#!/bin/bash
###################################################################
#
# Script to assign admin rights based on the membership of an AD group
# with the computer's name. NoMAD caches user AD group membership, so
# admin rights will remain, even when the machine is offsite.
#
# Date: Tue 16 Jan 2018 14:30:26 GMT
# Version: 0.2.0
# Creator: dsavage
#
##################################################################
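#######################################
# Pick one domain controller at random from the fixed list of short names.
# Uses bash's $RANDOM and an array instead of jot/eval/awk, so nothing is
# re-parsed through the shell.
# Globals:   none
# Arguments: none
# Outputs:   the chosen host's short name (one line) on stdout
# Returns:   0
#######################################
Random_Domain_Controller() {
  local -a candidates=(aviemore brora ceres crieff cromarty kelso leven oban vesta)
  local index
  index=$(( RANDOM % ${#candidates[@]} ))
  printf '%s\n' "${candidates[$index]}"
}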
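# may switch - `python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");'`

#######################################
# Does a local (DS node ".") user record with exactly this short name exist?
# Arguments: $1 - short name to look for
# Returns:   0 if present, non-zero otherwise
#######################################
local_user_exists() {
  # -x: whole-line match so "bob" no longer matches "bobby"; -F: no regex,
  # so a name is never treated as a pattern.
  dscl . -list /Users | grep -qxF -- "$1"
}

#######################################
# Is this short name a direct member of the local admin group right now?
# Queried live on every call so a grant or revoke made earlier in the run
# is reflected, instead of reusing a list read once at start-up.
# Arguments: $1 - short name
# Returns:   0 if a member, 1 otherwise
#######################################
is_local_admin() {
  dscl . -read /Groups/admin GroupMembership 2>/dev/null \
    | awk -v who="$1" '
        $1 == "GroupMembership:" { for (i = 2; i <= NF; i++) if ($i == who) found = 1 }
        END { exit !found }'
}

#######################################
# Does the console user's login session hold a Kerberos ticket?
# Kept in Python because the original author found a plain shell klist
# unreliable. The UID is passed as argv and the heredoc is quoted, so no
# shell expansion is ever spliced into the Python source.
# Arguments: $1 - uid of the console user
# Returns:   0 if `klist -s` succeeds in that user's session, 1 otherwise
#######################################
has_krb_ticket() {
  python - "$1" <<'EOF'
import subprocess
import sys
try:
    subprocess.check_call(['launchctl', 'asuser', sys.argv[1], 'klist', '-s'])
except subprocess.CalledProcessError:
    sys.exit(1)
EOF
}

readonly EXIT_NO_NOMAD=254   # NoMAD preferences not found: it has not launched
readonly EXIT_NO_TICKET=255  # no Kerberos ticket for the console user
# Was `exit 256`, which wraps to 0 and reported "no DC reachable" as success.
readonly EXIT_NO_DC=253

# Owner of /dev/console is the logged-in console user.
User_Name=$(stat -f '%Su' /dev/console)
printf '%s\n' "$User_Name"
if [[ -z "$User_Name" ]]; then
  # Without a console user there is no per-user NoMAD state to read.
  printf 'Cannot determine the console user\n' >&2
  exit "$EXIT_NO_NOMAD"
fi

Computer_Name=$(/usr/sbin/scutil --get ComputerName | tr '[:upper:]' '[:lower:]')
printf '%s\n' "$Computer_Name"

# The home folder may not match the username, so ask Directory Services and
# (as before) only accept a home under /Users/.
Home_Path=$(dscl . -read "/Users/$User_Name" NFSHomeDirectory 2>/dev/null \
  | awk '$1 == "NFSHomeDirectory:" && $2 ~ /^\/Users\// { print $2; exit }')

# Path to the preference
NoMAD_Path="${Home_Path}/Library/Preferences/com.trusourcelabs.NoMAD.plist"
printf '%s\n' "$NoMAD_Path"
if [[ ! -e "$NoMAD_Path" ]]; then
  exit "$EXIT_NO_NOMAD"  # NoMAD hasn't launched
fi

user_uid=$(id -u "$User_Name")

if has_krb_ticket "$user_uid"; then
  # NOTE(review): the principal literal in this copy of the script was
  # obfuscated; it is reconstructed from the comparison the grant loop makes
  # against "${User_Name}@ED.AC.UK" — confirm against the original source.
  Auth_User="${User_Name}@ED.AC.UK"
else
  printf 'No KRB5 ticket for user %s\n' "$User_Name"
  exit "$EXIT_NO_TICKET"  # No Kerberos ticket.
fi
# Short name (UUN) is everything before the realm.
UUN=${Auth_User%%@*}

# NoMAD caches the user's AD groups; find the cached entry naming this machine
# (fixed-string, case-insensitive) and normalise it to a lower-case group name.
Admin_Group=$(defaults read "$NoMAD_Path" Groups \
  | grep -iF -- "$Computer_Name" \
  | tr -d '[:space:]' \
  | awk -F ',' '{ print $1 }' \
  | tr -d '"' \
  | tr '[:upper:]' '[:lower:]')

Domain_Controller=$(Random_Domain_Controller)
AD_Unavailable=0
# Retry with a fresh random DC until one answers a single ping; give up after
# more than three failures. ping's exit status is used instead of grepping its
# human-readable summary line.
until ping -c 1 "${Domain_Controller}.ed.ac.uk" >/dev/null 2>&1; do
  printf 'No response to ping, server %s down or no network.\n' "$Domain_Controller"
  Domain_Controller=$(Random_Domain_Controller)
  AD_Unavailable=$(( AD_Unavailable + 1 ))
  if (( AD_Unavailable > 3 )); then
    printf 'Breaking loop and failing out as we cannot reach a DC\n'
    exit "$EXIT_NO_DC"
  fi
done
printf '%s responded to ping, using for AD rights...\n' "$Domain_Controller"

# Members of the AD group named after this computer, reduced to their CN.
# Computer_Name comes from scutil (local) but still lands in the LDAP filter
# unescaped, as it did before. Read line by line so no word-splitting occurs.
Admin_Users=()
while IFS= read -r member; do
  Admin_Users+=("$member")
done < <(launchctl asuser "$user_uid" ldapsearch \
    -b "ou=Authorisation,ou=UoESD,dc=ed,dc=ac,dc=uk" \
    -H "ldap://${Domain_Controller}.ed.ac.uk" \
    "(cn=${Computer_Name})" member \
  | awk -F 'CN=' '/^member:/ { split($2, dn, ","); print dn[1] }')
printf '%s\n' "${Admin_Users[*]}"

# Apply admin rights
for AD_User in "${Admin_Users[@]}"; do
  # Grant when the console user is the ticket principal, or when this AD
  # member already has a local account (exact name match, not a substring).
  if [[ "${User_Name}@ED.AC.UK" == "$Auth_User" ]] || local_user_exists "$AD_User"; then
    printf 'checking if admin rights need added\n'
    if ! is_local_admin "$AD_User"; then
      /usr/sbin/dseditgroup -o edit -a "$AD_User" -t user admin
      printf 'adding admin rights for %s\n' "$AD_User"
    fi
  fi
done

# Revoke admin rights: the cached NoMAD groups do not name this machine and the
# ticket's user exists locally. Membership is re-read live rather than relying
# on whatever value the grant loop happened to leave behind.
if [[ "$Admin_Group" != "$Computer_Name" ]] && local_user_exists "$UUN"; then
  if is_local_admin "$UUN"; then
    printf 'revoke admin for %s\n' "$UUN"
    /usr/sbin/dseditgroup -o edit -d "$UUN" -t user admin
  fi
  if is_local_admin "$User_Name"; then
    printf 'revoke admin for %s\n' "$User_Name"
    /usr/sbin/dseditgroup -o edit -d "$User_Name" -t user admin
  fi
fi
exit 0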