210 lines
8.2 KiB
Bash
210 lines
8.2 KiB
Bash
#!/bin/bash
|
|
|
|
## set -x
|
|
|
|
## passed variables
|
|
## $1 - new username
|
|
## $2 - password for user
|
|
## $3 - indicate if we're changing the home directory name; 0 - no change, 1 - change
|
|
## $4 - type of user to create; standard or admin
|
|
## $5 - whether or not to unbind - true or false
|
|
## $6 - whether or not the app runs silently - true or false
|
|
|
|
log() {
|
|
/bin/echo "$(date "+%a %b %d %H:%M:%S") $computerName ${currentName}[migrate]: $1" >> /var/log/jamf.log
|
|
}
|
|
|
|
jamfH="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
|
|
dsclBin="/usr/bin/dscl"
|
|
|
|
## standard attributes for a local account - these will not be deleted from the mobile account
|
|
attribsToKeep="_writers_AvatarRepresentation\|_writers_hint\|_writers_jpegphoto\|_writers_passwd\|_writers_picture\|_writers_unlockOptions\|_writers_UserCertificate\|accountPolicyData\|AvatarRepresentation\|HeimdalSRPKey\|KerberosKeys\|LinkedIdentity\|record_daemon_version\|ShadowHashData\|unlockOptions\|AltSecurityIdentities\|AppleMetaNodeLocation\|AuthenticationAuthority\|GeneratedUID\|JPEGPhoto\|NFSHomeDirectory\|Password\|Picture\|PrimaryGroupID\|RealName\|RecordName\|RecordType\|UniqueID\|UserShell"
|
|
|
|
## in case the jamf.log does not exist
|
|
if [ ! -f /var/log/jamf.log ];then
|
|
/usr/bin/touch /var/log/jamf.log
|
|
fi
|
|
|
|
## grab the computer name to use in the log
|
|
computerName=$(scutil --get ComputerName)
|
|
|
|
## get logged in user
|
|
currentName=$(stat -f%Su /dev/console)
|
|
## new new logon name
|
|
newName="$currentName"
|
|
|
|
## check admin status
|
|
isAdmin=$(/usr/sbin/dseditgroup -o checkmember -m "${currentName}" admin | cut -d" " -f1)
|
|
log "result of isAdmin check: ${isAdmin}"
|
|
|
|
## check the OriginalNodeName to determine if it is a local or mobile account
|
|
mobileUserCheck=$($dsclBin . -read "/Users/$currentName" OriginalNodeName 2>/dev/null | grep -v dsRecTypeStandard)
|
|
if [ "${mobileUserCheck}" = "" ];then
|
|
## account is a local account
|
|
log "$currentName is a local account."
|
|
exit 1000
|
|
fi
|
|
|
|
if [ true != "true" ];then
|
|
## verify we're either keeping the same username or new name doesn't exist
|
|
nameCheck=$(dscl . -read "/Users/${newName}" RealName &> /dev/null;echo $?)
|
|
if [ "$nameCheck" = "0" ] && [ ! "${newName}" = "${currentName}" ];then
|
|
## account already exists and belongs to a different user
|
|
log "${newName} belongs to another user."
|
|
exit 500
|
|
fi
|
|
password="$2"
|
|
fi
|
|
|
|
log "current user: ${currentName}"
|
|
|
|
## renameHomeDir is 0 if we're not renaming the user home directory to the new name (if different the the existing) and 1 if we are
|
|
renameHomeDir="0"
|
|
if [ "${renameHomeDir}" = "1" ];then
|
|
log "Home directory will be renamed"
|
|
else
|
|
log "Home directory will not be renamed"
|
|
fi
|
|
|
|
## set user type to create, if passed, to be either standard or admin. If nothing is passed local will match mobile account
|
|
userType="standard"
|
|
if [ "${userType}" = "standard" ];then
|
|
log "User will be migrated as a $userType user"
|
|
else
|
|
log "User will be migrated as an $userType user"
|
|
fi
|
|
|
|
## set the unbind var; 'true' or 'false'
|
|
unbind="true"
|
|
if [ "${unbind}" = "true" ];then
|
|
log "machine will be unbound from Active Directory"
|
|
else
|
|
log "no change to current bind status will be performed"
|
|
fi
|
|
|
|
## define icon location
|
|
theIcon="${BASH_SOURCE%/*}/../MigrateAsst.png"
|
|
|
|
## see if account is FileVault enabled
|
|
FileVaultUserCheck=$(fdesetup list | grep -w "${currentName}")
|
|
if [ "${FileVaultUserCheck}" != "" ];then
|
|
log "${currentName} is a FileVault enabled user"
|
|
else
|
|
log "${currentName} is not a FileVault enabled user"
|
|
fi
|
|
|
|
|
|
if [ "$unbind" == "true" ];then
|
|
log "performing machine unbind"
|
|
/usr/sbin/dsconfigad -remove -force -username "$currentName" -password "${password}"
|
|
/bin/rm "/Library/Preferences/OpenDirectory/Configurations/Active Directory/*.plist"
|
|
fi
|
|
|
|
## remove .account file if present
|
|
/bin/rm -f "/Users/${currentName}/.account" || true
|
|
|
|
aa=$($dsclBin -plist . -read /Users/"${currentName}" AuthenticationAuthority)
|
|
log "original AuthenticationAuthority from mobile account:"
|
|
log "${aa}"
|
|
lcu=$(/bin/echo "${aa}" | xmllint --xpath 'string(//string[contains(text(),";LocalCachedUser;")])' -)
|
|
krb5=$(/bin/echo "${aa}" | xmllint --xpath 'string(//string[contains(text(),";Kerberosv5;")])' -)
|
|
|
|
$dsclBin -plist . -delete /Users/"${currentName}" AuthenticationAuthority "${lcu}"
|
|
$dsclBin -plist . -delete /Users/"${currentName}" AuthenticationAuthority "${krb5}"
|
|
|
|
pid=$(ps -ax | grep opendir | grep -v grep | awk '/ / {print $1}')
|
|
echo "restarting opendirectoryd with pid $pid"
|
|
killall opendirectoryd
|
|
sleep 1
|
|
## wait for opendirectoryd to start back up
|
|
pid=$(ps -ax | grep opendir | grep -v grep | awk '/ / {print $1}')
|
|
while [ "$pid" = "" ];do
|
|
sleep 1
|
|
pid=$(ps -ax | grep opendir | grep -v grep | awk '/ / {print $1}')
|
|
done
|
|
echo "opendirectoryd restarted with pid $pid"
|
|
|
|
|
|
## export updated AuthenticationAuthority for the account
|
|
log "$dsclBin . -read /Users/${currentName} AuthenticationAuthority"
|
|
## localAuthenticationAuthority=$($dsclBin . -read /Users/"${currentName}" AuthenticationAuthority)
|
|
log "AuthenticationAuthority for local account:"
|
|
localAuthenticationAuthority=$($dsclBin -plist . -read /Users/"${currentName}" AuthenticationAuthority)
|
|
log "${localAuthenticationAuthority}"
|
|
|
|
## remove attributes from mobile account - start
|
|
while read theAttribute;do
|
|
log "deleting attribute: $theAttribute"
|
|
$dsclBin . -delete "/Users/${currentName}" $theAttribute
|
|
# echo $?
|
|
done << EOL
|
|
$($dsclBin -raw . -read "/Users/${currentName}" | grep dsAttrType | awk -F":" '{print $2}' | grep -v -w "${attribsToKeep}")
|
|
EOL
|
|
## remove attributes from mobile account - end
|
|
|
|
#### for testing to pause the script ####
|
|
#touch /Users/Shared/pause.txt
|
|
#while [ -f /Users/Shared/pause.txt ];do
|
|
# sleep 10
|
|
#done
|
|
|
|
## ensure proper group on home directory
|
|
## skipping the change of group permissions on the user folder to avoide PPPC prompts for contacts and calendars
|
|
#homeDir=$($dsclBin . -read /Users/"${currentName}" NFSHomeDirectory | awk -F": " '{ print $2 }')
|
|
#log "Setting group and permissions for ${homeDir}"
|
|
#result=$(chown -R ":staff" "${homeDir}" &> /dev/null;echo "$?")
|
|
#if [ "$result" = "0" ];then
|
|
# log "updated group for home directory"
|
|
# log "chown -R :staff ${homeDir}"
|
|
#fi
|
|
|
|
## add to the admins group, if appropriate
|
|
if (([ "${isAdmin}" = "yes" ] && [ "$userType" != "standard" ]) || [ "$userType" = "admin" ]);then
|
|
result=$(/usr/sbin/dseditgroup -o edit -n /Local/Default -a "${currentName}" -t user admin;echo "$?")
|
|
if [ "$result" = "0" ];then
|
|
log "${currentName} was added to the admin group"
|
|
fi
|
|
elif [ "$userType" = "standard" ];then
|
|
result=$(/usr/sbin/dseditgroup -o edit -n /Local/Default -d "${currentName}" -t user admin;echo "$?")
|
|
if [ "$result" = "0" ];then
|
|
log "${currentName} was removed from the admin group"
|
|
fi
|
|
fi
|
|
|
|
## if we changed shortnames update the RecordName attribute and add the old name as an alias
|
|
if [ "${newName}" != "${currentName}" ];then
|
|
## get current home directory
|
|
homeDir=$($dsclBin . -read /Users/"${currentName}" NFSHomeDirectory | awk -F": " '{ print $2 }')
|
|
log "Current home directory: ${homeDir}"
|
|
|
|
log "Change in login name has been requested"
|
|
log "Changing the Record name from ${currentName} to ${newName}"
|
|
$dsclBin . -change "/Users/${currentName}" RecordName "${currentName}" "${newName}"
|
|
log "adding alias for old username: ${currentName}"
|
|
$dsclBin . -append "/Users/${newName}" RecordName "${currentName}"
|
|
if [ "${renameHomeDir}" = "1" ];then
|
|
log "Moving (renaming) current home directory ${homeDir} to /Users/${newName}"
|
|
/bin/mv "${homeDir}" "/Users/${newName}"
|
|
|
|
##log "killing jamfHelper for home directory change"
|
|
##sudo killall jamfHelper
|
|
|
|
log "setting home directory (NFSHomeDirectory) to /Users/${newName}"
|
|
##log "$dsclBin . -change \"/Users/${newName}\" NFSHomeDirectory \"${homeDir}\" \"${homeDir}\""
|
|
##$dsclBin . -change "/Users/${newName}" NFSHomeDirectory "${homeDir}" "${homeDir}"
|
|
##sleep 1
|
|
log "$dsclBin . -change \"/Users/${newName}\" NFSHomeDirectory \"${homeDir}\" \"/Users/${newName}\""
|
|
$dsclBin -u "${currentName}" -P "${password}" . -change "/Users/${newName}" NFSHomeDirectory "${homeDir}" "/Users/${newName}"
|
|
fi
|
|
fi
|
|
|
|
log "killing jamfHelper and loginwindow"
|
|
sudo killall jamfHelper
|
|
|
|
loggedInUser=$(stat -f%Su /dev/console)
|
|
ps -Ajc | grep loginwindow | grep "$loggedInUser" | grep -v grep | awk '{print $2}' | sudo xargs kill &
|
|
log "loginwindow restarted." &
|
|
|
|
#rm -fr $0
|
|
|