- This topic has 12 replies, 7 voices, and was last updated 17 years, 1 month ago by
Theilgaard.
January 2, 2008 at 9:06 pm #370923
Patrick Fergus
Participant
Taking Joel’s post here:
[url]https://www.afp548.com/forum/viewtopic.php?showtopic=18558[/url]
Which says
[quote]"The pkg just needs to install 2 files. One for the plist for the user record to be put into the local db. The other file for the hash."[/quote]
I set out to create that package. I added the following files:
[code]/var/db/dslocal/nodes/Default/groups/admin.plist[/code]
Local group file with the localadmin included.
[code]/var/db/dslocal/nodes/Default/users/localadmin.plist[/code]
Local user file defining the local admin, including the generateduid used in the shadow hash file.
[code]/var/db/shadow/hash/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA[/code]
Password hash for the local admin
[code]/var/db/.AppleSetupDone[/code]
Flag to disable the setup assistant
Examining localadmin.plist file, the authentication_authority section includes the following (truncated for clarity):
[code];Kerberosv5;;instadmg@LKDC:SHA1.D1C813C…[/code]
I understand that there is now a local KDC in Leopard, but what should I do with these lines? Delete the local KDCs? Delete the entire line?
Thanks,
– Patrick
January 3, 2008 at 6:18 pm #370934
Greg Neagle
Participant
While you can create a new user by adding files to the local DS store in /private/var/db/dslocal/nodes/Default and the password hash file in /private/var/shadow, you’ll still need a post-install script to add the user to the admin group unless you set the GID of the new user to group 80, the admin group.
January 3, 2008 at 6:54 pm #370938
Patrick Fergus
Participant
Adding the user to the admin group can be handled by dscl inside the instauser script:
[code]/usr/bin/dscl . -append Groups/admin GroupMembership localadmin[/code]
or by replacing the admin group plist with an already-set-up admin.plist:
[code]/private/var/db/dslocal/nodes/Default/groups/admin.plist[/code]
– Patrick
January 7, 2008 at 11:01 pm #370992
Greg Neagle
Participant
I’d go for the dscl method, as that doesn’t lock you into your own version of the admin.plist file. In other words, if Apple changes that file in a future update, you won’t have to notice that and deal with it.
It just seems more in the InstaDMG spirit of things to remove dependencies and make things modular.
-Greg
[QUOTE][u]Quote by: Patrick+Fergus[/u][p]Adding the user to the admin group can be handled by dscl inside the instauser script:
[code]/usr/bin/dscl . -append Groups/admin GroupMembership localadmin[/code]
or by replacing the admin group plist with an already-set-up admin.plist:
[code]/private/var/db/dslocal/nodes/Default/groups/admin.plist[/code]
– Patrick[/p][/QUOTE]
March 3, 2008 at 12:10 pm #371746
Theilgaard
Participant
I am now working with the 1.3b release, but the instauser_10.5 script is still just installing the admin.plist file instead of a postflight script with the dscl command, or am I missing something?
How can I change the password for this user?
Thanks,
Søren
March 3, 2008 at 2:50 pm #371751
jlevitsk
Participant
Wouldn’t this work to set a password from a hash?
#!/bin/bash
# Make the account exampleadmin
/usr/bin/dscl . -create Users/exampleadmin
/usr/bin/dscl . -create Users/exampleadmin home /Users/exampleadmin
/usr/bin/dscl . -create Users/exampleadmin shell /bin/bash
/usr/bin/dscl . -create Users/exampleadmin uid 501
/usr/bin/dscl . -create Users/exampleadmin gid 501
/usr/bin/dscl . -create Users/exampleadmin realname "exampleadmin"
/usr/bin/dscl . -create Groups/exampleadmin
/usr/bin/dscl . -create Groups/exampleadmin gid 501
# doesn't matter what we make it since we kill it anyways…
/usr/bin/dscl . -passwd Users/exampleadmin "FunkyChicken"
/usr/bin/dscl . -append Groups/admin GroupMembership exampleadmin
# find the GeneratedUID of the user and remove the password hash file
# from /private/var/db/shadow/hash/
# sudo ls -a /private/var/db/shadow/hash
# sudo ls -l /private/var/db/shadow/hash/
guid="$(/usr/bin/dscl . -read "/Users/exampleadmin" GeneratedUID | /usr/bin/awk '{print $NF;}')"
/bin/rm -f "/private/var/db/shadow/hash/$guid"
echo ‘000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000205465095A12BDF8A6B23F016C94A37F12H9D4CD5162C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000’ > /private/var/db/shadow/hash/$guid
/usr/sbin/chown root:wheel "/private/var/db/shadow/hash/$guid"
/bin/chmod 600 "/private/var/db/shadow/hash/$guid"
/usr/bin/srm -r /Library/StartupItems/instauser
exit 0
March 3, 2008 at 7:20 pm #371755
Theilgaard
Participant
How do I generate the hash-code?
I have created a user on my own system, and given this user the “password” password, as in the instauser shadowhash file, but the code I get is different from the one in that file.
But could I use the dscl command with the password to set this hash-code?
Then the instauser Installer should just install the user-file, and as a postflight script run the two dscl-lines with the password and the admin-group. Would that work?
March 3, 2008 at 7:30 pm #371757
Theilgaard
Participant
Just saw Josh’s reply.
I did look at the PackageMaker project (which btw. opens as “unititled” in my 10.5 PackageMaker app).
But I need to generate the hash code for the password, so how do I do that?
March 4, 2008 at 3:08 am #371759
akinspe
Participant
[quote]But I need to generate the hash code for the password, so how do I do that?[/quote]
It’s like I heard the question coming.
Check out the script I posted today. I created it for that very reason. You simply run it:
[code]./shadowHash password > $VOLUME/var/db/shadow/hash/AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA[/code]
the file name is the GUID of the user you want to save the password to.
This will generate a hash file with the appropriate password. Obviously you’ll want to protect this if it’s in a script since it’ll have the cleartext of the password in it. So maybe just use it to generate the hash initially.
Because it uses a random salt, you’ll get a different hash every time, but it’s the same password.
What’s nice about this also is that you can SET a password on a volume you have root access to, even if it’s not booted.
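Added example, not part of the original posts and not akinspe's shadowHash script: a Python sketch of why a random salt yields a different hash file on every run for the same password, and how such a file can still be checked against a password. The layout is an assumption not stated in the thread (1240 hex characters, with a 4-byte salt plus the SHA-1 of salt and password at offset 168, all other slots zeroed); the function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed Leopard shadow hash layout (not stated on the page):
FILE_LEN = 1240            # hex characters in the whole file
SALTED_SHA1_OFFSET = 168   # where the salted SHA-1 slot starts
SLOT_LEN = 48              # 8 hex chars of salt + 40 hex chars of SHA-1


def build_shadow_hash(password, salt=None):
    """Return file contents with only the salted SHA-1 slot populated."""
    if salt is None:
        salt = os.urandom(4)           # fresh salt on every call
    if len(salt) != 4:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    slot = (salt + digest).hex().upper()
    padding = FILE_LEN - SALTED_SHA1_OFFSET - SLOT_LEN
    return "0" * SALTED_SHA1_OFFSET + slot + "0" * padding


def verify_shadow_hash(contents, password):
    """Check a password against hash file contents; False if malformed."""
    contents = contents.strip()
    if len(contents) != FILE_LEN:
        return False
    slot = contents[SALTED_SHA1_OFFSET:SALTED_SHA1_OFFSET + SLOT_LEN]
    try:
        raw = bytes.fromhex(slot)
    except ValueError:                 # non-hex character in the slot
        return False
    salt, stored = raw[:4], raw[4:]
    candidate = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    import getpass
    # Prompt instead of taking the password as an argument, so the cleartext
    # does not end up in a script or in shell history.
    print(build_shadow_hash(getpass.getpass("New password: ")))
```

A file written from this output needs the same root:wheel ownership and mode 600 that the script earlier in the thread applies to the hash file.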
March 4, 2008 at 8:31 am #371762
Theilgaard
Participant
Thank you!
Just what I needed, but you already knew that 😉
Søren