Posted on 04-08-2015 05:31 PM
Being the masochist that I am, I have already started testing imaging configs based on 10.10.3. As part of our provisioning process, we have an AppleScript-based app that, among other things, runs a command that creates a mobile account on the system using an AD account.
Binary location:
/System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount
Sample script:
createmobileaccount -n bmarks
Up until 10.10.3, this command (as part of a much larger script) would successfully create a mobile user. However, as of 10.10.3, this doesn't work and the following output is what happens if I run this command manually. Any help would be greatly appreciated.
bash-3.2# ./createmobileaccount -n bmarks
createmobileaccount built Mar 4 2015 21:45:09
2015-04-08 16:58:16.640 createmobileaccount[2090:16297] ### syncProxyWithSemaphore error:Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.apple.systemadministration.writeconfig) UserInfo=0x7fda2c0035e0 {NSDebugDescription=connection to service named com.apple.systemadministration.writeconfig}
2015-04-08 16:58:16.933 createmobileaccount[2090:16291] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=282448354), NULL) failed
2015-04-08 16:58:17.459 createmobileaccount[2090:16291] MCXCCacheMCXRecordAndGraph(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=282448354), NULL) failed
2015-04-08 16:58:17.732 createmobileaccount[2090:16360] ### syncProxyWithSemaphore error:Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.apple.systemadministration.writeconfig) UserInfo=0x7fda2a609520 {NSDebugDescription=connection to service named com.apple.systemadministration.writeconfig}
2015-04-08 16:58:17.732 createmobileaccount[2090:16291] MCXCCreateMobileAccount(): Failed to create account. Error = -6304 (mobile account file path is either not a directory or could not be properly created). Cleaning up mobile account record.
2015-04-08 16:58:17.735 createmobileaccount[2090:16292] ### syncProxyWithSemaphore error:Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.apple.systemadministration.writeconfig) UserInfo=0x7fda2a60c0d0 {NSDebugDescription=connection to service named com.apple.systemadministration.writeconfig}
2015-04-08 16:58:17.737 createmobileaccount[2090:16291] MCXCDeleteAccount(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_SUSPEND, &(uid=282448354), NULL) failed
2015-04-08 16:58:17.738 createmobileaccount[2090:16359] ### syncProxyWithSemaphore error:Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.apple.systemadministration.writeconfig) UserInfo=0x7fda2a60c100 {NSDebugDescription=connection to service named com.apple.systemadministration.writeconfig}
2015-04-08 16:58:17.761 createmobileaccount[2090:16359] ### syncProxyWithSemaphore error:Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.apple.systemadministration.writeconfig) UserInfo=0x7fda2a551070 {NSDebugDescription=connection to service named com.apple.systemadministration.writeconfig}
2015-04-08 16:58:17.761 createmobileaccount[2090:16291] MCXCDeleteAccount(): vproc_swap_integer(NULL, VPROC_GSK_PERUSER_RESUME, &(uid=282448354), NULL)failed
* mobile account could not be created: -6304 (MCXCCreateMobileAccount(): [newUser createHomeDirectory] failed)
Posted on 04-09-2015 06:14 AM
I have a similar workflow and am seeing the same issue. I'm investigating.
Posted on 04-09-2015 07:44 AM
I'm able to reproduce this behavior as well. I've filed a bug report with Apple and opened a ticket with Apple Enterprise support.
For those who want to duplicate the bug report, the bug ID is 20482382. I have it also posted here to OpenRadar:
Posted on 04-09-2015 08:34 AM
Dittoing that the behavior is reproducible. Filed a duplicate ticket against rtrouton's.
Posted on 04-09-2015 08:55 AM
Confirmed it here as well just now. Just frickin' great! We use a similar process for creating our AD mobile accounts. Good lord Apple! Can't they get any release out without major bugs these days? What is going on with them lately!?
Posted on 04-09-2015 10:00 AM
Also confirmed this bug. Couldn't figure out why my known working script just didn't work in 10.10.3 hope a fix comes out soon or someone finds a workaround.
Posted on 04-09-2015 10:25 AM
I think I'm almost able to get this to work using a more manual process. I found that its failing on creating the user's home directory, not on creating the account in dscl (although it indicates its cleaning up the dscl record when the process fails). What I did was the following (replacing "username" with a valid AD account on an AD joined Mac):
sudo cp -R /System/Library/User Template/English.lproj /Users/username
sudo chown -R username:staff /Users/username
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username -h /Users/username
It successfully creates the cached mobile account. It shows up with the full name in Users & Groups, as pulled from the AD record. I just need to test logging in and using the account to be sure there isn't anything wonky with it.
The above steps are far less than ideal, so I hope a real fix comes soon from Apple for this one. Never a dull day.
Posted on 04-09-2015 10:27 AM
I have a post up now with my findings:
Posted on 04-09-2015 10:29 AM
Duplicate bug report filed. Also opened a case with my Apple TAM. Speculation seems to be that by patching the vulnerability mentioned here, 10.10.3 broke createmobileaccount as it was relying on the unpatched API.
Posted on 04-09-2015 11:36 AM
All:
The output from the failed createmobileaccount script posted by @bmarks is very similiar to the output that I get when I try to run the exploit that is called out here in 10.10.3:
Hidden backdoor API to root privileges in Apple OS X
acunning-mn1:~ acunning$ python /Users/acunning/Desktop/exploit.py /usr/sbin/jamf /private/var/root/jamf
will write file /private/var/root/jamf
2015-04-09 10:56:05.889 Python[18781:2924942] ### syncProxyWithSemaphore error:Error Domain=NSCocoaErrorDomain Code=4097 "Couldn’t communicate with a helper application." (connection to service named com.apple.systemadministration.writeconfig) UserInfo=0x7fefcb019d80 {NSDebugDescription=connection to service named com.apple.systemadministration.writeconfig}
Done!
I do not see this error on 10.10.2; the script lets me write to /private/var/root as an unprivileged user.
This leads me to believe that createmobileaccount relies upon the systemadministration service, which has been "patched" in 10.10.3. In other words, Apple broke their own shit with this update.
Joy!
--Andy
Posted on 04-10-2015 05:47 AM
why not use JAMFs AD Binding tool and set it to crate mobile accounts?
Posted on 04-10-2015 07:28 AM
@jwojda its not an either/or thing. Most people do turn that on. With the command line tool you don't need to log in as the user to create their mobile account which we need to do in many cases and obviously you can't insert "this is where user physically logs on to computer" into your shell script :)
But one of the biggest things is convenience. Example, when we migrate a user who has had their AD account changed from an old naming standard to a new standard, we have to delete the old cached account so their passwords will keep syncing, etc, we rename their user folder to the new matching name, check permissions, then create their mobile account with the new AD account name and make sure they are admins again and that their mobile account is created and there.
Its a lot easier for me to just have them log off and do everyithing on the command line and never have to ask the user their password than to ask them to log in a few times for me, then log out, etc. I can do the bulk of the work while they are at a meeting or out to lunch.
Posted on 04-10-2015 07:41 AM
Many of our clients receive Macs in their home, away from any office locations as they may be 'work from home' types of employees. In some cases, they are many miles from the nearest company office.
We have a custom build process that sets up a temporary auto login account after done with initial imaging and binding to AD. When the user receives the Mac and they power it on, it auto logs into an "imaging" account which is very locked down with Parental Controls. It launches a custom app that prompts them to connect to the company network over VPN if necessary (or just plug into the network if they are in an office location) They answer a few questions about their location and language, and type in their AD username. It checks their AD account and then prompts them for their password. Once they enter that, a custom script runs to create their cached mobile AD account on the Mac and cache their password (after verifying it against AD) Its at this point that we use the createmobileaccount binary to create their account.
As you can see, since the user isn't physically connected to the office, there isn't a logical way we can just have them log in at the login screen to create their account. They first have to be connected to VPN which can't be done from the login screen unfortunately.
Without the createmobileaccount process working, our entire user setup process won't work. IOW, this is a showstopper bug for us until Apple resolves it. We aren't going to be moving to 10.10.3 until it gets fixed and we confirm its working again. While we can redesign our process to use the more manual steps I outlined above, its a lot of work to get around a stupid bug, so we'll likely not go that route and instead wait for Apple to fix it.
Posted on 04-10-2015 07:48 AM
also opened a bug report with apple 20498120
Posted on 04-10-2015 08:12 AM
Hopefully the fix will be an update to the ARD client or a similar update rather than waiting for the .4 update, since that's a longer release cycle.
Posted on 04-10-2015 08:18 AM
@Serge I'm hoping so as well. But knowing how Apple is operating these days, I fear this will be something that gets low priority inside Apple and not get fixed until 10.10.4. Especially since according to Rich's blog, the accounts get created properly at the login window. Apple will claim there is a valid workaround, but there really isn't.
Posted on 04-21-2015 01:46 PM
FYI, as documented in the comments on @rtrouton's blog post, the workaround for this is to create the home directory for the user before running createmobileaccount. We are testing this approach, but it does not seem to work on the dev seed of 10.10.4. Can anyone confirm our finding (within the constraints of the NDA, of course)?
Posted on 04-21-2015 02:28 PM
Yes if the home folder exists and is owned by the user then createmobileaccount worked fine.
Posted on 04-21-2015 02:29 PM
OK, it seems that our method for creating the home directory (we were using createhomedir) was the problem. False alarm!
Posted on 04-27-2015 06:51 AM
Here is an interesting explanation of why "createmobileaccount" breaks in OS X 10.10.3 (and why a particular workaround works)
Posted on 04-27-2015 07:38 AM
Also - if you have not yet, PLEASE submit a bug report to Apple. The more bugs the higher the response they will have on this, so I beg of you to submit this bug ASAP! https://bugreport.apple.com
Posted on 04-28-2015 12:00 PM
Bug submitted!
Posted on 04-28-2015 12:02 PM
Good to know. The most recent response to my ticket indicated 10.10.4 did fix this, but I hadn't had time to test yet.
Posted on 06-15-2015 07:09 AM
Happy to report this now fixed in 10.10.4.
Posted on 06-24-2015 01:26 PM
@mm2270 Would you be willing to share your custom app for at home user account setup? I have to migrate some at home users ASAP.
Posted on 06-25-2015 08:23 AM
Hi @spraguga Unfortunately, I'm not able to do that for a couple of reasons.
1 - I'm not the author of the custom application. It was written by a colleague in AppleScript Objective C
2 - The app has heavily customized code for our environment, so even if I was allowed to publish it somehow, I'd need to rip out quite a bit that is specific to our environment to make it suitable for public consumption.
Sorry about that.
If you can post some more specifics on what you need to do, there may be some ways to create a simple app out of cocoaDialog embedded in an .app bundle with Platypus to do what you want. I've written several little "apps" like that which can be effective in their own way.
Posted on 06-25-2015 08:29 AM
@mm2270 I totally understand. No problem at all! I've been working on a custom app this morning and it's almost ready for testing.
Cheers!
Posted on 11-03-2015 04:17 PM
@spraguga - any chance you could share what you are trying / doing?