AFP548

Using Scripting to Change a Local Password

Running a large network of Macs in a secure environment means regular password changes on the local administrator account. Doing this in a 10.3 environment is quite simple, but for those with some older 10.2.x machines around, it can be quite frustrating. Read on for an expect script for 10.3.x and a bash script to be used on 10.2.x machines.

First, the expect script:

The reason I went about doing this is that, while passwd would suit my needs, I really wanted a non-interactive script that could be pushed out to all machines at the same time.

First, put the password you want to use into a temporary text file (readable only by root, and deleted immediately after the script has run). This is done because some characters produce the error “tcsh: sudo: No match” when you put the new password directly after the command. To run it on the client machine, use the following:

sudo cpasswd.tcl `cat password_file`

These are the contents of my cpasswd.tcl script. Note that in the second line I’ve used the username admin; change this to the short name of the user on your machine.

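#!/usr/bin/expect
# Change this to the short name of the account on your machine
spawn passwd admin
# First prompt: the new password (first script argument), followed by Return
expect "ssword:"
send "[lindex $argv 0]\r"
# Second prompt: the same password again to confirm
expect "ssword:"
send "[lindex $argv 0]\r"
expect eof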

And that’s it for a 10.3.x machine, very simple.
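An added example, not the author's script: a variant of cpasswd.tcl that reads the password from the root-only file itself, so the password never appears in the argument list that other local users can see with ps. The file name cpasswd-file.tcl, the optional second argument and the 10-second timeout are assumptions.

```tcl
#!/usr/bin/expect -f
# Added example (not the author's script): change a local password without
# ever placing it on a command line.
# Assumed invocation: sudo ./cpasswd-file.tcl /path/to/password_file ?shortname?

if {$argc < 1} {
    send_user "usage: cpasswd-file.tcl password_file ?shortname?\n"
    exit 2
}
set pwfile [lindex $argv 0]
# Same default account as the article; an optional second argument overrides it.
set user admin
if {$argc > 1} { set user [lindex $argv 1] }

# Refuse a password file that is not root-owned or that group/other can access.
# 63 is octal 077, the group and other permission bits.
file stat $pwfile st
if {$st(uid) != 0 || ($st(mode) & 63) != 0} {
    send_user "refusing ${pwfile}: must be root-owned with no group/other access\n"
    exit 1
}

# Read only the first line; gets strips the trailing newline.
set fh [open $pwfile r]
gets $fh newpw
close $fh
if {[string length $newpw] == 0} {
    send_user "refusing ${pwfile}: first line is empty\n"
    exit 1
}

set timeout 10
spawn passwd $user
# Run as root, passwd asks for the new password and then asks again to confirm.
foreach step {new confirm} {
    expect {
        "ssword:" { send -- "$newpw\r" }
        timeout   { send_user "timed out waiting for the $step prompt\n"; exit 1 }
        eof       { send_user "passwd exited before the $step prompt\n"; exit 1 }
    }
}
expect eof
# wait returns pid, spawn id, OS error flag and exit status; pass the status on.
exit [lindex [wait] 3]
```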

The 10.2.x machines required a bit more thought as they do not have expect or tcl/tk installed by default. The full bash script is shown below, but there are a couple of things to note before running it. You will have to change one machine manually first; this will be your “known good machine”. Note the second comment in the script, and perform the nidump as instructed on your known good machine.

This script should not overwrite any custom user account passwords on the machine as long as you create your nidump file from a machine that only has the one local account that you want to change on the rest of your machines. Again, I’ve used admin as the account to look out for in this script; change it to whatever suits your environment. And of course, before pushing this out to all your machines, test this thoroughly to make sure it suits your needs.

#!/bin/bash

# Script for changing the password on Mac OS 10.2.x machines using nidump from a machine that
# has had its admin password changed to effect changes on all other machines.
#
# BEFORE RUNNING THIS SCRIPT run the following on your known good machine:
# nidump passwd . > /shared/network/drive/accessible/by/all/machines/nidumpfile

(Ed. Note if you are cutting and pasting the above line is all in the comment. Stupid html…)

# Check to see if root
amiroot=`whoami`
if [ "$amiroot" != root ]; then
echo ""
echo "ERROR: You must be root to use this script"
echo ""
exit 1
fi

# Check to see if nidump has been run on the known good system before proceeding
if [ ! -e '/shared/network/drive/accessible/by/all/machines/nidumpfile' ]
then
echo ""
echo "You have not run nidump on your known good machine - do this first and then run this script again"
echo ""
exit 1
fi

# Create a temporary directory at the root of Netinfo
nicl . -create /temp

# Move the current admin entry into the newly created temp directory
nicl . -move /users/admin /temp

# Load the nidump passwords from your known good machine into the Netinfo database
# (niload reads the passwd-format data from standard input)
niload passwd . < /shared/network/drive/accessible/by/all/machines/nidumpfile

# Clean up by deleting the temporary directory that was housing the old admin details
nicl . -delete /temp

# Use kickstart to let the ARD agent recognize there's a new admin password
# (the path contains a space, so it must be quoted)
"/System/Library/CoreServices/ARD Agent.app/Contents/Resources/kickstart" -uninstall -settings -prefs
"/System/Library/CoreServices/ARD Agent.app/Contents/Resources/kickstart" -activate
"/System/Library/CoreServices/ARD Agent.app/Contents/Resources/kickstart" -configure -users admin -access -on -privs -all

(Ed. Note. I’ve put the two scripts and article together in an archive. You can download the scripts from our servers. -Josh)

andrina

Andrina Kelly is responsible for anything and everything touched by, or connected to, a Mac at Bell Media, Canada's premiere multimedia company. You may recognize her name from the end credits of Canada's evening news broadcast. She has previously spoken at MacSysAdmin, JAMF National Users Conference, Apple's WWDC, Macworld IT conferences, Mac Networkers Retreat, and Canada MacExpo.
