Forum Replies Created

Viewing 9 posts - 31 through 39 (of 39 total)
  • in reply to: Packages with pre and post scripts, etc #370922
    thegooch49
    Participant

    Hello, you are correct, some packages don’t work properly w/ instaDMG. Quicktime is a perfect example. If it’s included in the ‘AppleUpdates’ folder, it will not run. If you read through the log, you will find a line that says that it’s unable to install this update on a non-boot volume. The only workaround that might work is to use logGen and pkgGen. A good article on this technique is below. I used it with success for the Developer Tools. It’s a huge install, and I figured it was worth it. Since quicktime is so small, I would just run it after the image is booted.

    http://blog.irisink.com/?p=106

    -Jeff

    in reply to: An edit for 10.5 users #370711
    thegooch49
    Participant

    Hello, I set the password with a phony value, because I need to use it once. I’m enabling the root user as well, so I use this phony password with the dsenable command. See below. Once the phony password is set, I use it to enable root. Once root is enabled, I replace the hash for the locadmin AND root accounts.

    There might be an easier way, but this works for me. As for the hash files, I create them on a different system. I deploy them with the instauser package, with a different name. At the end of this instauser script, it moves the actual hash files into place.

    #Make the account
    /usr/bin/dscl . -create Users/locadmin
    /usr/bin/dscl . -create Users/locadmin home /Users/locadmin
    /usr/bin/dscl . -create Users/locadmin shell /bin/bash
    /usr/bin/dscl . -create Users/locadmin uid 589
    /usr/bin/dscl . -create Users/locadmin gid 589
    /usr/bin/dscl . -create Users/locadmin realname "Local Admin"
    /usr/bin/dscl . -create Groups/locadmin
    /usr/bin/dscl . -create Groups/locadmin gid 589
    /usr/bin/dscl . -passwd Users/locadmin "phoneypass"

    #Make this useful! Add locadmin to the admin group
    /usr/bin/dscl . -append /Groups/admin GroupMembership locadmin

    #Enable root, using the bogus password before it’s changed
    /usr/sbin/dsenableroot -u locadmin -p phoneypass -r bork

    in reply to: Enabling Root User #370624
    thegooch49
    Participant

    Hi, I actually found the answer to part of my question. This is set using the command: dsenableroot

    I can obviously enter it in a script that will set this at first bootup, but I’m not sure how to set the password. I can’t have it shown in a script that is plain text. My user create script forces a specific GUID, and I then place a pre-configured password hash in /var/db/shadow/hash. This should work the same way, since root’s hash password is in there as well. It looks like in 10.5 root’s GUID is not random, so it should automatically be the same (without me having to set it).

    Anyway, I’ll post results when this is done, and let you know if it’s successful.

    in reply to: An edit for 10.5 users #370512
    thegooch49
    Participant

    I got this figured out. To accomplish this, I added the following lines to my instadmg script.

    /usr/bin/dscl . -passwd Users/adminuser "PhoneyPassword"
    dscl . -create Users/adminuser generateduid 000W640-88D5-4F3D-9DFC-86S61BTD1465
    #Move the hash to set the password for the locadmin
    cp /var/db/shadow/hash/TempHash /var/db/shadow/hash/000W640-88D5-4F3D-9DFC-86S61BTD1465

    In order for this to work, the instauser package install must include a file called:
    /var/db/shadow/hash/TempHash

    The TempHash file contains the hashed password. The script copies this pre-configured hash file to the GUID that was created by the script. So the instadmg script initially sets the password to ‘PhoneyPassword’, but that hash file is replaced w/ the TempHash file that we are swapping out. This has the real password. Remember to be very cautious that all your permissions are set correctly. If the instauser script does not have the exact correct permissions, it will not run, and you will have no user at all 🙂

    I hope that makes sense, I can explain better if needed.
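
A check that could run after the hash-swap step in the post above, as an added example that is not part of the original post: it confirms the GUID-named hash file exists, that the staged TempHash copy is no longer lying around, and that every hash file is owner-only. The function name `audit_hash_swap`, the expected mode 600 and the demo GUID are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the result of:
#   cp /var/db/shadow/hash/TempHash /var/db/shadow/hash/<generateduid>
# Assumption: shadow hash files are expected to be mode 600 (owner only).

# audit_hash_swap DIR GUID
# Prints one line per finding; the return status is the number of findings.
audit_hash_swap() {
    dir=$1
    target="$dir/$2"
    staged="$dir/TempHash"
    findings=0

    if [ ! -f "$target" ]; then
        echo "MISSING     $target (account has no shadow hash)"
        return 1
    fi
    if [ -f "$staged" ]; then
        if cmp -s "$staged" "$target"; then
            echo "LEFTOVER    $staged (second copy of the real hash, delete it)"
        else
            echo "NOT_SWAPPED $target differs from $staged (placeholder password may still be live)"
        fi
        findings=$((findings + 1))
    fi
    # Every file in the directory must be exactly mode 600.
    loose=$(find "$dir" -type f ! -perm 600)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/BADMODE     /'
        findings=$((findings + $(echo "$loose" | wc -l)))
    fi
    return "$findings"
}

# Constructed demo: a scratch directory stands in for /var/db/shadow/hash,
# and the GUID is a made-up placeholder.
demo_dir=$(mktemp -d)
demo_guid="00000000-0000-0000-0000-000000000000"
printf 'CONSTRUCTED-HASH\n' > "$demo_dir/TempHash"
cp "$demo_dir/TempHash" "$demo_dir/$demo_guid"
chmod 600 "$demo_dir/TempHash" "$demo_dir/$demo_guid"
audit_hash_swap "$demo_dir" "$demo_guid" || echo "findings: $?"
rm -rf "$demo_dir"
```

On a built image, point it at the mounted volume's `var/db/shadow/hash` directory and run it as root so the files are readable.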

    in reply to: An edit for 10.5 users #370495
    thegooch49
    Participant

    I would love to set this up with a shadow password. Can you give any guidance? Can I force a GUID with this?

    dscl . -create Users/mysuer generateduid 000F640-88B5-4F3D-9DFC-86S61CDD1495

    That seems to work when I do the ‘read’ for generatedUID. I can then create a file in /var/db/shadow/hash called 000F640-88B5-4F3D-9DFC-86S61CDD1495 that contains the shadow password. How do I set AuthenticationAuthority to read this shadow password from here?

    Thanks for the help.

    in reply to: An edit for 10.5 users #370491
    thegooch49
    Participant

    Good point, I just confirmed this. It does indeed work in 10.4. In that case, I would recommend replacing this line altogether to make it universal between 10.4 and 10.5.

    in reply to: An edit for 10.5 users #370475
    thegooch49
    Participant

    Sorry, my syntax was incorrect. The correct line for 10.5 is:

    dscl . -append /Groups/admin GroupMembership instadmg

    thegooch49
    Participant

    Yes, that is the cached record.

    Thanks again for the help.

    thegooch49
    Participant

    This is output from: dscl localhost -read /Search/Users/jbaker

    Thanks for the help, I appreciate it!

    accountConfig: blah=1
    cn: Jim Baker
    gecos: Jim Baker
    gidNumber: 200
    givenName: Jim
    homeDirectory: /home/j/jbaker
    l: carolina
    loginShell: /bin/sh
    mail: [email protected]
    objectClass: top person organizationalPerson inetOrgPerson posixAccount shadowAccount apple-user Account
    sn: Baker
    title: Admin
    uid: jbaker
    uidNumber: 5099
    userPassword: {MD5}wQGB7oSGUYLVGXfsTNxPow==
    AppleMetaNodeLocation: /LDAPv3/ldap.company.com
    EMailAddress: [email protected]
    FirstName: Jim
    JobTitle: Admin
    LastName: Baker
    NFSHomeDirectory: /home/j/jbaker
    Password: {MD5}wQGB7oSGUYLVGXfsTNxPow==
    PrimaryGroupID: 200
    RealName: Jim Baker Jim Baker
    RecordName: jbaker Jim Baker
    RecordType: dsRecTypeStandard:Users
    UniqueID: 5099
    UserShell: /bin/sh
