Script used to bind Macs to AD. Copied from DeployStudio 1.7.2
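#!/bin/bash
# This script shamelessly copied and edited from DeployStudio 1.7.2
# Original here: https://github.com/timsutton/DeployStudioDiffs/blob/c96f9a6244e68a7fb7af432ad47cc39d91b444b6/Packages/Admin/DeployStudio%20Admin.app/Contents/Plugins/DSADBindingTask.bundle/Contents/Resources/Scripts/ds_active_directory_binding/ds_active_directory_binding.10.7.sh
#
# Binds this Mac to the Active Directory domain configured in the
# "Load script config" section below, then applies the AD plugin options
# and rebuilds the directory search paths.
#
# The interpreter is /bin/bash rather than /bin/sh because the script
# uses bash arrays (AD_DOMAIN_IPS) further down. On macOS /bin/sh is bash
# in POSIX mode so it happened to work, but the shebang should name the
# real requirement so the script is not run under a plain POSIX sh.
#
# disable history characters (only relevant to interactive shells; kept
# from the original)
histchars=
#
# functions
#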
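#######################################
# Test whether a string is a dotted-quad IPv4 address (each octet 0-255).
# Arguments: $1 - the string to test
# Returns:   0 if $1 is an IPv4 address, 1 otherwise
#######################################
is_ip_address() {
  local candidate=$1
  local octet='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
  # The pattern is anchored to the whole string. The original used \b word
  # boundaries, which are a GNU grep extension and also accepted inputs such
  # as "1.2.3.4.5". printf is used instead of echo so a value like "-n" is
  # not swallowed as an echo option, and the pattern is quoted so the shell
  # does not glob-expand its "?" and "[...]" characters.
  if printf '%s\n' "${candidate}" | grep -E -q "^${octet}\.${octet}\.${octet}\.${octet}$"; then
    return 0
  fi
  return 1
}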
#
# Load script config
#
# Domain to join. May also be an IPv4 address, in which case the
# reachability check below pings it directly instead of resolving it.
AD_DOMAIN="contoso.local"
# Computer account name. DS_HOSTNAME is presumably exported by DeployStudio
# when this runs as a workflow task -- it is not set anywhere in this file.
COMPUTER_ID="${DS_HOSTNAME}"
# Container the computer object is created in.
COMPUTERS_OU="OU=DomainMacs,OU=Domain_Computers,DC=contoso,DC=local"
# Account used for the unbind/bind calls. NOTE: this is a plaintext
# credential stored in the script and later handed to dsconfigad on its
# command line, where it is visible in process listings while the command
# runs; anyone who can read this file can read the password.
ADMIN_LOGIN="AD_ADMIN"
ADMIN_PWD="SUPERPASS"
# AD plugin options applied after a successful bind (dsconfigad flags of
# the same name).
MOBILE="enable"
MOBILE_CONFIRM="disable"
LOCAL_HOME="enable"
USE_UNC_PATHS="disable"
UNC_PATHS_PROTOCOL="smb"
PACKET_SIGN="allow"
PACKET_ENCRYPT="allow"
PASSWORD_INTERVAL="0"
# Domain to authenticate against; the literal "All Domains" (or empty)
# keeps -alldomains enabled.
AUTH_DOMAIN="All Domains"
# Optional comma-separated AD groups granted admin rights; empty = none.
ADMIN_GROUPS=""
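#
# Wait for network services to be initialized
#
# Polls the IPv4 routing table until a default route shows up, giving up
# after MAX_ATTEMPTS polls spaced 10 s apart. "netstat -f inet" is the
# macOS/BSD form of the address-family filter.
echo "Checking for the default route to be active..."
ATTEMPTS=0
MAX_ATTEMPTS=18
while ! netstat -rn -f inet | grep -q default; do
  # -lt rather than -le: the original made MAX_ATTEMPTS+1 attempts while
  # the failure message reported MAX_ATTEMPTS.
  if [ "${ATTEMPTS}" -lt "${MAX_ATTEMPTS}" ]; then
    echo "Waiting for the default route to be active..."
    sleep 10
    ATTEMPTS=$((ATTEMPTS + 1))
  else
    # The original's "2>&1" on echo was a no-op; the error belongs on stderr.
    echo "Network not configured, AD binding failed (${MAX_ATTEMPTS} attempts)!" >&2
    exit 1
  fi
done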
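#
# Wait for the related server to be reachable
# NB: AD service entries must be correctly set in DNS
#
# Leaves SUCCESS="YES" when AD_DOMAIN (or one of the addresses it resolves
# to) answers a single ping, otherwise exits 1. "ping -t 5" is the
# macOS/BSD per-run timeout in seconds.
SUCCESS=
if is_ip_address "${AD_DOMAIN}"; then
  # the AD_DOMAIN variable contains an IP address, let's try to ping the server
  echo "Testing ${AD_DOMAIN} reachability"
  if ping -t 5 -c 1 "${AD_DOMAIN}" | grep "round-trip"; then
    echo "Ping successful!"
    SUCCESS="YES"
  else
    echo "Ping failed..." >&2
  fi
else
  ATTEMPTS=0
  MAX_ATTEMPTS=12
  while [ -z "${SUCCESS}" ]; do
    if [ "${ATTEMPTS}" -lt "${MAX_ATTEMPTS}" ]; then
      # One address per "has address" line from host(1); the unquoted
      # substitution is deliberate here so each line becomes an element
      # (the values are dotted quads, so no glob or whitespace hazards).
      AD_DOMAIN_IPS=( $(host "${AD_DOMAIN}" | grep " has address " | cut -f 4 -d " ") )
      for AD_DOMAIN_IP in "${AD_DOMAIN_IPS[@]}"; do
        echo "Testing ${AD_DOMAIN} reachability on address ${AD_DOMAIN_IP}"
        if ping -t 5 -c 1 "${AD_DOMAIN_IP}" | grep "round-trip"; then
          echo "Ping successful!"
          SUCCESS="YES"
          # first reachable address wins
          break
        fi
        echo "Ping failed..." >&2
      done
      if [ -z "${SUCCESS}" ]; then
        echo "An error occurred while trying to get ${AD_DOMAIN} IP addresses, new attempt in 10 seconds..." >&2
        sleep 10
        ATTEMPTS=$((ATTEMPTS + 1))
      fi
    else
      echo "Cannot get any IP address for ${AD_DOMAIN} (${MAX_ATTEMPTS} attempts), aborting lookup..." >&2
      break
    fi
  done
fi
if [ -z "${SUCCESS}" ]; then
  echo "Cannot reach any IP address of the domain ${AD_DOMAIN}." >&2
  echo "AD binding failed!" >&2
  exit 1
fi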
#
# Unbinding computer first
#
# Drop any existing binding before (re)binding below. The admin password
# travels on dsconfigad's argv here and is visible in process listings for
# the duration of the call.
printf '%s\n' "Unbinding computer..."
dsconfigad -remove -username "${ADMIN_LOGIN}" -password "${ADMIN_PWD}" 2>&1
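#
# Try to bind the computer
#
# Up to MAX_ATTEMPTS bind attempts, 10 s apart. A bind counts as successful
# when "dsconfigad -show" lists an "Active Directory Domain" line. On exit
# SUCCESS is "YES" or "NO", which the option/search-path section below and
# the final exit status key off.
ATTEMPTS=0
MAX_ATTEMPTS=12
SUCCESS=
while [ -z "${SUCCESS}" ]; do
  # -lt rather than -le: the original tried MAX_ATTEMPTS+1 times while the
  # failure message reported MAX_ATTEMPTS.
  if [ "${ATTEMPTS}" -lt "${MAX_ATTEMPTS}" ]; then
    echo "Binding computer to domain ${AD_DOMAIN}..."
    # NOTE: the admin password is passed on argv and is visible in process
    # listings while dsconfigad runs.
    dsconfigad -add "${AD_DOMAIN}" -computer "${COMPUTER_ID}" -ou "${COMPUTERS_OU}" \
      -username "${ADMIN_LOGIN}" -password "${ADMIN_PWD}" -force 2>&1
    IS_BOUND=$(dsconfigad -show | grep "Active Directory Domain")
    if [ -n "${IS_BOUND}" ]; then
      SUCCESS="YES"
    else
      echo "An error occured while trying to bind this computer to AD, new attempt in 10 seconds..." >&2
      sleep 10
      ATTEMPTS=$((ATTEMPTS + 1))
    fi
  else
    echo "AD binding failed (${MAX_ATTEMPTS} attempts)!" >&2
    SUCCESS="NO"
  fi
done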
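if [ "${SUCCESS}" = "YES" ]; then
  #
  # Update AD plugin options
  #
  echo "Setting AD plugin options..."
  # One option per dsconfigad call with a short pause between them, as in
  # the original. Values are quoted so an empty setting cannot silently
  # drop the argument.
  dsconfigad -mobile "${MOBILE}" 2>&1
  sleep 1
  dsconfigad -mobileconfirm "${MOBILE_CONFIRM}" 2>&1
  sleep 1
  dsconfigad -localhome "${LOCAL_HOME}" 2>&1
  sleep 1
  dsconfigad -useuncpath "${USE_UNC_PATHS}" 2>&1
  sleep 1
  dsconfigad -protocol "${UNC_PATHS_PROTOCOL}" 2>&1
  sleep 1
  dsconfigad -packetsign "${PACKET_SIGN}" 2>&1
  sleep 1
  dsconfigad -packetencrypt "${PACKET_ENCRYPT}" 2>&1
  sleep 1
  dsconfigad -passinterval "${PASSWORD_INTERVAL}" 2>&1
  if [ -n "${ADMIN_GROUPS}" ]; then
    sleep 1
    dsconfigad -groups "${ADMIN_GROUPS}" 2>&1
  fi
  sleep 1
  # A specific AUTH_DOMAIN restricts authentication to that domain; empty or
  # the literal "All Domains" keeps every domain enabled.
  if [ -n "${AUTH_DOMAIN}" ] && [ "${AUTH_DOMAIN}" != 'All Domains' ]; then
    dsconfigad -alldomains disable 2>&1
  else
    dsconfigad -alldomains enable 2>&1
  fi
  #
  # Rebuild the directory search paths: remove any existing AD entry, reset
  # both policies to a custom search path, then append the AD node for the
  # chosen domain.
  #
  AD_SEARCH_PATH=$(dscl /Search -read / CSPSearchPath | grep "Active Directory" | sed -e 's/^ *//' -e 's/ *$//')
  if [ -n "${AD_SEARCH_PATH}" ]; then
    echo "Deleting '${AD_SEARCH_PATH}' from authentication search path..."
    dscl localhost -delete /Search CSPSearchPath "${AD_SEARCH_PATH}" 2>/dev/null
    echo "Deleting '${AD_SEARCH_PATH}' from contacts search path..."
    dscl localhost -delete /Contact CSPSearchPath "${AD_SEARCH_PATH}" 2>/dev/null
  fi
  dscl localhost -create /Search SearchPolicy CSPSearchPath 2>&1
  dscl localhost -create /Contact SearchPolicy CSPSearchPath 2>&1
  # First node listed under "/Active Directory" is taken as the forest/domain node.
  AD_DOMAIN_NODE=$(dscl localhost -list "/Active Directory" | head -n 1)
  if [ "${AD_DOMAIN_NODE}" = "All Domains" ]; then
    AD_SEARCH_PATH="/Active Directory/All Domains"
  elif [ -n "${AUTH_DOMAIN}" ] && [ "${AUTH_DOMAIN}" != 'All Domains' ]; then
    AD_SEARCH_PATH="/Active Directory/${AD_DOMAIN_NODE}/${AUTH_DOMAIN}"
  else
    AD_SEARCH_PATH="/Active Directory/${AD_DOMAIN_NODE}/All Domains"
  fi
  echo "Adding '${AD_SEARCH_PATH}' to authentication search path..."
  dscl localhost -append /Search CSPSearchPath "${AD_SEARCH_PATH}"
  echo "Adding '${AD_SEARCH_PATH}' to contacts search path..."
  dscl localhost -append /Contact CSPSearchPath "${AD_SEARCH_PATH}"
  #
  # Let network accounts log in at the login window, but only when
  # com.apple.access_loginwindow has no members or nested groups yet --
  # presumably an existing list means access was deliberately restricted
  # and must not be widened here.
  #
  GROUP_MEMBERS=$(dscl /Local/Default -read /Groups/com.apple.access_loginwindow GroupMembers 2>/dev/null)
  NESTED_GROUPS=$(dscl /Local/Default -read /Groups/com.apple.access_loginwindow NestedGroups 2>/dev/null)
  if [ -z "${GROUP_MEMBERS}" ] && [ -z "${NESTED_GROUPS}" ]; then
    echo "Enabling network users login..."
    dseditgroup -o edit -n /Local/Default -a netaccounts -t group com.apple.access_loginwindow 2>/dev/null
  fi
fi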
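# Exit status reflects the bind result so the calling workflow can tell a
# failed bind from a successful one. The original always exited 0 here,
# even after "AD binding failed", while the earlier network checks in this
# script exit 1 on failure.
echo "done done"
if [ "${SUCCESS}" = "YES" ]; then
  exit 0
fi
exit 1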