an admin user called "Lion
Upgrade" on each machine. Scope the policy to run on computer groups
that are getting the upgrade.

2) When the computer visits the Tech Center, log in as the now-created
"Lion Upgrade" user. Log in as this new "Lion Upgrade" admin user. Run
the Lion upgrade from a USB flash drive. Lion installs, reboots, and
the two accounts are present on the machine: the original user's
account and the recently-created "Lion Upgrade" admin account.

3) Log in as the "Lion Upgrade" account again. Run a package I called
"Lion Fixes.pkg" which is really just a bash script to do a few
things:
- recreates the hidden admin account with the same name and sets its password
- points its home folder to the appropriate place in /var
- deletes the "Lion Recovery" partition from the HD and merges the
open space back into the main partition (and renames the HD "Lion" so
we have a visual indicator in the Finder that it's occurred).
- fixes permissions on this hidden admin account's home folder

4) This "Lion Fixes.pkg" lives on the same USB flash drive alongside
the Lion Installer. Techs are instructed to run it after logging in
for the first time into the upgraded Lion machine.

5) Tech logs out and then back in as the hidden admin account. Tech
deletes the "Upgrade Lion" user from the system and then logs out.

Doing these things restores the system to the state it was in pre-Lion
upgrade. Our hidden admin account exists again on the machine. We
don't have to know the user's password or reset it to get into the
machine to perform the upgrade.

We thought about doing the Lion upgrade via Self Service but it would
put too much of a strain on our network and would take way way longer
than doing it from flash drives. So it means hands-on for each
machine, but since we're also putting a new battery in every machine
at the same time, we're killing two birds with one stone.

I can share the bash script with anyone who's interested. I just need
to strip out some of the identifiers first.

Damien Barrett
System Technician, ACMT, CCA
Montclair Kimberley Academy
Montclair, NJ 07042
973-842-2812

tanderson
Contributor

Yep, seeing that here as well. Takes out our local hidden admin account and the Casper management account. Working up something to get around it but haven't gotten there yet.

Tom

rockpapergoat
Contributor III

good to know it's a common occurrence, though it's pretty lame. i'd say it's a bug, no?

i'm looking to automate the process of adding the admin users as part of a payload using greg neagle's lion installer wrapper. all the monkey work (no pun intended) after the fact should be unnecessary.

http://code.google.com/p/munki/downloads/detail?name=InstallLionPkg_20110908.zip

rtrouton
Release Candidate Programs Tester

That's a good way to handle it. You could add CreateLionUser (http://code.google.com/p/instadmg/source/browse/trunk/AddOns/createUser/) installer packages as well as a Casper QuickAdd package to InstallLion.pkg. That should automate the process of putting those hidden admin accounts back.

Thanks,
Rich

rockpapergoat
Contributor III

that's the idea. there should be no reason to do any "login, install something, run a fix" dance.

tlarkin
Honored Contributor

I've seen this when upgrading from 10.5 to 10.6. Usually I just copy the user over to an external and then use migration assistant to copy it back if a user upgrades on their own.

-Tom