If you are creating an image with 10.5, be warned the instauser script will NOT create the user as an administrator. The current script has NetInfo commands that don’t translate in 10.5. If you are using 10.5, replace the last line in the ‘Make the account’ section (which references /NetInfo/DefaultLocalNode) with the line below. That will add the user ‘instadmg’ to the admin group in 10.5.
dscl / -append /Groups/admin GroupMembership instadmg
Sorry, my syntax was incorrect. The correct line for 10.5 is:
dscl . -append /Groups/admin GroupMembership instadmg
This edit should work in 10.4 as well.
Good point, I just confirmed this. It does indeed work in 10.4. In that case, I would recommend replacing this line altogether to make it universal between 10.4 and 10.5.
I would love to set this up with a shadow password. Can you give any guidance? Can I force a GUID with this?
dscl . -create Users/mysuer generateduid 000F640-88B5-4F3D-9DFC-86S61CDD1495
That seems to work when I do the ‘read’ for generatedUID. I can then create a file in /var/db/shadow/hash called 000F640-88B5-4F3D-9DFC-86S61CDD1495 that contains the shadow password. How do I set AuthenticationAuthority to read this shadow password from here?
Thanks for the help.
I got this figured out. To accomplish this, I added the following lines to my instadmg script.
/usr/bin/dscl . -passwd Users/adminuser "PhoneyPassword"
dscl . -create Users/adminuser generateduid 000W640-88D5-4F3D-9DFC-86S61BTD1465
#Move the hash to set the password for the locadmin
cp /var/db/shadow/hash/TempHash /var/db/shadow/hash/000W640-88D5-4F3D-9DFC-86S61BTD1465
In order for this to work, the instauser package install must include a file called:
/var/db/shadow/hash/TempHash
The TempHash file contains the hashed password. The script copies this pre-configured hash file to the GUID that was created by the script. So the instadmg script initially sets the password to ‘PhoneyPassword’, but that hash file is replaced w/ the TempHash file that we are swapping out. This has the real password. Remember to be very cautious that all your permissions are set correctly. If the instauser script does not have the exact correct permissions, it will not run, and you will have no user at all 🙂
I hope that makes sense, I can explain better if needed.
Many questions.
I’m not sure I see the point of moving the hash file. Why do you need to create the “PhoneyPassword” if you are changing the GUID and then moving in a hash file? And where are these hash files coming from, another system?
And just putting in a .plist and a hash file wouldn’t take care of group membership would it? It seems that the group .plist needs to be altered as well. Or use dscl to enter the record?
/usr/bin/dscl . -create Users/instadmg
/usr/bin/dscl . -create Users/instadmg UserShell /bin/bash
/usr/bin/dscl . -create Users/instadmg RealName "Instadmg Admin"
/usr/bin/dscl . -create Users/instadmg UniqueID 1024
/usr/bin/dscl . -create Users/instadmg PrimaryGroupID 20
/usr/bin/dscl . -create Users/instadmg NFSHomeDirectory /Users/instadmg
/usr/bin/dscl . -passwd Users/instadmg "password"
/usr/bin/dscl . -append /Groups/admin GroupMembership instadmg
/usr/bin/dscl . -append /Groups/staff GroupMembership instadmg
Hello, I set the password with a phony value, because I need to use it once. I’m enabling the root user as well, so I use this phony password with the dsenable command. See below. Once the phony password is set, I use it to enable root. Once root is enabled, I replace the hash for the locadmin AND root accounts.
There might be an easier way, but this works for me. As for the hash files, I create them on a different system. I deploy them with the instauser package, with a different name. At the end of this instauser script, it moves the actual hash files into place.
#Make the account
/usr/bin/dscl . -create Users/locadmin
/usr/bin/dscl . -create Users/locadmin home /Users/locadmin
/usr/bin/dscl . -create Users/locadmin shell /bin/bash
/usr/bin/dscl . -create Users/locadmin uid 589
/usr/bin/dscl . -create Users/locadmin gid 589
/usr/bin/dscl . -create Users/locadmin realname "Local Admin"
/usr/bin/dscl . -create Groups/locadmin
/usr/bin/dscl . -create Groups/locadmin gid 589
/usr/bin/dscl . -passwd Users/locadmin "phoneypass"
#Make this useful! Add locadmin to the admin group
/usr/bin/dscl . -append /Groups/admin GroupMembership locadmin
#Enable root, using the bogus password before it’s changed
/usr/sbin/dsenableroot -u locadmin -p phoneypass -r bork
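
A pre-flight check for the hash swap described in the comments above, written as an added example that is not part of the thread or of InstaDMG: it confirms that the file placed in the shadow hash directory is named after a well-formed GeneratedUID and carries the ownership and mode it is expected to have. The function name, its return codes, and the expectation of owner uid 0 with mode 600 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: a user's shadow hash lives
# in a file named after the account's GeneratedUID, owned by root (uid 0),
# mode 600. check_shadow_hash and its return codes are hypothetical names.
#
# Usage:   check_shadow_hash DIR GUID [EXPECTED_UID]
# Returns: 0 ok, 1 malformed GUID, 2 no such file, 3 wrong mode, 4 wrong owner
check_shadow_hash() {
    dir=$1
    guid=$2
    want_uid=${3:-0}

    # A GeneratedUID is a UUID: 8-4-4-4-12 hex digits.
    printf '%s\n' "$guid" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$' ||
        return 1

    file=$dir/$guid
    # Must be a regular file, not a symlink or a directory.
    [ -f "$file" ] && [ ! -L "$file" ] || return 2

    # ls -ln prints the mode string first and the numeric owner third.
    # The trailing * tolerates the ACL/xattr marker some systems append.
    set -- $(ls -lnd "$file")
    case $1 in
        -rw-------*) ;;
        *) return 3 ;;
    esac

    # A hash file readable or writable by another account defeats the point
    # of keeping the hash out of the directory record.
    [ "$3" = "$want_uid" ] || return 4
    return 0
}
```

Called at the end of the instauser script as `check_shadow_hash /var/db/shadow/hash "$GUID"`, a non-zero return code identifies which property of the copied hash file is wrong before the image is deployed.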