Posted on 11-04-2014 03:47 PM
Yes I know, the opposite of what most people are looking to do.
My environment uses eDirectory (not my choice before anyone comments on this), and the plug-in for replicating AD bound machines for it is buggy at best. I'd like to move all users off mobile accounts onto local accounts, but I'm not sure what the best method for this is.
This is mostly directed at anyone who has done this in the past, and your experience with it, and how you handled user data.
And at anyone else who might have ideas I would love input, I'm quite unsure of what path to take, as I would like to be able to have users re-using their username of their mobile account, and having access to their data. Tricky for sure.
Posted on 11-05-2014 06:40 AM
I have done this in the past and it could be mostly (or completely) automated with a script. If you want it completely automated you would probably be looking at resetting the users' passwords. If a bit of user interaction is allowed then you could have a popup asking them to input their password for the script to use as a variable.
Fully automated with the password being reset, the steps would be:
- Read the list of users using dscl, identifying mobile accounts and put them into an array
- Delete the mobile accounts using dscl, preserving the home folders
- Remove the directory binding
- Re-create the mobile accounts as local account (still using dscl)
- Reset permissions on the associated home folders
The script could be triggered while the Mac is at the Login Window. The user can then log back in, but with the new password.
If you wanted a bit of user interaction you could:
- Trigger the script at login
- Get the current username
- Display a popup (using Applescript) to ask for the user's password and set it as a variable in the script
- Delete the mobile account
- Remove the directory binding
- Add a local account using the same username and the password previously entered
- Reset permissions on the home folder
- Logout
The user could then log back in with their previous username and password, but it would be a local account.
Posted on 11-05-2014 02:26 PM
@davidacland Sounds like a challenge for a scripting newbie like myself.
But I greatly appreciate the input, I'll certainly look in to doing it this way (I had expected that is the kind of answer I would get, but a writeup of the steps is really helpful)
I will post my progress for the script here, in case anyone would like to input on it.
Google is my main resource for this so I will be gathering some parts of the script from online sources.
Posted on 11-05-2014 07:21 PM
This is what I have come up with so far, I haven't tested it too thoroughly however.
Some parts are taken from sources procured from the googles.
#!/bin/bash
# Recreate account.sh
#
# This script is designed to remove a mobile user account and re-create
# a local account with the same username and the password from user-input.
# It will also give read/write permissions to the user's home folder.
#Gets the short name of the currently logged in user
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
#Gets the real name of the currently logged in user
userRealName=`dscl . -read /Users/$loggedInUser | grep RealName: | cut -c11-`
if [[ -z $userRealName ]]; then
userRealName=`dscl . -read /Users/$loggedInUser | awk '/^RealName:/,/^RecordName:/' | sed -n 2p | cut -c 2-`
fi
#Prompts user to enter their login password
loginPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please enter your login password." ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
#This will delete the currently logged in user
dscl . delete /Users/$loggedInUser
#Gets the current highest user UID
maxid=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
#New UID for the user
newid=$((maxid+1))
#Creating the new user
dscl . -create /Users/"$loggedInUser"
dscl . -create /Users/"$loggedInUser" UserShell /bin/bash
dscl . -create /Users/"$loggedInUser" RealName "$userRealName"
dscl . -create /Users/"$loggedInUser" UniqueID "$newid"
dscl . -create /Users/"$loggedInUser" PrimaryGroupID 80
#Set the user's password to the one entered prior
dscl . -passwd /Users/"$loggedInUser" "$loginPassword"
#Remove old permissions and set new ownership and permissions on User's home directory
chmod -R -N /Users/"$loggedInUser"
chown -R "$loggedInUser":staff /Users/"$loggedInUser"
chmod -R 600 /Users/"$loggedInUser"
Posted on 11-05-2014 09:28 PM
It seems to fetch root as the loggedInUser variable instead of the actual user.
May need to trigger this from a LaunchAgent instead?
@bentoms I believe I found a post you made and got the loggedInUser and userRealName variables from there.
Experiences in using these in casper scripts?
Posted on 11-09-2014 04:03 PM
When attempting to use `/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'` to get the logged in user, when run on login it would return root, resulting in the root account breaking due to being edited with dscl, $3 seems to actually return the correct user (in my initial tests it did not, so I decided not to use it.)
It does seem to re-create the account now, but there are issues with the library, asks to repair on first login, doing some testing with it now.
#!/bin/bash
# Recreate account.sh
#
# This script is designed to remove a mobile user account and re-create
# a local account with the same username and the password from user-input.
# It will also give read/write permissions to the user's home folder.
#Gets the short name of the currently logged in user
loggedInUser=$3
#Gets the real name of the currently logged in user
userRealName=`dscl . -read /Users/$loggedInUser | grep RealName: | cut -c11-`
if [[ -z $userRealName ]]; then
userRealName=`dscl . -read /Users/$loggedInUser | awk '/^RealName:/,/^RecordName:/' | sed -n 2p | cut -c 2-`
fi
#Prompts user to enter their login password
loginPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please enter your login password." ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
#This will delete the currently logged in user
dscl . delete /Users/$loggedInUser
#Gets the current highest user UID
maxid=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
#New UID for the user
newid=$((maxid+1))
#Creating the new user
dscl . -create /Users/"$loggedInUser"
dscl . -create /Users/"$loggedInUser" UserShell /bin/bash
dscl . -create /Users/"$loggedInUser" RealName "$userRealName"
dscl . -create /Users/"$loggedInUser" UniqueID "$newid"
dscl . -create /Users/"$loggedInUser" PrimaryGroupID 80
#Set the user's password to the one entered prior
dscl . -passwd /Users/"$loggedInUser" "$loginPassword"
#Remove old permissions and set new ownership and permissions on User's home directory
chmod -R -N /Users/"$loggedInUser"
chown -R "$loggedInUser":staff /Users/"$loggedInUser"
chmod -R 600 /Users/"$loggedInUser"
Posted on 11-10-2014 12:26 PM
The only bit that might cause a few problems is the final chmod -R 600. This should be ok for the top level folders but I don't think the LaunchAgents and plist files etc would work properly with those permissions so might be causing the "library repair" problem. I would probably use something like:
chmod 600 /Users/"$loggedInUser"/*
To set 600 just for the top level items.
Creating users is a lot easier in 10.10 thankfully. Now you can just use sysadminctl to do it all in one line!
Posted on 11-10-2014 04:40 PM
@davidacland Gave that a go and still seem to be getting the same library repair prompt!
I don't see any file system changes, so it quite possibly is just permissions that is the problem, I'm trying to work out exactly where the issue lies.
Posted on 11-10-2014 04:45 PM
I also seem to be having a problem where the downloads folder in the dock and the favourites in the sidebar of finder are somehow linked to the incorrect location (/private/var/empty/) instead of the user's home folder.
Posted on 11-11-2014 09:23 PM
This is the point where I have gotten up to currently.
I found that using dscl to append the NFSHomeDirectory key seems to fix the broken link with finder favourites.
I'm having some trouble with my first if statement, it seems to just follow the else regardless of what $UserUID is.
I also want to add in some kind of loop to prompt users to re-enter their password again if they don't match.
#!/bin/bash
# Recreate account.sh
#
# This script is designed to remove a mobile user account and re-create
# a local account with the same username and the password from user-input.
# It will also give read/write permissions to the user's home folder.
#Gets the short name of the currently logged in user
loggedInUser=$3
#Get loggedInUser UID
UserUID=`dscl . read /Users/"$loggedInUser" UniqueID | grep UniqueID: | cut -c 11-`
#Exit if UID is under 1000 (local account)
if [[ "$UserUID" > 1000 ]]; then
echo "Not a mobile account, exiting"
exit 2
else
#Gets the real name of the currently logged in user
userRealName=`dscl . -read /Users/$loggedInUser | grep RealName: | cut -c11-`
if [[ -z $userRealName ]]; then
userRealName=`dscl . -read /Users/$loggedInUser | awk '/^RealName:/,/^RecordName:/' | sed -n 2p | cut -c 2-`
fi
#Prompts user to enter their login password
loginPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please enter your login password." ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
#Confirm password.
confirmPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please confirm your password" ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
#Make sure passwords match
if [ "$loginPassword" != "$confirmPassword" ]; then
/usr/bin/osascript <<EOT
tell application "System Events"
activate
display dialog "Passwords do not match." ¬
with title "Ruyton IT" ¬
buttons {"Continue."}
end tell
EOT
exit 3
else
#This will delete the currently logged in user
dscl . delete /Users/$loggedInUser
#Gets the current highest user UID
maxid=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
#New UID for the user
newid=$((maxid+1))
#Creating the new user
dscl . -create /Users/"$loggedInUser"
dscl . -create /Users/"$loggedInUser" UserShell /bin/bash
dscl . -create /Users/"$loggedInUser" RealName "$userRealName"
dscl . -create /Users/"$loggedInUser" UniqueID "$newid"
dscl . -create /Users/"$loggedInUser" PrimaryGroupID 80
#Set the user's password to the one entered prior
dscl . -passwd /Users/"$loggedInUser" "$loginPassword"
#Makes the user an admin
dscl . -append /Groups/admin GroupMembership "$loggedInUser"
#Reset ownership on home directory and append location
chown -R "$loggedInUser":staff /Users/"$loggedInUser"
dscl . -append /Users/"$loggedInUser" NFSHomeDirectory /Users/"$loggedInUser"/
echo "Script successful."
fi
fi
sleep 3
ps -Ajc | grep loginwindow | awk '{print $2}' | xargs kill -9
Posted on 11-11-2014 11:45 PM
Not sure if it makes a difference but I normally use -gt (greater than) and that works for me.
For the user password bit, I would use a while loop, possibly for up to 3 attempts to avoid infinity! Use "if -z" to check if the variable is empty.
David
Posted on 11-13-2014 02:03 PM
I think I've finally finished!
The script runs and does what I was looking for. I imagine some ways I did things are a bit long winded, but good enough for me.
#!/bin/bash
# Recreate account.sh
#
# This script is designed to remove a mobile user account and re-create
# a local account with the same username and the password from user-input.
# It will also give read/write permissions to the user's home folder.
#Gets the short name of the currently logged in user
loggedInUser=$3
#Get loggedInUser UID
UserUID=`dscl . read /Users/"$loggedInUser" UniqueID | grep UniqueID: | cut -c 11-`
#Exit if UID is under 1000 (local account)
if [[ "$UserUID" -lt 1000 ]]; then
echo "Not a mobile account, exiting"
exit 2
else
#Gets the real name of the currently logged in user
userRealName=`dscl . -read /Users/$loggedInUser | grep RealName: | cut -c11-`
if [[ -z $userRealName ]]; then
userRealName=`dscl . -read /Users/$loggedInUser | awk '/^RealName:/,/^RecordName:/' | sed -n 2p | cut -c 2-`
fi
#Prompts user to enter their login password
loginPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please enter your login password." ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
#Confirm password.
confirmPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please confirm your password" ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
defaultPasswordAttempts=1
#Checks to make sure passwords match, if they don't displays an error and prompts again.
while [ "$loginPassword" != "$confirmPassword" ] || [ -z "$loginPassword" ]; do
#Show the error; the dialog's result is discarded instead of being run as a command.
/usr/bin/osascript <<EOT >/dev/null
tell application "System Events"
activate
display dialog "Passwords do not match. Please try again." ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1
end tell
EOT
loginPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please enter your login password." ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
confirmPassword=`/usr/bin/osascript <<EOT
tell application "System Events"
activate
set myReply to text returned of (display dialog "Please confirm your password" ¬
default answer "" ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1 ¬
with hidden answer)
end tell
EOT`
defaultPasswordAttempts=$((defaultPasswordAttempts+1))
if [[ $defaultPasswordAttempts -ge 5 ]]; then
#Show the final error; the dialog's result is discarded instead of being run as a command.
/usr/bin/osascript <<EOT >/dev/null
tell application "System Events"
activate
display dialog "You have entered mis-matching passwords five times. Please come to the IT desk for assistance." ¬
with title "Ruyton IT" ¬
buttons {"Continue."} ¬
default button 1
end tell
EOT
echo "Entered mis-matching passwords too many times."
exit 1
fi
done
#This will delete the currently logged in user
dscl . delete /Users/"$loggedInUser"
#Gets the current highest user UID
maxid=$(dscl . -list /Users UniqueID | awk '{print $2}' | sort -ug | tail -1)
#New UID for the user
newid=$((maxid+1))
#Creating the new user
dscl . -create /Users/"$loggedInUser"
dscl . -create /Users/"$loggedInUser" UserShell /bin/bash
dscl . -create /Users/"$loggedInUser" RealName "$userRealName"
dscl . -create /Users/"$loggedInUser" UniqueID "$newid"
dscl . -create /Users/"$loggedInUser" PrimaryGroupID 80
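#Set the user's password to the one entered prior
#Note: the password is passed as a command-line argument, so it is visible in the process list while dscl runs.
dscl . -passwd /Users/"$loggedInUser" "$loginPassword"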
#Makes the user an admin
dscl . -append /Groups/admin GroupMembership "$loggedInUser"
#Reset ownership on home directory and append location
chown -R "$loggedInUser":staff /Users/"$loggedInUser"
dscl . -append /Users/"$loggedInUser" NFSHomeDirectory /Users/"$loggedInUser"/
#Delete the contents of the user's keychain folder.
rm -Rf /Users/"$loggedInUser"/Library/Keychains/*
echo "Script successful."
fi
sleep 3
ps -Ajc | grep loginwindow | awk '{print $2}' | xargs kill -9
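The account enumeration and UID selection steps discussed in this thread, as an added example that is not part of the original post: it parses `dscl . -list /Users UniqueID` output, lists accounts with a UID of 1000 or higher (the thread's heuristic for a mobile account), and picks the lowest free UID below 1000, because "highest UID + 1" lands at or above 1000 whenever another mobile account remains on the Mac and the recreated account would then be classified as mobile again. The sample listing, the function names and the 501 lower bound are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): classify accounts and choose a UID
# from the output of `dscl . -list /Users UniqueID`.

MOBILE_UID_MIN=1000   # the thread's heuristic: UID >= 1000 means a mobile account
LOCAL_UID_MIN=501     # assumption: first UID given to a regular local user

# Constructed sample of `dscl . -list /Users UniqueID` output.
sample_listing() {
cat <<'EOF'
_www                    70
daemon                  1
nobody                  -2
root                    0
localadmin              501
teacher                 502
jsmith                  1039482113
mlee                    1482
EOF
}

# Read a listing on stdin; print the short names the heuristic treats as mobile.
list_mobile_accounts() {
    awk -v min="$MOBILE_UID_MIN" '$2 ~ /^[0-9]+$/ && $2 + 0 >= min { print $1 }'
}

# Read a listing on stdin; print the lowest unused UID in
# [LOCAL_UID_MIN, MOBILE_UID_MIN). Exit status 1 if that range is full.
next_local_uid() {
    awk -v lo="$LOCAL_UID_MIN" -v hi="$MOBILE_UID_MIN" '
        $2 ~ /^-?[0-9]+$/ { used[$2 + 0] = 1 }
        END {
            for (u = lo; u < hi; u++) if (!(u in used)) { print u; exit 0 }
            exit 1
        }'
}

# Read a listing on stdin; print what the "highest UID + 1" approach yields.
max_plus_one_uid() {
    awk '$2 ~ /^-?[0-9]+$/ && $2 + 0 > max { max = $2 + 0 } END { print max + 1 }'
}
```

On a Mac the functions take the live listing, for example `dscl . -list /Users UniqueID | next_local_uid`.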
Posted on 11-13-2014 02:14 PM
We also use eDirectory for primary Identity Management, so I feel your pain. I'm interested to know how you handle network logins. Do you use the Kanaka Plugin?
Posted on 11-13-2014 02:18 PM
@guidotti We do use the Kanaka plugin yes, but it is unstable at best, the kanaka server has a memory leak that Novell has not bothered to fix, it doesn't play nicely with AFP, when it creates the mobile accounts it does something funny with the caching of user credentials that can lead to users unable to log in when not on the school network.. It's just messy, hence why we are moving away from the plugin and we will be using the Kanaka client.
Posted on 11-13-2014 02:27 PM
That's a bummer!
I was planning on going from the Kanaka client to the plugin, but now I am not so sure.
All of my accounts are local, but I would like their passwords to get synced with eDirectory somehow, and automap their drives without a separate login to Kanaka client.
The other issue we have is with users seeing the super-long, full pathnames to their server shares when they get mounted in Finder. Their folders are nested two or three levels deep inside of the network share. The users are used to the old Windows/DOS style naming conventions with drive letters (personal share is F: drive, common share is G: drive, etc). I was looking into a way of obscuring the long paths and just showing a name like "F-Drive" in the Finder sidebar, but it seems to be more complicated than I thought.
Posted on 11-13-2014 02:37 PM
From my own experiences I would not recommend using the plugin, it had caused nothing but trouble for me, but you may have better luck. Being as I am working in a school the syncing of passwords isn't of the highest importance (not to mention it causes keychain issues. There are nice plugins for AD bound accounts for dealing with keychain issues but none for kanaka). There is also the issue of users who stay logged in for long periods of time, if the network share become unmounted they need to log out and then log back in (as I deployed just the plugin without the client)
Our shares are on the top level, so they have a (reasonably) nice name.. servername.sharename, however I haven't looked in to a possible way of re-naming these, so I can't help you out there sorry.
Posted on 11-13-2014 02:41 PM
That's ok - I can post elsewhere about it.
Just nice sharing the pain! :)
Great job on the script.
Posted on 11-14-2014 08:14 AM
Thank you much for this script. We also use the Kanaka plugin (haven't really had much issues other than the server memory leak which causes it to stop listening). I'm looking at this because our students are getting the option to purchase the MacBook when they leave the district. I was planning on just removing the Kanaka plugin and just leaving the account as "Mobile, Managed." From my testing that seemed to work fine. But it would be nice to clean up the account to remove the "Mobile, Managed" flags.
I'll see about incorporating this into the cleanup script I have going.
Thanks again.
Posted on 11-16-2014 01:57 PM
@musat Just make sure you do a bit of testing first, as I have not tested it extensively just yet, but it seems to be working correctly. And obviously, just make sure you edit the osascript to reflect what you want it to say.
Posted on 11-24-2014 03:53 PM
@musat Sorry to bring this up here.
But I was wondering, in your imaging process, how do you handle installing the kanaka plugin?
I need to keep it up on a few machines, but after installing the plugin and plist for the server info, it doesn't work without manually pressing apply in directory utility. Did you have a work around for this at all?
Posted on 11-25-2014 06:38 AM
@Matt.Sim, no problem. We use two DMG packages to install Kanaka during imaging. The first is a DMG that contains the application files in: Applications, Library. Applications contains the Plugin console, while Library contains DirectoryServices/Plugins and a few items from Preferences folder. Probably the critical one is OpenDirectory/Configurations/Search.plist.
The second DMG contains the "class" specific configs. We have two different Kanaka servers configured. One for staff that creates admin level local users, and one for students that creates non-admin users. We could have achieved this same result by some post processing of the local user, but this worked out easier for us. So this DMG contains the /Library/Preferences/DirectoryServices/Kanaka.plist that points to the appropriate server for the user class. Of course doing it this way means that we have a different Mac image for staff Macs and student Macs. Which is fine because they are slightly different in other ways as well.
We did find when running Composer for the original install, we needed to do a "New and Modified" scan, because of the changes to existing files. And, of course, that meant that we had to do a lot of digging through the result to make sure we were getting rid of what wasn't necessary, while keeping only the critical parts.
Let me know if you have any more questions. As I mentioned, the only issue we have with Kanaka is that the server randomly stops accepting connections on port 3089, even though it is still listening according to netstat. We are using Nagios to alert us to when that happens so that we can get it restarted fairly quickly.
Posted on 11-25-2014 04:21 PM
@musat Thanks for that, I think I was missing the Search.plist, I'd managed to filter that out when initially creating the package.
Posted on 01-15-2015 02:11 PM
I would just like to put a word in on this script.
Our environment, we are going to be giving the macbooks to the students as they graduate so their mobile account must be converted. This script will ease that burden a million fold. Thanks for your hard work on it!
Posted on 01-15-2015 02:57 PM
@immaculateheart Just to stress, please make sure you test this first! I did have the odd hiccup with it where the permissions for the new user didn't set quite correctly, and obviously in the applescript you will need to edit the title and the text to reflect your environment.
Posted on 03-15-2016 02:56 PM
@Simmo I'm using your applescript code to prompt my users to change their password but I want to make sure that the new password matches the password complexity reqs. for my company. Have you run into this issue at all on your side? Or have any ideas to get around the fact that I can enter whatever password I want?
Thanks for the reply in advance.
Posted on 03-15-2016 10:55 PM
@evobe I just run a
sudo -u $3 open /System/Library/PreferencePanes/Accounts.prefPane
at the end of my change password script. When the user changes his password in there, the normal password complexity requirements that were defined with the passcode configuration profile are active.
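A bounded prompt loop with a pre-check on the two dialog answers, as an added example that is not part of the original posts: it covers the "while loop with a limited number of attempts" and empty-answer check suggested earlier in the thread and the complexity question above, and it quotes every comparison so a password containing spaces cannot slip past the match test. The policy values, function names and return codes are assumptions; the check does not read the policy from a configuration profile.

```bash
#!/bin/bash
# Added example (not from the thread): validate the password pair before use.
MIN_LENGTH=10     # assumption: example policy value
MAX_ATTEMPTS=3    # assumption: attempt limit

# Return codes: 0 ok, 1 empty, 2 mismatch, 3 too short, 4 missing character class.
check_password_pair() {
    local pw="$1" confirm="$2"
    [ -n "$pw" ] || return 1
    [ "$pw" = "$confirm" ] || return 2
    [ "${#pw}" -ge "$MIN_LENGTH" ] || return 3
    case "$pw" in *[[:upper:]]*) ;; *) return 4 ;; esac
    case "$pw" in *[[:lower:]]*) ;; *) return 4 ;; esac
    case "$pw" in *[[:digit:]]*) ;; *) return 4 ;; esac
    return 0
}

# Text for the error dialog that matches a check_password_pair return code.
describe_result() {
    case "$1" in
        1) echo "The password cannot be empty." ;;
        2) echo "Passwords do not match." ;;
        3) echo "The password must be at least $MIN_LENGTH characters long." ;;
        4) echo "The password needs an upper-case letter, a lower-case letter and a digit." ;;
        *) echo "Password accepted." ;;
    esac
}

# Ask for one hidden answer with an AppleScript dialog (macOS only).
# $1 is a fixed prompt string supplied by this script, never user input.
ask_hidden() {
    /usr/bin/osascript -e 'text returned of (display dialog "'"$1"'" default answer "" buttons {"Continue."} default button 1 with hidden answer)'
}

# Prompt up to MAX_ATTEMPTS times. On success the password is left in
# VALID_PASSWORD and 0 is returned; otherwise LAST_ERROR holds the last
# failure code and 1 is returned. A valid final attempt is accepted.
collect_password() {
    local attempt=1 pw confirm rc
    VALID_PASSWORD=""
    LAST_ERROR=0
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        pw=$(ask_hidden "Please enter your login password.")
        confirm=$(ask_hidden "Please confirm your password")
        rc=0
        check_password_pair "$pw" "$confirm" || rc=$?
        if [ "$rc" -eq 0 ]; then
            VALID_PASSWORD="$pw"
            return 0
        fi
        LAST_ERROR="$rc"
        attempt=$((attempt + 1))
    done
    return 1
}
```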