Posted on 11-10-2016 07:15 AM
As part of DEP, it autogenerates a bound computer name based off serial numbers. I need to unbind the machine and take out the computer record and then rebind it. I see a lot of information on the force unbind with garbage username and passwords, but if I supply a real account instead of the garbage account, will it remove the extra cruft?
Posted on 11-10-2016 07:41 AM
Yes it will but then you have the problem of how to get the password in without it being visible in the script. I have been working on this today and used the following to encrypt it: https://github.com/jamfit/Encrypted-Script-Parameters. The problem I am now having is that after unbinding I want to rename the machine and then bind again but it seems to always bind with the old name.
No longer having the above problem thanks to this post https://www.jamf.com/jamf-nation/discussions/13965/ad-directory-binding-computer-name
Posted on 11-10-2016 07:49 AM
This looks promising. Thanks for the script!
As for the renaming - do you set the name in the 3 different locations - HostName, LocalHostName, and ComputerName prior to rebinding it?
Posted on 11-10-2016 07:58 AM
Can you provide more information on how to run the script by chance?
Posted on 11-10-2016 08:17 AM
So I simply use "sudo jamf setComputerName -useSerialNumber" to do the rename. I have seen the 3 locations you mention and checked that they are all the same after using the above jamf command.
=== Script Begin===
#!/bin/sh
# $4 = AD account with rights to remove the computer object
# $5 = that account's password, as produced by GenerateEncryptedString
DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}
echo "Attempting unbind..."
# Salt and passphrase are hardcoded; only the encrypted password travels as a script parameter
sudo dsconfigad -remove -u "$4" -p "$(DecryptString "$5" 5f481fb12c9bv191 48cdd84b5dc45a9702652c89a)"
# After a successful unbind the AD account should no longer resolve on this Mac
if id -u "$4" >/dev/null 2>&1; then
    echo "Unbind Failed!"
    exit 1
else
    echo "Unbind Successful!"
    # Rename the machine
    sudo jamf setComputerName -useSerialNumber
    # This should allow enough time for the existing computer account to disappear from AD
    sleep 20
    # Rebind the machine
    sudo jamf policy -trigger bind
    exit 0
fi
=== Script End===
I use TextMate to run the script initially: simply run GenerateEncryptedString yourpassword and it will provide an "Encrypted String", the "Salt" and "Passphrase". Keep these strings handy.
In the script above you have to include the DecryptString function and send it the "Encrypted String" as a parameter ($5 in this case) and then the "Salt" and "Passphrase" are hardcoded straight in. I use $4 for the username.
Posted on 11-10-2016 10:10 AM
The GenerateEncryptedString just exits with no prompt or anything, just returns a prompt...
Posted on 11-10-2016 01:23 PM
Are you running with quotes? For example GenerateEncryptedString "MyPassword"
Posted on 11-10-2016 01:29 PM
You might want to try this download instead, I think I may have linked to a slightly different version when googling! https://github.com/brysontyrrell/EncryptedStrings
Posted on 11-10-2016 01:35 PM
$ ./GenerateEncryptedString.sh "mypassword"
$
$ GenerateEncryptedString "mypassword"
-bash: GenerateEncryptedString: command not found
Posted on 11-10-2016 01:50 PM
Ah I see what's happening. The GenerateEncryptedString is a function inside the script so you have to call it from within the script itself. Edit the script and add the following command to the bottom: GenerateEncryptedString "MyPassword"
You should just need to call the script without adding the password on the end: $ ./GenerateEncryptedString.sh
Posted on 11-10-2016 01:53 PM
That worked, thank you!
Posted on 11-10-2016 01:58 PM
Great stuff! If you see in the original script I posted above I only include the function DecryptString in the final script as that is all that's needed. Good luck!
Posted on 04-10-2018 01:10 PM
Has anyone found out how to get the user cert without being bound? We are talking about going away from binding and going to local accounts.