Jetpack has locked your site's login page.

This topic has 10 replies, 5 voices, and was last updated 16 years, 2 months ago by thegooch49.

Viewing 8 posts - 1 through 8 (of 8 total)

Author

Posts
November 7, 2007 at 1:27 am #370451

thegooch49
Participant

If you are creating an image with 10.5, be warned the instauser script will NOT create the user as an administrator. The current script has NetInfo commands, that don’t translate in 10.5. If you are using 10.5, replace the last line in the ‘Make the account’ section (which referneces /NetInfo/DefaultLocalNode) with the line below. That will add the user ‘instadmg’ to the admin group in 10.5.

dscl / -append /Groups/admin GroupMembership instadmg

November 9, 2007 at 1:55 am #370475

thegooch49
Participant

Sorry, my syntax was incorrect. The correct line for 10.5 is:

dscl . -append /Groups/admin GroupMembership instadmg

November 9, 2007 at 6:13 pm #370490

Greg Neagle
Participant

This edit should work in 10.4 as well.

November 9, 2007 at 7:26 pm #370491

thegooch49
Participant

Good point, I just confirmed this. It does indeed work in 10.4. In that case, I would recommend replacing this line all together to make it universal between 10.4 and 10.5.

November 9, 2007 at 11:00 pm #370495

thegooch49
Participant

I would love to set this up with a shadow password. Can you give any guidance? Can I force a GUID with this?

dscl . -create Users/mysuer generateduid 000F640-88B5-4F3D-9DFC-86S61CDD1495

That seems to work when do do the ‘read’ for generatedUID. I can then create a file in /var/db/shadow/hash
called 000F640-88B5-4F3D-9DFC-86S61CDD1495 that contains the shadow password. How do I set AuthenticationAuthority to read this shadow password from here?

Thanks for the help.

November 13, 2007 at 9:54 pm #370512

thegooch49
Participant

I got this figured out. To accomplish this, I added the following lines to my instadmg script.

/usr/bin/dscl . -passwd Users/adminuser “PhoneyPassword”
dscl . -create Users/adminuser generateduid 000W640-88D5-4F3D-9DFC-86S61BTD1465
#Move the hash to set the password for the locadmin
cp /var/db/shadow/hash/TempHash /var/db/shadow/hash/000W640-88D5-4F3D-9DFC-86S61BTD1465

In order for this to work, the instauser package install must include a file called:
/var/db/shadow/hash/TempHash

The TempHash file contains the hashed password. The script copies this pre-configured hash file, to the GUID that was created by the script. So the instadmg script initially sets the password to ‘PhoneyPassword’, but that hash file is replaced w/ the TempHash file that we are swapping out. This has the real password. Remember to be very cautious that all your permissions are set correctly. If the instauser script does not have the exact correct permissions, it will not run, and you will have no user at all 🙂

I hope that makes sense, I can explain better if needed.

December 2, 2007 at 5:49 pm #370692

johnemac
Participant

Many questions.

I’m not sure I see the point of moving the hash file. Why do you need to create the “PhoneyPassword” if you are changing the GUID and the moving in a hash file? And where are these hash files coming from, another system?

And just putting in a .plist and a hash file wouldn’t take care of group membership would it? It seems that the group .plist needs to be altered as well. Or use dscl to enter the record?

/usr/bin/dscl . -create Users/instadmg
/usr/bin/dscl . -create Users/instadmg UserShell /bin/bash
/usr/bin/dscl . -create Users/instadmg RealName “Instadmg Admin”
/usr/bin/dscl . -create Users/instadmg UniqueID 1024
/usr/bin/dscl . -create Users/instadmg PrimaryGroupID 20
/usr/bin/dscl . -create Users/instadmg NFSHomeDirectory /Users/instadmg
/usr/bin/dscl . -passwd Users/instadmg “password”
/usr/bin/dscl . -append /Groups/admin GroupMembership instadmg
/usr/bin/dscl . -append /Groups/staff GroupMembership instadmg

December 3, 2007 at 6:49 pm #370711

thegooch49
Participant

Hello, I set the password with a phony value, because I need to use it once. I’m enabling the root user as well, so I use this phony password with the dsenable command. See below. Once the phony password is set, I use it to enable root. Once root is enabled, I replace the hash for the locadmin AND root accounts.

There might be an easier way, but this works for me. As for the hash files, I create them on a different system. I deploy them with the instauser package, withe a different name. At the end of this instauser script, it moves the actual hash files into place.

#Make the account
/usr/bin/dscl . -create Users/locadmin
/usr/bin/dscl . -create Users/locadmin home /Users/locadmin
/usr/bin/dscl . -create Users/locadmin shell /bin/bash
/usr/bin/dscl . -create Users/locadmin uid 589
/usr/bin/dscl . -create Users/locadmin gid 589
/usr/bin/dscl . -create Users/locadmin realname “Local Admin”
/usr/bin/dscl . -create Groups/locadmin
/usr/bin/dscl . -create Groups/locadmin gid 589
/usr/bin/dscl . -passwd Users/locadmin “phoneypass”

#Make this useful! Add locadmin to the admin group
/usr/bin/dscl . -append /Groups/admin GroupMembership locadmin

#Enable root, using the bogus password before it’s changed
/usr/sbin/dsenableroot -u locadmin -p phoneypass -r bork
Author

Posts

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.