Screen Sharing/SSH and AD Groups

kylefour
New Contributor

Just wondering how everyone is handling their access lists for screen sharing and SSH.
I'm playing with this now and the script I'm using is as such:

#!/bin/sh
# Enable Remote Login (SSH)
sudo systemsetup -setremotelogin on
# Enable Screen Sharing: clear the launchd override, then load the daemon
sudo defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist

# Create the per-service access groups (-q suppresses the error if they already exist)
sudo dseditgroup -o create -q com.apple.access_ssh
sudo dseditgroup -o create -q com.apple.access_screensharing
# Nest the AD group inside each access group ('AD GROUP' is a placeholder for the real group name)
sudo dseditgroup -o edit -a 'AD GROUP' -t group com.apple.access_ssh
sudo dseditgroup -o edit -a 'AD GROUP' -t group com.apple.access_screensharing

I've run this on a few test machines, all works OK and I confirm that my account (located in that AD group) exists in com.apple.access_ssh/screensharing.

However, when trying to VNC onto one of these machines, it does not accept any credentials, even though my credentials exist in that group now? Maybe I've missed something out that someone can point out.

Thanks!


millersc
Valued Contributor

I'm doing it this way prior via script.

#Set VNC console default
sudo defaults write /Library/Preferences/com.apple.RemoteManagement VNCAlwaysStartOnConsole -bool true

# Set VNC Password
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -clientopts -setvncpw -vncpw PASSWORD -restart -agent

# Reset Screen Sharing password and privs
# Set ARD privs and users with these two lines. They MUST be separate lines!
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -specifiedUsers

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -configure -users USERS_HERE -access -on -privs -all -restart -agent

mschroder
Valued Contributor

I have not yet applied the settings via the command line, but when troubleshooting screen sharing I usually check the membership of the following groups:

com.apple.access_loginwindow
com.apple.loginwindow.netaccounts
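A membership check script, added here as an example and not code from anyone in the thread: on a Mac it lists what is nested in each access group (dseditgroup stores a nested AD group under NestedGroups as a GUID, not a name) and asks dseditgroup whether a test user actually resolves as a member through that nesting, which is the condition the VNC login above depends on. It assumes dseditgroup(8) and dscl(1) are present; TEST_USER and the group list are placeholders.

```shell
#!/bin/sh
# Example added for this thread; assumes macOS with dseditgroup and dscl.
TEST_USER='someuser'   # placeholder: an AD account expected to have access
ACCESS_GROUPS='com.apple.access_ssh com.apple.access_screensharing com.apple.access_loginwindow'

# Interpret one line of `dseditgroup -o checkmember` output.
# Prints "member", "nonmember" or "unknown" (output lines start with yes/no).
classify_checkmember() {
    case "$1" in
        yes\ *) echo member ;;
        no\ *)  echo nonmember ;;
        *)      echo unknown ;;
    esac
}

# Resolve membership of a user in an access group, nested groups included.
# Returns 0 if member, 1 if not, 2 if dseditgroup is missing or errored.
user_in_group() {
    command -v dseditgroup >/dev/null 2>&1 || return 2
    out=$(dseditgroup -o checkmember -m "$1" "$2" 2>/dev/null) || return 2
    case "$(classify_checkmember "$out")" in
        member)    return 0 ;;
        nonmember) return 1 ;;
        *)         return 2 ;;
    esac
}

# Show the nested groups (GUIDs) and the resolved membership for each access group.
verify_access_groups() {
    for g in $ACCESS_GROUPS; do
        printf '%s:\n' "$g"
        dscl . -read "/Groups/$g" NestedGroups 2>/dev/null \
            || echo '  (group missing or nothing nested)'
        if user_in_group "$TEST_USER" "$g"; then
            echo "  $TEST_USER resolves as a member"
        else
            echo "  $TEST_USER does NOT resolve as a member (or dseditgroup failed)"
        fi
    done
}

# Run only when invoked with --run so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then
    verify_access_groups
fi
```

If the user shows as a member here but VNC still rejects the login, the access group is not the problem and the service side (ARD/kickstart settings in millersc's reply) is the next thing to check.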