[Casper] JSS user reporting user as admin dscl says no?
Thomas Larkin
tlarki at kckps.org
Wed Dec 10 13:15:07 PST 2008
That is what I thought but wasn't 100% on it. Everyone is part of staff
(20) but this is reading it off the directory LDAP. So, if a user goes
into System Preferences, and checks the box that says allow this user to
administer this computer on their mobile account, will it add the admin
group, or will it list the user under /Groups/admin on the machine
locally?
As far as I can tell it doesn't do either. When I invoke the dscl
command it lists no one under the /Groups/admin on that machine locally.
When I run the id command on a user it pulls up their info from LDAP,
not the local machine.
I guess what I am trying to get to the bottom of is, how do I tell if
a user has checked the box to flag them as an administrator for just
that machine in System Preferences? Perhaps that is why I am getting
the double entries in the JSS inventory?
Thoughts?
Thanks again for reading and helping with this,
Tom
>>> "Miles Leacy" <miles.leacy at themacadmin.com> 12/10/08 3:06 PM >>>
I don't know if I'm misunderstanding your message, but it sounds like
you're saying that membership in admin (80) is inherited by membership
in staff (20).
I don't believe that's the case. All accounts are members of staff by
default. Only admin users are members of admin. An account can be a
member of staff but not be a member of admin.
The output is showing you the following:
uid=<the account's user ID> gid=<the account's "primary group ID", as
seen in Workgroup Manager, Groups tab> # What follows is a list of all
of the groups that the account in question belongs to, including the
"primary group". This is why you see "staff" appear twice in the
command's output. The first instance lets you know what the account's
"primary group" is, and it appears again when listing all groups that
the account is a member of.
My apologies if I misunderstood your message.
----------
Miles A. Leacy IV
Certified System Administrator 10.4
Certified Technical Coordinator 10.5
Certified Trainer
Certified Casper Administrator
----------
voice: 1-347-277-7321
miles.leacy at themacadmin.com
www.themacadmin.com
2008/12/10 Ryan Harter <rharter at uwsp.edu>
_lpadmin is the CUPS account that correlates to the lpadmin command you
find in the terminal. I can't tell you why this account is showing up
twice, but since it is a member of the staff group that should make it
admin. Our local administrator account is uid=501(adm) gid=20(staff)
...
AFAIK the user is not directly a member of the admin group, but staff
is, so it's like embedded groups.
Ryan Harter
UW - Stevens Point
Workstation Developer
715.346.2716
Ryan.Harter at uwsp.edu
On Dec 10, 2008, at 2:08 PM, Thomas Larkin wrote:
Everyone,
So a user has a true flag under their account in the JSS for the
inventory of that machine, I will just copy/paste an example, sorry if
it doesn't format correctly.
User in the JSS shows this:
Username | Real Name | UID | Home Directory | Home Directory Size | Admin | File Vault Enabled
Mia Green 22221 /Users/11miagre 5.28 GB true false
11miagre Mia Green 22221 /Users/11miagre 5.28 GB false false
student KCK Student 505 /Local/Users/student N/A false false
For some reason it shows the user name twice, and on the top one it says
True False, the first True being the admin flag.
Now, when I ssh into said client machine and do some digging I find
this:
id 11miagre
uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)
GID 98 shows as _lpadmin, what the heck is that? Google says it
configures the print system, so I must assume it is a daemon from the
OS?
Anyone else see this stuff? Also, dscl does not list this user under
/Groups/admin either.
Thanks
___________________________
Thomas Larkin
TIS DeCasper mailing list
Casper at list.jamfsoftware.com
http://list.jamfsoftware.com/mailman/listinfo/casper
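The following is an added example, not part of any message in this thread: a shell check that parses one line of `id` output and reports whether the account holds the admin group (GID 80, as cited in the thread) rather than only staff (GID 20). The function names and the second sample line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit `id` output for membership in the admin group.
# 80 is the admin GID cited in the thread; 20 is staff.
ADMIN_GID=80

# Constructed sample: the id output quoted in the thread, on one line.
SAMPLE_STUDENT='uid=22221(11miagre) gid=20(staff) groups=20(staff),98(_lpadmin),101(com.apple.sharepoint.group.1),104(com.apple.sharepoint.group.2),1042(allstudents),1053(washington_2011)'
# Constructed sample: a hypothetical account whose group list includes admin.
SAMPLE_ADMIN='uid=501(adm) gid=20(staff) groups=20(staff),80(admin),98(_lpadmin)'

# Print the primary GID (the gid= field) from one line of id output.
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9][0-9]*\).*/\1/p'
}

# Print every numeric GID in the groups= list, one per line.
# The primary group appears here again, which is why staff shows up twice.
group_gids() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//'
}

# Succeed only if the admin GID is present as a whole number,
# so GIDs such as 180 or 801 do not count as a match.
is_admin() {
    { primary_gid "$1"; group_gids "$1"; } | grep -qx "$ADMIN_GID"
}

# Print a one-line verdict for the account named in the id output.
report() {
    user=$(printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    if is_admin "$1"; then
        echo "$user: admin"
    else
        echo "$user: not admin"
    fi
}

report "$SAMPLE_STUDENT"
report "$SAMPLE_ADMIN"
```

On a managed client the input would come from running `id <shortname>` for each account in the inventory record.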