[sketch]

when is the script running and how is it running? Is it running fron a loginhook? Login scripts run as the root user, so that might be why you’re gettin that. Use the $USER or $1 variable instead.

We use a php script that passes the info along to a database and is web viewable. Sadly I didn’t make the system or have access to the code so all I have is the client piece, but it might help you:
—————————————————
1 ? $mode = $argv[1] : exit();

$argc > 2 ? $username = $argv[2] : $username = $_SERVER[‘USER’];

$nodename = str_replace(“\n”, “”, str_replace(“\r”, “”, `scutil –get LocalHostName`));
$ipAddress = str_replace(“\n”, “”, str_replace(“\r”, “”, `ipconfig getifaddr en0`));

$host = “www.college.edu”;
$path = “/itservices/mac_scripts/UserTracking.aspx”;

$data = “username=$username”;
$data .= “&nodename=$nodename”;
$data .= “&mode=$mode”;
$data .= “&verify=” . SHA1($ipAddress);

$out = “POST $path HTTP/1.0\r\n”;
$out .= “Host: $host\r\n”;
$out .= “User-Agent: UserTrackingScript\r\n”;
$out .= “Content-type: application/x-www-form-urlencoded\r\n”;
$out .= “Content-length: ” . strlen($data) . “\r\n”;
$out .= “Connection: close\r\n\r\n”;
$out .= $data;

$conn = fsockopen($host, 80, $errno, $errstr, 3);

if ($conn)
{
fwrite($conn, $out);
fclose($conn);
}

?>

[sketch]

Got it working. Thanks for the help. In the end the solution was quite embarrasing: typo 😳

[sketch]

well all of this has led to another odd issue. I figured out how to used id to check group membership of an account, and I’m NOT seeing the group I’m looking for. I’m seeing all of them BUT that group. And not just on my account, on all accounts that are members of that group.

Whisky
Tango
Foxtrot

[sketch]

How do I test the group lookup? I’m assuming this methodology variates from nesting the group via the AD settings in Directory Access?

[sketch]

Really? What are the differences?

And no. it doesn’t seem to matter, although it might.

just for reference, this is the line in my sudoers file that states the group:

%MacLabAdminUsers ALL=(ALL) ALL

perhaps there should be an AD\ in front of it?

[sketch]

All 10.4. Some 10.4.8, some 10.4.9

[sketch]

further investigation has revealed the nobrowse option is the culprit.

Now I’m wondering if there’s a workaround, because the nobrowse is kind of nice.

[sketch]

Yes, I understand how kerberos is designed, I also understand that if a user stays logged into their workstation for longer than 10 hours, then tries to use a network resource, things don’t work as smoothly as they should.

Thus this thread.

[sketch]

OOH! I was unaware of scp. Thanks!

No, this isn’t for centralized logging, this is for centralized system profiling/asset management.

[sketch]

so if I do this:

sudo kadmin.local -q “add_principal -e des-cbc-crc:normal -pw apple krbtgt/[email protected]”

and …

sudo kadmin.local -q “add_principal -e des-cbc-crc:normal -pw apple krbtgt/[email protected]”

my OD realm will trust tickets from AD? Or do I also have to use Active Directory Users and Computer and “right-click on a user you’d like to enable cross-realm authentication for”?

[sketch]

is there anything in your 10.4.1 client logs to indicate what might be occurring when it tries to access the network home directory?

[sketch]

I have been told that 10.4 (Tiger) will have the kind of access control you’re looking for.

I didn’t have time to wait for 10.4 which is why I wrote the script that’s posted in another thread, however that can only descriminate who’s a member of a specific local group or not.

[sketch]

This is definitely more of a question for AD gurus, but I think you can make a different home folder attribute for your PC users and get all of your PCs to use that.
For your Macs you have to stick with ADs default home folder attribute.

I only know that you can use different attributes with PCs because I helped troubleshoot another school’s setup and saw them using almost everything BUT the default for their homes, which was why the Macs weren’t working for them.

[sketch]

http://support.microsoft.com/default.aspx?scid=kb;en-us;883480

[sketch]

got it

——————-
#!/bin/sh

###variables
username=$1
groupstatus=$(nireport . /groups name users | grep -w $1 | grep -w admin | wc -l)
###actions
if [ $username = labuser ]; then
exit 0
elif [ $groupstatus = 1 ]; then
exit 0
else
/usr/bin/killall -HUP loginwindow
fi
exit 0
———

Now I would like to figure out how to get dialog boxes to pop-up so people know they’re being kicked off, instead of just being left to scratch their heads.

[Author]

Posts