ad-bind-login.sh

This script has been modified to work in our environment and is not the same as the original. Please see Mike Bombich's site for the original scripts. I have added comments where applicable to explain the changes.
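#!/bin/sh
#
# This script binds to AD and configures advanced options of the AD plugin.
# As this script contains a password, be sure to take appropriate security
# precautions.
# A good way to run this script is to set it as a login hook on your master
# machine. Because it only needs to be run once, the last thing this script
# does is to delete itself. If you have another login script that you
# typically run, include the script on your master machine, and indicate its
# path in the "newLoginHook" variable.
# If running this as a one-time login hook to bind to AD after imaging,
# be sure to enable auto-login (for any local user) before creating your
# master image.
#
# NOTE(review): in this version the self-destruct step (srm "$0") at the
# bottom is commented out, so the plaintext password below remains on disk
# after the bind — see the note at the end of the file.

# Synchronize network time to allow joining to domain.
# NOTE(review): ntpdate is invoked without a server argument here — TODO
# confirm this is intended for your environment.
sudo /usr/sbin/ntpdate -u

# Allow time for NTP synchronization.
sleep 60

# Host-specific parameters
# computerid should be set dynamically; this value must be machine-specific.
# This value may be restricted to 19 characters! The only error you'll receive
# upon entering an invalid computer id is to the effect of not having
# appropriate privileges to perform the requested operation.
#computerid=$(hostname)
#computerid=$(/usr/sbin/scutil --get LocalHostName | cut -c 1-19)   # Assure that this will produce unique names!
#computerid=$(/usr/sbin/scutil --get LocalHostName)
computerid=$(/sbin/ifconfig en0 | awk '/ether/ { gsub(":", ""); print $2 }')   # Use the MAC Address

# Refuse to bind with an empty computer id (e.g. en0 missing); dsconfigad
# would otherwise be handed an empty -a argument.
if [ -z "$computerid" ]; then
  printf 'ad-bind-login: could not determine computerid from en0\n' >&2
  exit 1
fi

# Standard parameters
domain="example.com"      # fully qualified DNS name of Active Directory Domain
udn="dsadmin"             # username of a privileged network user
# NOTE(review): this password is stored in plaintext and is passed to
# dsconfigad on its command line (visible in the process list while the bind
# runs). Use an account that only has the rights needed to join computers to
# the OU below, and protect this file accordingly.
password="passwd"         # password of a privileged network user
ou="OU=Macintosh Computers,OU=Labs,OU=Computers,OU=Our_Domain,DC=example,DC=com"   # Distinguished name of container for the computer

# Advanced options
alldomains="disable"      # 'enable' or 'disable' automatic multi-domain authentication
localhome="enable"        # 'enable' or 'disable' force home directory to local drive
protocol="smb"            # 'afp' or 'smb' change how home is mounted from server
mobile="disable"          # 'enable' or 'disable' mobile account support for offline logon
mobileconfirm="disable"   # 'enable' or 'disable' warn the user that a mobile acct will be created
useuncpath="disable"      # 'enable' or 'disable' use AD SMBHome attribute to determine the home dir
user_shell="/bin/bash"    # e.g., /bin/bash or "none"
preferred="-nopreferred"  # Use the specified server for all Directory lookups and authentication
                          # (e.g. "-nopreferred" or "-preferred ad.server.edu")
admingroups="Domain Admins"   # These comma-separated AD groups may administer the machine (e.g. "" or "APPLE\mac admins")
packetsign="allow"        # allow | disable | require
packetencrypt="allow"     # allow | disable | require
#passinterval="14"        # number of days
#namespace="domain"       # forest | domain

# Login hook setting -- specify the path to a login hook that you want to run
# instead of this script.
# Set path to second loginhook that will start the windows image restore.
newLoginHook="/Library/Scripts/Login/restore_xp.sh"   # e.g., "/Library/Management/login.sh"

# End of configuration

# Activate the AD plugin
defaults write /Library/Preferences/DirectoryService/DirectoryService "Active Directory" "Active"
plutil -convert xml1 /Library/Preferences/DirectoryService/DirectoryService.plist

# Bind to AD.
# Stop here if the bind fails: the original continued regardless, replacing
# the login hook and rebooting into an unbound machine with no diagnostic.
if ! dsconfigad -f -a "$computerid" -domain "$domain" -u "$udn" -p "$password" -ou "$ou"; then
  printf 'ad-bind-login: dsconfigad bind of %s to %s failed\n' "$computerid" "$domain" >&2
  exit 1
fi

# Configure advanced AD plugin options
if [ "$admingroups" = "" ]; then
  dsconfigad -nogroups
else
  dsconfigad -groups "$admingroups"
fi

# $preferred is deliberately unquoted: it may expand to two words
# ("-preferred ad.server.edu").
# shellcheck disable=SC2086
dsconfigad -alldomains "$alldomains" -localhome "$localhome" -protocol "$protocol" \
  -mobile "$mobile" -mobileconfirm "$mobileconfirm" -useuncpath "$useuncpath" \
  -shell "$user_shell" $preferred -packetsign "$packetsign" -packetencrypt "$packetencrypt"

# Restart DirectoryService (necessary to reload AD plugin activation settings)
killall DirectoryService

# Add the AD node to the search path
if [ "$alldomains" = "enable" ]; then
  csp="/Active Directory/All Domains"
else
  csp="/Active Directory/$domain"
fi

#dscl /Search -append / CSPSearchPath "$csp"
#dscl /Search -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath
#dscl /Search/Contacts -append / CSPSearchPath "$csp"
#dscl /Search/Contacts -create / SearchPolicy dsAttrTypeStandard:CSPSearchPath

# This works in a pinch if the above code does not.
# NOTE(review): $csp is computed above but the array written here hard-codes
# "/Active Directory/All Domains" even though alldomains is "disable" — TODO
# confirm this is the node that actually exists after the bind, or use "$csp".
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Node Custom Path Array" -array "/Active Directory/All Domains"
defaults write /Library/Preferences/DirectoryService/SearchNodeConfig "Search Policy" -int 3
plutil -convert xml1 /Library/Preferences/DirectoryService/SearchNodeConfig.plist
killall DirectoryService

# Destroy the login hook (or change it)
if [ "${newLoginHook}" = "" ]; then
  defaults delete /var/root/Library/Preferences/com.apple.loginwindow LoginHook
else
  defaults write /var/root/Library/Preferences/com.apple.loginwindow LoginHook "$newLoginHook"
fi

# Disable autologin
#defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser
#srm /etc/kcpassword

# Kill loginwindow to return to the login screen
#killall loginwindow

# Destroy this script!
# NOTE(review): disabled in this version; while it stays disabled the
# password above remains readable in this file after the bind completes.
#srm "$0"

# Reboot and run second LoginHook
/sbin/reboot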

