Forum Replies Created
Rusty Myers
Participant
Keychain Minder 1.5, just downloaded yesterday.
I’m using Launchd like this, placed in LaunchAgents:
[code]
Label
edu.psuetc.keychainminder
ProgramArguments
/Library/Scripts/ETC/login-keychainminder.sh
QueueDirectories
RunAtLoad
WatchPaths
[/code]
Here’s the script:
[code]
#!/bin/bash
#keychain minder script
open -a /Library/Managment/Keychain\ Minder.app/
exit 0
[/code]
Console says:
[code]
LSOpenFromURLSpec() failed with errror -10661
[/code]
Thanks again!
Rusty Myers
Participant
This is a total guess, but I’ve always assumed that the installer must be using some launchd item at first boot to install/configure something, then reboot again. Again, total guess, but I would think it should work if it was doing that. It would just assume that the first boot was right after you installed the package, and then it would do what it needs to and reboot again. It’s totally possible though that something else is stomping on those configurations and creating an un-bootable image. Perhaps try to narrow it down by isolating that specific install and testing.
Rusty Myers
Participant
[QUOTE][u]Quote by: mleacy[/u][p]I used createUser, and followed the instructions for shadowHash.
On booting my system, it will not accept the password. I even went back through my bash history to make sure I wasn’t misremembering and/or I didn’t mistype the password originally.
The password_hash file was created after I ran “shadowHash mypassword>password_hash”. It contains what looks like a password hash.
Any suggestions?
[/p][/QUOTE]
Does your password include anything special besides letters and numbers? Check this thread if you’re using reserved characters.
https://www.afp548.com/forum/viewtopic.php?showtopic=20674&mode=&show=5&page=3
You have to comment them out when making your password hash.
Rusty Myers
Participant
[QUOTE][u]Quote by: knowmad[/u][p]ok, silly/dumb questions because I am not awake yet….. (maybe I should wait and read after coffee…. nah I’ll just ask)
1) you are referring to etcadmin ….. is that because your account is named etcadmin or because your account is hidden (why you would put it there I don’t know) in the etc folder….?
Am I correct in assuming it would read something like this if my account was named ACCOUNTNAME: (grabbed code from an earlier example in the thread but it should suffice to understand the situation)
[code]
#!/bin/sh
#Enable ARD for ACCOUNTNAME
"$3"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk "$3" -configure -allowAccessFor -specifiedUsers
"$3"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk "$3" -activate -configure -access -on -users "ACCOUNTNAME" -privs -all -restart -agent
exit 0
[/code]
2) creating the permissions you are referring to is done separately from creating the accounts in dslocal?
3) Please break this down into a time line of when you’re doing what…. ie something like adding events to this list:
a) instadmg
b) reboot/firstboot
c) boot script
d) login script
because I am not following something and I think it is in that time line.
Thank you,
Knowmad – asking the dumb questions so you don’t have to.
[/p][/QUOTE]
1) ETC=Education Technology Center, it’s our admin account. Local admin, all the Apple defaults. You are correct in your assumption of the code, the user I want to give permissions to would be in the “ACCOUNTNAME” location.
2) The user is created first, then the ARD permissions are assigned. They are done separately.
3) Events:
instadmg train:
OS X 10.5
OS X Update 10.5.5 + Base Updates
Custom Packages:
CreateUser package with etcadmin account
Office 2008
ARD package
Misc. Apps
ClearReg package
First boot
I don’t currently have any scripts running on first boot/reboot/login. I am trying to get ARD to activate during the build, instead of after. It’s not that I can’t get it to work with launchd, but it’s that I wasn’t going that route at the moment.
Thanks,
Rusty
Rusty Myers
Participant
[QUOTE][u]Quote by: Patrick+Fergus[/u][p]Silly question (but boy did this one get me for a few hours), have you created your admin’s user record (/var/db/dslocal/nodes/Default/users/etcadmin.plist) [i]before[/i] trying to set the ARD rights? The record has to be there first. After that, you should be able to set the privileges and read them back:
[code]
defaults read /var/db/dslocal/nodes/Default/users/etcadmin naprivs
(
"-2147483395"
)
[/code]
“naprivs” would mean “Network Assistant privileges” for those unlucky enough to remember Apple Network Assistant. Maybe ARDAgent horks if you’re “specifying users” but you don’t have any users enabled? Also, I created a custom installer, and the postflight_kickstart_entries file here:
~/Desktop/Custom\ Remote\ Desktop\ Installer.mpkg/Contents/Installers/RemoteDesktopClient.pkg/Contents/Resources
Has the “specifiedUsers” command [i]after[/i] the privilege-granting command (backslashed for readability):
[code]
-configure -users 'etcadmin' -access -on -privs -DeleteFiles -TextMessages -OpenQuitApps \
-GenerateReports -RestartShutDown -SendFiles -ChangeSettings
-configure -allowAccessFor -specifiedUsers
[/code]
Perhaps order of operations is important?
– Patrick
[/p][/QUOTE]
If “created your admin’s user record” comes with creating the Account, then yes. I use createUser to make my account and then the ARD script comes afterwards in the build train. I will need to run another build to be sure that the user record is created, unless you know that it’s not until after first boot.
I see what you’re saying about the order. I assume my order is correct because the commands work when run after first boot from the terminal.
Thanks!
Rusty
Rusty Myers
Participant
I did something similar for host names (computer names).
I took Bombich’s script to set the name from NetRestore and modified it to run at each boot. I wrote a script that downloads a CSV file from my website so that I can update hostnames. The CSV file is replaced daily on the laptops connected to the internet.
I would have preferred using MCX, but we didn’t have time to set it up. There is probably a better way, but I couldn’t find a way to lock down the host name on the laptops either and I had to keep the host names the same through the year (k-12). I’d still like to know how to lock a share name without MCX or the script.
[code]
#!/bin/bash
## Script to test for the availability of internet and download, copy, and overwrite a csv file that has updated computer names.
# Set loop variable.
viperecho=FALSE
while [ "$viperecho" = 'FALSE' ]; do
# If block to test internet availability (ping takes a host name, not a URL)
if ping -nc 3 mywebserver.com | grep '100%' >/dev/null 2>&1 ;
then
echo "failed to connect to server"
else
cd /tmp
# -p so a directory left over from an earlier run is not an error
mkdir -p ownhard
pwd
# This is to copy file from webserver to localhost
echo "Downloading computer names file"
curl http://mywebserver.com/managment/computernames/computernames.csv > /tmp/ownhard/computernames.csv
echo "Done downloading"
cp /tmp/ownhard/computernames.csv /Library/Scripts/ETC/sharenames/ownhard.csv
echo "Exiting Loop"
viperecho=TRUE
fi
done
[/code]
Rusty Myers
Participant
Scr,
I tried using the script in the OP and it doesn’t seem to work for me. It enables Remote Management, but doesn’t enable any options and leaves it on all users.
[code]
#!/bin/sh
#Enable ARD for etcadmin
"$3"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk "$3" -configure -allowAccessFor -specifiedUsers
"$3"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -targetdisk "$3" -activate -configure -access -on -users "etcadmin" -privs -all -restart -agent
exit 0
[/code]
The commands work on a booted volume, with the $3 fully qualified. I have not seen anything in the logs that would make me think it’s failing during InstaDMG install.
In my package, I made the script a pre-install script on an empty folder. I am now trying a post-install script instead. Would that make that much of a difference?
If you could post your updated script again, I would appreciate it. Thanks!
Rusty Myers
Participant
[QUOTE][u]Quote by: scr[/u][p]Ok, so apparently it’s all my fault.
Unplugging the Firewire cable from the back of the machine stopped the delay before the loginwindow! I don’t know how or why, but I’m glad it has nothing to do with my build train.
Still working on the ‘specified users’ option in ARD though.[/p][/QUOTE]
Hi scr,
Did you get the “specified users” option working? I tried for an hour but didn’t get it.
Rusty Myers
Participant
[QUOTE][u]Quote by: thomasb[/u][p]Good. It seems like that is the way to go with PackageMaker 3.x.x.
The only problem now, is that the latest version of PackageMaker can not remember the [b]destination[/b] set for each component. Do you have the same problem?
1. Open PackageMaker 3.0.2 (174)
2. Create a new Package
3. Add a component or more
4. Set the destination for your component(s)
5. Save and close your project
6. Reopen the project
When you look at the destination field for your component(s) after reopening the PackageMaker project, it is blank.[/p][/QUOTE]
I’ve seen this recently. Working with PackageMaker earlier in the year, the packages always saved their paths. I’ve done a few updates since then, so I can’t pinpoint when it stopped working. It has not been worth my time to try to fix it, yet. Nothing’s special in my installs, mostly files to Applications and Library/*.
Rusty Myers
Participant
I don’t know much about Adobe Reader, but I think there are some PDFs that have advanced features that require Reader. It’s small and easy to install, so I just add it. I leave Preview as the default, giving my users the option to choose, assuming they know how.
Rusty Myers
Participant
I used InstallEase to repackage vpn and it works (after a restart) on OS X 10.5, but I have NOT tried it with Instadmg. Did you get it working outside the workflow?
Rusty Myers
Participant
I’ve seen somewhere, someone, who had used curl and cron (or launchd) to curl a form on their website that would fill out the form with specific data from that computer. Might be simpler than mounting/unmounting and appending a file. According to the man page, use -F for a form and fill out data using the “name of field”=@/local/file/on/computer. See example from man page:
curl -F password=@/etc/passwd http://www.mypasswords.com
Good luck and post any good results! Oh, I suppose the bad results too.
Rusty
Rusty Myers
Participant
[QUOTE][u]Quote by: thespider[/u][p][QUOTE][u]Quote by: akinspe[/u][p][QUOTE][u]Quote by: thespider[/u][p]I have a question about my password and the shadowhash script, I use a pipe “|” and I know why the script is failing, but if I quote the whole password, will that work? Are there other methods, short of changing my password, to fix the issue? Thanks![/p][/QUOTE]
I’m not sure I understand the question. But you shouldn’t use a pipe, it should be a greater than “>” i.e.
/path/to/shadowHash "yourpassword">password_hash
And yes quoting it should be fine, but I haven’t done thorough tests on “exotic” passwords. In theory it should work with any ASCII characters.
If you’re having trouble with a particular password, let me know. I wouldn’t expect you to tell me the password, but perhaps if there’s some wacky characters there may be an issue. Also when you say the script is failing what do you mean?[/p][/QUOTE]
Sorry, I should have been clearer. Let’s just say my password is “abra|cadabra”, without quotes the pipe is interpreted in the script, as I’m sure you’re aware. So I am testing with the quotes and I wasn’t sure if the quotes would then become part of the password, or not.
Again:
/path/to/shadowHash abra|cadabra>password_hash
Fails, tries to use the pipe and can’t find the cadabra program
But, I am trying
/path/to/shadowHash "abra|cadabra">password_hash
And you say it should work. Thanks! I’ll let you know if I have any problems with it today. Cheers![/p][/QUOTE]
Hi Again!!
Just an update. I finally got around to testing it and I figured out that I can use the \ to use the |. For example:
shadowHash abra\|cadabra>password_hash
It works fine! Thanks for the awesome package!
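Added example, not part of the original posts: a check of what a program actually receives when a password with shell-special characters is quoted in different ways, which is the question raised in the thread above. `printf` stands in for shadowHash, and the function names and sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. printf stands in for shadowHash so we
# can see exactly which bytes reach the program as its first argument.

# Wrap any string in single quotes for use on a sh command line.
# Inside '...' nothing is special except ' itself, which is written '\''.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Parse the single-quoted form in a fresh shell, as a typed command line
# would be parsed, and return what the stand-in program received.
roundtrip() {
    sh -c "printf '%s' $(sh_quote "$1")"
}

# Same, but with the password placed inside double quotes instead.
# | is literal there, but $ ` \ and " are still interpreted by the shell.
dq_roundtrip() {
    sh -c "printf '%s' \"$1\""
}

# Constructed sample passwords (not real credentials).
demo() {
    for pw in 'abra|cadabra' 'pa$HOME' "it's>me"; do
        printf '%-14s single-quoted -> %-14s double-quoted -> %s\n' \
            "$pw" "$(roundtrip "$pw")" "$(dq_roundtrip "$pw")"
    done
}

demo
```

The quotes are consumed by the shell and never become part of the password; single quotes (or `sh_quote`) are the form that passes every character through unchanged.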
Rusty Myers
Participant
Don’t know much, but if you are using a username/password view of logging into the machines, you can specify an alias for the guest account. Right click, or ctrl click the guest account and choose “Advanced Options”. Hit the plus button for aliases and enter your school’s name. Password is still blank at that point though.
Sounds like your way might still be the better option. Good luck!
Rusty Myers
Participant
Thanks for posting the mods you have figured out so far. I haven’t made it to the interface customization yet, but if you can keep posting what you find, I’d appreciate it. Thanks!